1 /*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14
15 #define COOKIE_STATE_FORMAT_VERSION 1
16
17 /*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23 */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27 /*
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
33 */
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
37
38 /*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
tls_parse_ctos_renegotiate(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
43 {
44 unsigned int ilen;
45 const unsigned char *data;
46
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
51 return 0;
52 }
53
54 /* Check that the extension matches */
55 if (ilen != s->s3.previous_client_finished_len) {
56 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
57 return 0;
58 }
59
60 if (memcmp(data, s->s3.previous_client_finished,
61 s->s3.previous_client_finished_len)) {
62 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
63 return 0;
64 }
65
66 s->s3.send_connection_binding = 1;
67
68 return 1;
69 }
70
71 /*-
72 * The servername extension is treated as follows:
73 *
74 * - Only the hostname type is supported with a maximum length of 255.
75 * - The servername is rejected if too long or if it contains zeros,
76 * in which case an fatal alert is generated.
77 * - The servername field is maintained together with the session cache.
78 * - When a session is resumed, the servername call back invoked in order
79 * to allow the application to position itself to the right context.
80 * - The servername is acknowledged if it is new for a session or when
81 * it is identical to a previously used for the same session.
82 * Applications can control the behaviour. They can at any time
83 * set a 'desirable' servername for a new SSL object. This can be the
84 * case for example with HTTPS when a Host: header field is received and
85 * a renegotiation is requested. In this case, a possible servername
86 * presented in the new client hello is only acknowledged if it matches
87 * the value of the Host: field.
88 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89 * if they provide for changing an explicit servername context for the
90 * session, i.e. when the session has been established with a servername
91 * extension.
92 * - On session reconnect, the servername extension may be absent.
93 */
tls_parse_ctos_server_name(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)94 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
95 X509 *x, size_t chainidx)
96 {
97 unsigned int servname_type;
98 PACKET sni, hostname;
99
100 if (!PACKET_as_length_prefixed_2(pkt, &sni)
101 /* ServerNameList must be at least 1 byte long. */
102 || PACKET_remaining(&sni) == 0) {
103 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
104 return 0;
105 }
106
107 /*
108 * Although the intent was for server_name to be extensible, RFC 4366
109 * was not clear about it; and so OpenSSL among other implementations,
110 * always and only allows a 'host_name' name types.
111 * RFC 6066 corrected the mistake but adding new name types
112 * is nevertheless no longer feasible, so act as if no other
113 * SNI types can exist, to simplify parsing.
114 *
115 * Also note that the RFC permits only one SNI value per type,
116 * i.e., we can only have a single hostname.
117 */
118 if (!PACKET_get_1(&sni, &servname_type)
119 || servname_type != TLSEXT_NAMETYPE_host_name
120 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
122 return 0;
123 }
124
125 /*
126 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127 * we always use the SNI value from the handshake.
128 */
129 if (!s->hit || SSL_IS_TLS13(s)) {
130 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
131 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
132 return 0;
133 }
134
135 if (PACKET_contains_zero_byte(&hostname)) {
136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
137 return 0;
138 }
139
140 /*
141 * Store the requested SNI in the SSL as temporary storage.
142 * If we accept it, it will get stored in the SSL_SESSION as well.
143 */
144 OPENSSL_free(s->ext.hostname);
145 s->ext.hostname = NULL;
146 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
148 return 0;
149 }
150
151 s->servername_done = 1;
152 } else {
153 /*
154 * In TLSv1.2 and below we should check if the SNI is consistent between
155 * the initial handshake and the resumption. In TLSv1.3 SNI is not
156 * associated with the session.
157 */
158 s->servername_done = (s->session->ext.hostname != NULL)
159 && PACKET_equal(&hostname, s->session->ext.hostname,
160 strlen(s->session->ext.hostname));
161 }
162
163 return 1;
164 }
165
tls_parse_ctos_maxfragmentlen(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)166 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx)
168 {
169 unsigned int value;
170
171 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
172 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
173 return 0;
174 }
175
176 /* Received |value| should be a valid max-fragment-length code. */
177 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
178 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
179 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
180 return 0;
181 }
182
183 /*
184 * When doing a full handshake or a renegotiation max_fragment_len_mode will
185 * be TLSEXT_max_fragment_length_UNSPECIFIED
186 *
187 * In case of a resumption max_fragment_len_mode will be one of
188 * TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
189 * TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
190 * TLSEXT_max_fragment_length_4096
191 *
192 * RFC 6066: The negotiated length applies for the duration of the session
193 * including session resumptions.
194 *
195 * So we only set the value in case it is unspecified.
196 */
197 if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
198 /*
199 * Store it in session, so it'll become binding for us
200 * and we'll include it in a next Server Hello.
201 */
202 s->session->ext.max_fragment_len_mode = value;
203
204 return 1;
205 }
206
207 #ifndef OPENSSL_NO_SRP
tls_parse_ctos_srp(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)208 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
209 size_t chainidx)
210 {
211 PACKET srp_I;
212
213 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
214 || PACKET_contains_zero_byte(&srp_I)) {
215 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
216 return 0;
217 }
218
219 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
220 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
221 return 0;
222 }
223
224 return 1;
225 }
226 #endif
227
tls_parse_ctos_ec_pt_formats(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)228 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
229 X509 *x, size_t chainidx)
230 {
231 PACKET ec_point_format_list;
232
233 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
234 || PACKET_remaining(&ec_point_format_list) == 0) {
235 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
236 return 0;
237 }
238
239 if (!s->hit) {
240 if (!PACKET_memdup(&ec_point_format_list,
241 &s->ext.peer_ecpointformats,
242 &s->ext.peer_ecpointformats_len)) {
243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
244 return 0;
245 }
246 }
247
248 return 1;
249 }
250
tls_parse_ctos_session_ticket(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)251 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
252 X509 *x, size_t chainidx)
253 {
254 if (s->ext.session_ticket_cb &&
255 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
256 PACKET_remaining(pkt),
257 s->ext.session_ticket_cb_arg)) {
258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
259 return 0;
260 }
261
262 return 1;
263 }
264
tls_parse_ctos_sig_algs_cert(SSL * s,PACKET * pkt,ossl_unused unsigned int context,ossl_unused X509 * x,ossl_unused size_t chainidx)265 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
266 ossl_unused unsigned int context,
267 ossl_unused X509 *x,
268 ossl_unused size_t chainidx)
269 {
270 PACKET supported_sig_algs;
271
272 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
273 || PACKET_remaining(&supported_sig_algs) == 0) {
274 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
275 return 0;
276 }
277
278 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
279 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
280 return 0;
281 }
282
283 return 1;
284 }
285
tls_parse_ctos_sig_algs(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)286 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
287 size_t chainidx)
288 {
289 PACKET supported_sig_algs;
290
291 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
292 || PACKET_remaining(&supported_sig_algs) == 0) {
293 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
294 return 0;
295 }
296
297 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
298 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
299 return 0;
300 }
301
302 return 1;
303 }
304
305 #ifndef OPENSSL_NO_OCSP
tls_parse_ctos_status_request(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)306 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
307 X509 *x, size_t chainidx)
308 {
309 PACKET responder_id_list, exts;
310
311 /* We ignore this in a resumption handshake */
312 if (s->hit)
313 return 1;
314
315 /* Not defined if we get one of these in a client Certificate */
316 if (x != NULL)
317 return 1;
318
319 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
321 return 0;
322 }
323
324 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
325 /*
326 * We don't know what to do with any other type so ignore it.
