1 /* 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "internal/cryptlib.h" 13 #include "statem_local.h" 14 15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, 16 unsigned int context, X509 *x, 17 size_t chainidx) 18 { 19 /* Add RI if renegotiating */ 20 if (!s->renegotiate) 21 return EXT_RETURN_NOT_SENT; 22 23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 24 || !WPACKET_start_sub_packet_u16(pkt) 25 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished, 26 s->s3->previous_client_finished_len) 27 || !WPACKET_close(pkt)) { 28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, 29 ERR_R_INTERNAL_ERROR); 30 return EXT_RETURN_FAIL; 31 } 32 33 return EXT_RETURN_SENT; 34 } 35 36 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, 37 unsigned int context, X509 *x, 38 size_t chainidx) 39 { 40 if (s->ext.hostname == NULL) 41 return EXT_RETURN_NOT_SENT; 42 43 /* Add TLS extension servername to the Client Hello message */ 44 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 45 /* Sub-packet for server_name extension */ 46 || !WPACKET_start_sub_packet_u16(pkt) 47 /* Sub-packet for servername list (always 1 hostname)*/ 48 || !WPACKET_start_sub_packet_u16(pkt) 49 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) 50 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, 51 strlen(s->ext.hostname)) 52 || !WPACKET_close(pkt) 53 || !WPACKET_close(pkt)) { 54 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, 55 ERR_R_INTERNAL_ERROR); 56 return EXT_RETURN_FAIL; 57 } 58 59 return EXT_RETURN_SENT; 60 } 61 62 /* Push a Max Fragment Len extension into ClientHello */ 63 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, 64 unsigned int context, X509 *x, 65 size_t chainidx) 66 { 67 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) 68 return EXT_RETURN_NOT_SENT; 69 70 /* Add Max Fragment Length extension if client enabled it. */ 71 /*- 72 * 4 bytes for this extension type and extension length 73 * 1 byte for the Max Fragment Length code value. 74 */ 75 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 76 /* Sub-packet for Max Fragment Length extension (1 byte) */ 77 || !WPACKET_start_sub_packet_u16(pkt) 78 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) 79 || !WPACKET_close(pkt)) { 80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 81 SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); 82 return EXT_RETURN_FAIL; 83 } 84 85 return EXT_RETURN_SENT; 86 } 87 88 #ifndef OPENSSL_NO_SRP 89 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, 90 X509 *x, size_t chainidx) 91 { 92 /* Add SRP username if there is one */ 93 if (s->srp_ctx.login == NULL) 94 return EXT_RETURN_NOT_SENT; 95 96 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) 97 /* Sub-packet for SRP extension */ 98 || !WPACKET_start_sub_packet_u16(pkt) 99 || !WPACKET_start_sub_packet_u8(pkt) 100 /* login must not be zero...internal error if so */ 101 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 102 || !WPACKET_memcpy(pkt, s->srp_ctx.login, 103 strlen(s->srp_ctx.login)) 104 || !WPACKET_close(pkt) 105 || !WPACKET_close(pkt)) { 106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP, 107 ERR_R_INTERNAL_ERROR); 108 return EXT_RETURN_FAIL; 109 } 110 111 return EXT_RETURN_SENT; 112 } 113 #endif 114 115 #ifndef OPENSSL_NO_EC 116 static int use_ecc(SSL *s) 117 { 118 int i, end, ret = 0; 119 unsigned long alg_k, alg_a; 120 STACK_OF(SSL_CIPHER) *cipher_stack = NULL; 121 const uint16_t *pgroups = NULL; 122 size_t num_groups, j; 123 124 /* See if we support any ECC ciphersuites */ 125 if (s->version == SSL3_VERSION) 126 return 0; 127 128 cipher_stack = SSL_get1_supported_ciphers(s); 129 end = sk_SSL_CIPHER_num(cipher_stack); 130 for (i = 0; i < end; i++) { 131 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 132 133 alg_k = c->algorithm_mkey; 134 alg_a = c->algorithm_auth; 135 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 136 || (alg_a & SSL_aECDSA) 137 || c->min_tls >= TLS1_3_VERSION) { 138 ret = 1; 139 break; 140 } 141 } 142 143 sk_SSL_CIPHER_free(cipher_stack); 144 if (!ret) 145 return 0; 146 147 /* Check we have at least one EC supported group */ 148 tls1_get_supported_groups(s, &pgroups, &num_groups); 149 for (j = 0; j < num_groups; j++) { 150 uint16_t ctmp = pgroups[j]; 151 152 if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) 153 return 1; 154 } 155 156 return 0; 157 } 158 159 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, 160 unsigned int context, X509 *x, 161 size_t chainidx) 162 { 163 const unsigned char *pformats; 164 size_t num_formats; 165 166 if (!use_ecc(s)) 167 return EXT_RETURN_NOT_SENT; 168 169 /* Add TLS extension ECPointFormats to the ClientHello message */ 170 tls1_get_formatlist(s, &pformats, &num_formats); 171 172 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 173 /* Sub-packet for formats extension */ 174 || !WPACKET_start_sub_packet_u16(pkt) 175 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) 176 || !WPACKET_close(pkt)) { 177 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 178 SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 179 return EXT_RETURN_FAIL; 180 } 181 182 return EXT_RETURN_SENT; 183 } 184 185 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, 186 unsigned int context, X509 *x, 187 size_t chainidx) 188 { 189 const uint16_t *pgroups = NULL; 190 size_t num_groups = 0, i; 191 192 if (!use_ecc(s)) 193 return EXT_RETURN_NOT_SENT; 194 195 /* 196 * Add TLS extension supported_groups to the ClientHello message 197 */ 198 /* TODO(TLS1.3): Add support for DHE groups */ 199 tls1_get_supported_groups(s, &pgroups, &num_groups); 200 201 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 202 /* Sub-packet for supported_groups extension */ 203 || !WPACKET_start_sub_packet_u16(pkt) 204 || !WPACKET_start_sub_packet_u16(pkt)) { 205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 206 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 207 ERR_R_INTERNAL_ERROR); 208 return EXT_RETURN_FAIL; 209 } 210 /* Copy curve ID if supported */ 211 for (i = 0; i < num_groups; i++) { 212 uint16_t ctmp = pgroups[i]; 213 214 if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { 215 if (!WPACKET_put_bytes_u16(pkt, ctmp)) { 216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 217 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 218 ERR_R_INTERNAL_ERROR); 219 return EXT_RETURN_FAIL; 220 } 221 } 222 } 223 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 225 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 226 ERR_R_INTERNAL_ERROR); 227 return EXT_RETURN_FAIL; 228 } 229 230 return EXT_RETURN_SENT; 231 } 232 #endif 233 234 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, 235 unsigned int context, X509 *x, 236 size_t chainidx) 237 { 238 size_t ticklen; 239 240 if (!tls_use_ticket(s)) 241 return EXT_RETURN_NOT_SENT; 242 243 if (!s->new_session && s->session != NULL 244 && s->session->ext.tick != NULL 245 && s->session->ssl_version != TLS1_3_VERSION) { 246 ticklen = s->session->ext.ticklen; 247 } else if (s->session && s->ext.session_ticket != NULL 248 && s->ext.session_ticket->data != NULL) { 249 ticklen = s->ext.session_ticket->length; 250 s->session->ext.tick = OPENSSL_malloc(ticklen); 251 if (s->session->ext.tick == NULL) { 252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 253 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, 254 ERR_R_INTERNAL_ERROR); 255 return EXT_RETURN_FAIL; 256 } 257 memcpy(s->session->ext.tick, 258 s->ext.session_ticket->data, ticklen); 259 