2
0

extensions_clnt.c 67 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025
  1. /*
  2. * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_local.h"
  11. #include "internal/cryptlib.h"
  12. #include "statem_local.h"
  13. EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
  14. unsigned int context, X509 *x,
  15. size_t chainidx)
  16. {
  17. /* Add RI if renegotiating */
  18. if (!s->renegotiate)
  19. return EXT_RETURN_NOT_SENT;
  20. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
  21. || !WPACKET_start_sub_packet_u16(pkt)
  22. || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
  23. s->s3.previous_client_finished_len)
  24. || !WPACKET_close(pkt)) {
  25. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  26. return EXT_RETURN_FAIL;
  27. }
  28. return EXT_RETURN_SENT;
  29. }
  30. EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
  31. unsigned int context, X509 *x,
  32. size_t chainidx)
  33. {
  34. if (s->ext.hostname == NULL)
  35. return EXT_RETURN_NOT_SENT;
  36. /* Add TLS extension servername to the Client Hello message */
  37. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
  38. /* Sub-packet for server_name extension */
  39. || !WPACKET_start_sub_packet_u16(pkt)
  40. /* Sub-packet for servername list (always 1 hostname)*/
  41. || !WPACKET_start_sub_packet_u16(pkt)
  42. || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
  43. || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
  44. strlen(s->ext.hostname))
  45. || !WPACKET_close(pkt)
  46. || !WPACKET_close(pkt)) {
  47. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  48. return EXT_RETURN_FAIL;
  49. }
  50. return EXT_RETURN_SENT;
  51. }
  52. /* Push a Max Fragment Len extension into ClientHello */
  53. EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
  54. unsigned int context, X509 *x,
  55. size_t chainidx)
  56. {
  57. if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
  58. return EXT_RETURN_NOT_SENT;
  59. /* Add Max Fragment Length extension if client enabled it. */
  60. /*-
  61. * 4 bytes for this extension type and extension length
  62. * 1 byte for the Max Fragment Length code value.
  63. */
  64. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
  65. /* Sub-packet for Max Fragment Length extension (1 byte) */
  66. || !WPACKET_start_sub_packet_u16(pkt)
  67. || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
  68. || !WPACKET_close(pkt)) {
  69. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  70. return EXT_RETURN_FAIL;
  71. }
  72. return EXT_RETURN_SENT;
  73. }
  74. #ifndef OPENSSL_NO_SRP
  75. EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
  76. unsigned int context,
  77. X509 *x, size_t chainidx)
  78. {
  79. /* Add SRP username if there is one */
  80. if (s->srp_ctx.login == NULL)
  81. return EXT_RETURN_NOT_SENT;
  82. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
  83. /* Sub-packet for SRP extension */
  84. || !WPACKET_start_sub_packet_u16(pkt)
  85. || !WPACKET_start_sub_packet_u8(pkt)
  86. /* login must not be zero...internal error if so */
  87. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  88. || !WPACKET_memcpy(pkt, s->srp_ctx.login,
  89. strlen(s->srp_ctx.login))
  90. || !WPACKET_close(pkt)
  91. || !WPACKET_close(pkt)) {
  92. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  93. return EXT_RETURN_FAIL;
  94. }
  95. return EXT_RETURN_SENT;
  96. }
  97. #endif
  98. static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
  99. {
  100. int i, end, ret = 0;
  101. unsigned long alg_k, alg_a;
  102. STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
  103. const uint16_t *pgroups = NULL;
  104. size_t num_groups, j;
  105. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  106. /* See if we support any ECC ciphersuites */
  107. if (s->version == SSL3_VERSION)
  108. return 0;
  109. cipher_stack = SSL_get1_supported_ciphers(ssl);
  110. end = sk_SSL_CIPHER_num(cipher_stack);
  111. for (i = 0; i < end; i++) {
  112. const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  113. alg_k = c->algorithm_mkey;
  114. alg_a = c->algorithm_auth;
  115. if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
  116. || (alg_a & SSL_aECDSA)
  117. || c->min_tls >= TLS1_3_VERSION) {
  118. ret = 1;
  119. break;
  120. }
  121. }
  122. sk_SSL_CIPHER_free(cipher_stack);
  123. if (!ret)
  124. return 0;
  125. /* Check we have at least one EC supported group */
  126. tls1_get_supported_groups(s, &pgroups, &num_groups);
  127. for (j = 0; j < num_groups; j++) {
  128. uint16_t ctmp = pgroups[j];
  129. if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
  130. && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
  131. return 1;
  132. }
  133. return 0;
  134. }
  135. EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
  136. unsigned int context, X509 *x,
  137. size_t chainidx)
  138. {
  139. const unsigned char *pformats;
  140. size_t num_formats;
  141. int reason, min_version, max_version;
  142. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  143. if (reason != 0) {
  144. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  145. return EXT_RETURN_FAIL;
  146. }
  147. if (!use_ecc(s, min_version, max_version))
  148. return EXT_RETURN_NOT_SENT;
  149. /* Add TLS extension ECPointFormats to the ClientHello message */
  150. tls1_get_formatlist(s, &pformats, &num_formats);
  151. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
  152. /* Sub-packet for formats extension */
  153. || !WPACKET_start_sub_packet_u16(pkt)
  154. || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
  155. || !WPACKET_close(pkt)) {
  156. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  157. return EXT_RETURN_FAIL;
  158. }
  159. return EXT_RETURN_SENT;
  160. }
  161. EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
  162. unsigned int context, X509 *x,
  163. size_t chainidx)
  164. {
  165. const uint16_t *pgroups = NULL;
  166. size_t num_groups = 0, i, tls13added = 0, added = 0;
  167. int min_version, max_version, reason;
  168. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  169. if (reason != 0) {
  170. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  171. return EXT_RETURN_FAIL;
  172. }
  173. /*
  174. * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
  175. * if we don't have EC support then we don't send this extension.
