2
0

extensions_srvr.c 66 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915
  1. /*
  2. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_locl.h"
  11. #include "statem_locl.h"
  12. #include "internal/cryptlib.h"
  13. #define COOKIE_STATE_FORMAT_VERSION 0
  14. /*
  15. * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
  16. * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
  17. * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
  18. * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
  19. * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
  20. */
  21. #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
  22. + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
  23. /*
  24. * Message header + 2 bytes for protocol version + number of random bytes +
  25. * + 1 byte for legacy session id length + number of bytes in legacy session id
  26. * + 2 bytes for ciphersuite + 1 byte for legacy compression
  27. * + 2 bytes for extension block length + 6 bytes for key_share extension
  28. * + 4 bytes for cookie extension header + the number of bytes in the cookie
  29. */
  30. #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
  31. + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
  32. + MAX_COOKIE_SIZE)
  33. /*
  34. * Parse the client's renegotiation binding and abort if it's not right
  35. */
  36. int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
  37. X509 *x, size_t chainidx)
  38. {
  39. unsigned int ilen;
  40. const unsigned char *data;
  41. /* Parse the length byte */
  42. if (!PACKET_get_1(pkt, &ilen)
  43. || !PACKET_get_bytes(pkt, &data, ilen)) {
  44. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
  45. SSL_R_RENEGOTIATION_ENCODING_ERR);
  46. return 0;
  47. }
  48. /* Check that the extension matches */
  49. if (ilen != s->s3->previous_client_finished_len) {
  50. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
  51. SSL_R_RENEGOTIATION_MISMATCH);
  52. return 0;
  53. }
  54. if (memcmp(data, s->s3->previous_client_finished,
  55. s->s3->previous_client_finished_len)) {
  56. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
  57. SSL_R_RENEGOTIATION_MISMATCH);
  58. return 0;
  59. }
  60. s->s3->send_connection_binding = 1;
  61. return 1;
  62. }
  63. /*-
  64. * The servername extension is treated as follows:
  65. *
  66. * - Only the hostname type is supported with a maximum length of 255.
  67. * - The servername is rejected if too long or if it contains zeros,
  68. * in which case an fatal alert is generated.
  69. * - The servername field is maintained together with the session cache.
  70. * - When a session is resumed, the servername call back invoked in order
  71. * to allow the application to position itself to the right context.
  72. * - The servername is acknowledged if it is new for a session or when
  73. * it is identical to a previously used for the same session.
  74. * Applications can control the behaviour. They can at any time
  75. * set a 'desirable' servername for a new SSL object. This can be the
  76. * case for example with HTTPS when a Host: header field is received and
  77. * a renegotiation is requested. In this case, a possible servername
  78. * presented in the new client hello is only acknowledged if it matches
  79. * the value of the Host: field.
  80. * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  81. * if they provide for changing an explicit servername context for the
  82. * session, i.e. when the session has been established with a servername
  83. * extension.
  84. * - On session reconnect, the servername extension may be absent.
  85. */
  86. int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
  87. X509 *x, size_t chainidx)
  88. {
  89. unsigned int servname_type;
  90. PACKET sni, hostname;
  91. if (!PACKET_as_length_prefixed_2(pkt, &sni)
  92. /* ServerNameList must be at least 1 byte long. */
  93. || PACKET_remaining(&sni) == 0) {
  94. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
  95. SSL_R_BAD_EXTENSION);
  96. return 0;
  97. }
  98. /*
  99. * Although the intent was for server_name to be extensible, RFC 4366
  100. * was not clear about it; and so OpenSSL among other implementations,
  101. * always and only allows a 'host_name' name types.
  102. * RFC 6066 corrected the mistake but adding new name types
  103. * is nevertheless no longer feasible, so act as if no other
  104. * SNI types can exist, to simplify parsing.
  105. *
  106. * Also note that the RFC permits only one SNI value per type,
  107. * i.e., we can only have a single hostname.
  108. */
  109. if (!PACKET_get_1(&sni, &servname_type)
  110. || servname_type != TLSEXT_NAMETYPE_host_name
  111. || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
  112. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
  113. SSL_R_BAD_EXTENSION);
  114. return 0;
  115. }
  116. if (!s->hit) {
  117. if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
  118. SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
  119. SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
  120. SSL_R_BAD_EXTENSION);
  121. return 0;
  122. }
  123. if (PACKET_contains_zero_byte(&hostname)) {
  124. SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
  125. SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
  126. SSL_R_BAD_EXTENSION);
  127. return 0;
  128. }
  129. OPENSSL_free(s->session->ext.hostname);
  130. s->session->ext.hostname = NULL;
  131. if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
  132. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
  133. ERR_R_INTERNAL_ERROR);
  134. return 0;
  135. }
  136. s->servername_done = 1;
  137. } else {
  138. /*
  139. * TODO(openssl-team): if the SNI doesn't match, we MUST
  140. * fall back to a full handshake.
  141. */
  142. s->servername_done = s->session->ext.hostname
  143. && PACKET_equal(&hostname, s->session->ext.hostname,
  144. strlen(s->session->ext.hostname));
  145. if (!s->servername_done && s->session->ext.hostname != NULL)
  146. s->ext.early_data_ok = 0;
  147. }
  148. return 1;
  149. }
  150. int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
  151. X509 *x, size_t chainidx)
  152. {
  153. unsigned int value;
  154. if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
  155. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
  156. SSL_R_BAD_EXTENSION);
  157. return 0;
  158. }
  159. /* Received |value| should be a valid max-fragment-length code. */
  160. if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
  161. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  162. SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
  163. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  164. return 0;
  165. }
  166. /*
  167. * RFC 6066: The negotiated length applies for the duration of the session
  168. * including session resumptions.
  169. * We should receive the same code as in resumed session !
  170. */
  171. if (s->hit && s->session->ext.max_fragment_len_mode != value) {
  172. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  173. SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
  174. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  175. return 0;
  176. }
  177. /*
  178. * Store it in session, so it'll become binding for us
  179. * and we'll include it in a next Server Hello.
  180. */
  181. s->session->ext.max_fragment_len_mode = value;
  182. return 1;
  183. }
  184. #ifndef OPENSSL_NO_SRP
  185. int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  186. size_t chainidx)
  187. {
  188. PACKET srp_I;
  189. if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
  190. || PACKET_contains_zero_byte(&srp_I)) {
  191. SSLfatal(s, SSL_AD_DECODE_ERROR,
  192. SSL_F_TLS_PARSE_CTOS_SRP,
  193. SSL_R_BAD_EXTENSION);
  194. return 0;
  195. }
  196. /*
  197. * TODO(openssl-team): currently, we re-authenticate the user
  198. * upon resumption. Instead, we MUST ignore the login.