s->session->ext.ticklen = ticklen; 260 } else { 261 ticklen = 0; 262 } 263 264 if (ticklen == 0 && s->ext.session_ticket != NULL && 265 s->ext.session_ticket->data == NULL) 266 return EXT_RETURN_NOT_SENT; 267 268 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 269 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { 270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 271 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); 272 return EXT_RETURN_FAIL; 273 } 274 275 return EXT_RETURN_SENT; 276 } 277 278 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, 279 unsigned int context, X509 *x, 280 size_t chainidx) 281 { 282 size_t salglen; 283 const uint16_t *salg; 284 285 if (!SSL_CLIENT_USE_SIGALGS(s)) 286 return EXT_RETURN_NOT_SENT; 287 288 salglen = tls12_get_psigalgs(s, 1, &salg); 289 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) 290 /* Sub-packet for sig-algs extension */ 291 || !WPACKET_start_sub_packet_u16(pkt) 292 /* Sub-packet for the actual list */ 293 || !WPACKET_start_sub_packet_u16(pkt) 294 || !tls12_copy_sigalgs(s, pkt, salg, salglen) 295 || !WPACKET_close(pkt) 296 || !WPACKET_close(pkt)) { 297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, 298 ERR_R_INTERNAL_ERROR); 299 return EXT_RETURN_FAIL; 300 } 301 302 return EXT_RETURN_SENT; 303 } 304 305 #ifndef OPENSSL_NO_OCSP 306 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, 307 unsigned int context, X509 *x, 308 size_t chainidx) 309 { 310 int i; 311 312 /* This extension isn't defined for client Certificates */ 313 if (x != NULL) 314 return EXT_RETURN_NOT_SENT; 315 316 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) 317 return EXT_RETURN_NOT_SENT; 318 319 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 320 /* Sub-packet for status request extension */ 321 || !WPACKET_start_sub_packet_u16(pkt) 322 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) 323 /* Sub-packet for the ids */ 324 || !WPACKET_start_sub_packet_u16(pkt)) { 325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 326 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); 327 return EXT_RETURN_FAIL; 328 } 329 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { 330 unsigned char *idbytes; 331 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); 332 int idlen = i2d_OCSP_RESPID(id, NULL); 333 334 if (idlen <= 0 335 /* Sub-packet for an individual id */ 336 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) 337 || i2d_OCSP_RESPID(id, &idbytes) != idlen) { 338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 339 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 340 ERR_R_INTERNAL_ERROR); 341 return EXT_RETURN_FAIL; 342 } 343 } 344 if (!WPACKET_close(pkt) 345 || !WPACKET_start_sub_packet_u16(pkt)) { 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 347 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); 348 return EXT_RETURN_FAIL; 349 } 350 if (s->ext.ocsp.exts) { 351 unsigned char *extbytes; 352 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); 353 354 if (extlen < 0) { 355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 356 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 357 ERR_R_INTERNAL_ERROR); 358 return EXT_RETURN_FAIL; 359 } 360 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) 361 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) 362 != extlen) { 363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 364 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 365 ERR_R_INTERNAL_ERROR); 366 return EXT_RETURN_FAIL; 367 } 368 } 369 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 371 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); 372 return EXT_RETURN_FAIL; 373 } 374 375 return EXT_RETURN_SENT; 376 } 377 #endif 378 379 #ifndef OPENSSL_NO_NEXTPROTONEG 380 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, 381 X509 *x, size_t chainidx) 382 { 383 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 384 return EXT_RETURN_NOT_SENT; 385 386 /* 387 * The client advertises an empty extension to indicate its support 388 * for Next Protocol Negotiation 389 */ 390 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 391 || !WPACKET_put_bytes_u16(pkt, 0)) { 392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN, 393 ERR_R_INTERNAL_ERROR); 394 return EXT_RETURN_FAIL; 395 } 396 397 return EXT_RETURN_SENT; 398 } 399 #endif 400 401 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, 402 X509 *x, size_t chainidx) 403 { 404 s->s3->alpn_sent = 0; 405 406 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 407 return EXT_RETURN_NOT_SENT; 408 409 if (!WPACKET_put_bytes_u16(pkt, 410 TLSEXT_TYPE_application_layer_protocol_negotiation) 411 /* Sub-packet ALPN extension */ 412 || !WPACKET_start_sub_packet_u16(pkt) 413 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) 414 || !WPACKET_close(pkt)) { 415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN, 416 ERR_R_INTERNAL_ERROR); 417 return EXT_RETURN_FAIL; 418 } 419 s->s3->alpn_sent = 1; 420 421 return EXT_RETURN_SENT; 422 } 423 424 425 #ifndef OPENSSL_NO_SRTP 426 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, 427 unsigned int context, X509 *x, 428 size_t chainidx) 429 { 430 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); 431 int i, end; 432 433 if (clnt == NULL) 434 return EXT_RETURN_NOT_SENT; 435 436 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 437 /* Sub-packet for SRTP extension */ 438 || !WPACKET_start_sub_packet_u16(pkt) 439 /* Sub-packet for the protection profile list */ 440 || !WPACKET_start_sub_packet_u16(pkt)) { 441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, 442 ERR_R_INTERNAL_ERROR); 443 return EXT_RETURN_FAIL; 444 } 445 446 end = sk_SRTP_PROTECTION_PROFILE_num(clnt); 447 for (i = 0; i < end; i++) { 448 const SRTP_PROTECTION_PROFILE *prof = 449 sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 450 451 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 453 SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); 454 return EXT_RETURN_FAIL; 455 } 456 } 457 if (!WPACKET_close(pkt) 458 /* Add an empty use_mki value */ 459 || !WPACKET_put_bytes_u8(pkt, 0) 460 || !WPACKET_close(pkt)) { 461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, 462 ERR_R_INTERNAL_ERROR); 463 return EXT_RETURN_FAIL; 464 } 465 466 return EXT_RETURN_SENT; 467 } 468 #endif 469 470 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, 471 X509 *x, size_t chainidx) 472 { 473 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 474 return EXT_RETURN_NOT_SENT; 475 476 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 477 || !WPACKET_put_bytes_u16(pkt, 0)) { 478 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM, 479 ERR_R_INTERNAL_ERROR); 480 return EXT_RETURN_FAIL; 481 } 482 483 return EXT_RETURN_SENT; 484 } 485 486 #ifndef OPENSSL_NO_CT 487 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, 488 X509 *x, size_t chainidx) 489 { 490 if (s->ct_validation_callback == NULL) 491 return EXT_RETURN_NOT_SENT; 492 493 /* Not defined for client Certificates */ 494 if (x != NULL) 495 return EXT_RETURN_NOT_SENT; 496 497 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) 498 || !WPACKET_put_bytes_u16(pkt, 0)) { 499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT, 500 ERR_R_INTERNAL_ERROR); 501 return EXT_RETURN_FAIL; 502 } 503 504 return EXT_RETURN_SENT; 505 } 506 #endif 507 508 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, 509 X509 *x, size_t chainidx) 510 { 511 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 512 || !WPACKET_put_bytes_u16(pkt, 