1 /* 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "internal/cryptlib.h" 13 #include "statem_local.h" 14 15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, 16 unsigned int context, X509 *x, 17 size_t chainidx) 18 { 19 /* Add RI if renegotiating */ 20 if (!s->renegotiate) 21 return EXT_RETURN_NOT_SENT; 22 23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 24 || !WPACKET_start_sub_packet_u16(pkt) 25 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, 26 s->s3.previous_client_finished_len) 27 || !WPACKET_close(pkt)) { 28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 29 return EXT_RETURN_FAIL; 30 } 31 32 return EXT_RETURN_SENT; 33 } 34 35 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, 36 unsigned int context, X509 *x, 37 size_t chainidx) 38 { 39 if (s->ext.hostname == NULL) 40 return EXT_RETURN_NOT_SENT; 41 42 /* Add TLS extension servername to the Client Hello message */ 43 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 44 /* Sub-packet for server_name extension */ 45 || !WPACKET_start_sub_packet_u16(pkt) 46 /* Sub-packet for servername list (always 1 hostname)*/ 47 || !WPACKET_start_sub_packet_u16(pkt) 48 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) 49 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, 50 strlen(s->ext.hostname)) 51 || !WPACKET_close(pkt) 52 || !WPACKET_close(pkt)) { 53 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 54 return EXT_RETURN_FAIL; 55 } 56 57 return EXT_RETURN_SENT; 58 } 59 60 /* Push a Max Fragment Len extension into ClientHello */ 61 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, 62 unsigned int context, X509 *x, 63 size_t chainidx) 64 { 65 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) 66 return EXT_RETURN_NOT_SENT; 67 68 /* Add Max Fragment Length extension if client enabled it. */ 69 /*- 70 * 4 bytes for this extension type and extension length 71 * 1 byte for the Max Fragment Length code value. 72 */ 73 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 74 /* Sub-packet for Max Fragment Length extension (1 byte) */ 75 || !WPACKET_start_sub_packet_u16(pkt) 76 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) 77 || !WPACKET_close(pkt)) { 78 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 79 return EXT_RETURN_FAIL; 80 } 81 82 return EXT_RETURN_SENT; 83 } 84 85 #ifndef OPENSSL_NO_SRP 86 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, 87 X509 *x, size_t chainidx) 88 { 89 /* Add SRP username if there is one */ 90 if (s->srp_ctx.login == NULL) 91 return EXT_RETURN_NOT_SENT; 92 93 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) 94 /* Sub-packet for SRP extension */ 95 || !WPACKET_start_sub_packet_u16(pkt) 96 || !WPACKET_start_sub_packet_u8(pkt) 97 /* login must not be zero...internal error if so */ 98 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 99 || !WPACKET_memcpy(pkt, s->srp_ctx.login, 100 strlen(s->srp_ctx.login)) 101 || !WPACKET_close(pkt) 102 || !WPACKET_close(pkt)) { 103 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 104 return EXT_RETURN_FAIL; 105 } 106 107 return EXT_RETURN_SENT; 108 } 109 #endif 110 111 static int use_ecc(SSL *s, int min_version, int max_version) 112 { 113 int i, end, ret = 0; 114 unsigned long alg_k, alg_a; 115 STACK_OF(SSL_CIPHER) *cipher_stack = NULL; 116 const uint16_t *pgroups = NULL; 117 size_t num_groups, j; 118 119 /* See if we support any ECC ciphersuites */ 120 if (s->version == SSL3_VERSION) 121 return 0; 122 123 cipher_stack = SSL_get1_supported_ciphers(s); 124 end = sk_SSL_CIPHER_num(cipher_stack); 125 for (i = 0; i < end; i++) { 126 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 127 128 alg_k = c->algorithm_mkey; 129 alg_a = c->algorithm_auth; 130 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 131 || (alg_a & SSL_aECDSA) 132 || c->min_tls >= TLS1_3_VERSION) { 133 ret = 1; 134 break; 135 } 136 } 137 sk_SSL_CIPHER_free(cipher_stack); 138 if (!ret) 139 return 0; 140 141 /* Check we have at least one EC supported group */ 142 tls1_get_supported_groups(s, &pgroups, &num_groups); 143 for (j = 0; j < num_groups; j++) { 144 uint16_t ctmp = pgroups[j]; 145 146 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) 147 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) 148 return 1; 149 } 150 151 return 0; 152 } 153 154 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, 155 unsigned int context, X509 *x, 156 size_t chainidx) 157 { 158 const unsigned char *pformats; 159 size_t num_formats; 160 int reason, min_version, max_version; 161 162 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 163 if (reason != 0) { 164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 165 return EXT_RETURN_FAIL; 166 } 167 if (!use_ecc(s, min_version, max_version)) 168 return EXT_RETURN_NOT_SENT; 169 170 /* Add TLS extension ECPointFormats to the ClientHello message */ 171 tls1_get_formatlist(s, &pformats, &num_formats); 172 173 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 174 /* Sub-packet for formats extension */ 175 || !WPACKET_start_sub_packet_u16(pkt) 176 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) 177 || !WPACKET_close(pkt)) { 178 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 179 return EXT_RETURN_FAIL; 180 } 181 182 return EXT_RETURN_SENT; 183 } 184 185 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, 186 unsigned int context, X509 *x, 187 size_t chainidx) 188 { 189 const uint16_t *pgroups = NULL; 190 size_t num_groups = 0, i, tls13added = 0, added = 0; 191 int min_version, max_version, reason; 192 193 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 194 if (reason != 0) { 195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 196 return EXT_RETURN_FAIL; 197 } 198 199 /* 200 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore 201 * if we don't have EC support then we don't send this extension. 