  176. */
  177. if (!use_ecc(s, min_version, max_version)
  178. && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
  179. return EXT_RETURN_NOT_SENT;
  180. /*
  181. * Add TLS extension supported_groups to the ClientHello message
  182. */
  183. tls1_get_supported_groups(s, &pgroups, &num_groups);
  184. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
  185. /* Sub-packet for supported_groups extension */
  186. || !WPACKET_start_sub_packet_u16(pkt)
  187. || !WPACKET_start_sub_packet_u16(pkt)
  188. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
  189. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  190. return EXT_RETURN_FAIL;
  191. }
  192. /* Copy group ID if supported */
  193. for (i = 0; i < num_groups; i++) {
  194. uint16_t ctmp = pgroups[i];
  195. int okfortls13;
  196. if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
  197. && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
  198. #ifndef OPENSSL_NO_TLS1_3
  199. int ctmp13 = ssl_group_id_internal_to_tls13(ctmp);
  200. if (ctmp13 != 0 && ctmp13 != ctmp
  201. && max_version == TLS1_3_VERSION) {
  202. if (!WPACKET_put_bytes_u16(pkt, ctmp13)) {
  203. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  204. return EXT_RETURN_FAIL;
  205. }
  206. tls13added++;
  207. added++;
  208. if (min_version == TLS1_3_VERSION)
  209. continue;
  210. }
  211. #endif
  212. if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
  213. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  214. return EXT_RETURN_FAIL;
  215. }
  216. if (okfortls13 && max_version == TLS1_3_VERSION)
  217. tls13added++;
  218. added++;
  219. }
  220. }
  221. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  222. if (added == 0)
  223. SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
  224. "No groups enabled for max supported SSL/TLS version");
  225. else
  226. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  227. return EXT_RETURN_FAIL;
  228. }
  229. if (tls13added == 0 && max_version == TLS1_3_VERSION) {
  230. SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
  231. "No groups enabled for max supported SSL/TLS version");
  232. return EXT_RETURN_FAIL;
  233. }
  234. return EXT_RETURN_SENT;
  235. }
  236. EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  237. unsigned int context, X509 *x,
  238. size_t chainidx)
  239. {
  240. size_t ticklen;
  241. if (!tls_use_ticket(s))
  242. return EXT_RETURN_NOT_SENT;
  243. if (!s->new_session && s->session != NULL
  244. && s->session->ext.tick != NULL
  245. && s->session->ssl_version != TLS1_3_VERSION) {
  246. ticklen = s->session->ext.ticklen;
  247. } else if (s->session && s->ext.session_ticket != NULL
  248. && s->ext.session_ticket->data != NULL) {
  249. ticklen = s->ext.session_ticket->length;
  250. s->session->ext.tick = OPENSSL_malloc(ticklen);
  251. if (s->session->ext.tick == NULL) {
  252. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  253. return EXT_RETURN_FAIL;
  254. }
  255. memcpy(s->session->ext.tick,
  256. s->ext.session_ticket->data, ticklen);
  257. s->session->ext.ticklen = ticklen;
  258. } else {
  259. ticklen = 0;
  260. }
  261. if (ticklen == 0 && s->ext.session_ticket != NULL &&
  262. s->ext.session_ticket->data == NULL)
  263. return EXT_RETURN_NOT_SENT;
  264. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
  265. || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
  266. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  267. return EXT_RETURN_FAIL;
  268. }
  269. return EXT_RETURN_SENT;
  270. }
  271. EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
  272. unsigned int context, X509 *x,
  273. size_t chainidx)
  274. {
  275. size_t salglen;
  276. const uint16_t *salg;
  277. if (!SSL_CLIENT_USE_SIGALGS(s))
  278. return EXT_RETURN_NOT_SENT;
  279. salglen = tls12_get_psigalgs(s, 1, &salg);
  280. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
  281. /* Sub-packet for sig-algs extension */
  282. || !WPACKET_start_sub_packet_u16(pkt)
  283. /* Sub-packet for the actual list */
  284. || !WPACKET_start_sub_packet_u16(pkt)
  285. || !tls12_copy_sigalgs(s, pkt, salg, salglen)
  286. || !WPACKET_close(pkt)
  287. || !WPACKET_close(pkt)) {
  288. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  289. return EXT_RETURN_FAIL;
  290. }
  291. return EXT_RETURN_SENT;
  292. }
  293. #ifndef OPENSSL_NO_OCSP
  294. EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
  295. unsigned int context, X509 *x,
  296. size_t chainidx)
  297. {
  298. int i;
  299. /* This extension isn't defined for client Certificates */
  300. if (x != NULL)
  301. return EXT_RETURN_NOT_SENT;
  302. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
  303. return EXT_RETURN_NOT_SENT;
  304. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
  305. /* Sub-packet for status request extension */
  306. || !WPACKET_start_sub_packet_u16(pkt)
  307. || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
  308. /* Sub-packet for the ids */
  309. || !WPACKET_start_sub_packet_u16(pkt)) {
  310. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  311. return EXT_RETURN_FAIL;
  312. }
  313. for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
  314. unsigned char *idbytes;
  315. OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
  316. int idlen = i2d_OCSP_RESPID(id, NULL);
  317. if (idlen <= 0
  318. /* Sub-packet for an individual id */
  319. || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
  320. || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
  321. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  322. return EXT_RETURN_FAIL;
  323. }
  324. }
  325. if (!WPACKET_close(pkt)
  326. || !WPACKET_start_sub_packet_u16(pkt)) {
  327. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  328. return EXT_RETURN_FAIL;
  329. }
  330. if (s->ext.ocsp.exts) {
  331. unsigned char *extbytes;
  332. int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
  333. if (extlen < 0) {
  334. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  335. return EXT_RETURN_FAIL;
  336. }
  337. if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
  338. || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
  339. != extlen) {
  340. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  341. return EXT_RETURN_FAIL;
  342. }
  343. }
  344. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  345. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  346. return EXT_RETURN_FAIL;
  347. }
  348. return EXT_RETURN_SENT;
  349. }
  350. #endif
  351. #ifndef OPENSSL_NO_NEXTPROTONEG
  352. EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
  353. unsigned int context,
  354. X509 *x, size_t chainidx)
  355. {
  356. if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
  357. || !SSL_IS_FIRST_HANDSHAKE(s))
  358. return EXT_RETURN_NOT_SENT;
  359. /*
  360. * The client advertises an empty extension to indicate its support
  361. * for Next Protocol Negotiation
  362. */
  363. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
  364. || !WPACKET_put_bytes_u16(pkt, 0)) {
  365. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  366. return EXT_RETURN_FAIL;
  367. }
  368. return EXT_RETURN_SENT;
  369. }
  370. #endif
  371. EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
  372. unsigned int context,
  373. X509 *x, size_t chainidx)
  374. {
  375. s->s3.alpn_sent = 0;
  376. if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
  377. return EXT_RETURN_NOT_SENT;
  378. if (!WPACKET_put_bytes_u16(pkt,
  379. TLSEXT_TYPE_application_layer_protocol_negotiation)
  380. /* Sub-packet ALPN extension */
  381. || !WPACKET_start_sub_packet_u16(pkt)
  382. || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
  383. || !WPACKET_close(pkt)) {
  384. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  385. return EXT_RETURN_FAIL;
  386. }
  387. s->s3.alpn_sent = 1;
  388. return EXT_RETURN_SENT;
  389. }
  390. #ifndef OPENSSL_NO_SRTP
  391. EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
  392. unsigned int context, X509 *x,
  393. size_t chainidx)
  394. {
  395. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  396. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
  397. int i, end;
  398. if (clnt == NULL)
  399. return EXT_RETURN_NOT_SENT;
  400. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
  401. /* Sub-packet for SRTP extension */
  402. || !WPACKET_start_sub_packet_u16(pkt)
  403. /* Sub-packet for the protection profile list */
  404. || !WPACKET_start_sub_packet_u16(pkt)) {
  405. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  406. return EXT_RETURN_FAIL;
  407. }
  408. end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
  409. for (i = 0; i < end; i++) {
  410. const SRTP_PROTECTION_PROFILE *prof =
  411. sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  412. if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
  413. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  414. return EXT_RETURN_FAIL;
  415. }
  416. }
  417. if (!WPACKET_close(pkt)
  418. /* Add an empty use_mki value */
  419. || !WPACKET_put_bytes_u8(pkt, 0)
  420. || !WPACKET_close(pkt)) {
  421. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  422. return EXT_RETURN_FAIL;
  423. }
  424. return EXT_RETURN_SENT;
  425. }
  426. #endif
  427. EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
  428. unsigned int context,
  429. X509 *x, size_t chainidx)
  430. {
  431. if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  432. return EXT_RETURN_NOT_SENT;
  433. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
  434. || !WPACKET_put_bytes_u16(pkt, 0)) {
  435. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  436. return EXT_RETURN_FAIL;
  437. }
  438. return EXT_RETURN_SENT;
  439. }
  440. #ifndef OPENSSL_NO_CT
  441. EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
  442. unsigned int context,
  443. X509 *x, size_t chainidx)
  444. {
  445. if (s->ct_validation_callback == NULL)
  446. return EXT_RETURN_NOT_SENT;
  447. /* Not defined for client Certificates */
  448. if (x != NULL)
  449. return EXT_RETURN_NOT_SENT;
  450. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
  451. || !WPACKET_put_bytes_u16(pkt, 0)) {
  452. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  453. return EXT_RETURN_FAIL;
  454. }
  455. return EXT_RETURN_SENT;
  456. }
  457. #endif
  458. EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
  459. unsigned int context,
  460. X509 *x, size_t chainidx)
  461. {
  462. if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
  463. return EXT_RETURN_NOT_SENT;
  464. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
  465. || !WPACKET_put_bytes_u16(pkt, 0)) {
  466. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  467. return EXT_RETURN_FAIL;
  468. }
  469. return EXT_RETURN_SENT;
  470. }
  471. EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
  472. unsigned int context, X509 *x,
  473. size_t chainidx)
  474. {
  475. int currv, min_version, max_version, reason;
  476. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  477. if (reason != 0) {
  478. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  479. return EXT_RETURN_FAIL;
  480. }
  481. /*
  482. * Don't include this if we can't negotiate TLSv1.3. We can do a straight
  483. * comparison here because we will never be called in DTLS.