0)) { 513 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS, 514 ERR_R_INTERNAL_ERROR); 515 return EXT_RETURN_FAIL; 516 } 517 518 return EXT_RETURN_SENT; 519 } 520 521 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, 522 unsigned int context, X509 *x, 523 size_t chainidx) 524 { 525 int currv, min_version, max_version, reason; 526 527 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 528 if (reason != 0) { 529 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 530 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason); 531 return EXT_RETURN_FAIL; 532 } 533 534 /* 535 * Don't include this if we can't negotiate TLSv1.3. We can do a straight 536 * comparison here because we will never be called in DTLS. 537 */ 538 if (max_version < TLS1_3_VERSION) 539 return EXT_RETURN_NOT_SENT; 540 541 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 542 || !WPACKET_start_sub_packet_u16(pkt) 543 || !WPACKET_start_sub_packet_u8(pkt)) { 544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 545 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 546 ERR_R_INTERNAL_ERROR); 547 return EXT_RETURN_FAIL; 548 } 549 550 for (currv = max_version; currv >= min_version; currv--) { 551 if (!WPACKET_put_bytes_u16(pkt, currv)) { 552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 553 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 554 ERR_R_INTERNAL_ERROR); 555 return EXT_RETURN_FAIL; 556 } 557 } 558 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 559 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 560 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 561 ERR_R_INTERNAL_ERROR); 562 return EXT_RETURN_FAIL; 563 } 564 565 return EXT_RETURN_SENT; 566 } 567 568 /* 569 * Construct a psk_kex_modes extension. 570 */ 571 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, 572 unsigned int context, X509 *x, 573 size_t chainidx) 574 { 575 #ifndef OPENSSL_NO_TLS1_3 576 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; 577 578 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) 579 || !WPACKET_start_sub_packet_u16(pkt) 580 || !WPACKET_start_sub_packet_u8(pkt) 581 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) 582 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) 583 || !WPACKET_close(pkt) 584 || !WPACKET_close(pkt)) { 585 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 586 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR); 587 return EXT_RETURN_FAIL; 588 } 589 590 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; 591 if (nodhe) 592 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 593 #endif 594 595 return EXT_RETURN_SENT; 596 } 597 598 #ifndef OPENSSL_NO_TLS1_3 599 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) 600 { 601 unsigned char *encoded_point = NULL; 602 EVP_PKEY *key_share_key = NULL; 603 size_t encodedlen; 604 605 if (s->s3->tmp.pkey != NULL) { 606 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) { 607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, 608 ERR_R_INTERNAL_ERROR); 609 return 0; 610 } 611 /* 612 * Could happen if we got an HRR that wasn't requesting a new key_share 613 */ 614 key_share_key = s->s3->tmp.pkey; 615 } else { 616 key_share_key = ssl_generate_pkey_group(s, curve_id); 617 if (key_share_key == NULL) { 618 /* SSLfatal() already called */ 619 return 0; 620 } 621 } 622 623 /* Encode the public key. */ 624 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, 625 &encoded_point); 626 if (encodedlen == 0) { 627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB); 628 goto err; 629 } 630 631 /* Create KeyShareEntry */ 632 if (!WPACKET_put_bytes_u16(pkt, curve_id) 633 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { 634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, 635 ERR_R_INTERNAL_ERROR); 636 goto err; 637 } 638 639 /* 640 * TODO(TLS1.3): When changing to send more than one key_share we're 641 * going to need to be able to save more than one EVP_PKEY. For now 642 * we reuse the existing tmp.pkey 643 */ 644 s->s3->tmp.pkey = key_share_key; 645 s->s3->group_id = curve_id; 646 OPENSSL_free(encoded_point); 647 648 return 1; 649 err: 650 if (s->s3->tmp.pkey == NULL) 651 EVP_PKEY_free(key_share_key); 652 OPENSSL_free(encoded_point); 653 return 0; 654 } 655 #endif 656 657 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, 658 unsigned int context, X509 *x, 659 size_t chainidx) 660 { 661 #ifndef OPENSSL_NO_TLS1_3 662 size_t i, num_groups = 0; 663 const uint16_t *pgroups = NULL; 664 uint16_t curve_id = 0; 665 666 /* key_share extension */ 667 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 668 /* Extension data sub-packet */ 669 || !WPACKET_start_sub_packet_u16(pkt) 670 /* KeyShare list sub-packet */ 671 || !WPACKET_start_sub_packet_u16(pkt)) { 672 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 673 ERR_R_INTERNAL_ERROR); 674 return EXT_RETURN_FAIL; 675 } 676 677 tls1_get_supported_groups(s, &pgroups, &num_groups); 678 679 /* 680 * TODO(TLS1.3): Make the number of key_shares sent configurable. For 681 * now, just send one 682 */ 683 if (s->s3->group_id != 0) { 684 curve_id = s->s3->group_id; 685 } else { 686 for (i = 0; i < num_groups; i++) { 687 688 if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) 689 continue; 690 691 curve_id = pgroups[i]; 692 break; 693 } 694 } 695 696 if (curve_id == 0) { 697 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 698 SSL_R_NO_SUITABLE_KEY_SHARE); 699 return EXT_RETURN_FAIL; 700 } 701 702 if (!add_key_share(s, pkt, curve_id)) { 703 /* SSLfatal() already called */ 704 return EXT_RETURN_FAIL; 705 } 706 707 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 709 ERR_R_INTERNAL_ERROR); 710 return EXT_RETURN_FAIL; 711 } 712 return EXT_RETURN_SENT; 713 #else 714 return EXT_RETURN_NOT_SENT; 715 #endif 716 } 717 718 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, 719 X509 *x, size_t chainidx) 720 { 721 EXT_RETURN ret = EXT_RETURN_FAIL; 722 723 /* Should only be set if we've had an HRR */ 724 if (s->ext.tls13_cookie_len == 0) 725 return EXT_RETURN_NOT_SENT; 726 727 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 728 /* Extension data sub-packet */ 729 || !WPACKET_start_sub_packet_u16(pkt) 730 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 731 s->ext.tls13_cookie_len) 732 || !WPACKET_close(pkt)) { 733 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, 734 ERR_R_INTERNAL_ERROR); 735 goto end; 736 } 737 738 ret = EXT_RETURN_SENT; 739 end: 740 OPENSSL_free(s->ext.tls13_cookie); 741 s->ext.tls13_cookie = NULL; 742 s->ext.tls13_cookie_len = 0; 743 744 return ret; 745 } 746 747 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, 748 unsigned int context, X509 *x, 749 size_t chainidx) 750 { 751 #ifndef OPENSSL_NO_PSK 752 char identity[PSK_MAX_IDENTITY_LEN + 1]; 753 #endif /* OPENSSL_NO_PSK */ 754 const unsigned char *id = NULL; 755 size_t idlen = 0; 756 SSL_SESSION *psksess = NULL; 757 SSL_SESSION *edsess = NULL; 758 const EVP_MD *handmd = NULL; 759 760 if (s->hello_retry_request == SSL_HRR_PENDING) 761 handmd = ssl_handshake_md(s); 762 763 if (s->psk_use_session_cb != NULL 764 && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess) 765 || (psksess != NULL 766 && psksess->ssl_version != TLS1_3_VERSION))) { 767 SSL_SESSION_free(psksess); 768 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 769 SSL_R_BAD_PSK); 770 return EXT_RETURN_FAIL; 771 } 772 773 #ifndef OPENSSL_NO_PSK 774 if (psksess == NULL && s->psk_client_callback != NULL) { 775 unsigned char psk[PSK_MAX_PSK_LEN]; 