327 */
328 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
329 return 1;
330 }
331
332 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
333 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
334 return 0;
335 }
336
337 /*
338 * We remove any OCSP_RESPIDs from a previous handshake
339 * to prevent unbounded memory growth - CVE-2016-6304
340 */
341 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
342 if (PACKET_remaining(&responder_id_list) > 0) {
343 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
344 if (s->ext.ocsp.ids == NULL) {
345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
346 return 0;
347 }
348 } else {
349 s->ext.ocsp.ids = NULL;
350 }
351
352 while (PACKET_remaining(&responder_id_list) > 0) {
353 OCSP_RESPID *id;
354 PACKET responder_id;
355 const unsigned char *id_data;
356
357 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
358 || PACKET_remaining(&responder_id) == 0) {
359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
360 return 0;
361 }
362
363 id_data = PACKET_data(&responder_id);
364 id = d2i_OCSP_RESPID(NULL, &id_data,
365 (int)PACKET_remaining(&responder_id));
366 if (id == NULL) {
367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
368 return 0;
369 }
370
371 if (id_data != PACKET_end(&responder_id)) {
372 OCSP_RESPID_free(id);
373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
374
375 return 0;
376 }
377
378 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
379 OCSP_RESPID_free(id);
380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
381
382 return 0;
383 }
384 }
385
386 /* Read in request_extensions */
387 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
389 return 0;
390 }
391
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
394
395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396 X509_EXTENSION_free);
397 s->ext.ocsp.exts =
398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
401 return 0;
402 }
403 }
404
405 return 1;
406 }
407 #endif
408
409 #ifndef OPENSSL_NO_NEXTPROTONEG
tls_parse_ctos_npn(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)410 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
411 size_t chainidx)
412 {
413 /*
414 * We shouldn't accept this extension on a
415 * renegotiation.
416 */
417 if (SSL_IS_FIRST_HANDSHAKE(s))
418 s->s3.npn_seen = 1;
419
420 return 1;
421 }
422 #endif
423
424 /*
425 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
426 * extension, not including type and length. Returns: 1 on success, 0 on error.
427 */
tls_parse_ctos_alpn(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)428 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
429 size_t chainidx)
430 {
431 PACKET protocol_list, save_protocol_list, protocol;
432
433 if (!SSL_IS_FIRST_HANDSHAKE(s))
434 return 1;
435
436 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
437 || PACKET_remaining(&protocol_list) < 2) {
438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
439 return 0;
440 }
441
442 save_protocol_list = protocol_list;
443 do {
444 /* Protocol names can't be empty. */
445 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
446 || PACKET_remaining(&protocol) == 0) {
447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
448 return 0;
449 }
450 } while (PACKET_remaining(&protocol_list) != 0);
451
452 OPENSSL_free(s->s3.alpn_proposed);
453 s->s3.alpn_proposed = NULL;
454 s->s3.alpn_proposed_len = 0;
455 if (!PACKET_memdup(&save_protocol_list,
456 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
458 return 0;
459 }
460
461 return 1;
462 }
463
464 #ifndef OPENSSL_NO_SRTP
tls_parse_ctos_use_srtp(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)465 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
466 size_t chainidx)
467 {
468 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
469 unsigned int ct, mki_len, id;
470 int i, srtp_pref;
471 PACKET subpkt;
472
473 /* Ignore this if we have no SRTP profiles */
474 if (SSL_get_srtp_profiles(s) == NULL)
475 return 1;
476
477 /* Pull off the length of the cipher suite list and check it is even */
478 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
479 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
480 SSLfatal(s, SSL_AD_DECODE_ERROR,
481 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
482 return 0;
483 }
484
485 srvr = SSL_get_srtp_profiles(s);
486 s->srtp_profile = NULL;
487 /* Search all profiles for a match initially */
488 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
489
490 while (PACKET_remaining(&subpkt)) {
491 if (!PACKET_get_net_2(&subpkt, &id)) {
492 SSLfatal(s, SSL_AD_DECODE_ERROR,
493 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
494 return 0;
495 }
496
497 /*
498 * Only look for match in profiles of higher preference than
499 * current match.
500 * If no profiles have been have been configured then this
501 * does nothing.