  484. */
  485. if (max_version < TLS1_3_VERSION)
  486. return EXT_RETURN_NOT_SENT;
  487. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
  488. || !WPACKET_start_sub_packet_u16(pkt)
  489. || !WPACKET_start_sub_packet_u8(pkt)) {
  490. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  491. return EXT_RETURN_FAIL;
  492. }
  493. for (currv = max_version; currv >= min_version; currv--) {
  494. if (!WPACKET_put_bytes_u16(pkt, currv)) {
  495. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  496. return EXT_RETURN_FAIL;
  497. }
  498. }
  499. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  500. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  501. return EXT_RETURN_FAIL;
  502. }
  503. return EXT_RETURN_SENT;
  504. }
  505. /*
  506. * Construct a psk_kex_modes extension.
  507. */
  508. EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
  509. unsigned int context, X509 *x,
  510. size_t chainidx)
  511. {
  512. #ifndef OPENSSL_NO_TLS1_3
  513. int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
  514. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
  515. || !WPACKET_start_sub_packet_u16(pkt)
  516. || !WPACKET_start_sub_packet_u8(pkt)
  517. || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
  518. || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
  519. || !WPACKET_close(pkt)
  520. || !WPACKET_close(pkt)) {
  521. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  522. return EXT_RETURN_FAIL;
  523. }
  524. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
  525. if (nodhe)
  526. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
  527. #endif
  528. return EXT_RETURN_SENT;
  529. }
  530. #ifndef OPENSSL_NO_TLS1_3
  531. static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
  532. {
  533. unsigned char *encoded_point = NULL;
  534. EVP_PKEY *key_share_key = NULL;
  535. size_t encodedlen;
  536. if (s->s3.tmp.pkey != NULL) {
  537. if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
  538. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  539. return 0;
  540. }
  541. /*
  542. * Could happen if we got an HRR that wasn't requesting a new key_share
  543. */
  544. key_share_key = s->s3.tmp.pkey;
  545. } else {
  546. key_share_key = ssl_generate_pkey_group(s, curve_id);
  547. if (key_share_key == NULL) {
  548. /* SSLfatal() already called */
  549. return 0;
  550. }
  551. }
  552. /* Encode the public key. */
  553. encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
  554. &encoded_point);
  555. if (encodedlen == 0) {
  556. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  557. goto err;
  558. }
  559. /* Create KeyShareEntry */
  560. if (!WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(curve_id))
  561. || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
  562. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  563. goto err;
  564. }
  565. /*
  566. * When changing to send more than one key_share we're
  567. * going to need to be able to save more than one EVP_PKEY. For now
  568. * we reuse the existing tmp.pkey
  569. */
  570. s->s3.tmp.pkey = key_share_key;
  571. s->s3.group_id = curve_id;
  572. OPENSSL_free(encoded_point);
  573. return 1;
  574. err:
  575. if (s->s3.tmp.pkey == NULL)
  576. EVP_PKEY_free(key_share_key);
  577. OPENSSL_free(encoded_point);
  578. return 0;
  579. }
  580. #endif
  581. EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
  582. unsigned int context, X509 *x,
  583. size_t chainidx)
  584. {
  585. #ifndef OPENSSL_NO_TLS1_3
  586. size_t i, num_groups = 0;
  587. const uint16_t *pgroups = NULL;
  588. uint16_t curve_id = 0;
  589. /* key_share extension */
  590. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  591. /* Extension data sub-packet */
  592. || !WPACKET_start_sub_packet_u16(pkt)
  593. /* KeyShare list sub-packet */
  594. || !WPACKET_start_sub_packet_u16(pkt)) {
  595. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  596. return EXT_RETURN_FAIL;
  597. }
  598. tls1_get_supported_groups(s, &pgroups, &num_groups);
  599. /*
  600. * Make the number of key_shares sent configurable. For
  601. * now, we just send one
  602. */
  603. if (s->s3.group_id != 0) {
  604. curve_id = s->s3.group_id;
  605. } else {
  606. for (i = 0; i < num_groups; i++) {
  607. if (ssl_group_id_internal_to_tls13(pgroups[i]) == 0)
  608. continue;
  609. if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
  610. continue;
  611. curve_id = pgroups[i];
  612. break;
  613. }
  614. }
  615. if (curve_id == 0) {
  616. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
  617. return EXT_RETURN_FAIL;
  618. }
  619. if (!add_key_share(s, pkt, curve_id)) {
  620. /* SSLfatal() already called */
  621. return EXT_RETURN_FAIL;
  622. }
  623. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  624. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  625. return EXT_RETURN_FAIL;
  626. }
  627. return EXT_RETURN_SENT;
  628. #else
  629. return EXT_RETURN_NOT_SENT;
  630. #endif
  631. }
  632. EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
  633. unsigned int context,
  634. X509 *x, size_t chainidx)
  635. {
  636. EXT_RETURN ret = EXT_RETURN_FAIL;
  637. /* Should only be set if we've had an HRR */
  638. if (s->ext.tls13_cookie_len == 0)
  639. return EXT_RETURN_NOT_SENT;
  640. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
  641. /* Extension data sub-packet */
  642. || !WPACKET_start_sub_packet_u16(pkt)
  643. || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
  644. s->ext.tls13_cookie_len)
  645. || !WPACKET_close(pkt)) {
  646. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  647. goto end;
  648. }
  649. ret = EXT_RETURN_SENT;
  650. end:
  651. OPENSSL_free(s->ext.tls13_cookie);
  652. s->ext.tls13_cookie = NULL;
  653. s->ext.tls13_cookie_len = 0;
  654. return ret;
  655. }
  656. EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
  657. unsigned int context, X509 *x,
  658. size_t chainidx)
  659. {
  660. #ifndef OPENSSL_NO_PSK
  661. char identity[PSK_MAX_IDENTITY_LEN + 1];
  662. #endif /* OPENSSL_NO_PSK */
  663. const unsigned char *id = NULL;
  664. size_t idlen = 0;
  665. SSL_SESSION *psksess = NULL;
  666. SSL_SESSION *edsess = NULL;
  667. const EVP_MD *handmd = NULL;
  668. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  669. if (s->hello_retry_request == SSL_HRR_PENDING)
  670. handmd = ssl_handshake_md(s);
  671. if (s->psk_use_session_cb != NULL
  672. && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
  673. || (psksess != NULL
  674. && psksess->ssl_version != TLS1_3_VERSION))) {
  675. SSL_SESSION_free(psksess);
  676. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  677. return EXT_RETURN_FAIL;
  678. }
  679. #ifndef OPENSSL_NO_PSK
  680. if (psksess == NULL && s->psk_client_callback != NULL) {
  681. unsigned char psk[PSK_MAX_PSK_LEN];
  682. size_t psklen = 0;
  683. memset(identity, 0, sizeof(identity));
  684. psklen = s->psk_client_callback(ssl, NULL,
  685. identity, sizeof(identity) - 1,
  686. psk, sizeof(psk));
  687. if (psklen > PSK_MAX_PSK_LEN) {
  688. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
  689. return EXT_RETURN_FAIL;
  690. } else if (psklen > 0) {
  691. const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