  199. */
  200. if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
  201. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
  202. ERR_R_INTERNAL_ERROR);
  203. return 0;
  204. }
  205. return 1;
  206. }
  207. #endif
  208. #ifndef OPENSSL_NO_EC
  209. int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
  210. X509 *x, size_t chainidx)
  211. {
  212. PACKET ec_point_format_list;
  213. if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
  214. || PACKET_remaining(&ec_point_format_list) == 0) {
  215. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
  216. SSL_R_BAD_EXTENSION);
  217. return 0;
  218. }
  219. if (!s->hit) {
  220. if (!PACKET_memdup(&ec_point_format_list,
  221. &s->session->ext.ecpointformats,
  222. &s->session->ext.ecpointformats_len)) {
  223. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  224. SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  225. return 0;
  226. }
  227. }
  228. return 1;
  229. }
  230. #endif /* OPENSSL_NO_EC */
  231. int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
  232. X509 *x, size_t chainidx)
  233. {
  234. if (s->ext.session_ticket_cb &&
  235. !s->ext.session_ticket_cb(s, PACKET_data(pkt),
  236. PACKET_remaining(pkt),
  237. s->ext.session_ticket_cb_arg)) {
  238. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  239. SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  240. return 0;
  241. }
  242. return 1;
  243. }
  244. int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
  245. X509 *x, size_t chainidx)
  246. {
  247. PACKET supported_sig_algs;
  248. if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
  249. || PACKET_remaining(&supported_sig_algs) == 0) {
  250. SSLfatal(s, SSL_AD_DECODE_ERROR,
  251. SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
  252. return 0;
  253. }
  254. if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
  255. SSLfatal(s, SSL_AD_DECODE_ERROR,
  256. SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
  257. return 0;
  258. }
  259. return 1;
  260. }
  261. int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  262. size_t chainidx)
  263. {
  264. PACKET supported_sig_algs;
  265. if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
  266. || PACKET_remaining(&supported_sig_algs) == 0) {
  267. SSLfatal(s, SSL_AD_DECODE_ERROR,
  268. SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
  269. return 0;
  270. }
  271. if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
  272. SSLfatal(s, SSL_AD_DECODE_ERROR,
  273. SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
  274. return 0;
  275. }
  276. return 1;
  277. }
  278. #ifndef OPENSSL_NO_OCSP
  279. int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
  280. X509 *x, size_t chainidx)
  281. {
  282. PACKET responder_id_list, exts;
  283. /* We ignore this in a resumption handshake */
  284. if (s->hit)
  285. return 1;
  286. /* Not defined if we get one of these in a client Certificate */
  287. if (x != NULL)
  288. return 1;
  289. if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
  290. SSLfatal(s, SSL_AD_DECODE_ERROR,
  291. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  292. return 0;
  293. }
  294. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
  295. /*
  296. * We don't know what to do with any other type so ignore it.
  297. */
  298. s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
  299. return 1;
  300. }
  301. if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
  302. SSLfatal(s, SSL_AD_DECODE_ERROR,
  303. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  304. return 0;
  305. }
  306. /*
  307. * We remove any OCSP_RESPIDs from a previous handshake
  308. * to prevent unbounded memory growth - CVE-2016-6304
  309. */
  310. sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
  311. if (PACKET_remaining(&responder_id_list) > 0) {
  312. s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
  313. if (s->ext.ocsp.ids == NULL) {
  314. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  315. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
  316. return 0;
  317. }
  318. } else {
  319. s->ext.ocsp.ids = NULL;
  320. }
  321. while (PACKET_remaining(&responder_id_list) > 0) {
  322. OCSP_RESPID *id;
  323. PACKET responder_id;
  324. const unsigned char *id_data;
  325. if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
  326. || PACKET_remaining(&responder_id) == 0) {
  327. SSLfatal(s, SSL_AD_DECODE_ERROR,
  328. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  329. return 0;
  330. }
  331. id_data = PACKET_data(&responder_id);
  332. /* TODO(size_t): Convert d2i_* to size_t */
  333. id = d2i_OCSP_RESPID(NULL, &id_data,
  334. (int)PACKET_remaining(&responder_id));
  335. if (id == NULL) {
  336. SSLfatal(s, SSL_AD_DECODE_ERROR,
  337. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  338. return 0;
  339. }
  340. if (id_data != PACKET_end(&responder_id)) {
  341. OCSP_RESPID_free(id);
  342. SSLfatal(s, SSL_AD_DECODE_ERROR,
  343. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  344. return 0;
  345. }
  346. if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
  347. OCSP_RESPID_free(id);
  348. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  349. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  350. return 0;
  351. }
  352. }
  353. /* Read in request_extensions */
  354. if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
  355. SSLfatal(s, SSL_AD_DECODE_ERROR,
  356. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  357. return 0;
  358. }
  359. if (PACKET_remaining(&exts) > 0) {
  360. const unsigned char *ext_data = PACKET_data(&exts);
  361. sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
  362. X509_EXTENSION_free);
  363. s->ext.ocsp.exts =
  364. d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
  365. if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
  366. SSLfatal(s, SSL_AD_DECODE_ERROR,
  367. SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  368. return 0;
  369. }
  370. }
  371. return 1;
  372. }
  373. #endif
  374. #ifndef OPENSSL_NO_NEXTPROTONEG
  375. int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  376. size_t chainidx)
  377. {
  378. /*
  379. * We shouldn't accept this extension on a
  380. * renegotiation.
  381. */
  382. if (SSL_IS_FIRST_HANDSHAKE(s))
  383. s->s3->npn_seen = 1;
  384. return 1;
  385. }
  386. #endif
  387. /*
  388. * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
  389. * extension, not including type and length. Returns: 1 on success, 0 on error.
  390. */
  391. int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  392. size_t chainidx)
  393. {
  394. PACKET protocol_list, save_protocol_list, protocol;
  395. if (!SSL_IS_FIRST_HANDSHAKE(s))
  396. return 1;
  397. if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
  398. || PACKET_remaining(&protocol_list) < 2) {
  399. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
  400. SSL_R_BAD_EXTENSION);
  401. return 0;
  402. }
  403. save_protocol_list = protocol_list;
  404. do {
  405. /* Protocol names can't be empty. */
  406. if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
  407. || PACKET_remaining(&protocol) == 0) {
  408. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
  409. SSL_R_BAD_EXTENSION);
  410. return 0;
  411. }
  412. } while (PACKET_remaining(&protocol_list) != 0);
  413. OPENSSL_free(s->s3->alpn_proposed);
  414. s->s3->alpn_proposed = NULL;
  415. s->s3->alpn_proposed_len = 0;
  416. if (!PACKET_memdup(&save_protocol_list,
  417. &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
  418. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
  419. ERR_R_INTERNAL_ERROR);
  420. return 0;
  421. }
  422. return 1;
  423. }
  424. #ifndef OPENSSL_NO_SRTP
  425. int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  426. size_t chainidx)
  427. {
  428. STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
  429. unsigned int ct, mki_len, id;
  430. int i, srtp_pref;
  431. PACKET subpkt;
  432. /* Ignore this if we have no SRTP profiles */
  433. if (SSL_get_srtp_profiles(s) == NULL)
  434. return 1;
  435. /* Pull off the length of the cipher suite list and check it is even */
  436. if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
  437. || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
  438. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
  439. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  440. return 0;
  441. }
  442. srvr = SSL_get_srtp_profiles(s);
  443. s->srtp_profile = NULL;
  444. /* Search all profiles for a match initially */
  445. srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
  446. while (PACKET_remaining(&subpkt)) {
  447. if (!PACKET_get_net_2(&subpkt, &id)) {
  448. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
  449. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  450. return 0;
  451. }
  452. /*
  453. * Only look for match in profiles of higher preference than
  454. * current match.