776 size_t psklen = 0; 777 778 memset(identity, 0, sizeof(identity)); 779 psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1, 780 psk, sizeof(psk)); 781 782 if (psklen > PSK_MAX_PSK_LEN) { 783 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 784 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 785 return EXT_RETURN_FAIL; 786 } else if (psklen > 0) { 787 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 788 const SSL_CIPHER *cipher; 789 790 idlen = strlen(identity); 791 if (idlen > PSK_MAX_IDENTITY_LEN) { 792 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 793 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 794 ERR_R_INTERNAL_ERROR); 795 return EXT_RETURN_FAIL; 796 } 797 id = (unsigned char *)identity; 798 799 /* 800 * We found a PSK using an old style callback. We don't know 801 * the digest so we default to SHA256 as per the TLSv1.3 spec 802 */ 803 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); 804 if (cipher == NULL) { 805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 806 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 807 ERR_R_INTERNAL_ERROR); 808 return EXT_RETURN_FAIL; 809 } 810 811 psksess = SSL_SESSION_new(); 812 if (psksess == NULL 813 || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 814 || !SSL_SESSION_set_cipher(psksess, cipher) 815 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 816 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 817 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 818 ERR_R_INTERNAL_ERROR); 819 OPENSSL_cleanse(psk, psklen); 820 return EXT_RETURN_FAIL; 821 } 822 OPENSSL_cleanse(psk, psklen); 823 } 824 } 825 #endif /* OPENSSL_NO_PSK */ 826 827 SSL_SESSION_free(s->psksession); 828 s->psksession = psksess; 829 if (psksess != NULL) { 830 OPENSSL_free(s->psksession_id); 831 s->psksession_id = OPENSSL_memdup(id, idlen); 832 if (s->psksession_id == NULL) { 833 s->psksession_id_len = 0; 834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 835 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 836 return EXT_RETURN_FAIL; 837 } 838 s->psksession_id_len = idlen; 839 } 840 841 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 842 || (s->session->ext.max_early_data == 0 843 && (psksess == NULL || psksess->ext.max_early_data == 0))) { 844 s->max_early_data = 0; 845 return EXT_RETURN_NOT_SENT; 846 } 847 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; 848 s->max_early_data = edsess->ext.max_early_data; 849 850 if (edsess->ext.hostname != NULL) { 851 if (s->ext.hostname == NULL 852 || (s->ext.hostname != NULL 853 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 854 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 855 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 856 SSL_R_INCONSISTENT_EARLY_DATA_SNI); 857 return EXT_RETURN_FAIL; 858 } 859 } 860 861 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 862 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 863 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 864 return EXT_RETURN_FAIL; 865 } 866 867 /* 868 * Verify that we are offering an ALPN protocol consistent with the early 869 * data. 870 */ 871 if (edsess->ext.alpn_selected != NULL) { 872 PACKET prots, alpnpkt; 873 int found = 0; 874 875 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 877 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 878 return EXT_RETURN_FAIL; 879 } 880 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 881 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 882 edsess->ext.alpn_selected_len)) { 883 found = 1; 884 break; 885 } 886 } 887 if (!found) { 888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 889 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 890 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 891 return EXT_RETURN_FAIL; 892 } 893 } 894 895 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 896 || !WPACKET_start_sub_packet_u16(pkt) 897 || !WPACKET_close(pkt)) { 898 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 899 ERR_R_INTERNAL_ERROR); 900 return EXT_RETURN_FAIL; 901 } 902 903 /* 904 * We set this to rejected here. Later, if the server acknowledges the 905 * extension, we set it to accepted. 906 */ 907 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 908 s->ext.early_data_ok = 1; 909 910 return EXT_RETURN_SENT; 911 } 912 913 #define F5_WORKAROUND_MIN_MSG_LEN 0xff 914 #define F5_WORKAROUND_MAX_MSG_LEN 0x200 915 916 /* 917 * PSK pre binder overhead = 918 * 2 bytes for TLSEXT_TYPE_psk 919 * 2 bytes for extension length 920 * 2 bytes for identities list length 921 * 2 bytes for identity length 922 * 4 bytes for obfuscated_ticket_age 923 * 2 bytes for binder list length 924 * 1 byte for binder length 925 * The above excludes the number of bytes for the identity itself and the 926 * subsequent binder bytes 927 */ 928 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 929 930 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, 931 unsigned int context, X509 *x, 932 size_t chainidx) 933 { 934 unsigned char *padbytes; 935 size_t hlen; 936 937 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 938 return EXT_RETURN_NOT_SENT; 939 940 /* 941 * Add padding to workaround bugs in F5 terminators. See RFC7685. 942 * This code calculates the length of all extensions added so far but 943 * excludes the PSK extension (because that MUST be written last). Therefore 944 * this extension MUST always appear second to last. 945 */ 946 if (!WPACKET_get_total_written(pkt, &hlen)) { 947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 948 ERR_R_INTERNAL_ERROR); 949 return EXT_RETURN_FAIL; 950 } 951 952 /* 953 * If we're going to send a PSK then that will be written out after this 954 * extension, so we need to calculate how long it is going to be. 955 */ 956 if (s->session->ssl_version == TLS1_3_VERSION 957 && s->session->ext.ticklen != 0 958 && s->session->cipher != NULL) { 959 const EVP_MD *md = ssl_md(s->session->cipher->algorithm2); 960 961 if (md != NULL) { 962 /* 963 * Add the fixed PSK overhead, the identity length and the binder 964 * length. 965 */ 966 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 967 + EVP_MD_size(md); 968 } 969 } 970 971 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 972 /* Calculate the amount of padding we need to add */ 973 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 974 975 /* 976 * Take off the size of extension header itself (2 bytes for type and 977 * 2 bytes for length bytes), but ensure that the extension is at least 978 * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 979 * 8.x are intolerant of that condition) 980 */ 981 if (hlen > 4) 982 hlen -= 4; 983 else 984 hlen = 1; 985 986 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 987 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 989 ERR_R_INTERNAL_ERROR); 990 return EXT_RETURN_FAIL; 991 } 992 memset(padbytes, 0, hlen); 993 } 994 995 return EXT_RETURN_SENT; 996 } 997 998 /* 999 * Construct the pre_shared_key extension 1000 */ 1001 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 1002 X509 *x, size_t chainidx) 1003 { 1004 #ifndef OPENSSL_NO_TLS1_3 1005 uint32_t now, agesec, agems = 0; 1006 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; 1007 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 1008 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 1009 int dores = 0; 1010 1011 s->ext.tick_identity = 0; 1012 1013 /* 1014 * Note: At this stage of the code we only support adding a single 1015 * resumption PSK. If we add support for multiple PSKs then the length 1016 * calculations in the padding extension will need to be adjusted. 