  692. const SSL_CIPHER *cipher;
  693. idlen = strlen(identity);
  694. if (idlen > PSK_MAX_IDENTITY_LEN) {
  695. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  696. return EXT_RETURN_FAIL;
  697. }
  698. id = (unsigned char *)identity;
  699. /*
  700. * We found a PSK using an old style callback. We don't know
  701. * the digest so we default to SHA256 as per the TLSv1.3 spec
  702. */
  703. cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
  704. if (cipher == NULL) {
  705. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  706. return EXT_RETURN_FAIL;
  707. }
  708. psksess = SSL_SESSION_new();
  709. if (psksess == NULL
  710. || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
  711. || !SSL_SESSION_set_cipher(psksess, cipher)
  712. || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
  713. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  714. OPENSSL_cleanse(psk, psklen);
  715. return EXT_RETURN_FAIL;
  716. }
  717. OPENSSL_cleanse(psk, psklen);
  718. }
  719. }
  720. #endif /* OPENSSL_NO_PSK */
  721. SSL_SESSION_free(s->psksession);
  722. s->psksession = psksess;
  723. if (psksess != NULL) {
  724. OPENSSL_free(s->psksession_id);
  725. s->psksession_id = OPENSSL_memdup(id, idlen);
  726. if (s->psksession_id == NULL) {
  727. s->psksession_id_len = 0;
  728. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  729. return EXT_RETURN_FAIL;
  730. }
  731. s->psksession_id_len = idlen;
  732. }
  733. if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
  734. || (s->session->ext.max_early_data == 0
  735. && (psksess == NULL || psksess->ext.max_early_data == 0))) {
  736. s->max_early_data = 0;
  737. return EXT_RETURN_NOT_SENT;
  738. }
  739. edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
  740. s->max_early_data = edsess->ext.max_early_data;
  741. if (edsess->ext.hostname != NULL) {
  742. if (s->ext.hostname == NULL
  743. || (s->ext.hostname != NULL
  744. && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
  745. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  746. SSL_R_INCONSISTENT_EARLY_DATA_SNI);
  747. return EXT_RETURN_FAIL;
  748. }
  749. }
  750. if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
  751. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  752. return EXT_RETURN_FAIL;
  753. }
  754. /*
  755. * Verify that we are offering an ALPN protocol consistent with the early
  756. * data.
  757. */
  758. if (edsess->ext.alpn_selected != NULL) {
  759. PACKET prots, alpnpkt;
  760. int found = 0;
  761. if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
  762. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  763. return EXT_RETURN_FAIL;
  764. }
  765. while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
  766. if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
  767. edsess->ext.alpn_selected_len)) {
  768. found = 1;
  769. break;
  770. }
  771. }
  772. if (!found) {
  773. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  774. SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  775. return EXT_RETURN_FAIL;
  776. }
  777. }
  778. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  779. || !WPACKET_start_sub_packet_u16(pkt)
  780. || !WPACKET_close(pkt)) {
  781. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  782. return EXT_RETURN_FAIL;
  783. }
  784. /*
  785. * We set this to rejected here. Later, if the server acknowledges the
  786. * extension, we set it to accepted.
  787. */
  788. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  789. s->ext.early_data_ok = 1;
  790. return EXT_RETURN_SENT;
  791. }
  792. #define F5_WORKAROUND_MIN_MSG_LEN 0xff
  793. #define F5_WORKAROUND_MAX_MSG_LEN 0x200
  794. /*
  795. * PSK pre binder overhead =
  796. * 2 bytes for TLSEXT_TYPE_psk
  797. * 2 bytes for extension length
  798. * 2 bytes for identities list length
  799. * 2 bytes for identity length
  800. * 4 bytes for obfuscated_ticket_age
  801. * 2 bytes for binder list length
  802. * 1 byte for binder length
  803. * The above excludes the number of bytes for the identity itself and the
  804. * subsequent binder bytes
  805. */
  806. #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
  807. EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
  808. unsigned int context, X509 *x,
  809. size_t chainidx)
  810. {
  811. unsigned char *padbytes;
  812. size_t hlen;
  813. if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
  814. return EXT_RETURN_NOT_SENT;
  815. /*
  816. * Add padding to workaround bugs in F5 terminators. See RFC7685.
  817. * This code calculates the length of all extensions added so far but
  818. * excludes the PSK extension (because that MUST be written last). Therefore
  819. * this extension MUST always appear second to last.
  820. */
  821. if (!WPACKET_get_total_written(pkt, &hlen)) {
  822. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  823. return EXT_RETURN_FAIL;
  824. }
  825. /*
  826. * If we're going to send a PSK then that will be written out after this
  827. * extension, so we need to calculate how long it is going to be.
  828. */
  829. if (s->session->ssl_version == TLS1_3_VERSION
  830. && s->session->ext.ticklen != 0
  831. && s->session->cipher != NULL) {
  832. const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
  833. s->session->cipher->algorithm2);
  834. if (md != NULL) {
  835. /*
  836. * Add the fixed PSK overhead, the identity length and the binder
  837. * length.
  838. */
  839. hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
  840. + EVP_MD_get_size(md);
  841. }
  842. }
  843. if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
  844. /* Calculate the amount of padding we need to add */
  845. hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
  846. /*
  847. * Take off the size of extension header itself (2 bytes for type and
  848. * 2 bytes for length bytes), but ensure that the extension is at least
  849. * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
  850. * 8.x are intolerant of that condition)
  851. */
  852. if (hlen > 4)
  853. hlen -= 4;
  854. else
  855. hlen = 1;
  856. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
  857. || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
  858. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  859. return EXT_RETURN_FAIL;
  860. }
  861. memset(padbytes, 0, hlen);
  862. }
  863. return EXT_RETURN_SENT;
  864. }
  865. /*
  866. * Construct the pre_shared_key extension
  867. */
  868. EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
  869. unsigned int context,
  870. X509 *x, size_t chainidx)
  871. {
  872. #ifndef OPENSSL_NO_TLS1_3
  873. uint32_t agesec, agems = 0;
  874. size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
  875. unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
  876. const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
  877. int dores = 0;
  878. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  879. s->ext.tick_identity = 0;
  880. /*
  881. * Note: At this stage of the code we only support adding a single
  882. * resumption PSK. If we add support for multiple PSKs then the length
  883. * calculations in the padding extension will need to be adjusted.