502 */
503 for (i = 0; i < srtp_pref; i++) {
504 SRTP_PROTECTION_PROFILE *sprof =
505 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
506
507 if (sprof->id == id) {
508 s->srtp_profile = sprof;
509 srtp_pref = i;
510 break;
511 }
512 }
513 }
514
515 /* Now extract the MKI value as a sanity check, but discard it for now */
516 if (!PACKET_get_1(pkt, &mki_len)) {
517 SSLfatal(s, SSL_AD_DECODE_ERROR,
518 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
519 return 0;
520 }
521
522 if (!PACKET_forward(pkt, mki_len)
523 || PACKET_remaining(pkt)) {
524 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
525 return 0;
526 }
527
528 return 1;
529 }
530 #endif
531
tls_parse_ctos_etm(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)532 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
533 size_t chainidx)
534 {
535 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
536 s->ext.use_etm = 1;
537
538 return 1;
539 }
540
541 /*
542 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
543 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
544 */
tls_parse_ctos_psk_kex_modes(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)545 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
546 X509 *x, size_t chainidx)
547 {
548 #ifndef OPENSSL_NO_TLS1_3
549 PACKET psk_kex_modes;
550 unsigned int mode;
551
552 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
553 || PACKET_remaining(&psk_kex_modes) == 0) {
554 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
555 return 0;
556 }
557
558 while (PACKET_get_1(&psk_kex_modes, &mode)) {
559 if (mode == TLSEXT_KEX_MODE_KE_DHE)
560 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
561 else if (mode == TLSEXT_KEX_MODE_KE
562 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
563 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
564 }
565 #endif
566
567 return 1;
568 }
569
570 /*
571 * Process a key_share extension received in the ClientHello. |pkt| contains
572 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
573 */
tls_parse_ctos_key_share(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)574 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
575 size_t chainidx)
576 {
577 #ifndef OPENSSL_NO_TLS1_3
578 unsigned int group_id;
579 PACKET key_share_list, encoded_pt;
580 const uint16_t *clntgroups, *srvrgroups;
581 size_t clnt_num_groups, srvr_num_groups;
582 int found = 0;
583
584 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
585 return 1;
586
587 /* Sanity check */
588 if (s->s3.peer_tmp != NULL) {
589 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
590 return 0;
591 }
592
593 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
594 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
595 return 0;
596 }
597
598 /* Get our list of supported groups */
599 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
600 /* Get the clients list of supported groups. */
601 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
602 if (clnt_num_groups == 0) {
603 /*
604 * This can only happen if the supported_groups extension was not sent,
605 * because we verify that the length is non-zero when we process that
606 * extension.
607 */
608 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
609 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
610 return 0;
611 }
612
613 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
614 /*
615 * If we set a group_id already, then we must have sent an HRR
616 * requesting a new key_share. If we haven't got one then that is an
617 * error
618 */
619 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
620 return 0;
621 }
622
623 while (PACKET_remaining(&key_share_list) > 0) {
624 if (!PACKET_get_net_2(&key_share_list, &group_id)
625 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
626 || PACKET_remaining(&encoded_pt) == 0) {
627 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
628 return 0;
629 }
630
631 /*
632 * If we already found a suitable key_share we loop through the
633 * rest to verify the structure, but don't process them.
634 */
635 if (found)
636 continue;
637
638 /*
639 * If we sent an HRR then the key_share sent back MUST be for the group
640 * we requested, and must be the only key_share sent.
641 */
642 if (s->s3.group_id != 0
643 && (group_id != s->s3.group_id
644 || PACKET_remaining(&key_share_list) != 0)) {
645 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
646 return 0;
647 }
648
649 /* Check if this share is in supported_groups sent from client */
650 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
651 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
652 return 0;
653 }
654
655 /* Check if this share is for a group we can use */
656 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
657 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
658 /*
659 * We tolerate but ignore a group id that we don't think is
660 * suitable for TLSv1.3
661 */
662 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
663 0, NULL)) {
664 /* Share not suitable */
665 continue;
666 }
667
668 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
669 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
670 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
671 return 0;
672 }
673
674 s->s3.group_id = group_id;
675 /* Cache the selected group ID in the SSL_SESSION */
676 s->session->kex_group = group_id;
677
678 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
679 PACKET_data(&encoded_pt),
680 PACKET_remaining(&encoded_pt)) <= 0) {
681 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
682 return 0;
683 }
684
685 found = 1;
686 }
687 #endif
688
689 return 1;
690 }
691
tls_parse_ctos_cookie(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)692 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
693 size_t chainidx)
694 {
695 #ifndef OPENSSL_NO_TLS1_3
696 unsigned int format, version, key_share, group_id;
697 EVP_MD_CTX *hctx;
698 EVP_PKEY *pkey;
699 PACKET cookie, raw, chhash, appcookie;
700 WPACKET hrrpkt;
701 const unsigned char *data, *mdin, *ciphdata;
702 unsigned char hmac[SHA256_DIGEST_LENGTH];
703 unsigned char hrr[MAX_HRR_SIZE];
704 size_t rawlen, hmaclen, hrrlen, ciphlen;
705 uint64_t tm, now;
706
707 /* Ignore any cookie if we're not set up to verify it */
708 if (s->ctx->verify_stateless_cookie_cb == NULL
709 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
710 return 1;
711
712 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
714 return 0;
715 }
716
717 raw = cookie;
718 data = PACKET_data(&raw);
719 rawlen = PACKET_remaining(&raw);
720 if (rawlen < SHA256_DIGEST_LENGTH
721 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
722 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
723 return 0;
724 }
725 mdin = PACKET_data(&raw);
726
727 /* Verify the HMAC of the cookie */
728 hctx = EVP_MD_CTX_create();
729 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
730 s->ctx->propq,
731 s->session_ctx->ext.cookie_hmac_key,
732 sizeof(s->session_ctx->ext.cookie_hmac_key));
733 if (hctx == NULL || pkey == NULL) {
734 EVP_MD_CTX_free(hctx);
735 EVP_PKEY_free(pkey);
736 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
737 return 0;
738 }
739
740 hmaclen = SHA256_DIGEST_LENGTH;
741 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
742 s->ctx->propq, pkey, NULL) <= 0
743 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
744 rawlen - SHA256_DIGEST_LENGTH) <= 0
745 || hmaclen != SHA256_DIGEST_LENGTH) {
746 EVP_MD_CTX_free(hctx);
747 EVP_PKEY_free(pkey);
748 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
749 return 0;
750 }
751
752 EVP_MD_CTX_free(hctx);
753 EVP_PKEY_free(pkey);
754
755 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
756 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
757 return 0;
758 }
759
760 if (!PACKET_get_net_2(&cookie, &format)) {
761 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
762 return 0;
763 }
764 /* Check the cookie format is something we recognise. Ignore it if not */
765 if (format != COOKIE_STATE_FORMAT_VERSION)
766 return 1;
767
768 /*
769 * The rest of these checks really shouldn't fail since we have verified the
770 * HMAC above.
771 */
772
773 /* Check the version number is sane */
774 if (!PACKET_get_net_2(&cookie, &version)) {
775 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
776 return 0;
777 }
778 if (version != TLS1_3_VERSION) {
779 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
780 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
781 return 0;
782 }
783
784 if (!PACKET_get_net_2(&cookie, &group_id)) {
785 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
786 return 0;
787 }
788
789 ciphdata = PACKET_data(&cookie);
790 if (!PACKET_forward(&cookie, 2)) {
791 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
792 return 0;
793 }
794 if (group_id != s->s3.group_id
795 || s->s3.tmp.new_cipher
796 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
797 /*
798 * We chose a different cipher or group id this time around to what is
799 * in the cookie. Something must have changed.