  455. * If no profiles have been have been configured then this
  456. * does nothing.
  457. */
  458. for (i = 0; i < srtp_pref; i++) {
  459. SRTP_PROTECTION_PROFILE *sprof =
  460. sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
  461. if (sprof->id == id) {
  462. s->srtp_profile = sprof;
  463. srtp_pref = i;
  464. break;
  465. }
  466. }
  467. }
  468. /* Now extract the MKI value as a sanity check, but discard it for now */
  469. if (!PACKET_get_1(pkt, &mki_len)) {
  470. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
  471. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  472. return 0;
  473. }
  474. if (!PACKET_forward(pkt, mki_len)
  475. || PACKET_remaining(pkt)) {
  476. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
  477. SSL_R_BAD_SRTP_MKI_VALUE);
  478. return 0;
  479. }
  480. return 1;
  481. }
  482. #endif
  483. int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  484. size_t chainidx)
  485. {
  486. if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
  487. s->ext.use_etm = 1;
  488. return 1;
  489. }
  490. /*
  491. * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
  492. * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
  493. */
  494. int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
  495. X509 *x, size_t chainidx)
  496. {
  497. #ifndef OPENSSL_NO_TLS1_3
  498. PACKET psk_kex_modes;
  499. unsigned int mode;
  500. if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
  501. || PACKET_remaining(&psk_kex_modes) == 0) {
  502. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
  503. SSL_R_BAD_EXTENSION);
  504. return 0;
  505. }
  506. while (PACKET_get_1(&psk_kex_modes, &mode)) {
  507. if (mode == TLSEXT_KEX_MODE_KE_DHE)
  508. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
  509. else if (mode == TLSEXT_KEX_MODE_KE
  510. && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
  511. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
  512. }
  513. #endif
  514. return 1;
  515. }
  516. /*
  517. * Process a key_share extension received in the ClientHello. |pkt| contains
  518. * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
  519. */
  520. int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  521. size_t chainidx)
  522. {
  523. #ifndef OPENSSL_NO_TLS1_3
  524. unsigned int group_id;
  525. PACKET key_share_list, encoded_pt;
  526. const uint16_t *clntgroups, *srvrgroups;
  527. size_t clnt_num_groups, srvr_num_groups;
  528. int found = 0;
  529. if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
  530. return 1;
  531. /* Sanity check */
  532. if (s->s3->peer_tmp != NULL) {
  533. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
  534. ERR_R_INTERNAL_ERROR);
  535. return 0;
  536. }
  537. if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
  538. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
  539. SSL_R_LENGTH_MISMATCH);
  540. return 0;
  541. }
  542. /* Get our list of supported groups */
  543. tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
  544. /* Get the clients list of supported groups. */
  545. tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
  546. if (clnt_num_groups == 0) {
  547. /*
  548. * This can only happen if the supported_groups extension was not sent,
  549. * because we verify that the length is non-zero when we process that
  550. * extension.
  551. */
  552. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
  553. SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
  554. return 0;
  555. }
  556. if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
  557. /*
  558. * If we set a group_id already, then we must have sent an HRR
  559. * requesting a new key_share. If we haven't got one then that is an
  560. * error
  561. */
  562. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
  563. SSL_R_BAD_KEY_SHARE);
  564. return 0;
  565. }
  566. while (PACKET_remaining(&key_share_list) > 0) {
  567. if (!PACKET_get_net_2(&key_share_list, &group_id)
  568. || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
  569. || PACKET_remaining(&encoded_pt) == 0) {
  570. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
  571. SSL_R_LENGTH_MISMATCH);
  572. return 0;
  573. }
  574. /*
  575. * If we already found a suitable key_share we loop through the
  576. * rest to verify the structure, but don't process them.
  577. */
  578. if (found)
  579. continue;
  580. /*
  581. * If we sent an HRR then the key_share sent back MUST be for the group
  582. * we requested, and must be the only key_share sent.
  583. */
  584. if (s->s3->group_id != 0
  585. && (group_id != s->s3->group_id
  586. || PACKET_remaining(&key_share_list) != 0)) {
  587. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  588. SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
  589. return 0;
  590. }
  591. /* Check if this share is in supported_groups sent from client */
  592. if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
  593. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  594. SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
  595. return 0;
  596. }
  597. /* Check if this share is for a group we can use */
  598. if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
  599. /* Share not suitable */
  600. continue;
  601. }
  602. if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
  603. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
  604. SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
  605. return 0;
  606. }
  607. s->s3->group_id = group_id;
  608. if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
  609. PACKET_data(&encoded_pt),
  610. PACKET_remaining(&encoded_pt))) {
  611. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  612. SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
  613. return 0;
  614. }
  615. found = 1;
  616. }
  617. #endif
  618. return 1;
  619. }
  620. int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  621. size_t chainidx)
  622. {
  623. #ifndef OPENSSL_NO_TLS1_3
  624. unsigned int format, version, key_share, group_id;
  625. EVP_MD_CTX *hctx;
  626. EVP_PKEY *pkey;
  627. PACKET cookie, raw, chhash, appcookie;
  628. WPACKET hrrpkt;
  629. const unsigned char *data, *mdin, *ciphdata;
  630. unsigned char hmac[SHA256_DIGEST_LENGTH];
  631. unsigned char hrr[MAX_HRR_SIZE];
  632. size_t rawlen, hmaclen, hrrlen, ciphlen;
  633. unsigned long tm, now;
  634. /* Ignore any cookie if we're not set up to verify it */
  635. if (s->ctx->verify_stateless_cookie_cb == NULL
  636. || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
  637. return 1;
  638. if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
  639. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  640. SSL_R_LENGTH_MISMATCH);
  641. return 0;
  642. }
  643. raw = cookie;
  644. data = PACKET_data(&raw);
  645. rawlen = PACKET_remaining(&raw);
  646. if (rawlen < SHA256_DIGEST_LENGTH
  647. || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
  648. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  649. SSL_R_LENGTH_MISMATCH);
  650. return 0;
  651. }
  652. mdin = PACKET_data(&raw);
  653. /* Verify the HMAC of the cookie */
  654. hctx = EVP_MD_CTX_create();
  655. pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
  656. s->session_ctx->ext.cookie_hmac_key,
  657. sizeof(s->session_ctx->ext
  658. .cookie_hmac_key));
  659. if (hctx == NULL || pkey == NULL) {
  660. EVP_MD_CTX_free(hctx);
  661. EVP_PKEY_free(pkey);
  662. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  663. ERR_R_MALLOC_FAILURE);
  664. return 0;
  665. }
  666. hmaclen = SHA256_DIGEST_LENGTH;
  667. if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
  668. || EVP_DigestSign(hctx, hmac, &hmaclen, data,
  669. rawlen - SHA256_DIGEST_LENGTH) <= 0
  670. || hmaclen != SHA256_DIGEST_LENGTH) {
  671. EVP_MD_CTX_free(hctx);
  672. EVP_PKEY_free(pkey);
  673. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  674. ERR_R_INTERNAL_ERROR);
  675. return 0;
  676. }
  677. EVP_MD_CTX_free(hctx);
  678. EVP_PKEY_free(pkey);
  679. if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
  680. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
  681. SSL_R_COOKIE_MISMATCH);
  682. return 0;
  683. }
  684. if (!PACKET_get_net_2(&cookie, &format)) {
  685. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  686. SSL_R_LENGTH_MISMATCH);
  687. return 0;
  688. }
  689. /* Check the cookie format is something we recognise. Ignore it if not */
  690. if (format != COOKIE_STATE_FORMAT_VERSION)
  691. return 1;
  692. /*
  693. * The rest of these checks really shouldn't fail since we have verified the
  694. * HMAC above.