  884. */
  885. /*
  886. * If this is an incompatible or new session then we have nothing to resume
  887. * so don't add this extension.
  888. */
  889. if (s->session->ssl_version != TLS1_3_VERSION
  890. || (s->session->ext.ticklen == 0 && s->psksession == NULL))
  891. return EXT_RETURN_NOT_SENT;
  892. if (s->hello_retry_request == SSL_HRR_PENDING)
  893. handmd = ssl_handshake_md(s);
  894. if (s->session->ext.ticklen != 0) {
  895. /* Get the digest associated with the ciphersuite in the session */
  896. if (s->session->cipher == NULL) {
  897. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  898. return EXT_RETURN_FAIL;
  899. }
  900. mdres = ssl_md(sctx, s->session->cipher->algorithm2);
  901. if (mdres == NULL) {
  902. /*
  903. * Don't recognize this cipher so we can't use the session.
  904. * Ignore it
  905. */
  906. goto dopsksess;
  907. }
  908. if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
  909. /*
  910. * Selected ciphersuite hash does not match the hash for the session
  911. * so we can't use it.
  912. */
  913. goto dopsksess;
  914. }
  915. /*
  916. * Technically the C standard just says time() returns a time_t and says
  917. * nothing about the encoding of that type. In practice most
  918. * implementations follow POSIX which holds it as an integral type in
  919. * seconds since epoch. We've already made the assumption that we can do
  920. * this in multiple places in the code, so portability shouldn't be an
  921. * issue.
  922. */
  923. agesec = (uint32_t)(time(NULL) - s->session->time);
  924. /*
  925. * We calculate the age in seconds but the server may work in ms. Due to
  926. * rounding errors we could overestimate the age by up to 1s. It is
  927. * better to underestimate it. Otherwise, if the RTT is very short, when
  928. * the server calculates the age reported by the client it could be
  929. * bigger than the age calculated on the server - which should never
  930. * happen.
  931. */
  932. if (agesec > 0)
  933. agesec--;
  934. if (s->session->ext.tick_lifetime_hint < agesec) {
  935. /* Ticket is too old. Ignore it. */
  936. goto dopsksess;
  937. }
  938. /*
  939. * Calculate age in ms. We're just doing it to nearest second. Should be
  940. * good enough.
  941. */
  942. agems = agesec * (uint32_t)1000;
  943. if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
  944. /*
  945. * Overflow. Shouldn't happen unless this is a *really* old session.
  946. * If so we just ignore it.
  947. */
  948. goto dopsksess;
  949. }
  950. /*
  951. * Obfuscate the age. Overflow here is fine, this addition is supposed
  952. * to be mod 2^32.
  953. */
  954. agems += s->session->ext.tick_age_add;
  955. reshashsize = EVP_MD_get_size(mdres);
  956. s->ext.tick_identity++;
  957. dores = 1;
  958. }
  959. dopsksess:
  960. if (!dores && s->psksession == NULL)
  961. return EXT_RETURN_NOT_SENT;
  962. if (s->psksession != NULL) {
  963. mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
  964. if (mdpsk == NULL) {
  965. /*
  966. * Don't recognize this cipher so we can't use the session.
  967. * If this happens it's an application bug.
  968. */
  969. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  970. return EXT_RETURN_FAIL;
  971. }
  972. if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
  973. /*
  974. * Selected ciphersuite hash does not match the hash for the PSK
  975. * session. This is an application bug.
  976. */
  977. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  978. return EXT_RETURN_FAIL;
  979. }
  980. pskhashsize = EVP_MD_get_size(mdpsk);
  981. }
  982. /* Create the extension, but skip over the binder for now */
  983. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
  984. || !WPACKET_start_sub_packet_u16(pkt)
  985. || !WPACKET_start_sub_packet_u16(pkt)) {
  986. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  987. return EXT_RETURN_FAIL;
  988. }
  989. if (dores) {
  990. if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
  991. s->session->ext.ticklen)
  992. || !WPACKET_put_bytes_u32(pkt, agems)) {
  993. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  994. return EXT_RETURN_FAIL;
  995. }
  996. }
  997. if (s->psksession != NULL) {
  998. if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
  999. s->psksession_id_len)
  1000. || !WPACKET_put_bytes_u32(pkt, 0)) {
  1001. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1002. return EXT_RETURN_FAIL;
  1003. }
  1004. s->ext.tick_identity++;
  1005. }
  1006. if (!WPACKET_close(pkt)
  1007. || !WPACKET_get_total_written(pkt, &binderoffset)
  1008. || !WPACKET_start_sub_packet_u16(pkt)
  1009. || (dores
  1010. && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
  1011. || (s->psksession != NULL
  1012. && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
  1013. || !WPACKET_close(pkt)
  1014. || !WPACKET_close(pkt)
  1015. || !WPACKET_get_total_written(pkt, &msglen)
  1016. /*
  1017. * We need to fill in all the sub-packet lengths now so we can
  1018. * calculate the HMAC of the message up to the binders
  1019. */
  1020. || !WPACKET_fill_lengths(pkt)) {
  1021. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1022. return EXT_RETURN_FAIL;
  1023. }
  1024. msgstart = WPACKET_get_curr(pkt) - msglen;
  1025. if (dores
  1026. && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
  1027. resbinder, s->session, 1, 0) != 1) {
  1028. /* SSLfatal() already called */
  1029. return EXT_RETURN_FAIL;
  1030. }
  1031. if (s->psksession != NULL
  1032. && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
  1033. pskbinder, s->psksession, 1, 1) != 1) {
  1034. /* SSLfatal() already called */
  1035. return EXT_RETURN_FAIL;
  1036. }
  1037. return EXT_RETURN_SENT;
  1038. #else
  1039. return EXT_RETURN_NOT_SENT;
  1040. #endif
  1041. }
  1042. EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
  1043. ossl_unused unsigned int context,
  1044. ossl_unused X509 *x,
  1045. ossl_unused size_t chainidx)
  1046. {
  1047. #ifndef OPENSSL_NO_TLS1_3
  1048. if (!s->pha_enabled)
  1049. return EXT_RETURN_NOT_SENT;
  1050. /* construct extension - 0 length, no contents */
  1051. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
  1052. || !WPACKET_start_sub_packet_u16(pkt)
  1053. || !WPACKET_close(pkt)) {
  1054. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1055. return EXT_RETURN_FAIL;
  1056. }
  1057. s->post_handshake_auth = SSL_PHA_EXT_SENT;
  1058. return EXT_RETURN_SENT;
  1059. #else
  1060. return EXT_RETURN_NOT_SENT;
  1061. #endif
  1062. }
  1063. /*
  1064. * Parse the server's renegotiation binding and abort if it's not right
  1065. */
  1066. int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
  1067. unsigned int context,
  1068. X509 *x, size_t chainidx)
  1069. {
  1070. size_t expected_len = s->s3.previous_client_finished_len
  1071. + s->s3.previous_server_finished_len;
  1072. size_t ilen;
  1073. const unsigned char *data;
  1074. /* Check for logic errors */
  1075. if (!ossl_assert(expected_len == 0
  1076. || s->s3.previous_client_finished_len != 0)
  1077. || !ossl_assert(expected_len == 0
  1078. || s->s3.previous_server_finished_len != 0)) {
  1079. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1080. return 0;
  1081. }
  1082. /* Parse the length byte */
  1083. if (!PACKET_get_1_len(pkt, &ilen)) {
  1084. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
  1085. return 0;
  1086. }
  1087. /* Consistency check */
  1088. if (PACKET_remaining(pkt) != ilen) {
  1089. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
  1090. return 0;
  1091. }
  1092. /* Check that the extension matches */
  1093. if (ilen != expected_len) {
  1094. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
  1095. return 0;
  1096. }
  1097. if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
  1098. || memcmp(data, s->s3.previous_client_finished,
  1099. s->s3.previous_client_finished_len) != 0) {
  1100. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
  1101. return 0;
  1102. }
  1103. if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
  1104. || memcmp(data, s->s3.previous_server_finished,
  1105. s->s3.previous_server_finished_len) != 0) {
  1106. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
  1107. return 0;
  1108. }
  1109. s->s3.send_connection_binding = 1;
  1110. return 1;
  1111. }
  1112. /* Parse the server's max fragment len extension packet */
  1113. int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
  1114. unsigned int context,
  1115. X509 *x, size_t chainidx)
  1116. {
  1117. unsigned int value;
  1118. if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
  1119. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1120. return 0;
  1121. }
  1122. /* |value| should contains a valid max-fragment-length code. */
  1123. if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
  1124. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1125. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1126. return 0;
  1127. }
  1128. /* Must be the same value as client-configured one who was sent to server */
  1129. /*-
  1130. * RFC 6066: if a client receives a maximum fragment length negotiation
  1131. * response that differs from the length it requested, ...