800 */
801 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
802 return 0;
803 }
804
805 if (!PACKET_get_1(&cookie, &key_share)
806 || !PACKET_get_net_8(&cookie, &tm)
807 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
808 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
809 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
810 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
811 return 0;
812 }
813
814 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
815 now = time(NULL);
816 if (tm > now || (now - tm) > 600) {
817 /* Cookie is stale. Ignore it */
818 return 1;
819 }
820
821 /* Verify the app cookie */
822 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
823 PACKET_remaining(&appcookie)) == 0) {
824 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
825 return 0;
826 }
827
828 /*
829 * Reconstruct the HRR that we would have sent in response to the original
830 * ClientHello so we can add it to the transcript hash.
831 * Note: This won't work with custom HRR extensions
832 */
833 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
835 return 0;
836 }
837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838 || !WPACKET_start_sub_packet_u24(&hrrpkt)
839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842 s->tmp_session_id_len)
843 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
844 &ciphlen)
845 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847 WPACKET_cleanup(&hrrpkt);
848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
849 return 0;
850 }
851 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
852 || !WPACKET_start_sub_packet_u16(&hrrpkt)
853 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
854 || !WPACKET_close(&hrrpkt)) {
855 WPACKET_cleanup(&hrrpkt);
856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
857 return 0;
858 }
859 if (key_share) {
860 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
861 || !WPACKET_start_sub_packet_u16(&hrrpkt)
862 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
863 || !WPACKET_close(&hrrpkt)) {
864 WPACKET_cleanup(&hrrpkt);
865 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
866 return 0;
867 }
868 }
869 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
870 || !WPACKET_start_sub_packet_u16(&hrrpkt)
871 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
872 || !WPACKET_close(&hrrpkt) /* cookie extension */
873 || !WPACKET_close(&hrrpkt) /* extension block */
874 || !WPACKET_close(&hrrpkt) /* message */
875 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
876 || !WPACKET_finish(&hrrpkt)) {
877 WPACKET_cleanup(&hrrpkt);
878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
879 return 0;
880 }
881
882 /* Reconstruct the transcript hash */
883 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
884 PACKET_remaining(&chhash), hrr,
885 hrrlen)) {
886 /* SSLfatal() already called */
887 return 0;
888 }
889
890 /* Act as if this ClientHello came after a HelloRetryRequest */
891 s->hello_retry_request = SSL_HRR_PENDING;
892
893 s->ext.cookieok = 1;
894 #endif
895
896 return 1;
897 }
898
tls_parse_ctos_supported_groups(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)899 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
900 X509 *x, size_t chainidx)
901 {
902 PACKET supported_groups_list;
903
904 /* Each group is 2 bytes and we must have at least 1. */
905 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
906 || PACKET_remaining(&supported_groups_list) == 0
907 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
908 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
909 return 0;
910 }
911
912 if (!s->hit || SSL_IS_TLS13(s)) {
913 OPENSSL_free(s->ext.peer_supportedgroups);
914 s->ext.peer_supportedgroups = NULL;
915 s->ext.peer_supportedgroups_len = 0;
916 if (!tls1_save_u16(&supported_groups_list,
917 &s->ext.peer_supportedgroups,
918 &s->ext.peer_supportedgroups_len)) {
919 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
920 return 0;
921 }
922 }
923
924 return 1;
925 }
926
tls_parse_ctos_ems(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)927 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
928 size_t chainidx)
929 {
930 /* The extension must always be empty */
931 if (PACKET_remaining(pkt) != 0) {
932 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
933 return 0;
934 }
935
936 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
937 return 1;
938
939 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
940
941 return 1;
942 }
943
944
tls_parse_ctos_early_data(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)945 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
946 X509 *x, size_t chainidx)
947 {
948 if (PACKET_remaining(pkt) != 0) {
949 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
950 return 0;
951 }
952
953 if (s->hello_retry_request != SSL_HRR_NONE) {
954 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
955 return 0;
956 }
957
958 return 1;
959 }
960
tls_get_stateful_ticket(SSL * s,PACKET * tick,SSL_SESSION ** sess)961 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
962 SSL_SESSION **sess)
963 {
964 SSL_SESSION *tmpsess = NULL;
965
966 s->ext.ticket_expected = 1;
967
968 switch (PACKET_remaining(tick)) {
969 case 0:
970 return SSL_TICKET_EMPTY;
971
972 case SSL_MAX_SSL_SESSION_ID_LENGTH:
973 break;
974
975 default:
976 return SSL_TICKET_NO_DECRYPT;
977 }
978
979 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
980 SSL_MAX_SSL_SESSION_ID_LENGTH);
981
982 if (tmpsess == NULL)
983 return SSL_TICKET_NO_DECRYPT;
984
985 *sess = tmpsess;
986 return SSL_TICKET_SUCCESS;
987 }
988
tls_parse_ctos_psk(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)989 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
990 size_t chainidx)
991 {
992 PACKET identities, binders, binder;
993 size_t binderoffset, hashsize;
994 SSL_SESSION *sess = NULL;
995 unsigned int id, i, ext = 0;
996 const EVP_MD *md = NULL;
997
998 /*
999 * If we have no PSK kex mode that we recognise then we can't resume so
1000 * ignore this extension
1001 */
1002 if ((s->ext.psk_kex_mode
1003 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1004 return 1;
1005
1006 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1007 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1008 return 0;
1009 }
1010
1011 s->ext.ticket_expected = 0;
1012 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1013 PACKET identity;
1014 unsigned long ticket_agel;
1015 size_t idlen;
1016
1017 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1018 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1019 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1020 return 0;
1021 }
1022
1023 idlen = PACKET_remaining(&identity);
1024 if (s->psk_find_session_cb != NULL
1025 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1026 &sess)) {
1027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1028 return 0;
1029 }
1030
1031 #ifndef OPENSSL_NO_PSK
1032 if(sess == NULL
1033 && s->psk_server_callback != NULL
1034 && idlen <= PSK_MAX_IDENTITY_LEN) {
1035 char *pskid = NULL;
1036 unsigned char pskdata[PSK_MAX_PSK_LEN];
1037 unsigned int pskdatalen;
1038
1039 if (!PACKET_strndup(&identity, &pskid)) {
1040 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1041 return 0;
1042 }
1043 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1044 sizeof(pskdata));
1045 OPENSSL_free(pskid);
1046 if (pskdatalen > PSK_MAX_PSK_LEN) {
1047 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1048 return 0;
1049 } else if (pskdatalen > 0) {
1050 const SSL_CIPHER *cipher;
1051 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1052
1053 /*
1054 * We found a PSK using an old style callback. We don't know
1055 * the digest so we default to SHA256 as per the TLSv1.3 spec
1056 */
1057 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1058 if (cipher == NULL) {
1059 OPENSSL_cleanse(pskdata, pskdatalen);
1060 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1061 return 0;
1062 }
1063
1064 sess = SSL_SESSION_new();
1065 if (sess == NULL
1066 || !SSL_SESSION_set1_master_key(sess, pskdata,
1067 pskdatalen)
1068 || !SSL_SESSION_set_cipher(sess, cipher)
1069 || !SSL_SESSION_set_protocol_version(sess,
1070 TLS1_3_VERSION)) {
1071 OPENSSL_cleanse(pskdata, pskdatalen);
1072 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1073 goto err;
1074 }
1075 OPENSSL_cleanse(pskdata, pskdatalen);
1076 }
1077 }
1078 #endif /* OPENSSL_NO_PSK */
1079
1080 if (sess != NULL) {
1081 /* We found a PSK */
1082 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1083
1084 if (sesstmp == NULL) {
1085 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1086 return 0;
1087 }
1088 SSL_SESSION_free(sess);
1089 sess = sesstmp;
1090
1091 /*
1092 * We've just been told to use this session for this context so
1093 * make sure the sid_ctx matches up.