1017 */ 1018 1019 /* 1020 * If this is an incompatible or new session then we have nothing to resume 1021 * so don't add this extension. 1022 */ 1023 if (s->session->ssl_version != TLS1_3_VERSION 1024 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1025 return EXT_RETURN_NOT_SENT; 1026 1027 if (s->hello_retry_request == SSL_HRR_PENDING) 1028 handmd = ssl_handshake_md(s); 1029 1030 if (s->session->ext.ticklen != 0) { 1031 /* Get the digest associated with the ciphersuite in the session */ 1032 if (s->session->cipher == NULL) { 1033 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1034 ERR_R_INTERNAL_ERROR); 1035 return EXT_RETURN_FAIL; 1036 } 1037 mdres = ssl_md(s->session->cipher->algorithm2); 1038 if (mdres == NULL) { 1039 /* 1040 * Don't recognize this cipher so we can't use the session. 1041 * Ignore it 1042 */ 1043 goto dopsksess; 1044 } 1045 1046 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1047 /* 1048 * Selected ciphersuite hash does not match the hash for the session 1049 * so we can't use it. 1050 */ 1051 goto dopsksess; 1052 } 1053 1054 /* 1055 * Technically the C standard just says time() returns a time_t and says 1056 * nothing about the encoding of that type. In practice most 1057 * implementations follow POSIX which holds it as an integral type in 1058 * seconds since epoch. We've already made the assumption that we can do 1059 * this in multiple places in the code, so portability shouldn't be an 1060 * issue. 1061 */ 1062 now = (uint32_t)time(NULL); 1063 agesec = now - (uint32_t)s->session->time; 1064 /* 1065 * We calculate the age in seconds but the server may work in ms. Due to 1066 * rounding errors we could overestimate the age by up to 1s. It is 1067 * better to underestimate it. Otherwise, if the RTT is very short, when 1068 * the server calculates the age reported by the client it could be 1069 * bigger than the age calculated on the server - which should never 1070 * happen. 1071 */ 1072 if (agesec > 0) 1073 agesec--; 1074 1075 if (s->session->ext.tick_lifetime_hint < agesec) { 1076 /* Ticket is too old. Ignore it. */ 1077 goto dopsksess; 1078 } 1079 1080 /* 1081 * Calculate age in ms. We're just doing it to nearest second. Should be 1082 * good enough. 1083 */ 1084 agems = agesec * (uint32_t)1000; 1085 1086 if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1087 /* 1088 * Overflow. Shouldn't happen unless this is a *really* old session. 1089 * If so we just ignore it. 1090 */ 1091 goto dopsksess; 1092 } 1093 1094 /* 1095 * Obfuscate the age. Overflow here is fine, this addition is supposed 1096 * to be mod 2^32. 1097 */ 1098 agems += s->session->ext.tick_age_add; 1099 1100 reshashsize = EVP_MD_size(mdres); 1101 s->ext.tick_identity++; 1102 dores = 1; 1103 } 1104 1105 dopsksess: 1106 if (!dores && s->psksession == NULL) 1107 return EXT_RETURN_NOT_SENT; 1108 1109 if (s->psksession != NULL) { 1110 mdpsk = ssl_md(s->psksession->cipher->algorithm2); 1111 if (mdpsk == NULL) { 1112 /* 1113 * Don't recognize this cipher so we can't use the session. 1114 * If this happens it's an application bug. 1115 */ 1116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1117 SSL_R_BAD_PSK); 1118 return EXT_RETURN_FAIL; 1119 } 1120 1121 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1122 /* 1123 * Selected ciphersuite hash does not match the hash for the PSK 1124 * session. This is an application bug. 1125 */ 1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1127 SSL_R_BAD_PSK); 1128 return EXT_RETURN_FAIL; 1129 } 1130 1131 pskhashsize = EVP_MD_size(mdpsk); 1132 } 1133 1134 /* Create the extension, but skip over the binder for now */ 1135 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1136 || !WPACKET_start_sub_packet_u16(pkt) 1137 || !WPACKET_start_sub_packet_u16(pkt)) { 1138 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1139 ERR_R_INTERNAL_ERROR); 1140 return EXT_RETURN_FAIL; 1141 } 1142 1143 if (dores) { 1144 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1145 s->session->ext.ticklen) 1146 || !WPACKET_put_bytes_u32(pkt, agems)) { 1147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1148 ERR_R_INTERNAL_ERROR); 1149 return EXT_RETURN_FAIL; 1150 } 1151 } 1152 1153 if (s->psksession != NULL) { 1154 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1155 s->psksession_id_len) 1156 || !WPACKET_put_bytes_u32(pkt, 0)) { 1157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1158 ERR_R_INTERNAL_ERROR); 1159 return EXT_RETURN_FAIL; 1160 } 1161 s->ext.tick_identity++; 1162 } 1163 1164 if (!WPACKET_close(pkt) 1165 || !WPACKET_get_total_written(pkt, &binderoffset) 1166 || !WPACKET_start_sub_packet_u16(pkt) 1167 || (dores 1168 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1169 || (s->psksession != NULL 1170 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1171 || !WPACKET_close(pkt) 1172 || !WPACKET_close(pkt) 1173 || !WPACKET_get_total_written(pkt, &msglen) 1174 /* 1175 * We need to fill in all the sub-packet lengths now so we can 1176 * calculate the HMAC of the message up to the binders 1177 */ 1178 || !WPACKET_fill_lengths(pkt)) { 1179 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1180 ERR_R_INTERNAL_ERROR); 1181 return EXT_RETURN_FAIL; 1182 } 1183 1184 msgstart = WPACKET_get_curr(pkt) - msglen; 1185 1186 if (dores 1187 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1188 resbinder, s->session, 1, 0) != 1) { 1189 /* SSLfatal() already called */ 1190 return EXT_RETURN_FAIL; 1191 } 1192 1193 if (s->psksession != NULL 1194 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1195 pskbinder, s->psksession, 1, 1) != 1) { 1196 /* SSLfatal() already called */ 1197 return EXT_RETURN_FAIL; 1198 } 1199 1200 return EXT_RETURN_SENT; 1201 #else 1202 return EXT_RETURN_NOT_SENT; 1203 #endif 1204 } 1205 1206 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, 1207 unsigned int context, 1208 X509 *x, size_t chainidx) 1209 { 1210 #ifndef OPENSSL_NO_TLS1_3 1211 if (!s->pha_enabled) 1212 return EXT_RETURN_NOT_SENT; 1213 1214 /* construct extension - 0 length, no contents */ 1215 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1216 || !WPACKET_start_sub_packet_u16(pkt) 1217 || !WPACKET_close(pkt)) { 1218 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1219 SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH, 1220 ERR_R_INTERNAL_ERROR); 1221 return EXT_RETURN_FAIL; 1222 } 1223 1224 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1225 1226 return EXT_RETURN_SENT; 1227 #else 1228 return EXT_RETURN_NOT_SENT; 1229 #endif 1230 } 1231 1232 1233 /* 1234 * Parse the server's renegotiation binding and abort if it's not right 1235 */ 1236 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, 1237 X509 *x, size_t chainidx) 1238 { 1239 size_t expected_len = s->s3->previous_client_finished_len 1240 + s->s3->previous_server_finished_len; 1241 size_t ilen; 1242 const unsigned char *data; 1243 1244 /* Check for logic errors */ 1245 if (!ossl_assert(expected_len == 0 1246 || s->s3->previous_client_finished_len != 0) 1247 || !ossl_assert(expected_len == 0 1248 || s->s3->previous_server_finished_len != 0)) { 1249 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1250 ERR_R_INTERNAL_ERROR); 1251 return 0; 1252 } 1253 1254 /* Parse the length byte */ 1255 if (!PACKET_get_1_len(pkt, &ilen)) { 1256 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1257 SSL_R_RENEGOTIATION_ENCODING_ERR); 1258 return 