  695. */
  696. /* Check the version number is sane */
  697. if (!PACKET_get_net_2(&cookie, &version)) {
  698. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  699. SSL_R_LENGTH_MISMATCH);
  700. return 0;
  701. }
  702. if (version != TLS1_3_VERSION) {
  703. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
  704. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  705. return 0;
  706. }
  707. if (!PACKET_get_net_2(&cookie, &group_id)) {
  708. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  709. SSL_R_LENGTH_MISMATCH);
  710. return 0;
  711. }
  712. ciphdata = PACKET_data(&cookie);
  713. if (!PACKET_forward(&cookie, 2)) {
  714. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  715. SSL_R_LENGTH_MISMATCH);
  716. return 0;
  717. }
  718. if (group_id != s->s3->group_id
  719. || s->s3->tmp.new_cipher
  720. != ssl_get_cipher_by_char(s, ciphdata, 0)) {
  721. /*
  722. * We chose a different cipher or group id this time around to what is
  723. * in the cookie. Something must have changed.
  724. */
  725. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
  726. SSL_R_BAD_CIPHER);
  727. return 0;
  728. }
  729. if (!PACKET_get_1(&cookie, &key_share)
  730. || !PACKET_get_net_4(&cookie, &tm)
  731. || !PACKET_get_length_prefixed_2(&cookie, &chhash)
  732. || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
  733. || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
  734. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  735. SSL_R_LENGTH_MISMATCH);
  736. return 0;
  737. }
  738. /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
  739. now = (unsigned long)time(NULL);
  740. if (tm > now || (now - tm) > 600) {
  741. /* Cookie is stale. Ignore it */
  742. return 1;
  743. }
  744. /* Verify the app cookie */
  745. if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
  746. PACKET_remaining(&appcookie)) == 0) {
  747. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
  748. SSL_R_COOKIE_MISMATCH);
  749. return 0;
  750. }
  751. /*
  752. * Reconstruct the HRR that we would have sent in response to the original
  753. * ClientHello so we can add it to the transcript hash.
  754. * Note: This won't work with custom HRR extensions
  755. */
  756. if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
  757. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  758. ERR_R_INTERNAL_ERROR);
  759. return 0;
  760. }
  761. if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
  762. || !WPACKET_start_sub_packet_u24(&hrrpkt)
  763. || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
  764. || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
  765. || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
  766. s->tmp_session_id_len)
  767. || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
  768. &ciphlen)
  769. || !WPACKET_put_bytes_u8(&hrrpkt, 0)
  770. || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
  771. WPACKET_cleanup(&hrrpkt);
  772. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  773. ERR_R_INTERNAL_ERROR);
  774. return 0;
  775. }
  776. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
  777. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  778. /* TODO(TLS1.3): Fix this before release */
  779. || !WPACKET_put_bytes_u16(&hrrpkt, s->version_draft)
  780. || !WPACKET_close(&hrrpkt)) {
  781. WPACKET_cleanup(&hrrpkt);
  782. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  783. ERR_R_INTERNAL_ERROR);
  784. return 0;
  785. }
  786. if (key_share) {
  787. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
  788. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  789. || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
  790. || !WPACKET_close(&hrrpkt)) {
  791. WPACKET_cleanup(&hrrpkt);
  792. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  793. ERR_R_INTERNAL_ERROR);
  794. return 0;
  795. }
  796. }
  797. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
  798. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  799. || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
  800. || !WPACKET_close(&hrrpkt) /* cookie extension */
  801. || !WPACKET_close(&hrrpkt) /* extension block */
  802. || !WPACKET_close(&hrrpkt) /* message */
  803. || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
  804. || !WPACKET_finish(&hrrpkt)) {
  805. WPACKET_cleanup(&hrrpkt);
  806. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
  807. ERR_R_INTERNAL_ERROR);
  808. return 0;
  809. }
  810. /* Reconstruct the transcript hash */
  811. if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
  812. PACKET_remaining(&chhash), hrr,
  813. hrrlen)) {
  814. /* SSLfatal() already called */
  815. return 0;
  816. }
  817. /* Act as if this ClientHello came after a HelloRetryRequest */
  818. s->hello_retry_request = 1;
  819. s->ext.cookieok = 1;
  820. #endif
  821. return 1;
  822. }
  823. #ifndef OPENSSL_NO_EC
  824. int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
  825. X509 *x, size_t chainidx)
  826. {
  827. PACKET supported_groups_list;
  828. /* Each group is 2 bytes and we must have at least 1. */
  829. if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
  830. || PACKET_remaining(&supported_groups_list) == 0
  831. || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
  832. SSLfatal(s, SSL_AD_DECODE_ERROR,
  833. SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
  834. return 0;
  835. }
  836. if (!s->hit || SSL_IS_TLS13(s)) {
  837. OPENSSL_free(s->session->ext.supportedgroups);
  838. s->session->ext.supportedgroups = NULL;
  839. s->session->ext.supportedgroups_len = 0;
  840. if (!tls1_save_u16(&supported_groups_list,
  841. &s->session->ext.supportedgroups,
  842. &s->session->ext.supportedgroups_len)) {
  843. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  844. SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
  845. ERR_R_INTERNAL_ERROR);
  846. return 0;
  847. }
  848. }
  849. return 1;
  850. }
  851. #endif
  852. int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  853. size_t chainidx)
  854. {
  855. /* The extension must always be empty */