1094 */
1095 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1096 sess->sid_ctx_length = s->sid_ctx_length;
1097 ext = 1;
1098 if (id == 0)
1099 s->ext.early_data_ok = 1;
1100 s->ext.ticket_expected = 1;
1101 } else {
1102 uint32_t ticket_age = 0, agesec, agems;
1103 int ret;
1104
1105 /*
1106 * If we are using anti-replay protection then we behave as if
1107 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1108 * is no point in using full stateless tickets.
1109 */
1110 if ((s->options & SSL_OP_NO_TICKET) != 0
1111 || (s->max_early_data > 0
1112 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1113 ret = tls_get_stateful_ticket(s, &identity, &sess);
1114 else
1115 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1116 PACKET_remaining(&identity), NULL, 0,
1117 &sess);
1118
1119 if (ret == SSL_TICKET_EMPTY) {
1120 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1121 return 0;
1122 }
1123
1124 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1125 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1127 return 0;
1128 }
1129 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1130 continue;
1131
1132 /* Check for replay */
1133 if (s->max_early_data > 0
1134 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1135 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1136 SSL_SESSION_free(sess);
1137 sess = NULL;
1138 continue;
1139 }
1140
1141 ticket_age = (uint32_t)ticket_agel;
1142 agesec = (uint32_t)(time(NULL) - sess->time);
1143 agems = agesec * (uint32_t)1000;
1144 ticket_age -= sess->ext.tick_age_add;
1145
1146 /*
1147 * For simplicity we do our age calculations in seconds. If the
1148 * client does it in ms then it could appear that their ticket age
1149 * is longer than ours (our ticket age calculation should always be
1150 * slightly longer than the client's due to the network latency).
1151 * Therefore we add 1000ms to our age calculation to adjust for
1152 * rounding errors.
1153 */
1154 if (id == 0
1155 && sess->timeout >= (long)agesec
1156 && agems / (uint32_t)1000 == agesec
1157 && ticket_age <= agems + 1000
1158 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1159 /*
1160 * Ticket age is within tolerance and not expired. We allow it
1161 * for early data
1162 */
1163 s->ext.early_data_ok = 1;
1164 }
1165 }
1166
1167 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1168 if (md == NULL) {
1169 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1170 goto err;
1171 }
1172 if (!EVP_MD_is_a(md,
1173 EVP_MD_get0_name(ssl_md(s->ctx,
1174 s->s3.tmp.new_cipher->algorithm2)))) {
1175 /* The ciphersuite is not compatible with this session. */
1176 SSL_SESSION_free(sess);
1177 sess = NULL;
1178 s->ext.early_data_ok = 0;
1179 s->ext.ticket_expected = 0;
1180 continue;
1181 }
1182 break;
1183 }
1184
1185 if (sess == NULL)
1186 return 1;
1187
1188 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1189 hashsize = EVP_MD_get_size(md);
1190
1191 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1192 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1193 goto err;
1194 }
1195
1196 for (i = 0; i <= id; i++) {
1197 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1198 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1199 goto err;
1200 }
1201 }
1202
1203 if (PACKET_remaining(&binder) != hashsize) {
1204 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1205 goto err;
1206 }
1207 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1208 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1209 ext) != 1) {
1210 /* SSLfatal() already called */
1211 goto err;
1212 }
1213
1214 s->ext.tick_identity = id;
1215
1216 SSL_SESSION_free(s->session);
1217 s->session = sess;
1218 return 1;
1219 err:
1220 SSL_SESSION_free(sess);
1221 return 0;
1222 }
1223
tls_parse_ctos_post_handshake_auth(SSL * s,PACKET * pkt,ossl_unused unsigned int context,ossl_unused X509 * x,ossl_unused size_t chainidx)1224 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1225 ossl_unused unsigned int context,
1226 ossl_unused X509 *x,
1227 ossl_unused size_t chainidx)
1228 {
1229 if (PACKET_remaining(pkt) != 0) {
1230 SSLfatal(s, SSL_AD_DECODE_ERROR,
1231 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1232 return 0;
1233 }
1234
1235 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1236
1237 return 1;
1238 }
1239
1240 /*
1241 * Add the server's renegotiation binding
1242 */
tls_construct_stoc_renegotiate(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1243 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1244 unsigned int context, X509 *x,
1245 size_t chainidx)
1246 {
1247 if (!s->s3.send_connection_binding)
1248 return EXT_RETURN_NOT_SENT;
1249
1250 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1251 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1252 || !WPACKET_start_sub_packet_u16(pkt)
1253 || !WPACKET_start_sub_packet_u8(pkt)
1254 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1255 s->s3.previous_client_finished_len)
1256 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1257 s->s3.previous_server_finished_len)
1258 || !WPACKET_close(pkt)
1259 || !WPACKET_close(pkt)) {
1260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1261 return EXT_RETURN_FAIL;
1262 }
1263
1264 return EXT_RETURN_SENT;
1265 }
1266
tls_construct_stoc_server_name(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1267 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1268 unsigned int context, X509 *x,
1269 size_t chainidx)
1270 {
1271 if (s->servername_done != 1)
1272 return EXT_RETURN_NOT_SENT;
1273
1274 /*
1275 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1276 * We just use the servername from the initial handshake.
