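/*
 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/ocsp.h>
#include "../ssl_locl.h"
#include "internal/cryptlib.h"
#include "statem_locl.h"

/*
 * Client-side constructors for ClientHello extensions.
 *
 * Every tls_construct_ctos_*() function below has the same signature and
 * the same return convention:
 *   EXT_RETURN_SENT      the extension was written into pkt
 *   EXT_RETURN_NOT_SENT  the extension does not apply and nothing was written
 *   EXT_RETURN_FAIL      writing failed; SSLfatal() has already been called
 *
 * Each extension is written as a 16-bit extension type followed by its data.
 * Where the WPACKET_start_sub_packet_*() / WPACKET_close() pairs are used,
 * every start call must be matched by exactly one close call.
 */

/*
 * Add the renegotiation_info extension.
 *
 * Only sent while renegotiating (s->renegotiate non-zero). The extension data
 * is the client Finished value saved from the previous handshake
 * (s->s3->previous_client_finished), written with a one-byte length prefix.
 * context, x and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    /* Add RI if renegotiating */
    if (!s->renegotiate)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
                               s->s3->previous_client_finished_len)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the server_name (SNI) extension.
 *
 * Sent only when a hostname has been configured in s->ext.hostname. The name
 * is treated as a NUL-terminated string (its length comes from strlen()) and
 * is written as a single host_name entry. Because it is carried in the
 * ClientHello, the hostname is sent before any handshake encryption is in
 * place. context, x and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    if (s->ext.hostname == NULL)
        return EXT_RETURN_NOT_SENT;

    /* Add TLS extension servername to the Client Hello message */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
               /* Sub-packet for server_name extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for servername list (always 1 hostname)*/
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
                                       strlen(s->ext.hostname))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Push a Max Fragment Len extension into ClientHello.
 *
 * Skipped when s->ext.max_fragment_len_mode is
 * TLSEXT_max_fragment_length_DISABLED; otherwise the mode value itself is
 * sent as the single-byte extension payload. context, x and chainidx are not
 * used.
 */
EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
        return EXT_RETURN_NOT_SENT;

    /* Add Max Fragment Length extension if client enabled it. */
    /*-
     * 4 bytes for this extension type and extension length
     * 1 byte for the Max Fragment Length code value.
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
            /* Sub-packet for Max Fragment Length extension (1 byte) */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_SRP
/*
 * Add the SRP extension carrying the configured user name.
 *
 * Sent only when s->srp_ctx.login is set. The login is treated as a
 * NUL-terminated string and written with a one-byte length prefix; the
 * WPACKET_FLAGS_NON_ZERO_LENGTH flag turns an empty login into a failure
 * rather than an empty field. Like every ClientHello extension, the user name
 * is sent before handshake encryption is in place. context, x and chainidx
 * are not used.
 */
EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    /* Add SRP username if there is one */
    if (s->srp_ctx.login == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
               /* Sub-packet for SRP extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
               /* login must not be zero...internal error if so */
            || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
            || !WPACKET_memcpy(pkt, s->srp_ctx.login,
                               strlen(s->srp_ctx.login))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

#ifndef OPENSSL_NO_EC
/*
 * Decide whether the EC-related extensions should be sent.
 *
 * Returns 1 if at least one cipher returned by SSL_get1_supported_ciphers()
 * uses ECDHE or ECDHE-PSK key exchange, uses ECDSA authentication, or has a
 * minimum protocol version of TLSv1.3 or later. Returns 0 otherwise, and
 * always returns 0 when s->version is SSL3_VERSION.
 *
 * The stack obtained from SSL_get1_supported_ciphers() is released here with
 * sk_SSL_CIPHER_free() on every path that obtained it, which is why the loop
 * exits through "break" instead of returning directly.
 */
static int use_ecc(SSL *s)
{
    int i, end, ret = 0;
    unsigned long alg_k, alg_a;
    STACK_OF(SSL_CIPHER) *cipher_stack = NULL;

    /* See if we support any ECC ciphersuites */
    if (s->version == SSL3_VERSION)
        return 0;

    cipher_stack = SSL_get1_supported_ciphers(s);
    /* NOTE(review): a NULL stack presumably yields a count <= 0 - confirm */
    end = sk_SSL_CIPHER_num(cipher_stack);
    for (i = 0; i < end; i++) {
        const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

        alg_k = c->algorithm_mkey;
        alg_a = c->algorithm_auth;
        if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
                || (alg_a & SSL_aECDSA)
                || c->min_tls >= TLS1_3_VERSION) {
            ret = 1;
            break;
        }
    }

    sk_SSL_CIPHER_free(cipher_stack);
    return ret;
}

/*
 * Add the ec_point_formats extension.
 *
 * Sent only when use_ecc() reports an EC-capable configuration. The format
 * list comes from tls1_get_formatlist() and is written with a one-byte length
 * prefix. context, x and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
    const unsigned char *pformats;
    size_t num_formats;

    if (!use_ecc(s))
        return EXT_RETURN_NOT_SENT;

    /* Add TLS extension ECPointFormats to the ClientHello message */
    tls1_get_formatlist(s, &pformats, &num_formats);

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
               /* Sub-packet for formats extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the supported_groups extension.
 *
 * Sent only when use_ecc() reports an EC-capable configuration. Each group
 * returned by tls1_get_supported_groups() is advertised only if
 * tls_curve_allowed() accepts it for SSL_SECOP_CURVE_SUPPORTED, so groups
 * rejected by that check are never offered to the server. context, x and
 * chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
                                               unsigned int context, X509 *x,
                                               size_t chainidx)
{
    const uint16_t *pgroups = NULL;
    size_t num_groups = 0, i;

    if (!use_ecc(s))
        return EXT_RETURN_NOT_SENT;

    /*
     * Add TLS extension supported_groups to the ClientHello message
     */
    /* TODO(TLS1.3): Add support for DHE groups */
    tls1_get_supported_groups(s, &pgroups, &num_groups);

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
               /* Sub-packet for supported_groups extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    /* Copy curve ID if supported */
    for (i = 0; i < num_groups; i++) {
        uint16_t ctmp = pgroups[i];

        if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
            if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
                             ERR_R_INTERNAL_ERROR);
                    return EXT_RETURN_FAIL;
                }
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Add the session_ticket extension.
 *
 * Skipped when tls_use_ticket() says tickets are not in use. Otherwise the
 * ticket bytes are chosen as follows:
 *   - resuming (not a new session) with a stored ticket from a session that
 *     is not TLSv1.3: send the stored ticket;
 *   - else, if the application supplied ticket data in s->ext.session_ticket:
 *     copy it into s->session->ext.tick and send that copy;
 *   - else: send an empty ticket (length 0).
 * If s->ext.session_ticket is set but carries no data and there is nothing to
 * send, the extension is omitted entirely. context, x and chainidx are not
 * used.
 */
EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    size_t ticklen;

    if (!tls_use_ticket(s))
        return EXT_RETURN_NOT_SENT;

    if (!s->new_session && s->session != NULL
            && s->session->ext.tick != NULL
            && s->session->ssl_version != TLS1_3_VERSION) {
        ticklen = s->session->ext.ticklen;
    } else if (s->session && s->ext.session_ticket != NULL
               && s->ext.session_ticket->data != NULL) {
        ticklen = s->ext.session_ticket->length;
        /*
         * NOTE(review): any buffer already held in s->session->ext.tick is
         * overwritten here without being freed - confirm it is always NULL
         * (or owned elsewhere) on this path.
         */
        s->session->ext.tick = OPENSSL_malloc(ticklen);
        if (s->session->ext.tick == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
                     ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        /* The destination was allocated with exactly ticklen bytes above */
        memcpy(s->session->ext.tick,
               s->ext.session_ticket->data, ticklen);
        s->session->ext.ticklen = ticklen;
    } else {
        ticklen = 0;
    }

    if (ticklen == 0 && s->ext.session_ticket != NULL &&
            s->ext.session_ticket->data == NULL)
        return EXT_RETURN_NOT_SENT;

    /*
     * NOTE(review): s->session is dereferenced unconditionally below although
     * the branches above test it against NULL - confirm callers guarantee a
     * session object exists at this point.
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
            || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the signature_algorithms extension.
 *
 * Skipped unless SSL_CLIENT_USE_SIGALGS(s) holds. The candidate list comes
 * from tls12_get_psigalgs() and is written through tls12_copy_sigalgs(),
 * which decides which entries actually go on the wire. context, x and
 * chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx)
{
    size_t salglen;
    const uint16_t *salg;

    if (!SSL_CLIENT_USE_SIGALGS(s))
        return EXT_RETURN_NOT_SENT;

    salglen = tls12_get_psigalgs(s, 1, &salg);
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
               /* Sub-packet for sig-algs extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for the actual list */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !tls12_copy_sigalgs(s, pkt, salg, salglen)
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Add the status_request (OCSP stapling) extension.
 *
 * Skipped when called for a certificate (x != NULL) or when
 * s->ext.status_type is not TLSEXT_STATUSTYPE_ocsp. The payload is the status
 * type, a list of DER-encoded responder ids from s->ext.ocsp.ids, and the
 * DER-encoded request extensions from s->ext.ocsp.exts (empty if unset).
 *
 * Each DER object is encoded in two passes: the first i2d call with a NULL
 * output pointer returns the required length, that many bytes are reserved
 * in the packet, and the second call must produce exactly the same length or
 * the handshake fails. context and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    int i;

    /* This extension isn't defined for client Certificates */
    if (x != NULL)
        return EXT_RETURN_NOT_SENT;

    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
               /* Sub-packet for status request extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
               /* Sub-packet for the ids */
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
        unsigned char *idbytes;
        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
        int idlen = i2d_OCSP_RESPID(id, NULL);

        /* A responder id must encode to at least one byte */
        if (idlen <= 0
                   /* Sub-packet for an individual id */
                || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
                || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
                     ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    /* Close the id list, then open the sub-packet for request extensions */
    if (!WPACKET_close(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    if (s->ext.ocsp.exts) {
        unsigned char *extbytes;
        int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);

        /* Only a negative length is treated as an encoding error here */
        if (extlen < 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
                     ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
                || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
                   != extlen) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
                     ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
       }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Add the (empty) next_proto_neg extension.
 *
 * Sent only when an NPN selection callback is installed on the SSL_CTX and
 * this is the first handshake on the connection. context, x and chainidx are
 * not used.
 */
EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
        return EXT_RETURN_NOT_SENT;

    /*
     * The client advertises an empty extension to indicate its support
     * for Next Protocol Negotiation
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Add the ALPN extension.
 *
 * Sent only when a protocol list is configured in s->ext.alpn and this is the
 * first handshake on the connection. s->s3->alpn_sent is cleared on entry and
 * set to 1 only after the extension has been written successfully, so it
 * records whether ALPN was actually offered in this ClientHello. context, x
 * and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
{
    s->s3->alpn_sent = 0;

    if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt,
                TLSEXT_TYPE_application_layer_protocol_negotiation)
               /* Sub-packet ALPN extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    s->s3->alpn_sent = 1;

    return EXT_RETURN_SENT;
}


#ifndef OPENSSL_NO_SRTP
/*
 * Add the use_srtp extension.
 *
 * Sent only when SSL_get_srtp_profiles() returns a profile stack. The id of
 * every profile is written in stack order, followed by a zero-length MKI
 * field. A NULL entry in the stack is treated as an internal error. context,
 * x and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx)
{
    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
    int i, end;

    if (clnt == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
               /* Sub-packet for SRTP extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for the protection profile list */
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
    for (i = 0; i < end; i++) {
        const SRTP_PROTECTION_PROFILE *prof =
            sk_SRTP_PROTECTION_PROFILE_value(clnt, i);

        if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    if (!WPACKET_close(pkt)
               /* Add an empty use_mki value */
            || !WPACKET_put_bytes_u8(pkt, 0)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Add the (empty) encrypt_then_mac extension.
 *
 * Offered by default; it is left out only when the application has set
 * SSL_OP_NO_ENCRYPT_THEN_MAC. Setting that option means the client no longer
 * asks the server for encrypt-then-MAC record protection. context, x and
 * chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_CT
/*
 * Add the (empty) signed_certificate_timestamp extension.
 *
 * Sent only when a CT validation callback is installed, and never when
 * called for a certificate (x != NULL). context and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->ct_validation_callback == NULL)
        return EXT_RETURN_NOT_SENT;

    /* Not defined for client Certificates */
    if (x != NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Add the (empty) extended_master_secret extension.
 *
 * There is no opt-out in this function: the extension is written on every
 * call, so the only non-SENT outcome is a packet-write failure. context, x
 * and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the supported_versions extension.
 *
 * The enabled range comes from ssl_get_min_max_version(); a non-zero result
 * from that call is passed to SSLfatal() as the reason code. The extension is
 * omitted when the maximum is below TLSv1.3. Otherwise every version value
 * from max_version down to min_version is listed, highest first, by
 * decrementing the numeric version, so the advertised set is exactly the
 * contiguous numeric range between the two bounds. context, x and chainidx
 * are not used.
 */
EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
                                                 unsigned int context, X509 *x,
                                                 size_t chainidx)
{
    int currv, min_version, max_version, reason;

    reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
    if (reason != 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
        return EXT_RETURN_FAIL;
    }

    /*
     * Don't include this if we can't negotiate TLSv1.3. We can do a straight
     * comparison here because we will never be called in DTLS.
     */
    if (max_version < TLS1_3_VERSION)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    for (currv = max_version; currv >= min_version; currv--) {
        if (!WPACKET_put_bytes_u16(pkt, currv)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
                     ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct a psk_kex_modes extension.
 *
 * The (EC)DHE-based PSK mode (TLSEXT_KEX_MODE_KE_DHE) is always offered. The
 * PSK-only mode (TLSEXT_KEX_MODE_KE) is added only when the application has
 * set SSL_OP_ALLOW_NO_DHE_KEX; that mode performs no fresh key exchange, so
 * it should be enabled only where giving up forward secrecy on resumption is
 * acceptable. The modes offered are mirrored into s->ext.psk_kex_mode.
 *
 * When built with OPENSSL_NO_TLS1_3 nothing is written, yet the function
 * still returns EXT_RETURN_SENT. context, x and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
            || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
    if (nodhe)
        s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
#endif

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_TLS1_3
/*
 * Write one KeyShareEntry for group curve_id into pkt.
 *
 * If s->s3->tmp.pkey is already set, that key is reused; this is only
 * accepted while a HelloRetryRequest is pending, otherwise it is an internal
 * error. If no key is set, a new one is generated with
 * ssl_generate_pkey_group().
 *
 * Ownership: on success the key is stored in s->s3->tmp.pkey and
 * s->s3->group_id is set to curve_id. On failure the key is freed only if it
 * was generated in this call (s->s3->tmp.pkey still NULL); a reused key stays
 * owned by the connection. The encoded public point is a temporary buffer and
 * is freed on both paths.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() has been called).
 */
static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
{
    unsigned char *encoded_point = NULL;
    EVP_PKEY *key_share_key = NULL;
    size_t encodedlen;

    if (s->s3->tmp.pkey != NULL) {
        if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        /*
         * Could happen if we got an HRR that wasn't requesting a new key_share
         */
        key_share_key = s->s3->tmp.pkey;
    } else {
        key_share_key = ssl_generate_pkey_group(s, curve_id);
        if (key_share_key == NULL) {
            /* SSLfatal() already called */
            return 0;
        }
    }

    /* Encode the public key. */
    encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
                                                &encoded_point);
    if (encodedlen == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
        goto err;
    }

    /* Create KeyShareEntry */
    if (!WPACKET_put_bytes_u16(pkt, curve_id)
            || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * TODO(TLS1.3): When changing to send more than one key_share we're
     * going to need to be able to save more than one EVP_PKEY. For now
     * we reuse the existing tmp.pkey
     */
    s->s3->tmp.pkey = key_share_key;
    s->s3->group_id = curve_id;
    OPENSSL_free(encoded_point);

    return 1;
 err:
    /* Free only a key generated in this call; a reused key is not ours */
    if (s->s3->tmp.pkey == NULL)
        EVP_PKEY_free(key_share_key);
    OPENSSL_free(encoded_point);
    return 0;
}
#endif

/*
 * Add the key_share extension with a single key share.
 *
 * Group selection: if s->s3->group_id is already non-zero that group is used;
 * otherwise the first entry of tls1_get_supported_groups() accepted by
 * tls_curve_allowed() for SSL_SECOP_CURVE_SUPPORTED is chosen. If no group
 * qualifies the handshake fails with SSL_R_NO_SUITABLE_KEY_SHARE.
 *
 * When built with OPENSSL_NO_TLS1_3 the extension is never sent. context, x
 * and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
                                        unsigned int context, X509 *x,
                                        size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    size_t i, num_groups = 0;
    const uint16_t *pgroups = NULL;
    uint16_t curve_id = 0;

    /* key_share extension */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
               /* Extension data sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* KeyShare list sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    tls1_get_supported_groups(s, &pgroups, &num_groups);

    /*
     * TODO(TLS1.3): Make the number of key_shares sent configurable. For
     * now, just send one
     */
    if (s->s3->group_id != 0) {
        curve_id = s->s3->group_id;
    } else {
        for (i = 0; i < num_groups; i++) {

            if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
                continue;

            curve_id = pgroups[i];
            break;
        }
    }

    /* 0 is used as the "no group selected" sentinel */
    if (curve_id == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
                 SSL_R_NO_SUITABLE_KEY_SHARE);
        return EXT_RETURN_FAIL;
    }

    if (!add_key_share(s, pkt, curve_id)) {
        /* SSLfatal() already called */
        return EXT_RETURN_FAIL;
    }

    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    return EXT_RETURN_SENT;
#else
    return EXT_RETURN_NOT_SENT;
#endif
}

/*
 * Add the cookie extension.
 *
 * Sent only when a cookie is stored (s->ext.tls13_cookie_len non-zero). Once
 * a send has been attempted, whether it succeeded or failed, the stored
 * cookie is freed and its pointer and length are reset, so the same cookie is
 * not offered again. context, x and chainidx are not used.
 */
EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
                                     X509 *x, size_t chainidx)
{
    EXT_RETURN ret = EXT_RETURN_FAIL;

    /* Should only be set if we've had an HRR */
    if (s->ext.tls13_cookie_len == 0)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
               /* Extension data sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
                                       s->ext.tls13_cookie_len)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE,
                 ERR_R_INTERNAL_ERROR);
        goto end;
    }

    ret = EXT_RETURN_SENT;
 end:
    OPENSSL_free(s->ext.tls13_cookie);
    s->ext.tls13_cookie = NULL;
    s->ext.tls13_cookie_len = 0;

    return ret;
}

EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,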
unsigned int context, X509 *x, 735e71b7053SJung-uk Kim size_t chainidx) 736e71b7053SJung-uk Kim { 737e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK 738e71b7053SJung-uk Kim char identity[PSK_MAX_IDENTITY_LEN + 1]; 739e71b7053SJung-uk Kim #endif /* OPENSSL_NO_PSK */ 740e71b7053SJung-uk Kim const unsigned char *id = NULL; 741e71b7053SJung-uk Kim size_t idlen = 0; 742e71b7053SJung-uk Kim SSL_SESSION *psksess = NULL; 743e71b7053SJung-uk Kim SSL_SESSION *edsess = NULL; 744e71b7053SJung-uk Kim const EVP_MD *handmd = NULL; 745e71b7053SJung-uk Kim 746e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING) 747e71b7053SJung-uk Kim handmd = ssl_handshake_md(s); 748e71b7053SJung-uk Kim 749e71b7053SJung-uk Kim if (s->psk_use_session_cb != NULL 750e71b7053SJung-uk Kim && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess) 751e71b7053SJung-uk Kim || (psksess != NULL 752e71b7053SJung-uk Kim && psksess->ssl_version != TLS1_3_VERSION))) { 753e71b7053SJung-uk Kim SSL_SESSION_free(psksess); 754e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 755e71b7053SJung-uk Kim SSL_R_BAD_PSK); 756e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 757e71b7053SJung-uk Kim } 758e71b7053SJung-uk Kim 759e71b7053SJung-uk Kim #ifndef OPENSSL_NO_PSK 760e71b7053SJung-uk Kim if (psksess == NULL && s->psk_client_callback != NULL) { 761e71b7053SJung-uk Kim unsigned char psk[PSK_MAX_PSK_LEN]; 762e71b7053SJung-uk Kim size_t psklen = 0; 763e71b7053SJung-uk Kim 764e71b7053SJung-uk Kim memset(identity, 0, sizeof(identity)); 765e71b7053SJung-uk Kim psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1, 766e71b7053SJung-uk Kim psk, sizeof(psk)); 767e71b7053SJung-uk Kim 768e71b7053SJung-uk Kim if (psklen > PSK_MAX_PSK_LEN) { 769e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 770e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 771e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 772e71b7053SJung-uk Kim } else if 
(psklen > 0) { 773e71b7053SJung-uk Kim const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 774e71b7053SJung-uk Kim const SSL_CIPHER *cipher; 775e71b7053SJung-uk Kim 776e71b7053SJung-uk Kim idlen = strlen(identity); 777e71b7053SJung-uk Kim if (idlen > PSK_MAX_IDENTITY_LEN) { 778e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 779e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 780e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 781e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 782e71b7053SJung-uk Kim } 783e71b7053SJung-uk Kim id = (unsigned char *)identity; 784e71b7053SJung-uk Kim 785e71b7053SJung-uk Kim /* 786e71b7053SJung-uk Kim * We found a PSK using an old style callback. We don't know 787e71b7053SJung-uk Kim * the digest so we default to SHA256 as per the TLSv1.3 spec 788e71b7053SJung-uk Kim */ 789e71b7053SJung-uk Kim cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); 790e71b7053SJung-uk Kim if (cipher == NULL) { 791e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 792e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 793e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 794e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 795e71b7053SJung-uk Kim } 796e71b7053SJung-uk Kim 797e71b7053SJung-uk Kim psksess = SSL_SESSION_new(); 798e71b7053SJung-uk Kim if (psksess == NULL 799e71b7053SJung-uk Kim || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 800e71b7053SJung-uk Kim || !SSL_SESSION_set_cipher(psksess, cipher) 801e71b7053SJung-uk Kim || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 802e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 803e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 804e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 805e71b7053SJung-uk Kim OPENSSL_cleanse(psk, psklen); 806e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 807e71b7053SJung-uk Kim } 808e71b7053SJung-uk Kim OPENSSL_cleanse(psk, psklen); 809e71b7053SJung-uk Kim } 810e71b7053SJung-uk Kim } 811e71b7053SJung-uk Kim #endif /* 
OPENSSL_NO_PSK */ 812e71b7053SJung-uk Kim 813e71b7053SJung-uk Kim SSL_SESSION_free(s->psksession); 814e71b7053SJung-uk Kim s->psksession = psksess; 815e71b7053SJung-uk Kim if (psksess != NULL) { 816e71b7053SJung-uk Kim OPENSSL_free(s->psksession_id); 817e71b7053SJung-uk Kim s->psksession_id = OPENSSL_memdup(id, idlen); 818e71b7053SJung-uk Kim if (s->psksession_id == NULL) { 819e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 820e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 821e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 822e71b7053SJung-uk Kim } 823e71b7053SJung-uk Kim s->psksession_id_len = idlen; 824e71b7053SJung-uk Kim } 825e71b7053SJung-uk Kim 826e71b7053SJung-uk Kim if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 827e71b7053SJung-uk Kim || (s->session->ext.max_early_data == 0 828e71b7053SJung-uk Kim && (psksess == NULL || psksess->ext.max_early_data == 0))) { 829e71b7053SJung-uk Kim s->max_early_data = 0; 830e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 831e71b7053SJung-uk Kim } 832e71b7053SJung-uk Kim edsess = s->session->ext.max_early_data != 0 ? 
s->session : psksess; 833e71b7053SJung-uk Kim s->max_early_data = edsess->ext.max_early_data; 834e71b7053SJung-uk Kim 835e71b7053SJung-uk Kim if (edsess->ext.hostname != NULL) { 836e71b7053SJung-uk Kim if (s->ext.hostname == NULL 837e71b7053SJung-uk Kim || (s->ext.hostname != NULL 838e71b7053SJung-uk Kim && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 839e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 840e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 841e71b7053SJung-uk Kim SSL_R_INCONSISTENT_EARLY_DATA_SNI); 842e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 843e71b7053SJung-uk Kim } 844e71b7053SJung-uk Kim } 845e71b7053SJung-uk Kim 846e71b7053SJung-uk Kim if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 847e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 848e71b7053SJung-uk Kim SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 849e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 850e71b7053SJung-uk Kim } 851e71b7053SJung-uk Kim 852e71b7053SJung-uk Kim /* 853e71b7053SJung-uk Kim * Verify that we are offering an ALPN protocol consistent with the early 854e71b7053SJung-uk Kim * data. 
855e71b7053SJung-uk Kim */ 856e71b7053SJung-uk Kim if (edsess->ext.alpn_selected != NULL) { 857e71b7053SJung-uk Kim PACKET prots, alpnpkt; 858e71b7053SJung-uk Kim int found = 0; 859e71b7053SJung-uk Kim 860e71b7053SJung-uk Kim if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 861e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 862e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 863e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 864e71b7053SJung-uk Kim } 865e71b7053SJung-uk Kim while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 866e71b7053SJung-uk Kim if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 867e71b7053SJung-uk Kim edsess->ext.alpn_selected_len)) { 868e71b7053SJung-uk Kim found = 1; 869e71b7053SJung-uk Kim break; 870e71b7053SJung-uk Kim } 871e71b7053SJung-uk Kim } 872e71b7053SJung-uk Kim if (!found) { 873e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 874e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 875e71b7053SJung-uk Kim SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 876e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 877e71b7053SJung-uk Kim } 878e71b7053SJung-uk Kim } 879e71b7053SJung-uk Kim 880e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 881e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u16(pkt) 882e71b7053SJung-uk Kim || !WPACKET_close(pkt)) { 883e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 884e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 885e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 886e71b7053SJung-uk Kim } 887e71b7053SJung-uk Kim 888e71b7053SJung-uk Kim /* 889e71b7053SJung-uk Kim * We set this to rejected here. Later, if the server acknowledges the 890e71b7053SJung-uk Kim * extension, we set it to accepted. 
891e71b7053SJung-uk Kim */ 892e71b7053SJung-uk Kim s->ext.early_data = SSL_EARLY_DATA_REJECTED; 893e71b7053SJung-uk Kim s->ext.early_data_ok = 1; 894e71b7053SJung-uk Kim 895e71b7053SJung-uk Kim return EXT_RETURN_SENT; 896e71b7053SJung-uk Kim } 897e71b7053SJung-uk Kim 898e71b7053SJung-uk Kim #define F5_WORKAROUND_MIN_MSG_LEN 0xff 899e71b7053SJung-uk Kim #define F5_WORKAROUND_MAX_MSG_LEN 0x200 900e71b7053SJung-uk Kim 901e71b7053SJung-uk Kim /* 902e71b7053SJung-uk Kim * PSK pre binder overhead = 903e71b7053SJung-uk Kim * 2 bytes for TLSEXT_TYPE_psk 904e71b7053SJung-uk Kim * 2 bytes for extension length 905e71b7053SJung-uk Kim * 2 bytes for identities list length 906e71b7053SJung-uk Kim * 2 bytes for identity length 907e71b7053SJung-uk Kim * 4 bytes for obfuscated_ticket_age 908e71b7053SJung-uk Kim * 2 bytes for binder list length 909e71b7053SJung-uk Kim * 1 byte for binder length 910e71b7053SJung-uk Kim * The above excludes the number of bytes for the identity itself and the 911e71b7053SJung-uk Kim * subsequent binder bytes 912e71b7053SJung-uk Kim */ 913e71b7053SJung-uk Kim #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 914e71b7053SJung-uk Kim 915e71b7053SJung-uk Kim EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, 916e71b7053SJung-uk Kim unsigned int context, X509 *x, 917e71b7053SJung-uk Kim size_t chainidx) 918e71b7053SJung-uk Kim { 919e71b7053SJung-uk Kim unsigned char *padbytes; 920e71b7053SJung-uk Kim size_t hlen; 921e71b7053SJung-uk Kim 922e71b7053SJung-uk Kim if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 923e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 924e71b7053SJung-uk Kim 925e71b7053SJung-uk Kim /* 926e71b7053SJung-uk Kim * Add padding to workaround bugs in F5 terminators. See RFC7685. 927e71b7053SJung-uk Kim * This code calculates the length of all extensions added so far but 928e71b7053SJung-uk Kim * excludes the PSK extension (because that MUST be written last). 
Therefore 929e71b7053SJung-uk Kim * this extension MUST always appear second to last. 930e71b7053SJung-uk Kim */ 931e71b7053SJung-uk Kim if (!WPACKET_get_total_written(pkt, &hlen)) { 932e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 933e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 934e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 935e71b7053SJung-uk Kim } 936e71b7053SJung-uk Kim 937e71b7053SJung-uk Kim /* 938e71b7053SJung-uk Kim * If we're going to send a PSK then that will be written out after this 939e71b7053SJung-uk Kim * extension, so we need to calculate how long it is going to be. 940e71b7053SJung-uk Kim */ 941e71b7053SJung-uk Kim if (s->session->ssl_version == TLS1_3_VERSION 942e71b7053SJung-uk Kim && s->session->ext.ticklen != 0 943e71b7053SJung-uk Kim && s->session->cipher != NULL) { 944e71b7053SJung-uk Kim const EVP_MD *md = ssl_md(s->session->cipher->algorithm2); 945e71b7053SJung-uk Kim 946e71b7053SJung-uk Kim if (md != NULL) { 947e71b7053SJung-uk Kim /* 948e71b7053SJung-uk Kim * Add the fixed PSK overhead, the identity length and the binder 949e71b7053SJung-uk Kim * length. 
950e71b7053SJung-uk Kim */ 951e71b7053SJung-uk Kim hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 952e71b7053SJung-uk Kim + EVP_MD_size(md); 953e71b7053SJung-uk Kim } 954e71b7053SJung-uk Kim } 955e71b7053SJung-uk Kim 956e71b7053SJung-uk Kim if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 957e71b7053SJung-uk Kim /* Calculate the amount of padding we need to add */ 958e71b7053SJung-uk Kim hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 959e71b7053SJung-uk Kim 960e71b7053SJung-uk Kim /* 961e71b7053SJung-uk Kim * Take off the size of extension header itself (2 bytes for type and 962e71b7053SJung-uk Kim * 2 bytes for length bytes), but ensure that the extension is at least 963e71b7053SJung-uk Kim * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 964e71b7053SJung-uk Kim * 8.x are intolerant of that condition) 965e71b7053SJung-uk Kim */ 966e71b7053SJung-uk Kim if (hlen > 4) 967e71b7053SJung-uk Kim hlen -= 4; 968e71b7053SJung-uk Kim else 969e71b7053SJung-uk Kim hlen = 1; 970e71b7053SJung-uk Kim 971e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 972e71b7053SJung-uk Kim || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 973e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 974e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 975e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 976e71b7053SJung-uk Kim } 977e71b7053SJung-uk Kim memset(padbytes, 0, hlen); 978e71b7053SJung-uk Kim } 979e71b7053SJung-uk Kim 980e71b7053SJung-uk Kim return EXT_RETURN_SENT; 981e71b7053SJung-uk Kim } 982e71b7053SJung-uk Kim 983e71b7053SJung-uk Kim /* 984e71b7053SJung-uk Kim * Construct the pre_shared_key extension 985e71b7053SJung-uk Kim */ 986e71b7053SJung-uk Kim EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 987e71b7053SJung-uk Kim X509 *x, size_t chainidx) 988e71b7053SJung-uk Kim { 989e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_3 990e71b7053SJung-uk 
Kim uint32_t now, agesec, agems = 0; 991e71b7053SJung-uk Kim size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; 992e71b7053SJung-uk Kim unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 993e71b7053SJung-uk Kim const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 994e71b7053SJung-uk Kim int dores = 0; 995e71b7053SJung-uk Kim 996e71b7053SJung-uk Kim s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY; 997e71b7053SJung-uk Kim 998e71b7053SJung-uk Kim /* 999e71b7053SJung-uk Kim * Note: At this stage of the code we only support adding a single 1000e71b7053SJung-uk Kim * resumption PSK. If we add support for multiple PSKs then the length 1001e71b7053SJung-uk Kim * calculations in the padding extension will need to be adjusted. 1002e71b7053SJung-uk Kim */ 1003e71b7053SJung-uk Kim 1004e71b7053SJung-uk Kim /* 1005e71b7053SJung-uk Kim * If this is an incompatible or new session then we have nothing to resume 1006e71b7053SJung-uk Kim * so don't add this extension. 
1007e71b7053SJung-uk Kim */ 1008e71b7053SJung-uk Kim if (s->session->ssl_version != TLS1_3_VERSION 1009e71b7053SJung-uk Kim || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1010e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 1011e71b7053SJung-uk Kim 1012e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING) 1013e71b7053SJung-uk Kim handmd = ssl_handshake_md(s); 1014e71b7053SJung-uk Kim 1015e71b7053SJung-uk Kim if (s->session->ext.ticklen != 0) { 1016e71b7053SJung-uk Kim /* Get the digest associated with the ciphersuite in the session */ 1017e71b7053SJung-uk Kim if (s->session->cipher == NULL) { 1018e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1019e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1020e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1021e71b7053SJung-uk Kim } 1022e71b7053SJung-uk Kim mdres = ssl_md(s->session->cipher->algorithm2); 1023e71b7053SJung-uk Kim if (mdres == NULL) { 1024e71b7053SJung-uk Kim /* 1025e71b7053SJung-uk Kim * Don't recognize this cipher so we can't use the session. 1026e71b7053SJung-uk Kim * Ignore it 1027e71b7053SJung-uk Kim */ 1028e71b7053SJung-uk Kim goto dopsksess; 1029e71b7053SJung-uk Kim } 1030e71b7053SJung-uk Kim 1031e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1032e71b7053SJung-uk Kim /* 1033e71b7053SJung-uk Kim * Selected ciphersuite hash does not match the hash for the session 1034e71b7053SJung-uk Kim * so we can't use it. 1035e71b7053SJung-uk Kim */ 1036e71b7053SJung-uk Kim goto dopsksess; 1037e71b7053SJung-uk Kim } 1038e71b7053SJung-uk Kim 1039e71b7053SJung-uk Kim /* 1040e71b7053SJung-uk Kim * Technically the C standard just says time() returns a time_t and says 1041e71b7053SJung-uk Kim * nothing about the encoding of that type. In practice most 1042e71b7053SJung-uk Kim * implementations follow POSIX which holds it as an integral type in 1043e71b7053SJung-uk Kim * seconds since epoch. 
We've already made the assumption that we can do 1044e71b7053SJung-uk Kim * this in multiple places in the code, so portability shouldn't be an 1045e71b7053SJung-uk Kim * issue. 1046e71b7053SJung-uk Kim */ 1047e71b7053SJung-uk Kim now = (uint32_t)time(NULL); 1048e71b7053SJung-uk Kim agesec = now - (uint32_t)s->session->time; 1049e71b7053SJung-uk Kim /* 1050e71b7053SJung-uk Kim * We calculate the age in seconds but the server may work in ms. Due to 1051e71b7053SJung-uk Kim * rounding errors we could overestimate the age by up to 1s. It is 1052e71b7053SJung-uk Kim * better to underestimate it. Otherwise, if the RTT is very short, when 1053e71b7053SJung-uk Kim * the server calculates the age reported by the client it could be 1054e71b7053SJung-uk Kim * bigger than the age calculated on the server - which should never 1055e71b7053SJung-uk Kim * happen. 1056e71b7053SJung-uk Kim */ 1057e71b7053SJung-uk Kim if (agesec > 0) 1058e71b7053SJung-uk Kim agesec--; 1059e71b7053SJung-uk Kim 1060e71b7053SJung-uk Kim if (s->session->ext.tick_lifetime_hint < agesec) { 1061e71b7053SJung-uk Kim /* Ticket is too old. Ignore it. */ 1062e71b7053SJung-uk Kim goto dopsksess; 1063e71b7053SJung-uk Kim } 1064e71b7053SJung-uk Kim 1065e71b7053SJung-uk Kim /* 1066e71b7053SJung-uk Kim * Calculate age in ms. We're just doing it to nearest second. Should be 1067e71b7053SJung-uk Kim * good enough. 1068e71b7053SJung-uk Kim */ 1069e71b7053SJung-uk Kim agems = agesec * (uint32_t)1000; 1070e71b7053SJung-uk Kim 1071e71b7053SJung-uk Kim if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1072e71b7053SJung-uk Kim /* 1073e71b7053SJung-uk Kim * Overflow. Shouldn't happen unless this is a *really* old session. 1074e71b7053SJung-uk Kim * If so we just ignore it. 1075e71b7053SJung-uk Kim */ 1076e71b7053SJung-uk Kim goto dopsksess; 1077e71b7053SJung-uk Kim } 1078e71b7053SJung-uk Kim 1079e71b7053SJung-uk Kim /* 1080e71b7053SJung-uk Kim * Obfuscate the age. 
Overflow here is fine, this addition is supposed 1081e71b7053SJung-uk Kim * to be mod 2^32. 1082e71b7053SJung-uk Kim */ 1083e71b7053SJung-uk Kim agems += s->session->ext.tick_age_add; 1084e71b7053SJung-uk Kim 1085e71b7053SJung-uk Kim reshashsize = EVP_MD_size(mdres); 1086e71b7053SJung-uk Kim dores = 1; 1087e71b7053SJung-uk Kim } 1088e71b7053SJung-uk Kim 1089e71b7053SJung-uk Kim dopsksess: 1090e71b7053SJung-uk Kim if (!dores && s->psksession == NULL) 1091e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 1092e71b7053SJung-uk Kim 1093e71b7053SJung-uk Kim if (s->psksession != NULL) { 1094e71b7053SJung-uk Kim mdpsk = ssl_md(s->psksession->cipher->algorithm2); 1095e71b7053SJung-uk Kim if (mdpsk == NULL) { 1096e71b7053SJung-uk Kim /* 1097e71b7053SJung-uk Kim * Don't recognize this cipher so we can't use the session. 1098e71b7053SJung-uk Kim * If this happens it's an application bug. 1099e71b7053SJung-uk Kim */ 1100e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1101e71b7053SJung-uk Kim SSL_R_BAD_PSK); 1102e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1103e71b7053SJung-uk Kim } 1104e71b7053SJung-uk Kim 1105e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1106e71b7053SJung-uk Kim /* 1107e71b7053SJung-uk Kim * Selected ciphersuite hash does not match the hash for the PSK 1108e71b7053SJung-uk Kim * session. This is an application bug. 
1109e71b7053SJung-uk Kim */ 1110e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1111e71b7053SJung-uk Kim SSL_R_BAD_PSK); 1112e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1113e71b7053SJung-uk Kim } 1114e71b7053SJung-uk Kim 1115e71b7053SJung-uk Kim pskhashsize = EVP_MD_size(mdpsk); 1116e71b7053SJung-uk Kim } 1117e71b7053SJung-uk Kim 1118e71b7053SJung-uk Kim /* Create the extension, but skip over the binder for now */ 1119e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1120e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u16(pkt) 1121e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u16(pkt)) { 1122e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1123e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1124e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1125e71b7053SJung-uk Kim } 1126e71b7053SJung-uk Kim 1127e71b7053SJung-uk Kim if (dores) { 1128e71b7053SJung-uk Kim if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1129e71b7053SJung-uk Kim s->session->ext.ticklen) 1130e71b7053SJung-uk Kim || !WPACKET_put_bytes_u32(pkt, agems)) { 1131e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1132e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1133e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1134e71b7053SJung-uk Kim } 1135e71b7053SJung-uk Kim } 1136e71b7053SJung-uk Kim 1137e71b7053SJung-uk Kim if (s->psksession != NULL) { 1138e71b7053SJung-uk Kim if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1139e71b7053SJung-uk Kim s->psksession_id_len) 1140e71b7053SJung-uk Kim || !WPACKET_put_bytes_u32(pkt, 0)) { 1141e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1142e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1143e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1144e71b7053SJung-uk Kim } 1145e71b7053SJung-uk Kim } 1146e71b7053SJung-uk Kim 1147e71b7053SJung-uk Kim if (!WPACKET_close(pkt) 1148e71b7053SJung-uk Kim || 
!WPACKET_get_total_written(pkt, &binderoffset) 1149e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u16(pkt) 1150e71b7053SJung-uk Kim || (dores 1151e71b7053SJung-uk Kim && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1152e71b7053SJung-uk Kim || (s->psksession != NULL 1153e71b7053SJung-uk Kim && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1154e71b7053SJung-uk Kim || !WPACKET_close(pkt) 1155e71b7053SJung-uk Kim || !WPACKET_close(pkt) 1156e71b7053SJung-uk Kim || !WPACKET_get_total_written(pkt, &msglen) 1157e71b7053SJung-uk Kim /* 1158e71b7053SJung-uk Kim * We need to fill in all the sub-packet lengths now so we can 1159e71b7053SJung-uk Kim * calculate the HMAC of the message up to the binders 1160e71b7053SJung-uk Kim */ 1161e71b7053SJung-uk Kim || !WPACKET_fill_lengths(pkt)) { 1162e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1163e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1164e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1165e71b7053SJung-uk Kim } 1166e71b7053SJung-uk Kim 1167e71b7053SJung-uk Kim msgstart = WPACKET_get_curr(pkt) - msglen; 1168e71b7053SJung-uk Kim 1169e71b7053SJung-uk Kim if (dores 1170e71b7053SJung-uk Kim && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1171e71b7053SJung-uk Kim resbinder, s->session, 1, 0) != 1) { 1172e71b7053SJung-uk Kim /* SSLfatal() already called */ 1173e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1174e71b7053SJung-uk Kim } 1175e71b7053SJung-uk Kim 1176e71b7053SJung-uk Kim if (s->psksession != NULL 1177e71b7053SJung-uk Kim && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1178e71b7053SJung-uk Kim pskbinder, s->psksession, 1, 1) != 1) { 1179e71b7053SJung-uk Kim /* SSLfatal() already called */ 1180e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1181e71b7053SJung-uk Kim } 1182e71b7053SJung-uk Kim 1183e71b7053SJung-uk Kim if (dores) 1184e71b7053SJung-uk Kim s->session->ext.tick_identity = 0; 1185e71b7053SJung-uk Kim if (s->psksession != 
NULL) 1186e71b7053SJung-uk Kim s->psksession->ext.tick_identity = (dores ? 1 : 0); 1187e71b7053SJung-uk Kim 1188e71b7053SJung-uk Kim return EXT_RETURN_SENT; 1189e71b7053SJung-uk Kim #else 1190e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 1191e71b7053SJung-uk Kim #endif 1192e71b7053SJung-uk Kim } 1193e71b7053SJung-uk Kim 1194e71b7053SJung-uk Kim EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, 1195e71b7053SJung-uk Kim unsigned int context, 1196e71b7053SJung-uk Kim X509 *x, size_t chainidx) 1197e71b7053SJung-uk Kim { 1198e71b7053SJung-uk Kim #ifndef OPENSSL_NO_TLS1_3 1199e71b7053SJung-uk Kim if (!s->pha_enabled) 1200e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 1201e71b7053SJung-uk Kim 1202e71b7053SJung-uk Kim /* construct extension - 0 length, no contents */ 1203e71b7053SJung-uk Kim if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1204e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u16(pkt) 1205e71b7053SJung-uk Kim || !WPACKET_close(pkt)) { 1206e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1207e71b7053SJung-uk Kim SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH, 1208e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1209e71b7053SJung-uk Kim return EXT_RETURN_FAIL; 1210e71b7053SJung-uk Kim } 1211e71b7053SJung-uk Kim 1212e71b7053SJung-uk Kim s->post_handshake_auth = SSL_PHA_EXT_SENT; 1213e71b7053SJung-uk Kim 1214e71b7053SJung-uk Kim return EXT_RETURN_SENT; 1215e71b7053SJung-uk Kim #else 1216e71b7053SJung-uk Kim return EXT_RETURN_NOT_SENT; 1217e71b7053SJung-uk Kim #endif 1218e71b7053SJung-uk Kim } 1219e71b7053SJung-uk Kim 1220e71b7053SJung-uk Kim 1221e71b7053SJung-uk Kim /* 1222e71b7053SJung-uk Kim * Parse the server's renegotiation binding and abort if it's not right 1223e71b7053SJung-uk Kim */ 1224e71b7053SJung-uk Kim int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, 1225e71b7053SJung-uk Kim X509 *x, size_t chainidx) 1226e71b7053SJung-uk Kim { 1227e71b7053SJung-uk Kim size_t expected_len = 
s->s3->previous_client_finished_len 1228e71b7053SJung-uk Kim + s->s3->previous_server_finished_len; 1229e71b7053SJung-uk Kim size_t ilen; 1230e71b7053SJung-uk Kim const unsigned char *data; 1231e71b7053SJung-uk Kim 1232e71b7053SJung-uk Kim /* Check for logic errors */ 1233e71b7053SJung-uk Kim if (!ossl_assert(expected_len == 0 1234e71b7053SJung-uk Kim || s->s3->previous_client_finished_len != 0) 1235e71b7053SJung-uk Kim || !ossl_assert(expected_len == 0 1236e71b7053SJung-uk Kim || s->s3->previous_server_finished_len != 0)) { 1237e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1238e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1239e71b7053SJung-uk Kim return 0; 1240e71b7053SJung-uk Kim } 1241e71b7053SJung-uk Kim 1242e71b7053SJung-uk Kim /* Parse the length byte */ 1243e71b7053SJung-uk Kim if (!PACKET_get_1_len(pkt, &ilen)) { 1244e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1245e71b7053SJung-uk Kim SSL_R_RENEGOTIATION_ENCODING_ERR); 1246e71b7053SJung-uk Kim return 0; 1247e71b7053SJung-uk Kim } 1248e71b7053SJung-uk Kim 1249e71b7053SJung-uk Kim /* Consistency check */ 1250e71b7053SJung-uk Kim if (PACKET_remaining(pkt) != ilen) { 1251e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1252e71b7053SJung-uk Kim SSL_R_RENEGOTIATION_ENCODING_ERR); 1253e71b7053SJung-uk Kim return 0; 1254e71b7053SJung-uk Kim } 1255e71b7053SJung-uk Kim 1256e71b7053SJung-uk Kim /* Check that the extension matches */ 1257e71b7053SJung-uk Kim if (ilen != expected_len) { 1258e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1259e71b7053SJung-uk Kim SSL_R_RENEGOTIATION_MISMATCH); 1260e71b7053SJung-uk Kim return 0; 1261e71b7053SJung-uk Kim } 1262e71b7053SJung-uk Kim 1263e71b7053SJung-uk Kim if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) 1264e71b7053SJung-uk Kim || memcmp(data, s->s3->previous_client_finished, 
1265e71b7053SJung-uk Kim s->s3->previous_client_finished_len) != 0) { 1266e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1267e71b7053SJung-uk Kim SSL_R_RENEGOTIATION_MISMATCH); 1268e71b7053SJung-uk Kim return 0; 1269e71b7053SJung-uk Kim } 1270e71b7053SJung-uk Kim 1271e71b7053SJung-uk Kim if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) 1272e71b7053SJung-uk Kim || memcmp(data, s->s3->previous_server_finished, 1273e71b7053SJung-uk Kim s->s3->previous_server_finished_len) != 0) { 1274e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1275e71b7053SJung-uk Kim SSL_R_RENEGOTIATION_MISMATCH); 1276e71b7053SJung-uk Kim return 0; 1277e71b7053SJung-uk Kim } 1278e71b7053SJung-uk Kim s->s3->send_connection_binding = 1; 1279e71b7053SJung-uk Kim 1280e71b7053SJung-uk Kim return 1; 1281e71b7053SJung-uk Kim } 1282e71b7053SJung-uk Kim 1283e71b7053SJung-uk Kim /* Parse the server's max fragment len extension packet */ 1284e71b7053SJung-uk Kim int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, 1285e71b7053SJung-uk Kim X509 *x, size_t chainidx) 1286e71b7053SJung-uk Kim { 1287e71b7053SJung-uk Kim unsigned int value; 1288e71b7053SJung-uk Kim 1289e71b7053SJung-uk Kim if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1290e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1291e71b7053SJung-uk Kim SSL_R_BAD_EXTENSION); 1292e71b7053SJung-uk Kim return 0; 1293e71b7053SJung-uk Kim } 1294e71b7053SJung-uk Kim 1295e71b7053SJung-uk Kim /* |value| should contains a valid max-fragment-length code. 
*/ 1296e71b7053SJung-uk Kim if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1297e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1298e71b7053SJung-uk Kim SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1299e71b7053SJung-uk Kim SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1300e71b7053SJung-uk Kim return 0; 1301e71b7053SJung-uk Kim } 1302e71b7053SJung-uk Kim 1303e71b7053SJung-uk Kim /* Must be the same value as client-configured one who was sent to server */ 1304e71b7053SJung-uk Kim /*- 1305e71b7053SJung-uk Kim * RFC 6066: if a client receives a maximum fragment length negotiation 1306e71b7053SJung-uk Kim * response that differs from the length it requested, ... 1307e71b7053SJung-uk Kim * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1308e71b7053SJung-uk Kim */ 1309e71b7053SJung-uk Kim if (value != s->ext.max_fragment_len_mode) { 1310e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1311e71b7053SJung-uk Kim SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1312e71b7053SJung-uk Kim SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1313e71b7053SJung-uk Kim return 0; 1314e71b7053SJung-uk Kim } 1315e71b7053SJung-uk Kim 1316e71b7053SJung-uk Kim /* 1317e71b7053SJung-uk Kim * Maximum Fragment Length Negotiation succeeded. 1318e71b7053SJung-uk Kim * The negotiated Maximum Fragment Length is binding now. 
1319e71b7053SJung-uk Kim */ 1320e71b7053SJung-uk Kim s->session->ext.max_fragment_len_mode = value; 1321e71b7053SJung-uk Kim 1322e71b7053SJung-uk Kim return 1; 1323e71b7053SJung-uk Kim } 1324e71b7053SJung-uk Kim 1325e71b7053SJung-uk Kim int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, 1326e71b7053SJung-uk Kim X509 *x, size_t chainidx) 1327e71b7053SJung-uk Kim { 1328e71b7053SJung-uk Kim if (s->ext.hostname == NULL) { 1329e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1330e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1331e71b7053SJung-uk Kim return 0; 1332e71b7053SJung-uk Kim } 1333e71b7053SJung-uk Kim 1334e71b7053SJung-uk Kim if (PACKET_remaining(pkt) > 0) { 1335e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1336e71b7053SJung-uk Kim SSL_R_BAD_EXTENSION); 1337e71b7053SJung-uk Kim return 0; 1338e71b7053SJung-uk Kim } 1339e71b7053SJung-uk Kim 1340e71b7053SJung-uk Kim if (!s->hit) { 1341e71b7053SJung-uk Kim if (s->session->ext.hostname != NULL) { 1342e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1343e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1344e71b7053SJung-uk Kim return 0; 1345e71b7053SJung-uk Kim } 1346e71b7053SJung-uk Kim s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1347e71b7053SJung-uk Kim if (s->session->ext.hostname == NULL) { 1348e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1349e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1350e71b7053SJung-uk Kim return 0; 1351e71b7053SJung-uk Kim } 1352e71b7053SJung-uk Kim } 1353e71b7053SJung-uk Kim 1354e71b7053SJung-uk Kim return 1; 1355e71b7053SJung-uk Kim } 1356e71b7053SJung-uk Kim 1357e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 1358e71b7053SJung-uk Kim int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, 1359e71b7053SJung-uk Kim X509 *x, size_t chainidx) 1360e71b7053SJung-uk Kim { 
1361e71b7053SJung-uk Kim size_t ecpointformats_len; 1362e71b7053SJung-uk Kim PACKET ecptformatlist; 1363e71b7053SJung-uk Kim 1364e71b7053SJung-uk Kim if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1365e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, 1366e71b7053SJung-uk Kim SSL_R_BAD_EXTENSION); 1367e71b7053SJung-uk Kim return 0; 1368e71b7053SJung-uk Kim } 1369e71b7053SJung-uk Kim if (!s->hit) { 1370e71b7053SJung-uk Kim ecpointformats_len = PACKET_remaining(&ecptformatlist); 1371e71b7053SJung-uk Kim if (ecpointformats_len == 0) { 1372e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, 1373e71b7053SJung-uk Kim SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH); 1374e71b7053SJung-uk Kim return 0; 1375e71b7053SJung-uk Kim } 1376e71b7053SJung-uk Kim 1377e71b7053SJung-uk Kim s->session->ext.ecpointformats_len = 0; 1378e71b7053SJung-uk Kim OPENSSL_free(s->session->ext.ecpointformats); 1379e71b7053SJung-uk Kim s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len); 1380e71b7053SJung-uk Kim if (s->session->ext.ecpointformats == NULL) { 1381e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1382e71b7053SJung-uk Kim SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 1383e71b7053SJung-uk Kim return 0; 1384e71b7053SJung-uk Kim } 1385e71b7053SJung-uk Kim 1386e71b7053SJung-uk Kim s->session->ext.ecpointformats_len = ecpointformats_len; 1387e71b7053SJung-uk Kim 1388e71b7053SJung-uk Kim if (!PACKET_copy_bytes(&ecptformatlist, 1389e71b7053SJung-uk Kim s->session->ext.ecpointformats, 1390e71b7053SJung-uk Kim ecpointformats_len)) { 1391e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1392e71b7053SJung-uk Kim SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 1393e71b7053SJung-uk Kim return 0; 1394e71b7053SJung-uk Kim } 1395e71b7053SJung-uk Kim } 1396e71b7053SJung-uk Kim 1397e71b7053SJung-uk Kim return 1; 1398e71b7053SJung-uk Kim } 1399e71b7053SJung-uk Kim #endif 1400e71b7053SJung-uk Kim 
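/*
 * Handle a session_ticket extension received from the server.
 *
 * If the application installed s->ext.session_ticket_cb, it is handed the raw
 * extension bytes first; a zero return from it fails the handshake. The
 * extension is also rejected when tls_use_ticket(s) returns 0 or when it
 * carries any payload. On success s->ext.ticket_expected is set.
 *
 * |context|, |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->ext.session_ticket_cb != NULL &&
        !s->ext.session_ticket_cb(s, PACKET_data(pkt),
                                  PACKET_remaining(pkt),
                                  s->ext.session_ticket_cb_arg)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (!tls_use_ticket(s)) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
                 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* The server's copy of this extension must be empty */
    if (PACKET_remaining(pkt) > 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
        return 0;
    }

    s->ext.ticket_expected = 1;

    return 1;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Handle a status_request extension received from the server.
 *
 * The extension is ignored in a TLSv1.3 CertificateRequest. Otherwise it is
 * only accepted when s->ext.status_type is TLSEXT_STATUSTYPE_ocsp, and below
 * TLSv1.3 it must be empty. In TLSv1.3 the body for the first certificate
 * (|chainidx| == 0) is passed to tls_process_cert_status_body(); in earlier
 * versions s->ext.status_expected is set instead.
 *
 * |x| is not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
        /* We ignore this if the server sends a CertificateRequest */
        /* TODO(TLS1.3): Add support for this */
        return 1;
    }

    /*
     * MUST only be sent if we've requested a status
     * request message. In TLS <= 1.2 it must also be empty.
     */
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
                 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
        return 0;
    }
    if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (SSL_IS_TLS13(s)) {
        /*
         * We only know how to handle this if it's for the first Certificate in
         * the chain. We ignore any other responses.
         */
        if (chainidx != 0)
            return 1;

        /* SSLfatal() already called */
        return tls_process_cert_status_body(s, pkt);
    }

    /* Set flag to expect CertificateStatus message */
    s->ext.status_expected = 1;

    return 1;
}
#endif


#ifndef OPENSSL_NO_CT
/*
 * Handle a signed_certificate_timestamp extension received from the server.
 *
 * The extension is ignored in a TLSv1.3 CertificateRequest. When a CT
 * validation callback is set, the raw SCT list is copied into s->ext.scts for
 * later processing. Otherwise the extension is only acceptable if a custom
 * extension handler is registered for it, in which case the data is passed
 * to custom_ext_parse().
 *
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
        /* We ignore this if the server sends it in a CertificateRequest */
        /* TODO(TLS1.3): Add support for this */
        return 1;
    }

    /*
     * Only take it if we asked for it - i.e if there is no CT validation
     * callback set, then a custom extension MAY be processing it, so we
     * need to let control continue to flow to that.
     */
    if (s->ct_validation_callback != NULL) {
        size_t size = PACKET_remaining(pkt);

        /* Simply copy it off for later processing */
        OPENSSL_free(s->ext.scts);
        s->ext.scts = NULL;

        /*
         * Keep the recorded length at zero until the copy has succeeded, so
         * that a failed allocation or copy never leaves a non-zero length
         * next to a missing or partially filled buffer.
         */
        s->ext.scts_len = 0;
        if (size > 0) {
            s->ext.scts = OPENSSL_malloc(size);
            if (s->ext.scts == NULL
                    || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
            /*
             * NOTE(review): the cast assumes |size| fits in 16 bits,
             * presumably because the extension length on the wire is a
             * 2-byte field - confirm against the caller.
             */
            s->ext.scts_len = (uint16_t)size;
        }
    } else {
        ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
                        ? ENDPOINT_CLIENT : ENDPOINT_BOTH;

        /*
         * If we didn't ask for it then there must be a custom extension,
         * otherwise this is unsolicited.
         */
        if (custom_ext_find(&s->cert->custext, role,
                            TLSEXT_TYPE_signed_certificate_timestamp,
                            NULL) == NULL) {
            SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT,
                     SSL_R_BAD_EXTENSION);
            return 0;
        }

        if (!custom_ext_parse(s, context,
                              TLSEXT_TYPE_signed_certificate_timestamp,
                              PACKET_data(pkt), PACKET_remaining(pkt),
                              x, chainidx)) {
            /* SSLfatal already called */
            return 0;
        }
    }

    return 1;
}
#endif


#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
 * elements of zero length are allowed and the set of elements must exactly
 * fill the length of the block. Returns 1 on success or 0 on failure.
 *
 * |pkt| is consumed while it is walked, so callers that still need the data
 * should pass a copy of their PACKET.
 */
static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
{
    PACKET tmp_protocol;

    while (PACKET_remaining(pkt)) {
        if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
            || PACKET_remaining(&tmp_protocol) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE,
                     SSL_R_BAD_EXTENSION);
            return 0;
        }
    }

    return 1;
}

/*
 * Handle a next_proto_neg extension received from the server.
 *
 * The extension is ignored during renegotiation. Otherwise the application
 * must have set an NPN select callback; the server's protocol list is
 * validated and then handed to that callback, and the protocol it selects is
 * copied into s->ext.npn.
 *
 * |context|, |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    /*
     * Initialised so that a callback which reports success without filling
     * in its outputs is caught by the checks below instead of leading to a
     * copy from an indeterminate pointer.
     */
    unsigned char *selected = NULL;
    unsigned char selected_len = 0;
    PACKET tmppkt;

    /* Check if we are in a renegotiation. If so ignore this extension */
    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 1;

    /* We must have requested it. */
    if (s->ctx->ext.npn_select_cb == NULL) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* The data must be valid; validate a copy so |pkt| stays intact */
    tmppkt = *pkt;
    if (!ssl_next_proto_validate(s, &tmppkt)) {
        /* SSLfatal() already called */
        return 0;
    }
    /*
     * An empty or missing selection is treated as a callback failure.
     * Presumably OPENSSL_malloc(0) would otherwise return NULL and surface
     * as an internal error - confirm against the allocator.
     */
    if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
                                  PACKET_data(pkt),
                                  PACKET_remaining(pkt),
                                  s->ctx->ext.npn_select_cb_arg) !=
                 SSL_TLSEXT_ERR_OK
            || selected == NULL
            || selected_len == 0) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Could be non-NULL if server has sent multiple NPN extensions in
     * a single Serverhello
     */
    OPENSSL_free(s->ext.npn);
    /* Do not leave a stale length behind if the allocation fails */
    s->ext.npn_len = 0;
    s->ext.npn = OPENSSL_malloc(selected_len);
    if (s->ext.npn == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    memcpy(s->ext.npn, selected, selected_len);
    s->ext.npn_len = selected_len;
    s->s3->npn_seen = 1;

    return 1;
}
#endif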
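/*
 * Handle an ALPN extension received from the server.
 *
 * The extension is only accepted if the client sent ALPN. The payload must be
 * a list holding exactly one protocol name, which is copied into
 * s->s3->alpn_selected. If the name differs from the one stored in the
 * session, early data is marked as not acceptable. For a new session
 * (!s->hit) the name is also duplicated into the session.
 *
 * |context|, |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)
{
    size_t len;

    /* We must have requested it. */
    if (!s->s3->alpn_sent) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }
    /*-
     * The extension data consists of:
     *   uint16 list_length
     *   uint8 proto_length;
     *   uint8 proto[proto_length];
     */
    if (!PACKET_get_net_2_len(pkt, &len)
        || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
        || PACKET_remaining(pkt) != len) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }
    /*
     * NOTE(review): nothing in this function checks that the selected
     * protocol is one of those the client offered - confirm whether that is
     * enforced elsewhere.
     */
    OPENSSL_free(s->s3->alpn_selected);
    /*
     * Reset the length together with the pointer so that a failure below
     * never leaves a stale non-zero length next to a freed or unfilled
     * buffer.
     */
    s->s3->alpn_selected_len = 0;
    s->s3->alpn_selected = OPENSSL_malloc(len);
    if (s->s3->alpn_selected == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }
    s->s3->alpn_selected_len = len;

    if (s->session->ext.alpn_selected == NULL
            || s->session->ext.alpn_selected_len != len
            || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len)
               != 0) {
        /* ALPN not consistent with the old session so cannot use early_data */
        s->ext.early_data_ok = 0;
    }
    if (!s->hit) {
        /*
         * This is a new session and so alpn_selected should have been
         * initialised to NULL. We should update it with the selected ALPN.
         */
        if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        s->session->ext.alpn_selected =
            OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
        if (s->session->ext.alpn_selected == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
                     ERR_R_INTERNAL_ERROR);
            return 0;
        }
        s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
    }

    return 1;
}

#ifndef OPENSSL_NO_SRTP
/*
 * Handle a use_srtp extension received from the server.
 *
 * The payload must be a 2-byte profile list length equal to 2, one 2-byte
 * profile id and a 1-byte MKI length of zero, with nothing following. The
 * profile id must match one of the profiles returned by
 * SSL_get_srtp_profiles(); the matching profile is stored in s->srtp_profile.
 *
 * |context|, |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                            size_t chainidx)
{
    unsigned int id, ct, mki;
    int i;
    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
    SRTP_PROTECTION_PROFILE *prof;

    if (!PACKET_get_net_2(pkt, &ct) || ct != 2
            || !PACKET_get_net_2(pkt, &id)
            || !PACKET_get_1(pkt, &mki)
            || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
    }

    if (mki != 0) {
        /* Must be no MKI, since we never offer one */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP,
                 SSL_R_BAD_SRTP_MKI_VALUE);
        return 0;
    }

    /* Throw an error if the server gave us an unsolicited extension */
    clnt = SSL_get_srtp_profiles(s);
    if (clnt == NULL) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
                 SSL_R_NO_SRTP_PROFILES);
        return 0;
    }

    /*
     * Check to see if the server gave us something we support (and
     * presumably offered)
     */
    for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
        prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);

        if (prof->id == id) {
            s->srtp_profile = prof;
            return 1;
        }
    }

    SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
             SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    return 0;
}
#endif

/*
 * Handle an encrypt_then_mac extension received from the server.
 *
 * Sets s->ext.use_etm unless SSL_OP_NO_ENCRYPT_THEN_MAC is set or the
 * negotiated cipher uses an AEAD MAC or RC4. The payload is not inspected
 * and the function always returns 1.
 */
int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    /* Ignore if inappropriate ciphersuite */
    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
            && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
            && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
        s->ext.use_etm = 1;

    return 1;
}

/*
 * Handle an extended_master_secret extension received from the server.
 *
 * Records TLS1_FLAGS_RECEIVED_EXTMS on the connection and, for a new session
 * (!s->hit), SSL_SESS_FLAG_EXTMS on the session. The payload is not inspected
 * and the function always returns 1.
 */
int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
    if (!s->hit)
        s->session->flags |= SSL_SESS_FLAG_EXTMS;

    return 1;
}

/*
 * Handle a supported_versions extension received from the server.
 *
 * The payload must be exactly one 2-byte version equal to TLS1_3_VERSION.
 * In a HelloRetryRequest the value is only sanity checked; otherwise it is
 * stored in s->version.
 *
 * |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
                                      X509 *x, size_t chainidx)
{
    unsigned int version;

    if (!PACKET_get_net_2(pkt, &version)
            || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
                 SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    /*
     * The only protocol version we support which is valid in this extension in
     * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
     */
    if (version != TLS1_3_VERSION) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
                 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
        return 0;
    }

    /* We ignore this extension for HRRs except to sanity check it */
    if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
        return 1;

    /* We just set it here. We validate it in ssl_choose_client_version */
    s->version = version;

    return 1;
}

/*
 * Handle a key_share extension received from the server.
 *
 * In a HelloRetryRequest the extension holds only a group id: it must differ
 * from the group already sent, be in the supported groups list and be allowed
 * by tls_curve_allowed(); the client's key is then discarded and the new
 * group recorded. In a ServerHello the group must match the one sent, and the
 * server's encoded point is loaded into a new key which is used with the
 * client's key in ssl_derive() and then stored in s->s3->peer_tmp.
 *
 * The body is compiled out when OPENSSL_NO_TLS1_3 is defined.
 * |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                             size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int group_id;
    PACKET encoded_pt;
    EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;

    /* Sanity check */
    if (ckey == NULL || s->s3->peer_tmp != NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!PACKET_get_net_2(pkt, &group_id)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                 SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
        const uint16_t *pgroups = NULL;
        size_t i, num_groups;

        if (PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                     SSL_R_LENGTH_MISMATCH);
            return 0;
        }

        /*
         * It is an error if the HelloRetryRequest wants a key_share that we
         * already sent in the first ClientHello
         */
        if (group_id == s->s3->group_id) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* Validate the selected group is one we support */
        tls1_get_supported_groups(s, &pgroups, &num_groups);
        for (i = 0; i < num_groups; i++) {
            if (group_id == pgroups[i])
                break;
        }
        if (i >= num_groups
                || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* Record the requested group and drop the key for the old one */
        s->s3->group_id = group_id;
        EVP_PKEY_free(s->s3->tmp.pkey);
        s->s3->tmp.pkey = NULL;
        return 1;
    }

    if (group_id != s->s3->group_id) {
        /*
         * This isn't for the group that we sent in the original
         * key_share!
         */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                 SSL_R_BAD_KEY_SHARE);
        return 0;
    }

    if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
            || PACKET_remaining(&encoded_pt) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                 SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    skey = ssl_generate_pkey(ckey);
    if (skey == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                 ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
                                        PACKET_remaining(&encoded_pt))) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
                 SSL_R_BAD_ECPOINT);
        EVP_PKEY_free(skey);
        return 0;
    }

    if (ssl_derive(s, ckey, skey, 1) == 0) {
        /* SSLfatal() already called */
        EVP_PKEY_free(skey);
        return 0;
    }
    /* |skey| is now held by the connection; it is not freed here */
    s->s3->peer_tmp = skey;
#endif

    return 1;
}

/*
 * Handle a cookie extension received from the server.
 *
 * The payload must be a single 2-byte length-prefixed blob, which is
 * duplicated into s->ext.tls13_cookie / s->ext.tls13_cookie_len.
 *
 * |context|, |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                          size_t chainidx)
{
    PACKET cookie;

    if (!PACKET_as_length_prefixed_2(pkt, &cookie)
            || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
                              &s->ext.tls13_cookie_len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE,
                 SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    return 1;
}

/*
 * Handle an early_data extension received from the server.
 *
 * In a NewSessionTicket the payload is a 4-byte max_early_data value that is
 * stored in the session. In any other context the extension must be empty
 * and is only accepted when early data is still allowed
 * (s->ext.early_data_ok), the session was resumed (s->hit) and the first
 * ticket identity was used; s->ext.early_data is then set to
 * SSL_EARLY_DATA_ACCEPTED.
 *
 * |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
                              X509 *x, size_t chainidx)
{
    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
        unsigned long max_early_data;

        if (!PACKET_get_net_4(pkt, &max_early_data)
                || PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
                     SSL_R_INVALID_MAX_EARLY_DATA);
            return 0;
        }

        s->session->ext.max_early_data = max_early_data;

        return 1;
    }

    if (PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (!s->ext.early_data_ok
            || !s->hit
            || s->session->ext.tick_identity != 0) {
        /*
         * If we get here then we didn't send early data, or we didn't resume
         * using the first identity, or the SNI/ALPN is not consistent so the
         * server should not be accepting it.
         */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
                 SSL_R_BAD_EXTENSION);
        return 0;
    }

    s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;

    return 1;
}

/*
 * Handle a pre_shared_key extension received from the server.
 *
 * The payload must be exactly one 2-byte identity index. If it matches the
 * current session's tick_identity the session is treated as resumed and any
 * separate PSK session is released. Otherwise it must match the PSK
 * session's tick_identity, in which case that session replaces the current
 * one.
 *
 * The body is compiled out when OPENSSL_NO_TLS1_3 is defined.
 * |context|, |x| and |chainidx| are not used here.
 * Returns 1 on success, 0 after SSLfatal() has been called.
 */
int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int identity;

    if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
                 SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    if (s->session->ext.tick_identity == (int)identity) {
        s->hit = 1;
        SSL_SESSION_free(s->psksession);
        s->psksession = NULL;
        return 1;
    }

    if (s->psksession == NULL
            || s->psksession->ext.tick_identity != (int)identity) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
                 SSL_R_BAD_PSK_IDENTITY);
        return 0;
    }

    /*
     * If we used the external PSK for sending early_data then s->early_secret
     * is already set up, so don't overwrite it. Otherwise we copy the
     * early_secret across that we generated earlier.
     */
    if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
                && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
            || s->session->ext.max_early_data > 0
            || s->psksession->ext.max_early_data == 0)
        memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);

    /* The PSK session takes the place of the current session */
    SSL_SESSION_free(s->session);
    s->session = s->psksession;
    s->psksession = NULL;
    s->hit = 1;
#endif

    return 1;
}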