  856. if (PACKET_remaining(pkt) != 0) {
  857. SSLfatal(s, SSL_AD_DECODE_ERROR,
  858. SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
  859. return 0;
  860. }
  861. s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
  862. return 1;
  863. }
  864. int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
  865. X509 *x, size_t chainidx)
  866. {
  867. if (PACKET_remaining(pkt) != 0) {
  868. SSLfatal(s, SSL_AD_DECODE_ERROR,
  869. SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
  870. return 0;
  871. }
  872. if (s->hello_retry_request != SSL_HRR_NONE) {
  873. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  874. SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
  875. return 0;
  876. }
  877. return 1;
  878. }
  879. int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  880. size_t chainidx)
  881. {
  882. PACKET identities, binders, binder;
  883. size_t binderoffset, hashsize;
  884. SSL_SESSION *sess = NULL;
  885. unsigned int id, i, ext = 0;
  886. const EVP_MD *md = NULL;
  887. /*
  888. * If we have no PSK kex mode that we recognise then we can't resume so
  889. * ignore this extension
  890. */
  891. if ((s->ext.psk_kex_mode
  892. & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
  893. return 1;
  894. if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
  895. SSLfatal(s, SSL_AD_DECODE_ERROR,
  896. SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
  897. return 0;
  898. }
  899. s->ext.ticket_expected = 0;
  900. for (id = 0; PACKET_remaining(&identities) != 0; id++) {
  901. PACKET identity;
  902. unsigned long ticket_agel;
  903. size_t idlen;
  904. if (!PACKET_get_length_prefixed_2(&identities, &identity)
  905. || !PACKET_get_net_4(&identities, &ticket_agel)) {
  906. SSLfatal(s, SSL_AD_DECODE_ERROR,
  907. SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
  908. return 0;
  909. }
  910. idlen = PACKET_remaining(&identity);
  911. if (s->psk_find_session_cb != NULL
  912. && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
  913. &sess)) {
  914. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  915. SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
  916. return 0;
  917. }
  918. #ifndef OPENSSL_NO_PSK
  919. if(sess == NULL
  920. && s->psk_server_callback != NULL
  921. && idlen <= PSK_MAX_IDENTITY_LEN) {
  922. char *pskid = NULL;
  923. unsigned char pskdata[PSK_MAX_PSK_LEN];
  924. unsigned int pskdatalen;
  925. if (!PACKET_strndup(&identity, &pskid)) {
  926. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  927. ERR_R_INTERNAL_ERROR);
  928. return 0;
  929. }
  930. pskdatalen = s->psk_server_callback(s, pskid, pskdata,
  931. sizeof(pskdata));
  932. OPENSSL_free(pskid);
  933. if (pskdatalen > PSK_MAX_PSK_LEN) {
  934. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  935. ERR_R_INTERNAL_ERROR);
  936. return 0;
  937. } else if (pskdatalen > 0) {
  938. const SSL_CIPHER *cipher;
  939. const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
  940. /*
  941. * We found a PSK using an old style callback. We don't know
  942. * the digest so we default to SHA256 as per the TLSv1.3 spec
  943. */
  944. cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
  945. if (cipher == NULL) {
  946. OPENSSL_cleanse(pskdata, pskdatalen);
  947. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  948. ERR_R_INTERNAL_ERROR);
  949. return 0;
  950. }
  951. sess = SSL_SESSION_new();
  952. if (sess == NULL
  953. || !SSL_SESSION_set1_master_key(sess, pskdata,
  954. pskdatalen)
  955. || !SSL_SESSION_set_cipher(sess, cipher)
  956. || !SSL_SESSION_set_protocol_version(sess,
  957. TLS1_3_VERSION)) {
  958. OPENSSL_cleanse(pskdata, pskdatalen);
  959. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  960. ERR_R_INTERNAL_ERROR);
  961. goto err;
  962. }
  963. OPENSSL_cleanse(pskdata, pskdatalen);
  964. }
  965. }
  966. #endif /* OPENSSL_NO_PSK */
  967. if (sess != NULL) {
  968. /* We found a PSK */
  969. SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
  970. if (sesstmp == NULL) {
  971. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  972. SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
  973. return 0;
  974. }
  975. SSL_SESSION_free(sess);
  976. sess = sesstmp;
  977. /*
  978. * We've just been told to use this session for this context so
  979. * make sure the sid_ctx matches up.
  980. */
  981. memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
  982. sess->sid_ctx_length = s->sid_ctx_length;
  983. ext = 1;
  984. if (id == 0)
  985. s->ext.early_data_ok = 1;
  986. } else {
  987. uint32_t ticket_age = 0, now, agesec, agems;
  988. int ret;
  989. ret = tls_decrypt_ticket(s, PACKET_data(&identity),
  990. PACKET_remaining(&identity), NULL, 0,
  991. &sess);
  992. if (ret == SSL_TICKET_EMPTY) {
  993. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  994. SSL_R_BAD_EXTENSION);
  995. return 0;
  996. }
  997. if (ret == SSL_TICKET_FATAL_ERR_MALLOC
  998. || ret == SSL_TICKET_FATAL_ERR_OTHER) {
  999. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1000. SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
  1001. return 0;
  1002. }
  1003. if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
  1004. continue;
  1005. /* Check for replay */
  1006. if (s->max_early_data > 0
  1007. && !SSL_CTX_remove_session(s->session_ctx, sess)) {
  1008. SSL_SESSION_free(sess);
  1009. sess = NULL;
  1010. continue;
  1011. }
  1012. ticket_age = (uint32_t)ticket_agel;
  1013. now = (uint32_t)time(NULL);
  1014. agesec = now - (uint32_t)sess->time;
  1015. agems = agesec * (uint32_t)1000;
  1016. ticket_age -= sess->ext.tick_age_add;
  1017. /*
  1018. * For simplicity we do our age calculations in seconds. If the
  1019. * client does it in ms then it could appear that their ticket age
  1020. * is longer than ours (our ticket age calculation should always be
  1021. * slightly longer than the client's due to the network latency).
  1022. * Therefore we add 1000ms to our age calculation to adjust for
  1023. * rounding errors.