1277 */
1278 if (s->hit && !SSL_IS_TLS13(s))
1279 return EXT_RETURN_NOT_SENT;
1280
1281 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1282 || !WPACKET_put_bytes_u16(pkt, 0)) {
1283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1284 return EXT_RETURN_FAIL;
1285 }
1286
1287 return EXT_RETURN_SENT;
1288 }
1289
1290 /* Add/include the server's max fragment len extension into ServerHello */
tls_construct_stoc_maxfragmentlen(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1291 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1292 unsigned int context, X509 *x,
1293 size_t chainidx)
1294 {
1295 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1296 return EXT_RETURN_NOT_SENT;
1297
1298 /*-
1299 * 4 bytes for this extension type and extension length
1300 * 1 byte for the Max Fragment Length code value.
1301 */
1302 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1303 || !WPACKET_start_sub_packet_u16(pkt)
1304 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1305 || !WPACKET_close(pkt)) {
1306 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1307 return EXT_RETURN_FAIL;
1308 }
1309
1310 return EXT_RETURN_SENT;
1311 }
1312
tls_construct_stoc_ec_pt_formats(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1313 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1314 unsigned int context, X509 *x,
1315 size_t chainidx)
1316 {
1317 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1318 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1319 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1320 && (s->ext.peer_ecpointformats != NULL);
1321 const unsigned char *plist;
1322 size_t plistlen;
1323
1324 if (!using_ecc)
1325 return EXT_RETURN_NOT_SENT;
1326
1327 tls1_get_formatlist(s, &plist, &plistlen);
1328 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1329 || !WPACKET_start_sub_packet_u16(pkt)
1330 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1331 || !WPACKET_close(pkt)) {
1332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1333 return EXT_RETURN_FAIL;
1334 }
1335
1336 return EXT_RETURN_SENT;
1337 }
1338
tls_construct_stoc_supported_groups(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1339 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1340 unsigned int context, X509 *x,
1341 size_t chainidx)
1342 {
1343 const uint16_t *groups;
1344 size_t numgroups, i, first = 1;
1345 int version;
1346
1347 /* s->s3.group_id is non zero if we accepted a key_share */
1348 if (s->s3.group_id == 0)
1349 return EXT_RETURN_NOT_SENT;
1350
1351 /* Get our list of supported groups */
1352 tls1_get_supported_groups(s, &groups, &numgroups);
1353 if (numgroups == 0) {
1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1355 return EXT_RETURN_FAIL;
1356 }
1357
1358 /* Copy group ID if supported */
1359 version = SSL_version(s);
1360 for (i = 0; i < numgroups; i++) {
1361 uint16_t group = groups[i];
1362
1363 if (tls_valid_group(s, group, version, version, 0, NULL)
1364 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1365 if (first) {
1366 /*
1367 * Check if the client is already using our preferred group. If
1368 * so we don't need to add this extension
1369 */
1370 if (s->s3.group_id == group)
1371 return EXT_RETURN_NOT_SENT;
1372
1373 /* Add extension header */
1374 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1375 /* Sub-packet for supported_groups extension */
1376 || !WPACKET_start_sub_packet_u16(pkt)
1377 || !WPACKET_start_sub_packet_u16(pkt)) {
1378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1379 return EXT_RETURN_FAIL;
1380 }
1381
1382 first = 0;
1383 }
1384 if (!WPACKET_put_bytes_u16(pkt, group)) {
1385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1386 return EXT_RETURN_FAIL;
1387 }
1388 }
1389 }
1390
1391 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1393 return EXT_RETURN_FAIL;
1394 }
1395
1396 return EXT_RETURN_SENT;
1397 }
1398
tls_construct_stoc_session_ticket(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1399 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1400 unsigned int context, X509 *x,
1401 size_t chainidx)
1402 {
1403 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1404 s->ext.ticket_expected = 0;
1405 return EXT_RETURN_NOT_SENT;
1406 }
1407
1408 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1409 || !WPACKET_put_bytes_u16(pkt, 0)) {
1410 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1411 return EXT_RETURN_FAIL;
1412 }
1413
1414 return EXT_RETURN_SENT;
1415 }
1416
1417 #ifndef OPENSSL_NO_OCSP
tls_construct_stoc_status_request(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1418 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1419 unsigned int context, X509 *x,
1420 size_t chainidx)
1421 {
1422 /* We don't currently support this extension inside a CertificateRequest */
1423 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1424 return EXT_RETURN_NOT_SENT;
1425
1426 if (!s->ext.status_expected)
1427 return EXT_RETURN_NOT_SENT;
1428
1429 if (SSL_IS_TLS13(s) && chainidx != 0)
1430 return EXT_RETURN_NOT_SENT;
1431
1432 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1433 || !WPACKET_start_sub_packet_u16(pkt)) {
1434 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1435 return EXT_RETURN_FAIL;
1436 }
1437
1438 /*
1439 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1440 * send back an empty extension, with the certificate status appearing as a
1441 * separate message
1442 */
1443 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1444 /* SSLfatal() already called */
1445 return EXT_RETURN_FAIL;
1446 }
1447 if (!WPACKET_close(pkt)) {
1448 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1449 return EXT_RETURN_FAIL;
1450 }
1451
1452 return EXT_RETURN_SENT;
1453 }
1454 #endif
1455
1456 #ifndef OPENSSL_NO_NEXTPROTONEG
tls_construct_stoc_next_proto_neg(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1457 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1458 unsigned int context, X509 *x,
1459 size_t chainidx)
1460 {
1461 const unsigned char *npa;
1462 unsigned int npalen;
1463 int ret;
1464 int npn_seen = s->s3.npn_seen;
1465
1466 s->s3.npn_seen = 0;
1467 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1468 return EXT_RETURN_NOT_SENT;
1469
1470 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1471 s->ctx->ext.npn_advertised_cb_arg);
1472 if (ret == SSL_TLSEXT_ERR_OK) {
1473 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1474 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1475 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1476 return EXT_RETURN_FAIL;
1477 }
1478 s->s3.npn_seen = 1;
1479 return EXT_RETURN_SENT;
1480 }
1481
1482 return EXT_RETURN_NOT_SENT;
