
  1. /*
  2. * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_local.h"
  11. #include "statem_local.h"
  12. #include "internal/cryptlib.h"
/*
 * Format version tag written into, and checked against, the stateless HRR
 * cookie; tls_parse_ctos_cookie() ignores a cookie carrying any other value.
 */
#define COOKIE_STATE_FORMAT_VERSION 0

/*
 * Upper bound on the size of a stateless cookie; it is the final term of
 * MAX_HRR_SIZE below. The layout it accounts for is:
 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
 */
#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
                         + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)

/*
 * Upper bound on the size of the HelloRetryRequest that tls_parse_ctos_cookie()
 * reconstructs from a cookie (its hrr[] buffer is sized by this). It is:
 * Message header + 2 bytes for protocol version + number of random bytes +
 * + 1 byte for legacy session id length + number of bytes in legacy session id
 * + 2 bytes for ciphersuite + 1 byte for legacy compression
 * + 2 bytes for extension block length + 6 bytes for key_share extension
 * + 4 bytes for cookie extension header + the number of bytes in the cookie
 */
#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
                      + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
                      + MAX_COOKIE_SIZE)
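/*
 * Parse the client's renegotiation_info binding and abort if it's not right.
 *
 * |pkt| holds the extension body: a 1-byte length followed by the client's
 * previous Finished verify_data, which must match what we recorded in
 * s->s3.previous_client_finished both in length and content. On success
 * s->s3.send_connection_binding is set so our ServerHello echoes the binding.
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx)
{
    unsigned int ilen;
    const unsigned char *data;

    /* Parse the length byte */
    if (!PACKET_get_1(pkt, &ilen)
            || !PACKET_get_bytes(pkt, &data, ilen)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
        return 0;
    }

    /* Check that the extension matches */
    if (ilen != s->s3.previous_client_finished_len) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
        return 0;
    }

    /*
     * Compare in constant time, as the cookie HMAC check in this file does:
     * memcmp() stops at the first differing byte, so its timing depends on
     * how much of the binding the peer got right.
     */
    if (CRYPTO_memcmp(data, s->s3.previous_client_finished,
                      s->s3.previous_client_finished_len) != 0) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
        return 0;
    }

    s->s3.send_connection_binding = 1;

    return 1;
}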
/*-
 * Handling of the server_name (SNI) extension:
 *
 * - Only the host_name name type is accepted, with a maximum length of
 *   TLSEXT_MAXLEN_host_name (255).
 * - A hostname that is too long or contains a NUL byte is rejected with a
 *   fatal alert.
 * - The hostname travels with the session cache. On a TLSv1.2 (or lower)
 *   resumption the servername callback is still invoked so the application
 *   can position itself in the right context.
 * - The hostname is acknowledged when it is new for a session, or when it is
 *   identical to the one previously used with the same session. Applications
 *   may set a 'desirable' hostname on a new SSL object (for example from an
 *   HTTP Host: header before a renegotiation); a hostname in the new
 *   ClientHello is then only acknowledged if it matches that value.
 * - Applications that change the servername context of an established
 *   session must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
 * - On session reconnect the extension may be absent.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx)
{
    unsigned int name_type;
    PACKET name_list, host;

    /* ServerNameList: 2-byte length prefix, must not be empty. */
    if (!PACKET_as_length_prefixed_2(pkt, &name_list)
            || PACKET_remaining(&name_list) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * RFC 4366 intended server_name to be extensible but was unclear about
     * it, so OpenSSL (like other implementations) only ever accepted
     * host_name; RFC 6066 fixed the text but adding name types is no longer
     * feasible. The RFC also permits only one value per type, so we parse
     * exactly one host_name entry and treat anything else as malformed.
     */
    if (!PACKET_get_1(&name_list, &name_type)
            || name_type != TLSEXT_NAMETYPE_host_name
            || !PACKET_as_length_prefixed_2(&name_list, &host)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * TLSv1.2 and below tie the SNI to the session, so on a resumption we
     * only check it is consistent with the session's stored hostname.
     * TLSv1.3 always takes the value from this handshake.
     */
    if (s->hit && !SSL_IS_TLS13(s)) {
        const char *stored = s->session->ext.hostname;

        s->servername_done = stored != NULL
            && PACKET_equal(&host, stored, strlen(stored));
        return 1;
    }

    if (PACKET_remaining(&host) > TLSEXT_MAXLEN_host_name
            || PACKET_contains_zero_byte(&host)) {
        SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Keep the requested name on the SSL for now; if the handshake accepts
     * it, it is copied into the SSL_SESSION as well.
     */
    OPENSSL_free(s->ext.hostname);
    s->ext.hostname = NULL;
    if (!PACKET_strndup(&host, &s->ext.hostname)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    s->servername_done = 1;

    return 1;
}
/*
 * Parse the max_fragment_length extension from a ClientHello. |pkt| must hold
 * exactly one byte, the MaxFragmentLength code, which must be one of the
 * defined values. On a resumption the code must equal the one bound to the
 * session (RFC 6066: the negotiated length applies for the whole session,
 * resumptions included). Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    unsigned int code;

    if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &code)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Reject codes outside the defined range and, on resumption, any code
     * that differs from the one already bound to the session.
     */
    if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(code)
            || (s->hit && s->session->ext.max_fragment_len_mode != code)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    /*
     * Record it in the session so that it is binding for us and is echoed in
     * the next ServerHello.
     */
    s->session->ext.max_fragment_len_mode = code;

    return 1;
}
  178. #ifndef OPENSSL_NO_SRP
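/*
 * Parse the SRP extension from a ClientHello: a 1-byte length-prefixed SRP
 * user name (srp_I), which is stored NUL-terminated in s->srp_ctx.login.
 * Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    PACKET srp_I;

    /* The name is kept as a C string, so an embedded NUL cannot be represented */
    if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
            || PACKET_contains_zero_byte(&srp_I)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Release any login recorded by an earlier handshake on this SSL (e.g. a
     * renegotiation) before storing the new one, as tls_parse_ctos_server_name
     * does for s->ext.hostname; PACKET_strndup() overwrites the pointer it is
     * given rather than freeing it.
     */
    OPENSSL_free(s->srp_ctx.login);
    s->srp_ctx.login = NULL;
    if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}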
  194. #endif
/*
 * Parse the ec_point_formats extension from a ClientHello: a 1-byte
 * length-prefixed, non-empty list of point format codes. On an initial
 * handshake a copy is kept in s->ext.peer_ecpointformats; on a resumption the
 * list is only validated. Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx)
{
    PACKET formats;

    if (!PACKET_as_length_prefixed_1(pkt, &formats)
            || PACKET_remaining(&formats) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Nothing further to record when resuming */
    if (s->hit)
        return 1;

    if (!PACKET_memdup(&formats, &s->ext.peer_ecpointformats,
                       &s->ext.peer_ecpointformats_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
/*
 * Parse the session_ticket extension from a ClientHello. The raw ticket bytes
 * are handed to the application's session_ticket_cb if one is set, and a 0
 * return from it aborts the handshake. Without a callback the extension is
 * accepted without inspection. Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->ext.session_ticket_cb == NULL)
        return 1;

    if (s->ext.session_ticket_cb(s, PACKET_data(pkt), PACKET_remaining(pkt),
                                 s->ext.session_ticket_cb_arg) == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
/*
 * Parse the signature_algorithms_cert extension from a ClientHello: a 2-byte
 * length-prefixed, non-empty list of SignatureScheme values. On an initial
 * handshake the list is handed to tls1_save_sigalgs() with its final argument
 * set to 1, which distinguishes it from the plain signature_algorithms list
 * saved with 0. Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
                                 ossl_unused unsigned int context,
                                 ossl_unused X509 *x,
                                 ossl_unused size_t chainidx)
{
    PACKET sigalgs;

    if (!PACKET_as_length_prefixed_2(pkt, &sigalgs)
            || PACKET_remaining(&sigalgs) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* On a resumption the list is validated but not saved */
    if (s->hit)
        return 1;

    if (!tls1_save_sigalgs(s, &sigalgs, 1)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    return 1;
}
/*
 * Parse the signature_algorithms extension from a ClientHello: a 2-byte
 * length-prefixed, non-empty list of SignatureScheme values. On an initial
 * handshake the list is handed to tls1_save_sigalgs() with its final argument
 * set to 0 (the signature_algorithms_cert parser passes 1). Returns 1 on
 * success, 0 after a fatal alert.
 */
int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                            size_t chainidx)
{
    PACKET sigalgs;

    if (!PACKET_as_length_prefixed_2(pkt, &sigalgs)
            || PACKET_remaining(&sigalgs) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* On a resumption the list is validated but not saved */
    if (s->hit)
        return 1;

    if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    return 1;
}
  258. #ifndef OPENSSL_NO_OCSP
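/*
 * Parse the status_request extension from a ClientHello.
 *
 * The requested status type is recorded in s->ext.status_type. For
 * TLSEXT_STATUSTYPE_ocsp the responder id list is DER-decoded into
 * s->ext.ocsp.ids and the request extensions into s->ext.ocsp.exts, each
 * replacing whatever a previous handshake left there; any other status type
 * is accepted but recorded as TLSEXT_STATUSTYPE_nothing. The extension is
 * ignored on a resumption and when it arrives in a client Certificate
 * (|x| != NULL). Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    PACKET responder_id_list, exts;
    unsigned int status_type;

    /* We ignore this in a resumption handshake */
    if (s->hit)
        return 1;

    /* Not defined if we get one of these in a client Certificate */
    if (x != NULL)
        return 1;

    /* Read into a local rather than casting the field to unsigned int * */
    if (!PACKET_get_1(pkt, &status_type)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    s->ext.status_type = status_type;

    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
        /* We don't know what to do with any other type so ignore it. */
        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
        return 1;
    }

    if (!PACKET_get_length_prefixed_2(pkt, &responder_id_list)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Drop any OCSP_RESPIDs and request extensions left by a previous
     * handshake on this SSL. For the ids this prevents unbounded memory
     * growth (CVE-2016-6304). The exts are reset at the same point so that a
     * request carrying no extensions cannot leave a stale list from an
     * earlier handshake in place.
     */
    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
    s->ext.ocsp.ids = NULL;
    sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
    s->ext.ocsp.exts = NULL;

    if (PACKET_remaining(&responder_id_list) > 0) {
        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
        if (s->ext.ocsp.ids == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    }

    while (PACKET_remaining(&responder_id_list) > 0) {
        OCSP_RESPID *id;
        PACKET responder_id;
        const unsigned char *id_data;

        if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
                || PACKET_remaining(&responder_id) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        id_data = PACKET_data(&responder_id);
        id = d2i_OCSP_RESPID(NULL, &id_data,
                             (int)PACKET_remaining(&responder_id));
        if (id == NULL) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        /* The DER must account for the whole ResponderID; trailing bytes are an error */
        if (id_data != PACKET_end(&responder_id)) {
            OCSP_RESPID_free(id);
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
            OCSP_RESPID_free(id);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }

    /* Read in request_extensions */
    if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (PACKET_remaining(&exts) > 0) {
        const unsigned char *ext_data = PACKET_data(&exts);

        s->ext.ocsp.exts =
            d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
        /* As for the ids, the DER must consume the whole block */
        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }
    }

    return 1;
}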
  343. #endif
  344. #ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Parse the next_protocol_negotiation extension from a ClientHello. Nothing
 * in |pkt| is inspected; we only note that the extension was seen, and only
 * on the first handshake since it is not accepted on a renegotiation.
 * Always returns 1.
 */
int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 1;

    s->s3.npn_seen = 1;
    return 1;
}
  356. #endif
/*
 * Save the ALPN extension from a ClientHello. |pkt| holds the contents of the
 * extension, not including type and length: a 2-byte length-prefixed
 * ProtocolNameList whose entries are 1-byte length-prefixed, non-empty names.
 * The whole validated list is copied into s->s3.alpn_proposed. Ignored on a
 * renegotiation. Returns 1 on success, 0 after a fatal alert.
 */
int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)
{
    PACKET names, cursor, name;

    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 1;

    /* Fewer than 2 bytes cannot hold even one length byte plus one name byte */
    if (!PACKET_as_length_prefixed_2(pkt, &names)
            || PACKET_remaining(&names) < 2) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Walk a copy so that |names| still spans the whole list afterwards */
    cursor = names;
    while (PACKET_remaining(&cursor) != 0) {
        /* Protocol names can't be empty. */
        if (!PACKET_get_length_prefixed_1(&cursor, &name)
                || PACKET_remaining(&name) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }
    }

    OPENSSL_free(s->s3.alpn_proposed);
    s->s3.alpn_proposed = NULL;
    s->s3.alpn_proposed_len = 0;
    if (!PACKET_memdup(&names, &s->s3.alpn_proposed,
                       &s->s3.alpn_proposed_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
  391. #ifndef OPENSSL_NO_SRTP
/*
 * Parse the use_srtp extension from a ClientHello: a 2-byte length-prefixed
 * list of 2-byte SRTP protection profile ids, followed by a 1-byte
 * length-prefixed MKI. The most preferred of our configured profiles that the
 * client also offers is stored in s->srtp_profile (NULL if none match). The
 * MKI is parsed only to validate the encoding and is then discarded. Ignored
 * entirely when no SRTP profiles are configured. Returns 1 on success, 0
 * after a fatal alert.
 */
int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                            size_t chainidx)
{
    STACK_OF(SRTP_PROTECTION_PROFILE) *ours;
    unsigned int list_len, mki_len, offered_id;
    int best, idx;
    PACKET profiles;

    /* Ignore this if we have no SRTP profiles */
    ours = SSL_get_srtp_profiles(s);
    if (ours == NULL)
        return 1;

    /* The profile list length must be even: each id is 2 bytes */
    if (!PACKET_get_net_2(pkt, &list_len) || (list_len & 1) != 0
            || !PACKET_get_sub_packet(pkt, &profiles, list_len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
    }

    s->srtp_profile = NULL;
    /*
     * |best| is the index of the current match in our preference-ordered
     * list. It starts past the end so the first offered id is checked against
     * every profile; each later id is only matched against profiles we prefer
     * over the current match. With an empty list this loop does nothing.
     */
    best = sk_SRTP_PROTECTION_PROFILE_num(ours);
    while (PACKET_remaining(&profiles)) {
        if (!PACKET_get_net_2(&profiles, &offered_id)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
            return 0;
        }
        for (idx = 0; idx < best; idx++) {
            SRTP_PROTECTION_PROFILE *candidate =
                sk_SRTP_PROTECTION_PROFILE_value(ours, idx);

            if (candidate->id == offered_id) {
                s->srtp_profile = candidate;
                best = idx;
                break;
            }
        }
    }

    /* Now extract the MKI value as a sanity check, but discard it for now */
    if (!PACKET_get_1(pkt, &mki_len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
    }
    if (!PACKET_forward(pkt, mki_len) || PACKET_remaining(pkt)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
        return 0;
    }

    return 1;
}
  448. #endif
/*
 * Parse the encrypt_then_mac extension from a ClientHello. |pkt| is not
 * inspected; seeing the extension enables EtM for this connection unless the
 * application disabled it with SSL_OP_NO_ENCRYPT_THEN_MAC. Always returns 1.
 */
int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    const int etm_disabled = (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) != 0;

    if (!etm_disabled)
        s->ext.use_etm = 1;

    return 1;
}
/*
 * Process a psk_key_exchange_modes extension received in the ClientHello.
 * |pkt| contains the raw PACKET data for the extension: a 1-byte
 * length-prefixed, non-empty list of mode bytes. Recognised modes are
 * accumulated as flag bits in s->ext.psk_kex_mode; psk_ke is only honoured
 * when SSL_OP_ALLOW_NO_DHE_KEX is set, and unknown modes are skipped. A
 * no-op when TLSv1.3 is compiled out. Returns 1 on success or 0 on failure.
 */
int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    PACKET modes;
    unsigned int mode;
    const int allow_ke = (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0;

    if (!PACKET_as_length_prefixed_1(pkt, &modes)
            || PACKET_remaining(&modes) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    while (PACKET_get_1(&modes, &mode)) {
        switch (mode) {
        case TLSEXT_KEX_MODE_KE_DHE:
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
            break;
        case TLSEXT_KEX_MODE_KE:
            if (allow_ke)
                s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
            break;
        default:
            /* Unknown mode: ignore it */
            break;
        }
    }
#endif

    return 1;
}
/*
 * Process a key_share extension received in the ClientHello. |pkt| contains
 * the raw PACKET data for the extension: a 2-byte length-prefixed list of
 * KeyShareEntry values (2-byte group id + 2-byte length-prefixed, non-empty
 * key exchange data).
 *
 * The first share whose group the client also listed in supported_groups and
 * which we support is selected: its group id is recorded in s->s3.group_id
 * and s->session->kex_group, and the peer key is loaded into s->s3.peer_tmp.
 * Any remaining entries are still checked structurally. After an HRR the
 * client must send exactly one share, for the group we asked for. Skipped on
 * a PSK resumption that does not use the DHE mode, and a no-op when TLSv1.3
 * is compiled out. Returns 1 on success or 0 on failure.
 */
int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                             size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int group_id;
    PACKET shares, keydata;
    const uint16_t *clnt_groups, *srvr_groups;
    size_t clnt_ngroups, srvr_ngroups;
    int selected = 0;

    /* With a PSK that does not use (EC)DHE there is no key share to process */
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
        return 1;

    /* Sanity check: the peer key must not already have been set */
    if (s->s3.peer_tmp != NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!PACKET_as_length_prefixed_2(pkt, &shares)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    /* Our own list of supported groups, then the client's */
    tls1_get_supported_groups(s, &srvr_groups, &srvr_ngroups);
    tls1_get_peer_groups(s, &clnt_groups, &clnt_ngroups);
    if (clnt_ngroups == 0) {
        /*
         * Only possible if supported_groups was not sent at all: that
         * extension's parser rejects an empty list.
         */
        SSLfatal(s, SSL_AD_MISSING_EXTENSION,
                 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
        return 0;
    }

    /*
     * A non-zero group_id means we already sent an HRR asking for a share in
     * that group, so an empty list now is an error.
     */
    if (s->s3.group_id != 0 && PACKET_remaining(&shares) == 0) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
        return 0;
    }

    while (PACKET_remaining(&shares) > 0) {
        if (!PACKET_get_net_2(&shares, &group_id)
                || !PACKET_get_length_prefixed_2(&shares, &keydata)
                || PACKET_remaining(&keydata) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            return 0;
        }

        /* Once a share is selected the rest are only checked for structure */
        if (selected)
            continue;

        /* After an HRR: exactly one share, and for the group we requested */
        if (s->s3.group_id != 0
                && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
                    || PACKET_remaining(&shares) != 0)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* A share for a group absent from the client's supported_groups is illegal */
        if (!check_in_list(s, group_id, clnt_groups, clnt_ngroups, 0)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* A share for a group we cannot use is simply skipped */
        if (!check_in_list(s, group_id, srvr_groups, srvr_ngroups, 1))
            continue;

        s->s3.group_id = group_id;
        /* Cache the selected group ID in the SSL_SESSION */
        s->session->kex_group = group_id;

        group_id = ssl_group_id_tls13_to_internal(group_id);
        s->s3.peer_tmp = ssl_generate_param_group(s, group_id);
        if (s->s3.peer_tmp == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
            return 0;
        }
        if (tls13_set_encoded_pub_key(s->s3.peer_tmp, PACKET_data(&keydata),
                                      PACKET_remaining(&keydata)) <= 0) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
            return 0;
        }
        selected = 1;
    }
#endif

    return 1;
}
  581. int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  582. size_t chainidx)
  583. {
  584. #ifndef OPENSSL_NO_TLS1_3
  585. unsigned int format, version, key_share, group_id;
  586. EVP_MD_CTX *hctx;
  587. EVP_PKEY *pkey;
  588. PACKET cookie, raw, chhash, appcookie;
  589. WPACKET hrrpkt;
  590. const unsigned char *data, *mdin, *ciphdata;
  591. unsigned char hmac[SHA256_DIGEST_LENGTH];
  592. unsigned char hrr[MAX_HRR_SIZE];
  593. size_t rawlen, hmaclen, hrrlen, ciphlen;
  594. unsigned long tm, now;
  595. /* Ignore any cookie if we're not set up to verify it */
  596. if (s->ctx->verify_stateless_cookie_cb == NULL
  597. || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  598. return 1;
  599. if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
  600. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  601. return 0;
  602. }
  603. raw = cookie;
  604. data = PACKET_data(&raw);
  605. rawlen = PACKET_remaining(&raw);
  606. if (rawlen < SHA256_DIGEST_LENGTH
  607. || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
  608. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  609. return 0;
  610. }
  611. mdin = PACKET_data(&raw);
  612. /* Verify the HMAC of the cookie */
  613. hctx = EVP_MD_CTX_create();
  614. pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
  615. s->ctx->propq,
  616. s->session_ctx->ext.cookie_hmac_key,
  617. sizeof(s->session_ctx->ext.cookie_hmac_key));
  618. if (hctx == NULL || pkey == NULL) {
  619. EVP_MD_CTX_free(hctx);
  620. EVP_PKEY_free(pkey);
  621. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  622. return 0;
  623. }
  624. hmaclen = SHA256_DIGEST_LENGTH;
  625. if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
  626. s->ctx->propq, pkey, NULL) <= 0
  627. || EVP_DigestSign(hctx, hmac, &hmaclen, data,
  628. rawlen - SHA256_DIGEST_LENGTH) <= 0
  629. || hmaclen != SHA256_DIGEST_LENGTH) {
  630. EVP_MD_CTX_free(hctx);
  631. EVP_PKEY_free(pkey);
  632. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  633. return 0;
  634. }
  635. EVP_MD_CTX_free(hctx);
  636. EVP_PKEY_free(pkey);
  637. if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
  638. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
  639. return 0;
  640. }
  641. if (!PACKET_get_net_2(&cookie, &format)) {
  642. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  643. return 0;
  644. }
  645. /* Check the cookie format is something we recognise. Ignore it if not */
  646. if (format != COOKIE_STATE_FORMAT_VERSION)
  647. return 1;
  648. /*
  649. * The rest of these checks really shouldn't fail since we have verified the
  650. * HMAC above.
  651. */
  652. /* Check the version number is sane */
  653. if (!PACKET_get_net_2(&cookie, &version)) {
  654. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  655. return 0;
  656. }
  657. if (version != TLS1_3_VERSION) {
  658. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  659. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  660. return 0;
  661. }
  662. if (!PACKET_get_net_2(&cookie, &group_id)) {
  663. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  664. return 0;
  665. }
  666. ciphdata = PACKET_data(&cookie);
  667. if (!PACKET_forward(&cookie, 2)) {
  668. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  669. return 0;
  670. }
  671. if (group_id != s->s3.group_id
  672. || s->s3.tmp.new_cipher
  673. != ssl_get_cipher_by_char(s, ciphdata, 0)) {
  674. /*
  675. * We chose a different cipher or group id this time around to what is
  676. * in the cookie. Something must have changed.
  677. */
  678. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
  679. return 0;
  680. }
  681. if (!PACKET_get_1(&cookie, &key_share)
  682. || !PACKET_get_net_4(&cookie, &tm)
  683. || !PACKET_get_length_prefixed_2(&cookie, &chhash)
  684. || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
  685. || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
  686. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  687. return 0;
  688. }
  689. /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
  690. now = (unsigned long)time(NULL);
  691. if (tm > now || (now - tm) > 600) {
  692. /* Cookie is stale. Ignore it */
  693. return 1;
  694. }
  695. /* Verify the app cookie */
  696. if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
  697. PACKET_remaining(&appcookie)) == 0) {
  698. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
  699. return 0;
  700. }
  701. /*
  702. * Reconstruct the HRR that we would have sent in response to the original
  703. * ClientHello so we can add it to the transcript hash.
  704. * Note: This won't work with custom HRR extensions
  705. */
  706. if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
  707. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  708. return 0;
  709. }
  710. if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
  711. || !WPACKET_start_sub_packet_u24(&hrrpkt)
  712. || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
  713. || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
  714. || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
  715. s->tmp_session_id_len)
  716. || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
  717. &ciphlen)
  718. || !WPACKET_put_bytes_u8(&hrrpkt, 0)
  719. || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
  720. WPACKET_cleanup(&hrrpkt);
  721. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  722. return 0;
  723. }
  724. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
  725. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  726. || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
  727. || !WPACKET_close(&hrrpkt)) {
  728. WPACKET_cleanup(&hrrpkt);
  729. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  730. return 0;
  731. }
  732. if (key_share) {
  733. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
  734. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  735. || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
  736. || !WPACKET_close(&hrrpkt)) {
  737. WPACKET_cleanup(&hrrpkt);
  738. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  739. return 0;
  740. }
  741. }
  742. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
  743. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  744. || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
  745. || !WPACKET_close(&hrrpkt) /* cookie extension */
  746. || !WPACKET_close(&hrrpkt) /* extension block */
  747. || !WPACKET_close(&hrrpkt) /* message */
  748. || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
  749. || !WPACKET_finish(&hrrpkt)) {
  750. WPACKET_cleanup(&hrrpkt);
  751. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  752. return 0;
  753. }
  754. /* Reconstruct the transcript hash */
  755. if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
  756. PACKET_remaining(&chhash), hrr,
  757. hrrlen)) {
  758. /* SSLfatal() already called */
  759. return 0;
  760. }
  761. /* Act as if this ClientHello came after a HelloRetryRequest */
  762. s->hello_retry_request = 1;
  763. s->ext.cookieok = 1;
  764. #endif
  765. return 1;
  766. }
/*
 * Parse the client's supported_groups extension.
 *
 * The body is a 2-byte length-prefixed list of 2-byte group ids; an empty or
 * odd-length list is a decode error. The list is stored in
 * s->ext.peer_supportedgroups except on a pre-TLSv1.3 resumption, where the
 * list saved from the original handshake is kept untouched.
 *
 * Returns 1 on success, 0 after SSLfatal() on a malformed list or when the
 * list cannot be saved.
 */
int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
                                    X509 *x, size_t chainidx)
{
    PACKET groups;
    size_t groupslen;

    if (!PACKET_as_length_prefixed_2(pkt, &groups)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Each group id is 2 bytes wide and at least one must be present */
    groupslen = PACKET_remaining(&groups);
    if (groupslen == 0 || (groupslen & 1) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Pre-TLSv1.3 resumption: the original handshake's list stays in force */
    if (s->hit && !SSL_IS_TLS13(s))
        return 1;

    /* Drop any previously stored list before replacing it */
    OPENSSL_free(s->ext.peer_supportedgroups);
    s->ext.peer_supportedgroups = NULL;
    s->ext.peer_supportedgroups_len = 0;

    if (!tls1_save_u16(&groups,
                       &s->ext.peer_supportedgroups,
                       &s->ext.peer_supportedgroups_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
/*
 * Parse the client's extended_master_secret extension.
 *
 * The extension carries no payload, so any body bytes are a decode error.
 * When accepted (and SSL_OP_NO_EXTENDED_MASTER_SECRET is not set) the
 * TLS1_FLAGS_RECEIVED_EXTMS flag is recorded in s->s3.flags; with the option
 * set the extension is silently ignored.
 *
 * Returns 1 on success, 0 after SSLfatal() on a non-empty body.
 */
int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    if (PACKET_remaining(pkt) == 0) {
        /* Only remember the extension if EMS has not been disabled */
        if ((s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) == 0)
            s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
        return 1;
    }

    /* The extension must always be empty */
    SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
    return 0;
}
/*
 * Parse the client's early_data extension.
 *
 * The extension is empty in a ClientHello, so a non-empty body is a decode
 * error. It is also only permitted in the first ClientHello: if a
 * HelloRetryRequest has already been issued (s->hello_retry_request is not
 * SSL_HRR_NONE) the extension is rejected with illegal_parameter.
 *
 * Returns 1 on success, 0 after SSLfatal().
 */
int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
                              X509 *x, size_t chainidx)
{
    int alert;

    if (PACKET_remaining(pkt) == 0 && s->hello_retry_request == SSL_HRR_NONE)
        return 1;

    /* A non-empty body is a framing problem; a post-HRR offer is a protocol one */
    alert = PACKET_remaining(pkt) != 0 ? SSL_AD_DECODE_ERROR
                                       : SSL_AD_ILLEGAL_PARAMETER;
    SSLfatal(s, alert, SSL_R_BAD_EXTENSION);
    return 0;
}
/*
 * Resolve a "stateful" TLSv1.3 ticket: the ticket bytes are a session id
 * looked up in the server-side session cache rather than a self-contained
 * encrypted ticket.
 *
 * Always marks s->ext.ticket_expected so a fresh ticket is issued later.
 * A ticket must be exactly SSL_MAX_SSL_SESSION_ID_LENGTH bytes long to be
 * looked up at all.
 *
 * Returns SSL_TICKET_EMPTY for a zero-length ticket, SSL_TICKET_NO_DECRYPT
 * for a wrongly-sized ticket or a cache miss, and SSL_TICKET_SUCCESS with
 * *sess set (caller owns the reference) on a hit.
 */
static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
                                                 SSL_SESSION **sess)
{
    size_t ticklen = PACKET_remaining(tick);
    SSL_SESSION *found;

    s->ext.ticket_expected = 1;

    if (ticklen == 0)
        return SSL_TICKET_EMPTY;
    if (ticklen != SSL_MAX_SSL_SESSION_ID_LENGTH)
        return SSL_TICKET_NO_DECRYPT;

    found = lookup_sess_in_cache(s, PACKET_data(tick),
                                 SSL_MAX_SSL_SESSION_ID_LENGTH);
    if (found == NULL)
        return SSL_TICKET_NO_DECRYPT;

    *sess = found;
    return SSL_TICKET_SUCCESS;
}
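/*
 * Parse the client's pre_shared_key extension (TLSv1.3).
 *
 * Walks the identity list and selects the first identity that resolves to a
 * usable session, trying in order: the application's psk_find_session_cb,
 * the legacy psk_server_callback (unless OPENSSL_NO_PSK), a stateful ticket
 * lookup (when SSL_OP_NO_TICKET is set or anti-replay is active), or a
 * decrypted stateless ticket. The session's hash must match that of the
 * cipher already chosen in s->s3.tmp.new_cipher, otherwise the identity is
 * skipped. The binder for the selected identity is then verified by
 * tls_psk_do_binder() over the transcript prefix (init_buf up to the binders
 * list). On success the session replaces s->session and its index is stored
 * in s->ext.tick_identity.
 *
 * Returns 1 on success or when the extension is ignored (no recognised PSK
 * kex mode, or no identity resolved to a session); returns 0 after SSLfatal()
 * on a decode error, an internal error, or a binder mismatch. Every error
 * path releases any session reference that was obtained.
 */
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    PACKET identities, binders, binder;
    size_t binderoffset, hashsize;
    SSL_SESSION *sess = NULL;
    unsigned int id, i, ext = 0;
    const EVP_MD *md = NULL;

    /*
     * If we have no PSK kex mode that we recognise then we can't resume so
     * ignore this extension
     */
    if ((s->ext.psk_kex_mode
            & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
        return 1;

    if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    s->ext.ticket_expected = 0;
    /* id ends up as the index of the identity we accepted */
    for (id = 0; PACKET_remaining(&identities) != 0; id++) {
        PACKET identity;
        unsigned long ticket_agel;
        size_t idlen;

        if (!PACKET_get_length_prefixed_2(&identities, &identity)
                || !PACKET_get_net_4(&identities, &ticket_agel)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        idlen = PACKET_remaining(&identity);
        /* Application callback gets first refusal on every identity */
        if (s->psk_find_session_cb != NULL
                && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
                                           &sess)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

#ifndef OPENSSL_NO_PSK
        if (sess == NULL
                && s->psk_server_callback != NULL
                && idlen <= PSK_MAX_IDENTITY_LEN) {
            char *pskid = NULL;
            unsigned char pskdata[PSK_MAX_PSK_LEN];
            unsigned int pskdatalen;

            if (!PACKET_strndup(&identity, &pskid)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
            pskdatalen = s->psk_server_callback(s, pskid, pskdata,
                                                sizeof(pskdata));
            OPENSSL_free(pskid);
            /* The callback must not claim to have written past the buffer */
            if (pskdatalen > PSK_MAX_PSK_LEN) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            } else if (pskdatalen > 0) {
                const SSL_CIPHER *cipher;
                const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };

                /*
                 * We found a PSK using an old style callback. We don't know
                 * the digest so we default to SHA256 as per the TLSv1.3 spec
                 */
                cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
                if (cipher == NULL) {
                    OPENSSL_cleanse(pskdata, pskdatalen);
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    return 0;
                }

                sess = SSL_SESSION_new();
                if (sess == NULL
                        || !SSL_SESSION_set1_master_key(sess, pskdata,
                                                        pskdatalen)
                        || !SSL_SESSION_set_cipher(sess, cipher)
                        || !SSL_SESSION_set_protocol_version(sess,
                                                             TLS1_3_VERSION)) {
                    OPENSSL_cleanse(pskdata, pskdatalen);
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    goto err;
                }
                /* The key material now lives in sess; scrub the stack copy */
                OPENSSL_cleanse(pskdata, pskdatalen);
            }
        }
#endif /* OPENSSL_NO_PSK */

        if (sess != NULL) {
            /* We found a PSK */
            SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);

            if (sesstmp == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                /* err releases the reference the callback handed us */
                goto err;
            }
            SSL_SESSION_free(sess);
            sess = sesstmp;

            /*
             * We've just been told to use this session for this context so
             * make sure the sid_ctx matches up.
             */
            memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
            sess->sid_ctx_length = s->sid_ctx_length;
            ext = 1;
            if (id == 0)
                s->ext.early_data_ok = 1;
            s->ext.ticket_expected = 1;
        } else {
            uint32_t ticket_age = 0, now, agesec, agems;
            int ret;

            /*
             * If we are using anti-replay protection then we behave as if
             * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
             * is no point in using full stateless tickets.
             */
            if ((s->options & SSL_OP_NO_TICKET) != 0
                    || (s->max_early_data > 0
                        && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
                ret = tls_get_stateful_ticket(s, &identity, &sess);
            else
                ret = tls_decrypt_ticket(s, PACKET_data(&identity),
                                         PACKET_remaining(&identity), NULL, 0,
                                         &sess);

            if (ret == SSL_TICKET_EMPTY) {
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
                return 0;
            }

            if (ret == SSL_TICKET_FATAL_ERR_MALLOC
                    || ret == SSL_TICKET_FATAL_ERR_OTHER) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
            /* An unusable ticket is not an error: try the next identity */
            if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
                continue;

            /*
             * Check for replay: with anti-replay enabled a cached session is
             * single-use, so failing to remove it means it was already spent.
             */
            if (s->max_early_data > 0
                    && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
                    && !SSL_CTX_remove_session(s->session_ctx, sess)) {
                SSL_SESSION_free(sess);
                sess = NULL;
                continue;
            }

            ticket_age = (uint32_t)ticket_agel;
            now = (uint32_t)time(NULL);
            agesec = now - (uint32_t)sess->time;
            agems = agesec * (uint32_t)1000;
            /* Undo the client's ticket_age_add obfuscation (uint32 wrap intended) */
            ticket_age -= sess->ext.tick_age_add;

            /*
             * For simplicity we do our age calculations in seconds. If the
             * client does it in ms then it could appear that their ticket age
             * is longer than ours (our ticket age calculation should always be
             * slightly longer than the client's due to the network latency).
             * Therefore we add 1000ms to our age calculation to adjust for
             * rounding errors.
             */
            if (id == 0
                    && sess->timeout >= (long)agesec
                    && agems / (uint32_t)1000 == agesec
                    && ticket_age <= agems + 1000
                    && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
                /*
                 * Ticket age is within tolerance and not expired. We allow it
                 * for early data
                 */
                s->ext.early_data_ok = 1;
            }
        }

        md = ssl_md(s->ctx, sess->cipher->algorithm2);
        if (md == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }
        if (!EVP_MD_is_a(md,
                         EVP_MD_get0_name(ssl_md(s->ctx,
                                                 s->s3.tmp.new_cipher->algorithm2)))) {
            /* The ciphersuite is not compatible with this session. */
            SSL_SESSION_free(sess);
            sess = NULL;
            s->ext.early_data_ok = 0;
            s->ext.ticket_expected = 0;
            continue;
        }
        break;
    }

    if (sess == NULL)
        return 1;

    /* The binder covers everything in the handshake buffer before the binders list */
    binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
    hashsize = EVP_MD_get_size(md);

    if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        goto err;
    }

    /* Skip to the binder that belongs to the identity we accepted */
    for (i = 0; i <= id; i++) {
        if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            goto err;
        }
    }

    if (PACKET_remaining(&binder) != hashsize) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        goto err;
    }
    if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
                          binderoffset, PACKET_data(&binder), NULL, sess, 0,
                          ext) != 1) {
        /* SSLfatal() already called */
        goto err;
    }

    s->ext.tick_identity = id;

    SSL_SESSION_free(s->session);
    s->session = sess;
    return 1;
err:
    SSL_SESSION_free(sess);
    return 0;
}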
/*
 * Parse the client's post_handshake_auth extension.
 *
 * The extension has no body; any payload bytes are reported as
 * SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR. On success the connection is
 * marked SSL_PHA_EXT_RECEIVED so the server may later request client
 * authentication after the handshake.
 *
 * Returns 1 on success, 0 after SSLfatal().
 */
int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
                                       ossl_unused unsigned int context,
                                       ossl_unused X509 *x,
                                       ossl_unused size_t chainidx)
{
    if (PACKET_remaining(pkt) == 0) {
        s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
        return 1;
    }

    SSLfatal(s, SSL_AD_DECODE_ERROR,
             SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
    return 0;
}
/*
 * Add the server's renegotiation_info extension (RFC 5746).
 *
 * Only sent when s->s3.send_connection_binding is set. The body is a single
 * 1-byte length-prefixed field holding the previous client Finished followed
 * by the previous server Finished (both empty on an initial handshake).
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    int ok;

    if (!s->s3.send_connection_binding)
        return EXT_RETURN_NOT_SENT;

    /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
    ok = WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate);
    ok = ok && WPACKET_start_sub_packet_u16(pkt);
    ok = ok && WPACKET_start_sub_packet_u8(pkt);
    ok = ok && WPACKET_memcpy(pkt, s->s3.previous_client_finished,
                              s->s3.previous_client_finished_len);
    ok = ok && WPACKET_memcpy(pkt, s->s3.previous_server_finished,
                              s->s3.previous_server_finished_len);
    ok = ok && WPACKET_close(pkt);   /* renegotiated_connection */
    ok = ok && WPACKET_close(pkt);   /* extension_data */

    if (!ok) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
/*
 * Add the server_name extension to the ServerHello/EncryptedExtensions.
 *
 * Sent (as an empty extension, per the protocol) only when the SNI callback
 * has completed (s->servername_done == 1). On a pre-TLSv1.3 resumption the
 * SNI from the original handshake is used and nothing is sent.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    int resuming_pre_tls13;

    if (s->servername_done != 1)
        return EXT_RETURN_NOT_SENT;

    /*
     * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
     * We just use the servername from the initial handshake.
     */
    resuming_pre_tls13 = s->hit && !SSL_IS_TLS13(s);
    if (resuming_pre_tls13)
        return EXT_RETURN_NOT_SENT;

    /* Extension type followed by a zero extension length */
    if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
            && WPACKET_put_bytes_u16(pkt, 0))
        return EXT_RETURN_SENT;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
/*
 * Add the server's max_fragment_length extension into the ServerHello.
 *
 * Sent only when the session negotiated a max fragment length mode
 * (USE_MAX_FRAGMENT_LENGTH_EXT). The body is the single code byte taken from
 * s->session->ext.max_fragment_len_mode.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
        return EXT_RETURN_NOT_SENT;

    /*-
     * 4 bytes for this extension type and extension length
     * 1 byte for the Max Fragment Length code value.
     */
    if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
            && WPACKET_start_sub_packet_u16(pkt)
            && WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
            && WPACKET_close(pkt))
        return EXT_RETURN_SENT;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
/*
 * Add the server's ec_point_formats extension.
 *
 * Sent only when the negotiated cipher uses ECDHE key exchange or ECDSA
 * authentication and the client itself offered ec_point_formats
 * (s->ext.peer_ecpointformats != NULL). The body is our own format list
 * from tls1_get_formatlist(), 1-byte length-prefixed.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
    unsigned long kex_alg = s->s3.tmp.new_cipher->algorithm_mkey;
    unsigned long auth_alg = s->s3.tmp.new_cipher->algorithm_auth;
    const unsigned char *formats;
    size_t nformats;
    int ecc_cipher;

    ecc_cipher = (kex_alg & SSL_kECDHE) != 0 || (auth_alg & SSL_aECDSA) != 0;
    if (!ecc_cipher || s->ext.peer_ecpointformats == NULL)
        return EXT_RETURN_NOT_SENT;

    tls1_get_formatlist(s, &formats, &nformats);

    if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
            && WPACKET_start_sub_packet_u16(pkt)
            && WPACKET_sub_memcpy_u8(pkt, formats, nformats)
            && WPACKET_close(pkt))
        return EXT_RETURN_SENT;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
/*
 * Add the server's supported_groups extension.
 *
 * Only considered when a client key_share was accepted (s->s3.group_id != 0).
 * Walks our own group preference list and writes every group that passes
 * tls_valid_group() for the negotiated version and tls_group_allowed() under
 * the security policy. If the first such group is the one the client already
 * used, the extension is not sent at all.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() (no groups configured, or a WPACKET write/close failure).
 */
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
                                               unsigned int context, X509 *x,
                                               size_t chainidx)
{
    const uint16_t *groups;
    size_t numgroups, i, first = 1;
    int version;

    /* s->s3.group_id is non zero if we accepted a key_share */
    if (s->s3.group_id == 0)
        return EXT_RETURN_NOT_SENT;

    /* Get our list of supported groups */
    tls1_get_supported_groups(s, &groups, &numgroups);
    if (numgroups == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /* Copy group ID if supported */
    version = SSL_version(s);
    for (i = 0; i < numgroups; i++) {
        uint16_t group = groups[i];

        if (tls_valid_group(s, group, version, version, 0, NULL)
                && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
            if (first) {
                /*
                 * Check if the client is already using our preferred group. If
                 * so we don't need to add this extension
                 */
                if (s->s3.group_id == group)
                    return EXT_RETURN_NOT_SENT;

                /* Add extension header */
                if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
                           /* Sub-packet for supported_groups extension */
                        || !WPACKET_start_sub_packet_u16(pkt)
                        || !WPACKET_start_sub_packet_u16(pkt)) {
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    return EXT_RETURN_FAIL;
                }

                first = 0;
            }
            if (!WPACKET_put_bytes_u16(pkt, group)) {
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    return EXT_RETURN_FAIL;
                }
        }
    }

    /*
     * Close the group list and the extension sub-packets. If no group at all
     * passed the checks above the header was never opened, so this path
     * presumably reports an internal error rather than sending nothing -
     * expected to be unreachable since the accepted group_id is itself valid.
     */
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
/*
 * Add the (empty) session_ticket extension to the ServerHello, announcing
 * that a NewSessionTicket message will follow.
 *
 * Sent only when a ticket is expected for this connection and tickets are
 * enabled (tls_use_ticket). Otherwise s->ext.ticket_expected is cleared so
 * no ticket is issued later.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (s->ext.ticket_expected && tls_use_ticket(s)) {
        if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
                && WPACKET_put_bytes_u16(pkt, 0))
            return EXT_RETURN_SENT;

        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /* No ticket will be sent, make sure the rest of the handshake agrees */
    s->ext.ticket_expected = 0;
    return EXT_RETURN_NOT_SENT;
}
#ifndef OPENSSL_NO_OCSP
/*
 * Add the server's status_request (OCSP stapling) extension.
 *
 * Not sent inside a TLSv1.3 CertificateRequest, when the client did not ask
 * for a status (s->ext.status_expected == 0), or in TLSv1.3 for any
 * certificate other than the leaf (chainidx != 0). In TLSv1.3 the
 * CertificateStatus body is embedded in the extension via
 * tls_construct_cert_status_body(); in earlier versions the extension is
 * empty and the status is sent as a separate message.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal().
 */
EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    int tls13 = SSL_IS_TLS13(s);

    /* We don't currently support this extension inside a CertificateRequest */
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
            || !s->ext.status_expected
            || (tls13 && chainidx != 0))
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
            || !WPACKET_start_sub_packet_u16(pkt))
        goto write_err;

    /*
     * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
     * send back an empty extension, with the certificate status appearing as a
     * separate message
     */
    if (tls13 && !tls_construct_cert_status_body(s, pkt)) {
        /* SSLfatal() already called */
        return EXT_RETURN_FAIL;
    }

    if (!WPACKET_close(pkt))
        goto write_err;

    return EXT_RETURN_SENT;

 write_err:
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Add the next_proto_neg (NPN) extension to the ServerHello.
 *
 * Consumes s->s3.npn_seen: it is cleared on entry and set again only if the
 * advertised protocol list was actually written. The list is obtained from
 * the context's npn_advertised_cb; when that callback returns anything other
 * than SSL_TLSEXT_ERR_OK nothing is written.
 *
 * Returns EXT_RETURN_NOT_SENT when the client did not offer NPN or no
 * callback is configured, EXT_RETURN_FAIL after SSLfatal() on a write
 * error, and otherwise EXT_RETURN_SENT. Note that SENT is also reported when
 * the callback declined and no bytes were written; that existing behaviour
 * is preserved here.
 */
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    const unsigned char *advertised;
    unsigned int advertisedlen;
    int client_offered_npn = s->s3.npn_seen;

    s->s3.npn_seen = 0;
    if (!client_offered_npn || s->ctx->ext.npn_advertised_cb == NULL)
        return EXT_RETURN_NOT_SENT;

    if (s->ctx->ext.npn_advertised_cb(s, &advertised, &advertisedlen,
                                      s->ctx->ext.npn_advertised_cb_arg)
            != SSL_TLSEXT_ERR_OK)
        return EXT_RETURN_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
            || !WPACKET_sub_memcpy_u16(pkt, advertised, advertisedlen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    s->s3.npn_seen = 1;

    return EXT_RETURN_SENT;
}
#endif
/*
 * Add the server's application_layer_protocol_negotiation (ALPN) extension.
 *
 * Sent only when a protocol was selected (s->s3.alpn_selected != NULL). The
 * body is a 2-byte length-prefixed protocol list containing the single
 * selected protocol as a 1-byte length-prefixed string.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
{
    int ok;

    if (s->s3.alpn_selected == NULL)
        return EXT_RETURN_NOT_SENT;

    ok = WPACKET_put_bytes_u16(pkt,
                               TLSEXT_TYPE_application_layer_protocol_negotiation);
    ok = ok && WPACKET_start_sub_packet_u16(pkt);   /* extension_data */
    ok = ok && WPACKET_start_sub_packet_u16(pkt);   /* protocol_name_list */
    ok = ok && WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
                                     s->s3.alpn_selected_len);
    ok = ok && WPACKET_close(pkt);
    ok = ok && WPACKET_close(pkt);

    if (!ok) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#ifndef OPENSSL_NO_SRTP
/*
 * Add the server's use_srtp extension (DTLS-SRTP).
 *
 * Sent only when an SRTP profile was negotiated (s->srtp_profile != NULL).
 * The body is a profile list of exactly one 2-byte profile id (hence the
 * fixed list length of 2) followed by an empty (zero-length) MKI.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx)
{
    if (s->srtp_profile == NULL)
        return EXT_RETURN_NOT_SENT;

    if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
            && WPACKET_start_sub_packet_u16(pkt)
            && WPACKET_put_bytes_u16(pkt, 2)                     /* profile list length */
            && WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)   /* the single profile */
            && WPACKET_put_bytes_u8(pkt, 0)                      /* empty MKI */
            && WPACKET_close(pkt))
        return EXT_RETURN_SENT;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
#endif
/*
 * Add the (empty) encrypt_then_mac extension to the ServerHello.
 *
 * Only sent when the client offered it (s->ext.use_etm). It is withheld -
 * and s->ext.use_etm cleared so the record layer stays in MAC-then-encrypt -
 * when the negotiated cipher is an AEAD or uses a stream/counter-mode
 * cipher (RC4, the GOST 28147-89 CNT variants, Magma, Kuznyechik) for which
 * encrypt-then-MAC does not apply.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    unsigned long mac_alg, enc_alg;
    int etm_not_applicable;

    if (!s->ext.use_etm)
        return EXT_RETURN_NOT_SENT;

    /*
     * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
     * for other cases too.
     */
    mac_alg = s->s3.tmp.new_cipher->algorithm_mac;
    enc_alg = s->s3.tmp.new_cipher->algorithm_enc;
    etm_not_applicable = mac_alg == SSL_AEAD
                         || enc_alg == SSL_RC4
                         || enc_alg == SSL_eGOST2814789CNT
                         || enc_alg == SSL_eGOST2814789CNT12
                         || enc_alg == SSL_MAGMA
                         || enc_alg == SSL_KUZNYECHIK;
    if (etm_not_applicable) {
        s->ext.use_etm = 0;
        return EXT_RETURN_NOT_SENT;
    }

    if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
            && WPACKET_put_bytes_u16(pkt, 0))
        return EXT_RETURN_SENT;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
/*
 * Add the (empty) extended_master_secret extension to the ServerHello.
 *
 * Sent only when the client's extension was accepted earlier, i.e.
 * TLS1_FLAGS_RECEIVED_EXTMS is set in s->s3.flags.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() on a write error.
 */
EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    int client_sent_ems = (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) != 0;

    if (!client_sent_ems)
        return EXT_RETURN_NOT_SENT;

    if (WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
            && WPACKET_put_bytes_u16(pkt, 0))
        return EXT_RETURN_SENT;

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
    return EXT_RETURN_FAIL;
}
/*
 * Add the supported_versions extension to the ServerHello/HelloRetryRequest.
 *
 * TLSv1.3 only: the extension carries the single negotiated version
 * (s->version). Being called for a non-TLSv1.3 connection is an internal
 * error (ossl_assert).
 *
 * Returns EXT_RETURN_SENT, or EXT_RETURN_FAIL after SSLfatal().
 */
EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
                                                 unsigned int context, X509 *x,
                                                 size_t chainidx)
{
    int ok = ossl_assert(SSL_IS_TLS13(s));

    ok = ok && WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions);
    ok = ok && WPACKET_start_sub_packet_u16(pkt);
    ok = ok && WPACKET_put_bytes_u16(pkt, s->version);
    ok = ok && WPACKET_close(pkt);

    if (!ok) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
/*
 * Add the server's key_share extension to the ServerHello or
 * HelloRetryRequest (TLSv1.3).
 *
 * In the HRR case (s->hello_retry_request == SSL_HRR_PENDING) only the group
 * the client should retry with is written, and nothing at all if the client's
 * original share (s->s3.peer_tmp) was acceptable. Otherwise the server share
 * is produced either by classic key exchange (ssl_generate_pkey + ssl_derive,
 * which updates the crypto state) or, for KEM groups, by ssl_encapsulate
 * followed by ssl_gensecret. s->s3.did_kex is set once a share was sent.
 *
 * Returns EXT_RETURN_SENT; EXT_RETURN_NOT_SENT when the HRR share is already
 * acceptable, when resuming without a client key_share, or when doing PSK
 * without DHE; or EXT_RETURN_FAIL after SSLfatal(). With OPENSSL_NO_TLS1_3
 * it always fails.
 */
EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
                                        unsigned int context, X509 *x,
                                        size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned char *encodedPoint;
    size_t encoded_pt_len = 0;
    EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
    const TLS_GROUP_INFO *ginf = NULL;

    if (s->hello_retry_request == SSL_HRR_PENDING) {
        if (ckey != NULL) {
            /* Original key_share was acceptable so don't ask for another one */
            return EXT_RETURN_NOT_SENT;
        }
        /*
         * NOTE(review): this path maps the group id through
         * ssl_group_id_internal_to_tls13() whereas the ServerHello path below
         * writes s->s3.group_id directly - confirm the two are meant to differ.
         */
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
                || !WPACKET_start_sub_packet_u16(pkt)
                || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
                                                   s->s3.group_id))
                || !WPACKET_close(pkt)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }

        return EXT_RETURN_SENT;
    }

    if (ckey == NULL) {
        /* No key_share received from client - must be resuming */
        if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        return EXT_RETURN_NOT_SENT;
    }
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
        /*
         * PSK ('hit') and explicitly not doing DHE (if the client sent the
         * DHE option we always take it); don't send key share.
         */
        return EXT_RETURN_NOT_SENT;
    }

    /* Extension header and group id; the key_exchange field follows below */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    if (!ginf->is_kem) {
        /* Regular KEX */
        skey = ssl_generate_pkey(s, ckey);
        if (skey == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
            return EXT_RETURN_FAIL;
        }

        /* Generate encoding of server key */
        encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
        if (encoded_pt_len == 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
            EVP_PKEY_free(skey);
            return EXT_RETURN_FAIL;
        }

        if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
                || !WPACKET_close(pkt)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            EVP_PKEY_free(skey);
            OPENSSL_free(encodedPoint);
            return EXT_RETURN_FAIL;
        }
        OPENSSL_free(encodedPoint);

        /*
         * This causes the crypto state to be updated based on the derived keys
         */
        /* Ownership of skey passes to s here, so it is not freed on failure below */
        s->s3.tmp.pkey = skey;
        if (ssl_derive(s, skey, ckey, 1) == 0) {
            /* SSLfatal() already called */
            return EXT_RETURN_FAIL;
        }
    } else {
        /* KEM mode */
        unsigned char *ct = NULL;
        size_t ctlen = 0;

        /*
         * This does not update the crypto state.
         *
         * The generated pms is stored in `s->s3.tmp.pms` to be later used via
         * ssl_gensecret().
         */
        if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
            /* SSLfatal() already called */
            return EXT_RETURN_FAIL;
        }

        /* An empty ciphertext cannot be a valid encapsulation */
        if (ctlen == 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            OPENSSL_free(ct);
            return EXT_RETURN_FAIL;
        }

        if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
                || !WPACKET_close(pkt)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            OPENSSL_free(ct);
            return EXT_RETURN_FAIL;
        }
        OPENSSL_free(ct);

        /*
         * This causes the crypto state to be updated based on the generated pms
         */
        if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
            /* SSLfatal() already called */
            return EXT_RETURN_FAIL;
        }
    }
    s->s3.did_kex = 1;
    return EXT_RETURN_SENT;
#else
    return EXT_RETURN_FAIL;
#endif
}
/*
 * Build the server-side "cookie" extension for a stateless HelloRetryRequest.
 *
 * Only emitted when TLS1_FLAGS_STATELESS is set on the connection. The cookie
 * payload written here is, in order: COOKIE_STATE_FORMAT_VERSION (u16),
 * TLS1_3_VERSION (u16), the negotiated group id (u16), the selected cipher
 * (via put_cipher_by_char), a u8 flag recording whether a key_share was
 * present (peer_tmp == NULL), a u32 timestamp, a u16-length-prefixed hash of
 * the initial ClientHello, and a u8-length-prefixed application cookie from
 * gen_stateless_cookie_cb. An HMAC-SHA256 over all of that, keyed with
 * session_ctx->ext.cookie_hmac_key, is appended last so that the cookie can
 * be authenticated when the peer echoes it back (the matching parse side is
 * not in this block).
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL (with
 * SSLfatal() already called). Fails outright when TLS 1.3 is compiled out.
 */
EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
                                     X509 *x, size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
    unsigned char *hmac, *hmac2;
    size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
    EVP_MD_CTX *hctx;
    EVP_PKEY *pkey;
    int ret = EXT_RETURN_FAIL;

    if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
        return EXT_RETURN_NOT_SENT;

    /* Without an application cookie generator we cannot build a cookie at all */
    if (s->ctx->gen_stateless_cookie_cb == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
        return EXT_RETURN_FAIL;
    }

    /*
     * Reserve the whole MAX_COOKIE_SIZE region up front so that "cookie" points
     * at the start of the payload and "startlen" records its offset; the
     * HMAC at the end is computed over cookie[0 .. totcookielen).
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &startlen)
            || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
            || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
            || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
            || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
            || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
                                              &ciphlen)
               /* Is there a key_share extension present in this HRR? */
            || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
               /* NOTE(review): seconds truncated to 32 bits here */
            || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /*
     * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
     * on raw buffers, so we first reserve sufficient bytes (above) and then
     * subsequently allocate them (below)
     */
    if (!ssl3_digest_cached_records(s, 0)
            || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
        /* SSLfatal() already called */
        return EXT_RETURN_FAIL;
    }

    /*
     * Committing the reserved bytes must hand back the same pointer we hashed
     * into; the ossl_assert guards against the reserve/allocate pair
     * diverging. Then open the u8-length application-cookie sub-packet.
     */
    if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
            || !ossl_assert(hashval1 == hashval2)
            || !WPACKET_close(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
            || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /* Generate the application cookie */
    if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        return EXT_RETURN_FAIL;
    }

    /* Commit the app cookie, then reserve room for the trailing HMAC */
    if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
            || !ossl_assert(appcookie1 == appcookie2)
            || !WPACKET_close(pkt)
            || !WPACKET_get_total_written(pkt, &totcookielen)
            || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    /* In/out for EVP_DigestSign(): capacity on entry, actual length on exit */
    hmaclen = SHA256_DIGEST_LENGTH;

    /* Length of the payload covered by the HMAC (excludes the HMAC itself) */
    totcookielen -= startlen;
    if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /* HMAC the cookie */
    hctx = EVP_MD_CTX_create();
    pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
                                           s->ctx->propq,
                                           s->session_ctx->ext.cookie_hmac_key,
                                           sizeof(s->session_ctx->ext.cookie_hmac_key));
    if (hctx == NULL || pkey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
                              s->ctx->propq, pkey, NULL) <= 0
            || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
                              totcookielen) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Payload plus HMAC must still fit in the region reserved at the top */
    if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * Commit the HMAC bytes and sanity-check the layout: the HMAC sits
     * immediately after the payload, so cookie == hmac - totcookielen.
     * Then close the cookie sub-packet and the extension sub-packet.
     */
    if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
            || !ossl_assert(hmac == hmac2)
            || !ossl_assert(cookie == hmac - totcookielen)
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    ret = EXT_RETURN_SENT;

 err:
    /* Both free functions accept NULL, so this is safe on every goto path */
    EVP_MD_CTX_free(hctx);
    EVP_PKEY_free(pkey);
    return ret;
#else
    return EXT_RETURN_FAIL;
#endif
}
/*
 * Emit the fixed CryptoPro compatibility extension.
 *
 * The extension is only sent when SSL_OP_CRYPTOPRO_TLSEXT_BUG is enabled and
 * the low 16 bits of the negotiated cipher id are 0x80 or 0x81 (presumably the
 * two GOST suites this workaround targets — confirm against tls1.h). The
 * bytes are a pre-encoded extension: type 65000, 32-byte length, fixed body.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * calling SSLfatal().
 */
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
    /* Static: the blob never changes, so no per-call stack copy is needed */
    static const unsigned char cryptopro_ext[36] = {
        0xfd, 0xe8, /* 65000 */
        0x00, 0x20, /* 32 bytes length */
        0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
        0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
        0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
        0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
    };
    const unsigned int suite = s->s3.tmp.new_cipher->id & 0xFFFF;
    const int suite_matches = (suite == 0x80 || suite == 0x81);

    if (!suite_matches)
        return EXT_RETURN_NOT_SENT;
    if ((SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
/*
 * Emit the server-side early_data extension.
 *
 * In a NewSessionTicket (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) the
 * extension carries max_early_data as a u32 and is skipped when that value
 * is 0. Elsewhere it is an empty marker, sent only when early data was
 * accepted (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED).
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * calling SSLfatal().
 */
EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
                                         unsigned int context, X509 *x,
                                         size_t chainidx)
{
    const int in_ticket = (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET);

    /* Decide whether the extension applies in this context at all */
    if (in_ticket) {
        if (s->max_early_data == 0)
            return EXT_RETURN_NOT_SENT;
    } else if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) {
        return EXT_RETURN_NOT_SENT;
    }

    /* Common framing; only the ticket variant has a body */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
            || !WPACKET_start_sub_packet_u16(pkt)
            || (in_ticket && !WPACKET_put_bytes_u32(pkt, s->max_early_data))
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
/*
 * Emit the server-side pre_shared_key extension.
 *
 * Sent only on a resumed handshake (s->hit); the body is the selected
 * identity index, s->ext.tick_identity, as a u16.
 *
 * Returns EXT_RETURN_SENT, EXT_RETURN_NOT_SENT, or EXT_RETURN_FAIL after
 * calling SSLfatal().
 */
EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    int written;

    if (s->hit == 0)
        return EXT_RETURN_NOT_SENT;

    /* Short-circuit chain stops at the first failing WPACKET call */
    written = WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
              && WPACKET_start_sub_packet_u16(pkt)
              && WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
              && WPACKET_close(pkt);
    if (!written) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}