  1132. * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
  1133. */
  1134. if (value != s->ext.max_fragment_len_mode) {
  1135. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1136. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1137. return 0;
  1138. }
  1139. /*
  1140. * Maximum Fragment Length Negotiation succeeded.
  1141. * The negotiated Maximum Fragment Length is binding now.
  1142. */
  1143. s->session->ext.max_fragment_len_mode = value;
  1144. return 1;
  1145. }
  1146. int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
  1147. unsigned int context,
  1148. X509 *x, size_t chainidx)
  1149. {
  1150. if (s->ext.hostname == NULL) {
  1151. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1152. return 0;
  1153. }
  1154. if (PACKET_remaining(pkt) > 0) {
  1155. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1156. return 0;
  1157. }
  1158. if (!s->hit) {
  1159. if (s->session->ext.hostname != NULL) {
  1160. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1161. return 0;
  1162. }
  1163. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  1164. if (s->session->ext.hostname == NULL) {
  1165. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1166. return 0;
  1167. }
  1168. }
  1169. return 1;
  1170. }
  1171. int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
  1172. unsigned int context,
  1173. X509 *x, size_t chainidx)
  1174. {
  1175. size_t ecpointformats_len;
  1176. PACKET ecptformatlist;
  1177. if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
  1178. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1179. return 0;
  1180. }
  1181. if (!s->hit) {
  1182. ecpointformats_len = PACKET_remaining(&ecptformatlist);
  1183. if (ecpointformats_len == 0) {
  1184. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
  1185. return 0;
  1186. }
  1187. s->ext.peer_ecpointformats_len = 0;
  1188. OPENSSL_free(s->ext.peer_ecpointformats);
  1189. s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
  1190. if (s->ext.peer_ecpointformats == NULL) {
  1191. s->ext.peer_ecpointformats_len = 0;
  1192. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1193. return 0;
  1194. }
  1195. s->ext.peer_ecpointformats_len = ecpointformats_len;
  1196. if (!PACKET_copy_bytes(&ecptformatlist,
  1197. s->ext.peer_ecpointformats,
  1198. ecpointformats_len)) {
  1199. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1200. return 0;
  1201. }
  1202. }
  1203. return 1;
  1204. }
  1205. int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
  1206. unsigned int context,
  1207. X509 *x, size_t chainidx)
  1208. {
  1209. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1210. if (s->ext.session_ticket_cb != NULL &&
  1211. !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
  1212. PACKET_remaining(pkt),
  1213. s->ext.session_ticket_cb_arg)) {
  1214. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
  1215. return 0;
  1216. }
  1217. if (!tls_use_ticket(s)) {
  1218. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1219. return 0;
  1220. }
  1221. if (PACKET_remaining(pkt) > 0) {
  1222. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1223. return 0;
  1224. }
  1225. s->ext.ticket_expected = 1;
  1226. return 1;
  1227. }
  1228. #ifndef OPENSSL_NO_OCSP
  1229. int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
  1230. unsigned int context,
  1231. X509 *x, size_t chainidx)
  1232. {
  1233. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1234. /* We ignore this if the server sends a CertificateRequest */
  1235. return 1;
  1236. }
  1237. /*
  1238. * MUST only be sent if we've requested a status
  1239. * request message. In TLS <= 1.2 it must also be empty.
  1240. */
  1241. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
  1242. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1243. return 0;
  1244. }
  1245. if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
  1246. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1247. return 0;
  1248. }
  1249. if (SSL_CONNECTION_IS_TLS13(s)) {
  1250. /* We only know how to handle this if it's for the first Certificate in
  1251. * the chain. We ignore any other responses.
  1252. */
  1253. if (chainidx != 0)
  1254. return 1;
  1255. /* SSLfatal() already called */
  1256. return tls_process_cert_status_body(s, pkt);
  1257. }
  1258. /* Set flag to expect CertificateStatus message */
  1259. s->ext.status_expected = 1;
  1260. return 1;
  1261. }
  1262. #endif
  1263. #ifndef OPENSSL_NO_CT
  1264. int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1265. X509 *x, size_t chainidx)
  1266. {
  1267. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1268. /* We ignore this if the server sends it in a CertificateRequest */
  1269. return 1;
  1270. }
  1271. /*
  1272. * Only take it if we asked for it - i.e if there is no CT validation
  1273. * callback set, then a custom extension MAY be processing it, so we
  1274. * need to let control continue to flow to that.
  1275. */
  1276. if (s->ct_validation_callback != NULL) {
  1277. size_t size = PACKET_remaining(pkt);
  1278. /* Simply copy it off for later processing */
  1279. OPENSSL_free(s->ext.scts);
  1280. s->ext.scts = NULL;
  1281. s->ext.scts_len = (uint16_t)size;
  1282. if (size > 0) {
  1283. s->ext.scts = OPENSSL_malloc(size);
  1284. if (s->ext.scts == NULL) {
  1285. s->ext.scts_len = 0;
  1286. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  1287. return 0;
  1288. }
  1289. if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
  1290. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1291. return 0;
  1292. }
  1293. }
  1294. } else {
  1295. ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  1296. ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
  1297. /*
  1298. * If we didn't ask for it then there must be a custom extension,
  1299. * otherwise this is unsolicited.