0; 1259 } 1260 1261 /* Consistency check */ 1262 if (PACKET_remaining(pkt) != ilen) { 1263 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1264 SSL_R_RENEGOTIATION_ENCODING_ERR); 1265 return 0; 1266 } 1267 1268 /* Check that the extension matches */ 1269 if (ilen != expected_len) { 1270 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1271 SSL_R_RENEGOTIATION_MISMATCH); 1272 return 0; 1273 } 1274 1275 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) 1276 || memcmp(data, s->s3->previous_client_finished, 1277 s->s3->previous_client_finished_len) != 0) { 1278 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1279 SSL_R_RENEGOTIATION_MISMATCH); 1280 return 0; 1281 } 1282 1283 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) 1284 || memcmp(data, s->s3->previous_server_finished, 1285 s->s3->previous_server_finished_len) != 0) { 1286 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1287 SSL_R_RENEGOTIATION_MISMATCH); 1288 return 0; 1289 } 1290 s->s3->send_connection_binding = 1; 1291 1292 return 1; 1293 } 1294 1295 /* Parse the server's max fragment len extension packet */ 1296 int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, 1297 X509 *x, size_t chainidx) 1298 { 1299 unsigned int value; 1300 1301 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1302 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1303 SSL_R_BAD_EXTENSION); 1304 return 0; 1305 } 1306 1307 /* |value| should contains a valid max-fragment-length code. */ 1308 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1309 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1310 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1311 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1312 return 0; 1313 } 1314 1315 /* Must be the same value as client-configured one who was sent to server */ 1316 /*- 1317 * RFC 6066: if a client receives a maximum fragment length negotiation 1318 * response that differs from the length it requested, ... 1319 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1320 */ 1321 if (value != s->ext.max_fragment_len_mode) { 1322 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1323 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1324 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1325 return 0; 1326 } 1327 1328 /* 1329 * Maximum Fragment Length Negotiation succeeded. 1330 * The negotiated Maximum Fragment Length is binding now. 1331 */ 1332 s->session->ext.max_fragment_len_mode = value; 1333 1334 return 1; 1335 } 1336 1337 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, 1338 X509 *x, size_t chainidx) 1339 { 1340 if (s->ext.hostname == NULL) { 1341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1342 ERR_R_INTERNAL_ERROR); 1343 return 0; 1344 } 1345 1346 if (PACKET_remaining(pkt) > 0) { 1347 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1348 SSL_R_BAD_EXTENSION); 1349 return 0; 1350 } 1351 1352 if (!s->hit) { 1353 if (s->session->ext.hostname != NULL) { 1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1355 ERR_R_INTERNAL_ERROR); 1356 return 0; 1357 } 1358 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1359 if (s->session->ext.hostname == NULL) { 1360 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1361 ERR_R_INTERNAL_ERROR); 1362 return 0; 1363 } 1364 } 1365 1366 return 1; 1367 } 1368 1369 #ifndef OPENSSL_NO_EC 1370 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, 1371 X509 *x, size_t chainidx) 1372 { 1373 size_t ecpointformats_len; 1374 PACKET ecptformatlist; 1375 1376 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1377 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, 1378 SSL_R_BAD_EXTENSION); 1379 return 0; 1380 } 1381 if (!s->hit) { 1382 ecpointformats_len = PACKET_remaining(&ecptformatlist); 1383 if (ecpointformats_len == 0) { 1384 SSLfatal(s, SSL_AD_DECODE_ERROR, 1385 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH); 1386 return 0; 1387 } 1388 1389 s->ext.peer_ecpointformats_len = 0; 1390 OPENSSL_free(s->ext.peer_ecpointformats); 1391 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); 1392 if (s->ext.peer_ecpointformats == NULL) { 1393 s->ext.peer_ecpointformats_len = 0; 1394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1395 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 1396 return 0; 1397 } 1398 1399 s->ext.peer_ecpointformats_len = ecpointformats_len; 1400 1401 if (!PACKET_copy_bytes(&ecptformatlist, 1402 s->ext.peer_ecpointformats, 1403 ecpointformats_len)) { 1404 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1405 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 1406 return 0; 1407 } 1408 } 1409 1410 return 1; 1411 } 1412 #endif 1413 1414 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, 1415 X509 *x, size_t chainidx) 1416 { 1417 if (s->ext.session_ticket_cb != NULL && 1418 !s->ext.session_ticket_cb(s, PACKET_data(pkt), 1419 PACKET_remaining(pkt), 1420 s->ext.session_ticket_cb_arg)) { 1421 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1422 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); 1423 return 0; 1424 } 1425 1426 if (!tls_use_ticket(s)) { 1427 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 1428 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); 1429 return 0; 1430 } 1431 if (PACKET_remaining(pkt) > 0) { 1432 SSLfatal(s, SSL_AD_DECODE_ERROR, 1433 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); 1434 return 0; 1435 } 1436 1437 s->ext.ticket_expected = 1; 1438 1439 return 1; 1440 } 1441 1442 #ifndef OPENSSL_NO_OCSP 1443 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, 1444 X509 *x, size_t chainidx) 1445 { 1446 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1447 /* We ignore this if the server sends a CertificateRequest */ 1448 /* TODO(TLS1.3): Add support for this */ 1449 return 1; 1450 } 1451 1452 /* 1453 * MUST only be sent if we've requested a status 1454 * request message. In TLS <= 1.2 it must also be empty. 1455 */ 1456 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 1457 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 1458 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); 1459 return 0; 1460 } 1461 if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { 1462 SSLfatal(s, SSL_AD_DECODE_ERROR, 1463 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); 1464 return 0; 1465 } 1466 1467 if (SSL_IS_TLS13(s)) { 1468 /* We only know how to handle this if it's for the first Certificate in 1469 * the chain. We ignore any other responses. 1470 */ 1471 if (chainidx != 0) 1472 return 1; 1473 1474 /* SSLfatal() already called */ 1475 return tls_process_cert_status_body(s, pkt); 1476 } 1477 1478 /* Set flag to expect CertificateStatus message */ 1479 s->ext.status_expected = 1; 1480 1481 return 1; 1482 } 1483 #endif 1484 1485 1486 #ifndef OPENSSL_NO_CT 1487 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1488 size_t chainidx) 1489 { 1490 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1491 /* We ignore this if the server sends it in a CertificateRequest */ 1492 /* TODO(TLS1.3): Add support for this */ 1493 return 1; 1494 } 1495 1496 /* 1497 * Only take it if we asked for it - i.e if there is no CT validation 1498 * callback set, then a custom extension MAY be processing it, so we 1499 * need to let control continue to flow to that. 1500 */ 1501 if (s->ct_validation_callback != NULL) { 1502 size_t size = PACKET_remaining(pkt); 1503 1504 /* Simply copy it off for later processing */ 1505 OPENSSL_free(s->ext.scts); 1506 s->ext.scts = NULL; 1507 1508 s->ext.scts_len = (uint16_t)size; 1509 if (size > 0) { 1510 s->ext.scts = OPENSSL_malloc(size); 1511 if (s->ext.scts == NULL) { 1512 s->ext.scts_len = 0; 1513 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, 1514 ERR_R_MALLOC_FAILURE); 1515 return 0; 1516 } 1517 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { 1518 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, 1519 ERR_R_INTERNAL_ERROR); 1520 return 0; 1521 } 1522 } 1523 } else { 1524 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 1525 ? ENDPOINT_CLIENT : ENDPOINT_BOTH; 1526 1527 /* 1528 * If we didn't ask for it then there must be a custom extension, 1529 * otherwise this is unsolicited. 