1483 }
1484 #endif
1485
tls_construct_stoc_alpn(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1486 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1487 X509 *x, size_t chainidx)
1488 {
1489 if (s->s3.alpn_selected == NULL)
1490 return EXT_RETURN_NOT_SENT;
1491
1492 if (!WPACKET_put_bytes_u16(pkt,
1493 TLSEXT_TYPE_application_layer_protocol_negotiation)
1494 || !WPACKET_start_sub_packet_u16(pkt)
1495 || !WPACKET_start_sub_packet_u16(pkt)
1496 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1497 s->s3.alpn_selected_len)
1498 || !WPACKET_close(pkt)
1499 || !WPACKET_close(pkt)) {
1500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1501 return EXT_RETURN_FAIL;
1502 }
1503
1504 return EXT_RETURN_SENT;
1505 }
1506
1507 #ifndef OPENSSL_NO_SRTP
tls_construct_stoc_use_srtp(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1508 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1509 unsigned int context, X509 *x,
1510 size_t chainidx)
1511 {
1512 if (s->srtp_profile == NULL)
1513 return EXT_RETURN_NOT_SENT;
1514
1515 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1516 || !WPACKET_start_sub_packet_u16(pkt)
1517 || !WPACKET_put_bytes_u16(pkt, 2)
1518 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1519 || !WPACKET_put_bytes_u8(pkt, 0)
1520 || !WPACKET_close(pkt)) {
1521 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1522 return EXT_RETURN_FAIL;
1523 }
1524
1525 return EXT_RETURN_SENT;
1526 }
1527 #endif
1528
tls_construct_stoc_etm(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1529 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1530 X509 *x, size_t chainidx)
1531 {
1532 if (!s->ext.use_etm)
1533 return EXT_RETURN_NOT_SENT;
1534
1535 /*
1536 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1537 * for other cases too.
1538 */
1539 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1540 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1541 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1542 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1543 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1544 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1545 s->ext.use_etm = 0;
1546 return EXT_RETURN_NOT_SENT;
1547 }
1548
1549 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1550 || !WPACKET_put_bytes_u16(pkt, 0)) {
1551 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1552 return EXT_RETURN_FAIL;
1553 }
1554
1555 return EXT_RETURN_SENT;
1556 }
1557
tls_construct_stoc_ems(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1558 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1559 X509 *x, size_t chainidx)
1560 {
1561 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1562 return EXT_RETURN_NOT_SENT;
1563
1564 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1565 || !WPACKET_put_bytes_u16(pkt, 0)) {
1566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1567 return EXT_RETURN_FAIL;
1568 }
1569
1570 return EXT_RETURN_SENT;
1571 }
1572
tls_construct_stoc_supported_versions(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1573 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1574 unsigned int context, X509 *x,
1575 size_t chainidx)
1576 {
1577 if (!ossl_assert(SSL_IS_TLS13(s))) {
1578 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1579 return EXT_RETURN_FAIL;
1580 }
1581
1582 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1583 || !WPACKET_start_sub_packet_u16(pkt)
1584 || !WPACKET_put_bytes_u16(pkt, s->version)
1585 || !WPACKET_close(pkt)) {
1586 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1587 return EXT_RETURN_FAIL;
1588 }
1589
1590 return EXT_RETURN_SENT;
1591 }
1592
tls_construct_stoc_key_share(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1593 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1594 unsigned int context, X509 *x,
1595 size_t chainidx)
1596 {
1597 #ifndef OPENSSL_NO_TLS1_3
1598 unsigned char *encodedPoint;
1599 size_t encoded_pt_len = 0;
1600 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1601 const TLS_GROUP_INFO *ginf = NULL;
1602
1603 if (s->hello_retry_request == SSL_HRR_PENDING) {
1604 if (ckey != NULL) {
1605 /* Original key_share was acceptable so don't ask for another one */
1606 return EXT_RETURN_NOT_SENT;
1607 }
1608 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1609 || !WPACKET_start_sub_packet_u16(pkt)
1610 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1611 || !WPACKET_close(pkt)) {
1612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1613 return EXT_RETURN_FAIL;
1614 }
1615
1616 return EXT_RETURN_SENT;
1617 }
1618
1619 if (ckey == NULL) {
1620 /* No key_share received from client - must be resuming */
1621 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1622 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1623 return EXT_RETURN_FAIL;
1624 }
1625 return EXT_RETURN_NOT_SENT;
1626 }
1627 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1628 /*
1629 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1630 * DHE option we always take it); don't send key share.
1631 */
1632 return EXT_RETURN_NOT_SENT;
1633 }
1634
1635 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1636 || !WPACKET_start_sub_packet_u16(pkt)
1637 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1638 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1639 return EXT_RETURN_FAIL;
1640 }
1641
1642 if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
1643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1644 return EXT_RETURN_FAIL;
1645 }
1646
1647 if (!ginf->is_kem) {
1648 /* Regular KEX */
1649 skey = ssl_generate_pkey(s, ckey);
1650 if (skey == NULL) {
1651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1652 return EXT_RETURN_FAIL;
1653 }
1654
1655 /* Generate encoding of server key */
1656 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1657 if (encoded_pt_len == 0) {
1658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1659 EVP_PKEY_free(skey);
1660 return EXT_RETURN_FAIL;
1661 }
1662
1663 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1664 || !WPACKET_close(pkt)) {
1665 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1666 EVP_PKEY_free(skey);
1667 OPENSSL_free(encodedPoint);
1668 return EXT_RETURN_FAIL;
1669 }
1670 OPENSSL_free(encodedPoint);
1671
1672 /*
1673 * This causes the crypto state to be updated based on the derived keys
1674 */
1675 s->s3.tmp.pkey = skey;
1676 if (ssl_derive(s, skey, ckey, 1) == 0) {
1677 /* SSLfatal() already called */
1678 return EXT_RETURN_FAIL;
1679 }
1680 } else {
1681 /* KEM mode */
1682 unsigned char *ct = NULL;
1683 size_t ctlen = 0;
1684
1685 /*
1686 * This does not update the crypto state.