  1024. */
  1025. if (id == 0
  1026. && sess->timeout >= (long)agesec
  1027. && agems / (uint32_t)1000 == agesec
  1028. && ticket_age <= agems + 1000
  1029. && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
  1030. /*
  1031. * Ticket age is within tolerance and not expired. We allow it
  1032. * for early data
  1033. */
  1034. s->ext.early_data_ok = 1;
  1035. }
  1036. }
  1037. md = ssl_md(sess->cipher->algorithm2);
  1038. if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
  1039. /* The ciphersuite is not compatible with this session. */
  1040. SSL_SESSION_free(sess);
  1041. sess = NULL;
  1042. s->ext.early_data_ok = 0;
  1043. continue;
  1044. }
  1045. break;
  1046. }
  1047. if (sess == NULL)
  1048. return 1;
  1049. binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
  1050. hashsize = EVP_MD_size(md);
  1051. if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
  1052. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  1053. SSL_R_BAD_EXTENSION);
  1054. goto err;
  1055. }
  1056. for (i = 0; i <= id; i++) {
  1057. if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
  1058. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  1059. SSL_R_BAD_EXTENSION);
  1060. goto err;
  1061. }
  1062. }
  1063. if (PACKET_remaining(&binder) != hashsize) {
  1064. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
  1065. SSL_R_BAD_EXTENSION);
  1066. goto err;
  1067. }
  1068. if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
  1069. binderoffset, PACKET_data(&binder), NULL, sess, 0,
  1070. ext) != 1) {
  1071. /* SSLfatal() already called */
  1072. goto err;
  1073. }
  1074. sess->ext.tick_identity = id;
  1075. SSL_SESSION_free(s->session);
  1076. s->session = sess;
  1077. return 1;
  1078. err:
  1079. SSL_SESSION_free(sess);
  1080. return 0;
  1081. }
  1082. int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
  1083. X509 *x, size_t chainidx)
  1084. {
  1085. if (PACKET_remaining(pkt) != 0) {
  1086. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
  1087. SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
  1088. return 0;
  1089. }
  1090. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  1091. return 1;
  1092. }
  1093. /*
  1094. * Add the server's renegotiation binding
  1095. */
  1096. EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
  1097. unsigned int context, X509 *x,
  1098. size_t chainidx)
  1099. {
  1100. if (!s->s3->send_connection_binding)
  1101. return EXT_RETURN_NOT_SENT;
  1102. /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
  1103. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
  1104. || !WPACKET_start_sub_packet_u16(pkt)
  1105. || !WPACKET_start_sub_packet_u8(pkt)
  1106. || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
  1107. s->s3->previous_client_finished_len)
  1108. || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
  1109. s->s3->previous_server_finished_len)
  1110. || !WPACKET_close(pkt)
  1111. || !WPACKET_close(pkt)) {
  1112. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
  1113. ERR_R_INTERNAL_ERROR);
  1114. return EXT_RETURN_FAIL;
  1115. }
  1116. return EXT_RETURN_SENT;
  1117. }
  1118. EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
  1119. unsigned int context, X509 *x,
  1120. size_t chainidx)
  1121. {
  1122. if (s->hit || s->servername_done != 1
  1123. || s->session->ext.hostname == NULL)
  1124. return EXT_RETURN_NOT_SENT;
  1125. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
  1126. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1127. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
  1128. ERR_R_INTERNAL_ERROR);
  1129. return EXT_RETURN_FAIL;
  1130. }
  1131. return EXT_RETURN_SENT;
  1132. }
  1133. /* Add/include the server's max fragment len extension into ServerHello */
  1134. EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
  1135. unsigned int context, X509 *x,
  1136. size_t chainidx)
  1137. {
  1138. if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
  1139. return EXT_RETURN_NOT_SENT;
  1140. /*-
  1141. * 4 bytes for this extension type and extension length
  1142. * 1 byte for the Max Fragment Length code value.
  1143. */
  1144. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
  1145. || !WPACKET_start_sub_packet_u16(pkt)
  1146. || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
  1147. || !WPACKET_close(pkt)) {
  1148. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1149. SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
  1150. return EXT_RETURN_FAIL;
  1151. }
  1152. return EXT_RETURN_SENT;
  1153. }
  1154. #ifndef OPENSSL_NO_EC
  1155. EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
  1156. unsigned int context, X509 *x,
  1157. size_t chainidx)
  1158. {
  1159. unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  1160. unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  1161. int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
  1162. && (s->session->ext.ecpointformats != NULL);
  1163. const unsigned char *plist;
  1164. size_t plistlen;
  1165. if (!using_ecc)
  1166. return EXT_RETURN_NOT_SENT;
  1167. tls1_get_formatlist(s, &plist, &plistlen);
  1168. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
  1169. || !WPACKET_start_sub_packet_u16(pkt)
  1170. || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
  1171. || !WPACKET_close(pkt)) {
  1172. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1173. SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  1174. return EXT_RETURN_FAIL;
  1175. }
  1176. return EXT_RETURN_SENT;
  1177. }
  1178. #endif
  1179. #ifndef OPENSSL_NO_EC
  1180. EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
  1181. unsigned int context, X509 *x,
  1182. size_t chainidx)
  1183. {
  1184. const uint16_t *groups;
  1185. size_t numgroups, i, first = 1;
  1186. /* s->s3->group_id is non zero if we accepted a key_share */
  1187. if (s->s3->group_id == 0)
  1188. return EXT_RETURN_NOT_SENT;
  1189. /* Get our list of supported groups */
  1190. tls1_get_supported_groups(s, &groups, &numgroups);
  1191. if (numgroups == 0) {
  1192. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1193. SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
  1194. return EXT_RETURN_FAIL;
  1195. }
  1196. /* Copy group ID if supported */
  1197. for (i = 0; i < numgroups; i++) {
  1198. uint16_t group = groups[i];
  1199. if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
  1200. if (first) {
  1201. /*
  1202. * Check if the client is already using our preferred group. If
  1203. * so we don't need to add this extension
  1204. */
  1205. if (s->s3->group_id == group)
  1206. return EXT_RETURN_NOT_SENT;
  1207. /* Add extension header */
  1208. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
  1209. /* Sub-packet for supported_groups extension */
  1210. || !WPACKET_start_sub_packet_u16(pkt)
  1211. || !WPACKET_start_sub_packet_u16(pkt)) {
  1212. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1213. SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
  1214. ERR_R_INTERNAL_ERROR);
  1215. return EXT_RETURN_FAIL;
  1216. }
  1217. first = 0;
  1218. }
  1219. if (!WPACKET_put_bytes_u16(pkt, group)) {
  1220. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1221. SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
  1222. ERR_R_INTERNAL_ERROR);
  1223. return EXT_RETURN_FAIL;
  1224. }
  1225. }
  1226. }
  1227. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  1228. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1229. SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
  1230. ERR_R_INTERNAL_ERROR);
  1231. return EXT_RETURN_FAIL;
  1232. }
  1233. return EXT_RETURN_SENT;
  1234. }
  1235. #endif
  1236. EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
  1237. unsigned int context, X509 *x,
  1238. size_t chainidx)
  1239. {
  1240. if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
  1241. s->ext.ticket_expected = 0;
  1242. return EXT_RETURN_NOT_SENT;
  1243. }
  1244. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