  1300. */
  1301. if (custom_ext_find(&s->cert->custext, role,
  1302. TLSEXT_TYPE_signed_certificate_timestamp,
  1303. NULL) == NULL) {
  1304. SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1305. return 0;
  1306. }
  1307. if (!custom_ext_parse(s, context,
  1308. TLSEXT_TYPE_signed_certificate_timestamp,
  1309. PACKET_data(pkt), PACKET_remaining(pkt),
  1310. x, chainidx)) {
  1311. /* SSLfatal already called */
  1312. return 0;
  1313. }
  1314. }
  1315. return 1;
  1316. }
  1317. #endif
  1318. #ifndef OPENSSL_NO_NEXTPROTONEG
  1319. /*
  1320. * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  1321. * elements of zero length are allowed and the set of elements must exactly
  1322. * fill the length of the block. Returns 1 on success or 0 on failure.
  1323. */
  1324. static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
  1325. {
  1326. PACKET tmp_protocol;
  1327. while (PACKET_remaining(pkt)) {
  1328. if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
  1329. || PACKET_remaining(&tmp_protocol) == 0) {
  1330. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1331. return 0;
  1332. }
  1333. }
  1334. return 1;
  1335. }
  1336. int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1337. X509 *x, size_t chainidx)
  1338. {
  1339. unsigned char *selected;
  1340. unsigned char selected_len;
  1341. PACKET tmppkt;
  1342. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1343. /* Check if we are in a renegotiation. If so ignore this extension */
  1344. if (!SSL_IS_FIRST_HANDSHAKE(s))
  1345. return 1;
  1346. /* We must have requested it. */
  1347. if (sctx->ext.npn_select_cb == NULL) {
  1348. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1349. return 0;
  1350. }
  1351. /* The data must be valid */
  1352. tmppkt = *pkt;
  1353. if (!ssl_next_proto_validate(s, &tmppkt)) {
  1354. /* SSLfatal() already called */
  1355. return 0;
  1356. }
  1357. if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
  1358. &selected, &selected_len,
  1359. PACKET_data(pkt), PACKET_remaining(pkt),
  1360. sctx->ext.npn_select_cb_arg) !=
  1361. SSL_TLSEXT_ERR_OK) {
  1362. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
  1363. return 0;
  1364. }
  1365. /*
  1366. * Could be non-NULL if server has sent multiple NPN extensions in
  1367. * a single Serverhello
  1368. */
  1369. OPENSSL_free(s->ext.npn);
  1370. s->ext.npn = OPENSSL_malloc(selected_len);
  1371. if (s->ext.npn == NULL) {
  1372. s->ext.npn_len = 0;
  1373. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1374. return 0;
  1375. }
  1376. memcpy(s->ext.npn, selected, selected_len);
  1377. s->ext.npn_len = selected_len;
  1378. s->s3.npn_seen = 1;
  1379. return 1;
  1380. }
  1381. #endif
  1382. int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1383. X509 *x, size_t chainidx)
  1384. {
  1385. size_t len;
  1386. /* We must have requested it. */
  1387. if (!s->s3.alpn_sent) {
  1388. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
  1389. return 0;
  1390. }
  1391. /*-
  1392. * The extension data consists of:
  1393. * uint16 list_length
  1394. * uint8 proto_length;
  1395. * uint8 proto[proto_length];
  1396. */
  1397. if (!PACKET_get_net_2_len(pkt, &len)
  1398. || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
  1399. || PACKET_remaining(pkt) != len) {
  1400. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1401. return 0;
  1402. }
  1403. OPENSSL_free(s->s3.alpn_selected);
  1404. s->s3.alpn_selected = OPENSSL_malloc(len);
  1405. if (s->s3.alpn_selected == NULL) {
  1406. s->s3.alpn_selected_len = 0;
  1407. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1408. return 0;
  1409. }
  1410. if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
  1411. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1412. return 0;
  1413. }
  1414. s->s3.alpn_selected_len = len;
  1415. if (s->session->ext.alpn_selected == NULL
  1416. || s->session->ext.alpn_selected_len != len
  1417. || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
  1418. != 0) {
  1419. /* ALPN not consistent with the old session so cannot use early_data */
  1420. s->ext.early_data_ok = 0;
  1421. }
  1422. if (!s->hit) {
  1423. /*
  1424. * This is a new session and so alpn_selected should have been
  1425. * initialised to NULL. We should update it with the selected ALPN.
  1426. */
  1427. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1428. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1429. return 0;
  1430. }
  1431. s->session->ext.alpn_selected =
  1432. OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
  1433. if (s->session->ext.alpn_selected == NULL) {
  1434. s->session->ext.alpn_selected_len = 0;
  1435. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1436. return 0;
  1437. }
  1438. s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
  1439. }
  1440. return 1;
  1441. }
  1442. #ifndef OPENSSL_NO_SRTP
  1443. int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
  1444. unsigned int context, X509 *x, size_t chainidx)
  1445. {
  1446. unsigned int id, ct, mki;
  1447. int i;
  1448. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
  1449. SRTP_PROTECTION_PROFILE *prof;
  1450. if (!PACKET_get_net_2(pkt, &ct) || ct != 2
  1451. || !PACKET_get_net_2(pkt, &id)
  1452. || !PACKET_get_1(pkt, &mki)
  1453. || PACKET_remaining(pkt) != 0) {
  1454. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1455. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1456. return 0;
  1457. }
  1458. if (mki != 0) {
  1459. /* Must be no MKI, since we never offer one */
  1460. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
  1461. return 0;
  1462. }
  1463. /* Throw an error if the server gave us an unsolicited extension */
  1464. clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
  1465. if (clnt == NULL) {
  1466. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
  1467. return 0;
  1468. }
  1469. /*
  1470. * Check to see if the server gave us something we support (and
  1471. * presumably offered)
  1472. */
  1473. for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
  1474. prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  1475. if (prof->id == id) {
  1476. s->srtp_profile = prof;
  1477. return 1;
  1478. }
  1479. }
  1480. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1481. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1482. return 0;
  1483. }
  1484. #endif
  1485. int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1486. X509 *x, size_t chainidx)
  1487. {
  1488. /* Ignore if inappropriate ciphersuite */
  1489. if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  1490. && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
  1491. && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
  1492. && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
  1493. && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
  1494. && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
  1495. && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
  1496. s->ext.use_etm = 1;
  1497. return 1;
  1498. }
  1499. int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1500. X509 *x, size_t chainidx)
  1501. {
  1502. if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
  1503. return 1;
  1504. s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
  1505. if (!s->hit)
  1506. s->session->flags |= SSL_SESS_FLAG_EXTMS;
  1507. return 1;
  1508. }
  1509. int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
  1510. unsigned int context,
  1511. X509 *x, size_t chainidx)
  1512. {
  1513. unsigned int version;
  1514. if (!PACKET_get_net_2(pkt, &version)
  1515. || PACKET_remaining(pkt) != 0) {
  1516. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1517. return 0;
  1518. }
  1519. /*
  1520. * The only protocol version we support which is valid in this extension in
  1521. * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
  1522. */
  1523. if (version != TLS1_3_VERSION) {
  1524. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1525. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  1526. return 0;
  1527. }
  1528. /* We ignore this extension for HRRs except to sanity check it */
  1529. if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
  1530. return 1;
  1531. /* We just set it here. We validate it in ssl_choose_client_version */
  1532. s->version = version;
  1533. s->rlayer.rrlmethod->set_protocol_version(s->rlayer.rrl, version);
  1534. return 1;
  1535. }
  1536. int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
  1537. unsigned int context, X509 *x,
  1538. size_t chainidx)
  1539. {
  1540. #ifndef OPENSSL_NO_TLS1_3
  1541. unsigned int group_id;
  1542. PACKET encoded_pt;
  1543. EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
  1544. const TLS_GROUP_INFO *ginf = NULL;
  1545. /* Sanity check */
  1546. if (ckey == NULL || s->s3.peer_tmp != NULL) {
  1547. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1548. return 0;
  1549. }
  1550. if (!PACKET_get_net_2(pkt, &group_id)) {
  1551. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1552. return 0;
  1553. }
  1554. group_id = ssl_group_id_tls13_to_internal(group_id);
  1555. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
  1556. const uint16_t *pgroups = NULL;
  1557. size_t i, num_groups;
  1558. if (PACKET_remaining(pkt) != 0) {
  1559. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1560. return 0;
  1561. }
  1562. /*
  1563. * It is an error if the HelloRetryRequest wants a key_share that we
  1564. * already sent in the first ClientHello
  1565. */
  1566. if (group_id == s->s3.group_id) {
  1567. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1568. return 0;
  1569. }
  1570. /* Validate the selected group is one we support */
  1571. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1572. for (i = 0; i < num_groups; i++) {
  1573. if (group_id == pgroups[i])
  1574. break;
  1575. }
  1576. if (i >= num_groups
  1577. || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
  1578. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1579. return 0;
  1580. }
  1581. s->s3.group_id = group_id;
  1582. EVP_PKEY_free(s->s3.tmp.pkey);
  1583. s->s3.tmp.pkey = NULL;
  1584. return 1;
  1585. }
  1586. if (group_id != s->s3.group_id) {
  1587. /*
  1588. * This isn't for the group that we sent in the original
  1589. * key_share!