1687 *
1688 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1689 * ssl_gensecret().
1690 */
1691 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1692 /* SSLfatal() already called */
1693 return EXT_RETURN_FAIL;
1694 }
1695
1696 if (ctlen == 0) {
1697 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1698 OPENSSL_free(ct);
1699 return EXT_RETURN_FAIL;
1700 }
1701
1702 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1703 || !WPACKET_close(pkt)) {
1704 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1705 OPENSSL_free(ct);
1706 return EXT_RETURN_FAIL;
1707 }
1708 OPENSSL_free(ct);
1709
1710 /*
1711 * This causes the crypto state to be updated based on the generated pms
1712 */
1713 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1714 /* SSLfatal() already called */
1715 return EXT_RETURN_FAIL;
1716 }
1717 }
1718 s->s3.did_kex = 1;
1719 return EXT_RETURN_SENT;
1720 #else
1721 return EXT_RETURN_FAIL;
1722 #endif
1723 }
1724
tls_construct_stoc_cookie(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1725 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1726 X509 *x, size_t chainidx)
1727 {
1728 #ifndef OPENSSL_NO_TLS1_3
1729 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1730 unsigned char *hmac, *hmac2;
1731 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1732 EVP_MD_CTX *hctx;
1733 EVP_PKEY *pkey;
1734 int ret = EXT_RETURN_FAIL;
1735
1736 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1737 return EXT_RETURN_NOT_SENT;
1738
1739 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1741 return EXT_RETURN_FAIL;
1742 }
1743
1744 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1745 || !WPACKET_start_sub_packet_u16(pkt)
1746 || !WPACKET_start_sub_packet_u16(pkt)
1747 || !WPACKET_get_total_written(pkt, &startlen)
1748 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1749 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1750 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1751 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1752 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1753 &ciphlen)
1754 /* Is there a key_share extension present in this HRR? */
1755 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1756 || !WPACKET_put_bytes_u64(pkt, time(NULL))
1757 || !WPACKET_start_sub_packet_u16(pkt)
1758 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1760 return EXT_RETURN_FAIL;
1761 }
1762
1763 /*
1764 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1765 * on raw buffers, so we first reserve sufficient bytes (above) and then
1766 * subsequently allocate them (below)
1767 */
1768 if (!ssl3_digest_cached_records(s, 0)
1769 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1770 /* SSLfatal() already called */
1771 return EXT_RETURN_FAIL;
1772 }
1773
1774 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1775 || !ossl_assert(hashval1 == hashval2)
1776 || !WPACKET_close(pkt)
1777 || !WPACKET_start_sub_packet_u8(pkt)
1778 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1780 return EXT_RETURN_FAIL;
1781 }
1782
1783 /* Generate the application cookie */
1784 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1786 return EXT_RETURN_FAIL;
1787 }
1788
1789 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1790 || !ossl_assert(appcookie1 == appcookie2)
1791 || !WPACKET_close(pkt)
1792 || !WPACKET_get_total_written(pkt, &totcookielen)
1793 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1795 return EXT_RETURN_FAIL;
1796 }
1797 hmaclen = SHA256_DIGEST_LENGTH;
1798
1799 totcookielen -= startlen;
1800 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1801 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1802 return EXT_RETURN_FAIL;
1803 }
1804
1805 /* HMAC the cookie */
1806 hctx = EVP_MD_CTX_create();
1807 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1808 s->ctx->propq,
1809 s->session_ctx->ext.cookie_hmac_key,
1810 sizeof(s->session_ctx->ext.cookie_hmac_key));
1811 if (hctx == NULL || pkey == NULL) {
1812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1813 goto err;
1814 }
1815
1816 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
1817 s->ctx->propq, pkey, NULL) <= 0
1818 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1819 totcookielen) <= 0) {
1820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1821 goto err;
1822 }
1823
1824 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1825 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1826 goto err;
1827 }
1828
1829 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1830 || !ossl_assert(hmac == hmac2)
1831 || !ossl_assert(cookie == hmac - totcookielen)
1832 || !WPACKET_close(pkt)
1833 || !WPACKET_close(pkt)) {
1834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1835 goto err;
1836 }
1837
1838 ret = EXT_RETURN_SENT;
1839
1840 err:
1841 EVP_MD_CTX_free(hctx);
1842 EVP_PKEY_free(pkey);
1843 return ret;
1844 #else
1845 return EXT_RETURN_FAIL;
1846 #endif
1847 }
1848
tls_construct_stoc_cryptopro_bug(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1849 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1850 unsigned int context, X509 *x,
1851 size_t chainidx)
1852 {
1853 const unsigned char cryptopro_ext[36] = {
1854 0xfd, 0xe8, /* 65000 */
1855 0x00, 0x20, /* 32 bytes length */
1856 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1857 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1858 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1859 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1860 };
1861
1862 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1863 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1864 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1865 return EXT_RETURN_NOT_SENT;
1866
1867 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1869 return EXT_RETURN_FAIL;
1870 }
1871
1872 return EXT_RETURN_SENT;
1873 }
1874
tls_construct_stoc_early_data(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1875 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1876 unsigned int context, X509 *x,
1877 size_t chainidx)
1878 {
1879 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1880 if (s->max_early_data == 0)
1881 return EXT_RETURN_NOT_SENT;
1882
1883 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1884 || !WPACKET_start_sub_packet_u16(pkt)
1885 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1886 || !WPACKET_close(pkt)) {
1887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1888 return EXT_RETURN_FAIL;
1889 }
1890
1891 return EXT_RETURN_SENT;
1892 }
1893
1894 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1895 return EXT_RETURN_NOT_SENT;
1896
1897 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1898 || !WPACKET_start_sub_packet_u16(pkt)
1899 || !WPACKET_close(pkt)) {
1900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1901 return EXT_RETURN_FAIL;
1902 }
1903
1904 return EXT_RETURN_SENT;
1905 }
1906
tls_construct_stoc_psk(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1907 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1908 X509 *x, size_t chainidx)
1909 {
1910 if (!s->hit)
1911 return EXT_RETURN_NOT_SENT;
1912
1913 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1914 || !WPACKET_start_sub_packet_u16(pkt)
1915 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1916 || !WPACKET_close(pkt)) {
1917 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1918 return EXT_RETURN_FAIL;
1919 }
1920
1921 return EXT_RETURN_SENT;
1922 }
1923