  1245. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1246. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1247. SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  1248. return EXT_RETURN_FAIL;
  1249. }
  1250. return EXT_RETURN_SENT;
  1251. }
  1252. #ifndef OPENSSL_NO_OCSP
  1253. EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
  1254. unsigned int context, X509 *x,
  1255. size_t chainidx)
  1256. {
  1257. if (!s->ext.status_expected)
  1258. return EXT_RETURN_NOT_SENT;
  1259. if (SSL_IS_TLS13(s) && chainidx != 0)
  1260. return EXT_RETURN_NOT_SENT;
  1261. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
  1262. || !WPACKET_start_sub_packet_u16(pkt)) {
  1263. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1264. SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  1265. return EXT_RETURN_FAIL;
  1266. }
  1267. /*
  1268. * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
  1269. * send back an empty extension, with the certificate status appearing as a
  1270. * separate message
  1271. */
  1272. if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
  1273. /* SSLfatal() already called */
  1274. return EXT_RETURN_FAIL;
  1275. }
  1276. if (!WPACKET_close(pkt)) {
  1277. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1278. SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  1279. return EXT_RETURN_FAIL;
  1280. }
  1281. return EXT_RETURN_SENT;
  1282. }
  1283. #endif
  1284. #ifndef OPENSSL_NO_NEXTPROTONEG
  1285. EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
  1286. unsigned int context, X509 *x,
  1287. size_t chainidx)
  1288. {
  1289. const unsigned char *npa;
  1290. unsigned int npalen;
  1291. int ret;
  1292. int npn_seen = s->s3->npn_seen;
  1293. s->s3->npn_seen = 0;
  1294. if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
  1295. return EXT_RETURN_NOT_SENT;
  1296. ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
  1297. s->ctx->ext.npn_advertised_cb_arg);
  1298. if (ret == SSL_TLSEXT_ERR_OK) {
  1299. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
  1300. || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
  1301. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1302. SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
  1303. ERR_R_INTERNAL_ERROR);
  1304. return EXT_RETURN_FAIL;
  1305. }
  1306. s->s3->npn_seen = 1;
  1307. }
  1308. return EXT_RETURN_SENT;
  1309. }
  1310. #endif
  1311. EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
  1312. X509 *x, size_t chainidx)
  1313. {
  1314. if (s->s3->alpn_selected == NULL)
  1315. return EXT_RETURN_NOT_SENT;
  1316. if (!WPACKET_put_bytes_u16(pkt,
  1317. TLSEXT_TYPE_application_layer_protocol_negotiation)
  1318. || !WPACKET_start_sub_packet_u16(pkt)
  1319. || !WPACKET_start_sub_packet_u16(pkt)
  1320. || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
  1321. s->s3->alpn_selected_len)
  1322. || !WPACKET_close(pkt)
  1323. || !WPACKET_close(pkt)) {
  1324. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1325. SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
  1326. return EXT_RETURN_FAIL;
  1327. }
  1328. return EXT_RETURN_SENT;
  1329. }
  1330. #ifndef OPENSSL_NO_SRTP
  1331. EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
  1332. unsigned int context, X509 *x,
  1333. size_t chainidx)
  1334. {
  1335. if (s->srtp_profile == NULL)
  1336. return EXT_RETURN_NOT_SENT;
  1337. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
  1338. || !WPACKET_start_sub_packet_u16(pkt)
  1339. || !WPACKET_put_bytes_u16(pkt, 2)
  1340. || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
  1341. || !WPACKET_put_bytes_u8(pkt, 0)
  1342. || !WPACKET_close(pkt)) {
  1343. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
  1344. ERR_R_INTERNAL_ERROR);
  1345. return EXT_RETURN_FAIL;
  1346. }
  1347. return EXT_RETURN_SENT;
  1348. }
  1349. #endif
  1350. EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
  1351. X509 *x, size_t chainidx)
  1352. {
  1353. if (!s->ext.use_etm)
  1354. return EXT_RETURN_NOT_SENT;
  1355. /*
  1356. * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
  1357. * for other cases too.
  1358. */
  1359. if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
  1360. || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
  1361. || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
  1362. || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
  1363. s->ext.use_etm = 0;
  1364. return EXT_RETURN_NOT_SENT;
  1365. }
  1366. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
  1367. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1368. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
  1369. ERR_R_INTERNAL_ERROR);
  1370. return EXT_RETURN_FAIL;
  1371. }
  1372. return EXT_RETURN_SENT;
  1373. }
  1374. EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
  1375. X509 *x, size_t chainidx)
  1376. {
  1377. if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
  1378. return EXT_RETURN_NOT_SENT;
  1379. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
  1380. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1381. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
  1382. ERR_R_INTERNAL_ERROR);
  1383. return EXT_RETURN_FAIL;
  1384. }
  1385. return EXT_RETURN_SENT;
  1386. }
  1387. EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
  1388. unsigned int context, X509 *x,
  1389. size_t chainidx)
  1390. {
  1391. if (!ossl_assert(SSL_IS_TLS13(s))) {
  1392. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1393. SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
  1394. ERR_R_INTERNAL_ERROR);
  1395. return EXT_RETURN_FAIL;
  1396. }
  1397. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
  1398. || !WPACKET_start_sub_packet_u16(pkt)
  1399. /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
  1400. || !WPACKET_put_bytes_u16(pkt, s->version_draft)
  1401. || !WPACKET_close(pkt)) {
  1402. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1403. SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
  1404. ERR_R_INTERNAL_ERROR);
  1405. return EXT_RETURN_FAIL;
  1406. }
  1407. return EXT_RETURN_SENT;
  1408. }
  1409. EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
  1410. unsigned int context, X509 *x,
  1411. size_t chainidx)
  1412. {
  1413. #ifndef OPENSSL_NO_TLS1_3
  1414. unsigned char *encodedPoint;
  1415. size_t encoded_pt_len = 0;
  1416. EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
  1417. if (s->hello_retry_request == SSL_HRR_PENDING) {
  1418. if (ckey != NULL) {
  1419. /* Original key_share was acceptable so don't ask for another one */
  1420. return EXT_RETURN_NOT_SENT;
  1421. }
  1422. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  1423. || !WPACKET_start_sub_packet_u16(pkt)
  1424. || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
  1425. || !WPACKET_close(pkt)) {
  1426. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1427. SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
  1428. ERR_R_INTERNAL_ERROR);
  1429. return EXT_RETURN_FAIL;
  1430. }
  1431. return EXT_RETURN_SENT;
  1432. }
  1433. if (ckey == NULL) {
  1434. /* No key_share received from client - must be resuming */
  1435. if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
  1436. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1437. SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
  1438. return EXT_RETURN_FAIL;
  1439. }
  1440. return EXT_RETURN_NOT_SENT;
  1441. }
  1442. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  1443. || !WPACKET_start_sub_packet_u16(pkt)
  1444. || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
  1445. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1446. SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
  1447. return EXT_RETURN_FAIL;
  1448. }
  1449. skey = ssl_generate_pkey(ckey);
  1450. if (skey == NULL) {
  1451. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
  1452. ERR_R_MALLOC_FAILURE);
  1453. return EXT_RETURN_FAIL;
  1454. }
  1455. /* Generate encoding of server key */
  1456. encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
  1457. if (encoded_pt_len == 0) {
  1458. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
  1459. ERR_R_EC_LIB);