1530 */ 1531 if (custom_ext_find(&s->cert->custext, role, 1532 TLSEXT_TYPE_signed_certificate_timestamp, 1533 NULL) == NULL) { 1534 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT, 1535 SSL_R_BAD_EXTENSION); 1536 return 0; 1537 } 1538 1539 if (!custom_ext_parse(s, context, 1540 TLSEXT_TYPE_signed_certificate_timestamp, 1541 PACKET_data(pkt), PACKET_remaining(pkt), 1542 x, chainidx)) { 1543 /* SSLfatal already called */ 1544 return 0; 1545 } 1546 } 1547 1548 return 1; 1549 } 1550 #endif 1551 1552 1553 #ifndef OPENSSL_NO_NEXTPROTONEG 1554 /* 1555 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1556 * elements of zero length are allowed and the set of elements must exactly 1557 * fill the length of the block. Returns 1 on success or 0 on failure. 1558 */ 1559 static int ssl_next_proto_validate(SSL *s, PACKET *pkt) 1560 { 1561 PACKET tmp_protocol; 1562 1563 while (PACKET_remaining(pkt)) { 1564 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 1565 || PACKET_remaining(&tmp_protocol) == 0) { 1566 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE, 1567 SSL_R_BAD_EXTENSION); 1568 return 0; 1569 } 1570 } 1571 1572 return 1; 1573 } 1574 1575 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1576 size_t chainidx) 1577 { 1578 unsigned char *selected; 1579 unsigned char selected_len; 1580 PACKET tmppkt; 1581 1582 /* Check if we are in a renegotiation. If so ignore this extension */ 1583 if (!SSL_IS_FIRST_HANDSHAKE(s)) 1584 return 1; 1585 1586 /* We must have requested it. */ 1587 if (s->ctx->ext.npn_select_cb == NULL) { 1588 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN, 1589 SSL_R_BAD_EXTENSION); 1590 return 0; 1591 } 1592 1593 /* The data must be valid */ 1594 tmppkt = *pkt; 1595 if (!ssl_next_proto_validate(s, &tmppkt)) { 1596 /* SSLfatal() already called */ 1597 return 0; 1598 } 1599 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, 1600 PACKET_data(pkt), 1601 PACKET_remaining(pkt), 1602 s->ctx->ext.npn_select_cb_arg) != 1603 SSL_TLSEXT_ERR_OK) { 1604 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, 1605 SSL_R_BAD_EXTENSION); 1606 return 0; 1607 } 1608 1609 /* 1610 * Could be non-NULL if server has sent multiple NPN extensions in 1611 * a single Serverhello 1612 */ 1613 OPENSSL_free(s->ext.npn); 1614 s->ext.npn = OPENSSL_malloc(selected_len); 1615 if (s->ext.npn == NULL) { 1616 s->ext.npn_len = 0; 1617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN, 1618 ERR_R_INTERNAL_ERROR); 1619 return 0; 1620 } 1621 1622 memcpy(s->ext.npn, selected, selected_len); 1623 s->ext.npn_len = selected_len; 1624 s->s3->npn_seen = 1; 1625 1626 return 1; 1627 } 1628 #endif 1629 1630 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1631 size_t chainidx) 1632 { 1633 size_t len; 1634 1635 /* We must have requested it. */ 1636 if (!s->s3->alpn_sent) { 1637 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN, 1638 SSL_R_BAD_EXTENSION); 1639 return 0; 1640 } 1641 /*- 1642 * The extension data consists of: 1643 * uint16 list_length 1644 * uint8 proto_length; 1645 * uint8 proto[proto_length]; 1646 */ 1647 if (!PACKET_get_net_2_len(pkt, &len) 1648 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) 1649 || PACKET_remaining(pkt) != len) { 1650 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1651 SSL_R_BAD_EXTENSION); 1652 return 0; 1653 } 1654 OPENSSL_free(s->s3->alpn_selected); 1655 s->s3->alpn_selected = OPENSSL_malloc(len); 1656 if (s->s3->alpn_selected == NULL) { 1657 s->s3->alpn_selected_len = 0; 1658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1659 ERR_R_INTERNAL_ERROR); 1660 return 0; 1661 } 1662 if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) { 1663 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1664 SSL_R_BAD_EXTENSION); 1665 return 0; 1666 } 1667 s->s3->alpn_selected_len = len; 1668 1669 if (s->session->ext.alpn_selected == NULL 1670 || s->session->ext.alpn_selected_len != len 1671 || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len) 1672 != 0) { 1673 /* ALPN not consistent with the old session so cannot use early_data */ 1674 s->ext.early_data_ok = 0; 1675 } 1676 if (!s->hit) { 1677 /* 1678 * This is a new session and so alpn_selected should have been 1679 * initialised to NULL. We should update it with the selected ALPN. 1680 */ 1681 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 1682 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1683 ERR_R_INTERNAL_ERROR); 1684 return 0; 1685 } 1686 s->session->ext.alpn_selected = 1687 OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); 1688 if (s->session->ext.alpn_selected == NULL) { 1689 s->session->ext.alpn_selected_len = 0; 1690 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1691 ERR_R_INTERNAL_ERROR); 1692 return 0; 1693 } 1694 s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; 1695 } 1696 1697 return 1; 1698 } 1699 1700 #ifndef OPENSSL_NO_SRTP 1701 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1702 size_t chainidx) 1703 { 1704 unsigned int id, ct, mki; 1705 int i; 1706 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1707 SRTP_PROTECTION_PROFILE *prof; 1708 1709 if (!PACKET_get_net_2(pkt, &ct) || ct != 2 1710 || !PACKET_get_net_2(pkt, &id) 1711 || !PACKET_get_1(pkt, &mki) 1712 || PACKET_remaining(pkt) != 0) { 1713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1714 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1715 return 0; 1716 } 1717 1718 if (mki != 0) { 1719 /* Must be no MKI, since we never offer one */ 1720 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1721 SSL_R_BAD_SRTP_MKI_VALUE); 1722 return 0; 1723 } 1724 1725 /* Throw an error if the server gave us an unsolicited extension */ 1726 clnt = SSL_get_srtp_profiles(s); 1727 if (clnt == NULL) { 1728 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1729 SSL_R_NO_SRTP_PROFILES); 1730 return 0; 1731 } 1732 1733 /* 1734 * Check to see if the server gave us something we support (and 1735 * presumably offered) 1736 */ 1737 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1738 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 1739 1740 if (prof->id == id) { 1741 s->srtp_profile = prof; 1742 return 1; 1743 } 1744 } 1745 1746 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1747 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1748 return 0; 1749 } 1750 #endif 1751 1752 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1753 size_t chainidx) 1754 { 1755 /* Ignore if inappropriate ciphersuite */ 1756 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 1757 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD 1758 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4 1759 && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT 1760 && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12) 1761 s->ext.use_etm = 1; 1762 1763 return 1; 1764 } 1765 1766 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1767 size_t chainidx) 1768 { 1769 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; 1770 if (!s->hit) 1771 s->session->flags |= SSL_SESS_FLAG_EXTMS; 1772 1773 return 1; 1774 } 1775 1776 int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, 1777 X509 *x, size_t chainidx) 1778 { 1779 unsigned int version; 1780 1781 if (!PACKET_get_net_2(pkt, &version) 1782 || PACKET_remaining(pkt) != 0) { 1783 SSLfatal(s, SSL_AD_DECODE_ERROR, 1784 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, 1785 SSL_R_LENGTH_MISMATCH); 1786 return 0; 1787 } 1788 1789 /* 1790 * The only protocol version we support which is valid in this extension in 1791 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. 