  1590. */
  1591. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1592. return 0;
  1593. }
  1594. /* Retain this group in the SSL_SESSION */
  1595. if (!s->hit) {
  1596. s->session->kex_group = group_id;
  1597. } else if (group_id != s->session->kex_group) {
  1598. /*
  1599. * If this is a resumption but changed what group was used, we need
  1600. * to record the new group in the session, but the session is not
  1601. * a new session and could be in use by other threads. So, make
  1602. * a copy of the session to record the new information so that it's
  1603. * useful for any sessions resumed from tickets issued on this
  1604. * connection.
  1605. */
  1606. SSL_SESSION *new_sess;
  1607. if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
  1608. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  1609. return 0;
  1610. }
  1611. SSL_SESSION_free(s->session);
  1612. s->session = new_sess;
  1613. s->session->kex_group = group_id;
  1614. }
  1615. if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
  1616. group_id)) == NULL) {
  1617. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  1618. return 0;
  1619. }
  1620. if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
  1621. || PACKET_remaining(&encoded_pt) == 0) {
  1622. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1623. return 0;
  1624. }
  1625. if (!ginf->is_kem) {
  1626. /* Regular KEX */
  1627. skey = EVP_PKEY_new();
  1628. if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
  1629. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
  1630. EVP_PKEY_free(skey);
  1631. return 0;
  1632. }
  1633. if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
  1634. PACKET_remaining(&encoded_pt)) <= 0) {
  1635. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
  1636. EVP_PKEY_free(skey);
  1637. return 0;
  1638. }
  1639. if (ssl_derive(s, ckey, skey, 1) == 0) {
  1640. /* SSLfatal() already called */
  1641. EVP_PKEY_free(skey);
  1642. return 0;
  1643. }
  1644. s->s3.peer_tmp = skey;
  1645. } else {
  1646. /* KEM Mode */
  1647. const unsigned char *ct = PACKET_data(&encoded_pt);
  1648. size_t ctlen = PACKET_remaining(&encoded_pt);
  1649. if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
  1650. /* SSLfatal() already called */
  1651. return 0;
  1652. }
  1653. }
  1654. s->s3.did_kex = 1;
  1655. #endif
  1656. return 1;
  1657. }
  1658. int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  1659. X509 *x, size_t chainidx)
  1660. {
  1661. PACKET cookie;
  1662. if (!PACKET_as_length_prefixed_2(pkt, &cookie)
  1663. || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
  1664. &s->ext.tls13_cookie_len)) {
  1665. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1666. return 0;
  1667. }
  1668. return 1;
  1669. }
  1670. int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
  1671. unsigned int context,
  1672. X509 *x, size_t chainidx)
  1673. {
  1674. if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
  1675. unsigned long max_early_data;
  1676. if (!PACKET_get_net_4(pkt, &max_early_data)
  1677. || PACKET_remaining(pkt) != 0) {
  1678. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
  1679. return 0;
  1680. }
  1681. s->session->ext.max_early_data = max_early_data;
  1682. return 1;
  1683. }
  1684. if (PACKET_remaining(pkt) != 0) {
  1685. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1686. return 0;
  1687. }
  1688. if (!s->ext.early_data_ok
  1689. || !s->hit) {
  1690. /*
  1691. * If we get here then we didn't send early data, or we didn't resume
  1692. * using the first identity, or the SNI/ALPN is not consistent so the
  1693. * server should not be accepting it.
  1694. */
  1695. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  1696. return 0;
  1697. }
  1698. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1699. return 1;
  1700. }
  1701. int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
  1702. unsigned int context, X509 *x,
  1703. size_t chainidx)
  1704. {
  1705. #ifndef OPENSSL_NO_TLS1_3
  1706. unsigned int identity;
  1707. if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
  1708. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  1709. return 0;
  1710. }
  1711. if (identity >= (unsigned int)s->ext.tick_identity) {
  1712. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
  1713. return 0;
  1714. }
  1715. /*
  1716. * Session resumption tickets are always sent before PSK tickets. If the
  1717. * ticket index is 0 then it must be for a session resumption ticket if we
  1718. * sent two tickets, or if we didn't send a PSK ticket.
  1719. */
  1720. if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
  1721. s->hit = 1;
  1722. SSL_SESSION_free(s->psksession);
  1723. s->psksession = NULL;
  1724. return 1;
  1725. }
  1726. if (s->psksession == NULL) {
  1727. /* Should never happen */
  1728. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1729. return 0;
  1730. }
  1731. /*
  1732. * If we used the external PSK for sending early_data then s->early_secret
  1733. * is already set up, so don't overwrite it. Otherwise we copy the
  1734. * early_secret across that we generated earlier.
  1735. */
  1736. if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
  1737. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
  1738. || s->session->ext.max_early_data > 0
  1739. || s->psksession->ext.max_early_data == 0)
  1740. memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
  1741. SSL_SESSION_free(s->session);
  1742. s->session = s->psksession;
  1743. s->psksession = NULL;
  1744. s->hit = 1;
  1745. /* Early data is only allowed if we used the first ticket */
  1746. if (identity != 0)
  1747. s->ext.early_data_ok = 0;
  1748. #endif
  1749. return 1;
  1750. }