  1460. EVP_PKEY_free(skey);
  1461. return EXT_RETURN_FAIL;
  1462. }
  1463. if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
  1464. || !WPACKET_close(pkt)) {
  1465. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
  1466. ERR_R_INTERNAL_ERROR);
  1467. EVP_PKEY_free(skey);
  1468. OPENSSL_free(encodedPoint);
  1469. return EXT_RETURN_FAIL;
  1470. }
  1471. OPENSSL_free(encodedPoint);
  1472. /* This causes the crypto state to be updated based on the derived keys */
  1473. s->s3->tmp.pkey = skey;
  1474. if (ssl_derive(s, skey, ckey, 1) == 0) {
  1475. /* SSLfatal() already called */
  1476. return EXT_RETURN_FAIL;
  1477. }
  1478. return EXT_RETURN_SENT;
  1479. #else
  1480. return EXT_RETURN_FAIL;
  1481. #endif
  1482. }
  1483. EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
  1484. X509 *x, size_t chainidx)
  1485. {
  1486. #ifndef OPENSSL_NO_TLS1_3
  1487. unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
  1488. unsigned char *hmac, *hmac2;
  1489. size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
  1490. EVP_MD_CTX *hctx;
  1491. EVP_PKEY *pkey;
  1492. int ret = EXT_RETURN_FAIL;
  1493. if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
  1494. return EXT_RETURN_NOT_SENT;
  1495. if (s->ctx->gen_stateless_cookie_cb == NULL) {
  1496. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1497. SSL_R_NO_COOKIE_CALLBACK_SET);
  1498. return EXT_RETURN_FAIL;
  1499. }
  1500. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
  1501. || !WPACKET_start_sub_packet_u16(pkt)
  1502. || !WPACKET_start_sub_packet_u16(pkt)
  1503. || !WPACKET_get_total_written(pkt, &startlen)
  1504. || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
  1505. || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
  1506. || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
  1507. || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
  1508. || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
  1509. &ciphlen)
  1510. /* Is there a key_share extension present in this HRR? */
  1511. || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
  1512. || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
  1513. || !WPACKET_start_sub_packet_u16(pkt)
  1514. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
  1515. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1516. ERR_R_INTERNAL_ERROR);
  1517. return EXT_RETURN_FAIL;
  1518. }
  1519. /*
  1520. * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
  1521. * on raw buffers, so we first reserve sufficient bytes (above) and then
  1522. * subsequently allocate them (below)
  1523. */
  1524. if (!ssl3_digest_cached_records(s, 0)
  1525. || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
  1526. /* SSLfatal() already called */
  1527. return EXT_RETURN_FAIL;
  1528. }
  1529. if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
  1530. || !ossl_assert(hashval1 == hashval2)
  1531. || !WPACKET_close(pkt)
  1532. || !WPACKET_start_sub_packet_u8(pkt)
  1533. || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
  1534. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1535. ERR_R_INTERNAL_ERROR);
  1536. return EXT_RETURN_FAIL;
  1537. }
  1538. /* Generate the application cookie */
  1539. if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
  1540. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1541. SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1542. return EXT_RETURN_FAIL;
  1543. }
  1544. if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
  1545. || !ossl_assert(appcookie1 == appcookie2)
  1546. || !WPACKET_close(pkt)
  1547. || !WPACKET_get_total_written(pkt, &totcookielen)
  1548. || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
  1549. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1550. ERR_R_INTERNAL_ERROR);
  1551. return EXT_RETURN_FAIL;
  1552. }
  1553. hmaclen = SHA256_DIGEST_LENGTH;
  1554. totcookielen -= startlen;
  1555. if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
  1556. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1557. ERR_R_INTERNAL_ERROR);
  1558. return EXT_RETURN_FAIL;
  1559. }
  1560. /* HMAC the cookie */
  1561. hctx = EVP_MD_CTX_create();
  1562. pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
  1563. s->session_ctx->ext.cookie_hmac_key,
  1564. sizeof(s->session_ctx->ext
  1565. .cookie_hmac_key));
  1566. if (hctx == NULL || pkey == NULL) {
  1567. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1568. ERR_R_MALLOC_FAILURE);
  1569. goto err;
  1570. }
  1571. if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
  1572. || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
  1573. totcookielen) <= 0) {
  1574. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1575. ERR_R_INTERNAL_ERROR);
  1576. goto err;
  1577. }
  1578. if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
  1579. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1580. ERR_R_INTERNAL_ERROR);
  1581. goto err;
  1582. }
  1583. if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
  1584. || !ossl_assert(hmac == hmac2)
  1585. || !ossl_assert(cookie == hmac - totcookielen)
  1586. || !WPACKET_close(pkt)
  1587. || !WPACKET_close(pkt)) {
  1588. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
  1589. ERR_R_INTERNAL_ERROR);
  1590. goto err;
  1591. }
  1592. ret = EXT_RETURN_SENT;
  1593. err:
  1594. EVP_MD_CTX_free(hctx);
  1595. EVP_PKEY_free(pkey);
  1596. return ret;
  1597. #else
  1598. return EXT_RETURN_FAIL;
  1599. #endif
  1600. }
  1601. EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
  1602. unsigned int context, X509 *x,
  1603. size_t chainidx)
  1604. {
  1605. const unsigned char cryptopro_ext[36] = {
  1606. 0xfd, 0xe8, /* 65000 */
  1607. 0x00, 0x20, /* 32 bytes length */
  1608. 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
  1609. 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
  1610. 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
  1611. 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
  1612. };
  1613. if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
  1614. && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
  1615. || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
  1616. return EXT_RETURN_NOT_SENT;
  1617. if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
  1618. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1619. SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
  1620. return EXT_RETURN_FAIL;
  1621. }
  1622. return EXT_RETURN_SENT;
  1623. }
  1624. EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
  1625. unsigned int context, X509 *x,
  1626. size_t chainidx)
  1627. {
  1628. if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
  1629. if (s->max_early_data == 0)
  1630. return EXT_RETURN_NOT_SENT;
  1631. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  1632. || !WPACKET_start_sub_packet_u16(pkt)
  1633. || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
  1634. || !WPACKET_close(pkt)) {
  1635. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1636. SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  1637. return EXT_RETURN_FAIL;
  1638. }
  1639. return EXT_RETURN_SENT;
  1640. }
  1641. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
  1642. return EXT_RETURN_NOT_SENT;
  1643. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  1644. || !WPACKET_start_sub_packet_u16(pkt)
  1645. || !WPACKET_close(pkt)) {
  1646. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
  1647. ERR_R_INTERNAL_ERROR);
  1648. return EXT_RETURN_FAIL;
  1649. }
  1650. return EXT_RETURN_SENT;
  1651. }
  1652. EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
  1653. X509 *x, size_t chainidx)
  1654. {
  1655. if (!s->hit)
  1656. return EXT_RETURN_NOT_SENT;
  1657. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
  1658. || !WPACKET_start_sub_packet_u16(pkt)
  1659. || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
  1660. || !WPACKET_close(pkt)) {
  1661. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1662. SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
  1663. return EXT_RETURN_FAIL;
  1664. }
  1665. return EXT_RETURN_SENT;
  1666. }