1792 */ 1793 if (version != TLS1_3_VERSION) { 1794 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1795 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, 1796 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1797 return 0; 1798 } 1799 1800 /* We ignore this extension for HRRs except to sanity check it */ 1801 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) 1802 return 1; 1803 1804 /* We just set it here. We validate it in ssl_choose_client_version */ 1805 s->version = version; 1806 1807 return 1; 1808 } 1809 1810 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1811 size_t chainidx) 1812 { 1813 #ifndef OPENSSL_NO_TLS1_3 1814 unsigned int group_id; 1815 PACKET encoded_pt; 1816 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL; 1817 1818 /* Sanity check */ 1819 if (ckey == NULL || s->s3->peer_tmp != NULL) { 1820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1821 ERR_R_INTERNAL_ERROR); 1822 return 0; 1823 } 1824 1825 if (!PACKET_get_net_2(pkt, &group_id)) { 1826 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1827 SSL_R_LENGTH_MISMATCH); 1828 return 0; 1829 } 1830 1831 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { 1832 const uint16_t *pgroups = NULL; 1833 size_t i, num_groups; 1834 1835 if (PACKET_remaining(pkt) != 0) { 1836 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1837 SSL_R_LENGTH_MISMATCH); 1838 return 0; 1839 } 1840 1841 /* 1842 * It is an error if the HelloRetryRequest wants a key_share that we 1843 * already sent in the first ClientHello 1844 */ 1845 if (group_id == s->s3->group_id) { 1846 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1847 SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); 1848 return 0; 1849 } 1850 1851 /* Validate the selected group is one we support */ 1852 tls1_get_supported_groups(s, &pgroups, &num_groups); 1853 for (i = 0; i < num_groups; i++) { 1854 if (group_id == pgroups[i]) 1855 break; 1856 } 1857 if (i >= num_groups 1858 || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { 1859 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1860 SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); 1861 return 0; 1862 } 1863 1864 s->s3->group_id = group_id; 1865 EVP_PKEY_free(s->s3->tmp.pkey); 1866 s->s3->tmp.pkey = NULL; 1867 return 1; 1868 } 1869 1870 if (group_id != s->s3->group_id) { 1871 /* 1872 * This isn't for the group that we sent in the original 1873 * key_share! 1874 */ 1875 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1876 SSL_R_BAD_KEY_SHARE); 1877 return 0; 1878 } 1879 1880 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) 1881 || PACKET_remaining(&encoded_pt) == 0) { 1882 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1883 SSL_R_LENGTH_MISMATCH); 1884 return 0; 1885 } 1886 1887 skey = EVP_PKEY_new(); 1888 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { 1889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1890 ERR_R_MALLOC_FAILURE); 1891 EVP_PKEY_free(skey); 1892 return 0; 1893 } 1894 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt), 1895 PACKET_remaining(&encoded_pt))) { 1896 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1897 SSL_R_BAD_ECPOINT); 1898 EVP_PKEY_free(skey); 1899 return 0; 1900 } 1901 1902 if (ssl_derive(s, ckey, skey, 1) == 0) { 1903 /* SSLfatal() already called */ 1904 EVP_PKEY_free(skey); 1905 return 0; 1906 } 1907 s->s3->peer_tmp = skey; 1908 #endif 1909 1910 return 1; 1911 } 1912 1913 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1914 size_t chainidx) 1915 { 1916 PACKET cookie; 1917 1918 if (!PACKET_as_length_prefixed_2(pkt, &cookie) 1919 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, 1920 &s->ext.tls13_cookie_len)) { 1921 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE, 1922 SSL_R_LENGTH_MISMATCH); 1923 return 0; 1924 } 1925 1926 return 1; 1927 } 1928 1929 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, 1930 X509 *x, size_t chainidx) 1931 { 1932 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 1933 unsigned long max_early_data; 1934 1935 if (!PACKET_get_net_4(pkt, &max_early_data) 1936 || PACKET_remaining(pkt) != 0) { 1937 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 1938 SSL_R_INVALID_MAX_EARLY_DATA); 1939 return 0; 1940 } 1941 1942 s->session->ext.max_early_data = max_early_data; 1943 1944 return 1; 1945 } 1946 1947 if (PACKET_remaining(pkt) != 0) { 1948 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 1949 SSL_R_BAD_EXTENSION); 1950 return 0; 1951 } 1952 1953 if (!s->ext.early_data_ok 1954 || !s->hit) { 1955 /* 1956 * If we get here then we didn't send early data, or we didn't resume 1957 * using the first identity, or the SNI/ALPN is not consistent so the 1958 * server should not be accepting it. 1959 */ 1960 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 1961 SSL_R_BAD_EXTENSION); 1962 return 0; 1963 } 1964 1965 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 1966 1967 return 1; 1968 } 1969 1970 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1971 size_t chainidx) 1972 { 1973 #ifndef OPENSSL_NO_TLS1_3 1974 unsigned int identity; 1975 1976 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { 1977 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK, 1978 SSL_R_LENGTH_MISMATCH); 1979 return 0; 1980 } 1981 1982 if (identity >= (unsigned int)s->ext.tick_identity) { 1983 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, 1984 SSL_R_BAD_PSK_IDENTITY); 1985 return 0; 1986 } 1987 1988 /* 1989 * Session resumption tickets are always sent before PSK tickets. If the 1990 * ticket index is 0 then it must be for a session resumption ticket if we 1991 * sent two tickets, or if we didn't send a PSK ticket. 1992 */ 1993 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { 1994 s->hit = 1; 1995 SSL_SESSION_free(s->psksession); 1996 s->psksession = NULL; 1997 return 1; 1998 } 1999 2000 if (s->psksession == NULL) { 2001 /* Should never happen */ 2002 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, 2003 ERR_R_INTERNAL_ERROR); 2004 return 0; 2005 } 2006 2007 /* 2008 * If we used the external PSK for sending early_data then s->early_secret 2009 * is already set up, so don't overwrite it. Otherwise we copy the 2010 * early_secret across that we generated earlier. 2011 */ 2012 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 2013 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 2014 || s->session->ext.max_early_data > 0 2015 || s->psksession->ext.max_early_data == 0) 2016 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); 2017 2018 SSL_SESSION_free(s->session); 2019 s->session = s->psksession; 2020 s->psksession = NULL; 2021 s->hit = 1; 2022 /* Early data is only allowed if we used the first ticket */ 2023 if (identity != 0) 2024 s->ext.early_data_ok = 0; 2025 #endif 2026 2027 return 1; 2028 } 2029