202 */ 203 if (!use_ecc(s, min_version, max_version) 204 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) 205 return EXT_RETURN_NOT_SENT; 206 207 /* 208 * Add TLS extension supported_groups to the ClientHello message 209 */ 210 tls1_get_supported_groups(s, &pgroups, &num_groups); 211 212 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 213 /* Sub-packet for supported_groups extension */ 214 || !WPACKET_start_sub_packet_u16(pkt) 215 || !WPACKET_start_sub_packet_u16(pkt) 216 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 218 return EXT_RETURN_FAIL; 219 } 220 /* Copy group ID if supported */ 221 for (i = 0; i < num_groups; i++) { 222 uint16_t ctmp = pgroups[i]; 223 int okfortls13; 224 225 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) 226 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { 227 if (!WPACKET_put_bytes_u16(pkt, ctmp)) { 228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 229 return EXT_RETURN_FAIL; 230 } 231 if (okfortls13 && max_version == TLS1_3_VERSION) 232 tls13added++; 233 added++; 234 } 235 } 236 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 237 if (added == 0) 238 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 239 "No groups enabled for max supported SSL/TLS version"); 240 else 241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 242 return EXT_RETURN_FAIL; 243 } 244 245 if (tls13added == 0 && max_version == TLS1_3_VERSION) { 246 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 247 "No groups enabled for max supported SSL/TLS version"); 248 return EXT_RETURN_FAIL; 249 } 250 251 return EXT_RETURN_SENT; 252 } 253 254 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, 255 unsigned int context, X509 *x, 256 size_t chainidx) 257 { 258 size_t ticklen; 259 260 if (!tls_use_ticket(s)) 261 return EXT_RETURN_NOT_SENT; 262 263 if (!s->new_session && s->session != NULL 264 && s->session->ext.tick != NULL 265 && s->session->ssl_version != TLS1_3_VERSION) { 266 ticklen = s->session->ext.ticklen; 267 } else if (s->session && s->ext.session_ticket != NULL 268 && s->ext.session_ticket->data != NULL) { 269 ticklen = s->ext.session_ticket->length; 270 s->session->ext.tick = OPENSSL_malloc(ticklen); 271 if (s->session->ext.tick == NULL) { 272 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 273 return EXT_RETURN_FAIL; 274 } 275 memcpy(s->session->ext.tick, 276 s->ext.session_ticket->data, ticklen); 277 s->session->ext.ticklen = ticklen; 278 } else { 279 ticklen = 0; 280 } 281 282 if (ticklen == 0 && s->ext.session_ticket != NULL && 283 s->ext.session_ticket->data == NULL) 284 return EXT_RETURN_NOT_SENT; 285 286 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 287 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { 288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 289 return EXT_RETURN_FAIL; 290 } 291 292 return EXT_RETURN_SENT; 293 } 294 295 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, 296 unsigned int context, X509 *x, 297 size_t chainidx) 298 { 299 size_t salglen; 300 const uint16_t *salg; 301 302 if (!SSL_CLIENT_USE_SIGALGS(s)) 303 return EXT_RETURN_NOT_SENT; 304 305 salglen = tls12_get_psigalgs(s, 1, &salg); 306 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) 307 /* Sub-packet for sig-algs extension */ 308 || !WPACKET_start_sub_packet_u16(pkt) 309 /* Sub-packet for the actual list */ 310 || !WPACKET_start_sub_packet_u16(pkt) 311 || !tls12_copy_sigalgs(s, pkt, salg, salglen) 312 || !WPACKET_close(pkt) 313 || !WPACKET_close(pkt)) { 314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 315 return EXT_RETURN_FAIL; 316 } 317 318 return EXT_RETURN_SENT; 319 } 320 321 #ifndef OPENSSL_NO_OCSP 322 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, 323 unsigned int context, X509 *x, 324 size_t chainidx) 325 { 326 int i; 327 328 /* This extension isn't defined for client Certificates */ 329 if (x != NULL) 330 return EXT_RETURN_NOT_SENT; 331 332 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) 333 return EXT_RETURN_NOT_SENT; 334 335 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 336 /* Sub-packet for status request extension */ 337 || !WPACKET_start_sub_packet_u16(pkt) 338 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) 339 /* Sub-packet for the ids */ 340 || !WPACKET_start_sub_packet_u16(pkt)) { 341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 342 return EXT_RETURN_FAIL; 343 } 344 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { 345 unsigned char *idbytes; 346 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); 347 int idlen = i2d_OCSP_RESPID(id, NULL); 348 349 if (idlen <= 0 350 /* Sub-packet for an individual id */ 351 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) 352 || i2d_OCSP_RESPID(id, &idbytes) != idlen) { 353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 354 return EXT_RETURN_FAIL; 355 } 356 } 357 if (!WPACKET_close(pkt) 358 || !WPACKET_start_sub_packet_u16(pkt)) { 359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 360 return EXT_RETURN_FAIL; 361 } 362 if (s->ext.ocsp.exts) { 363 unsigned char *extbytes; 364 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); 365 366 if (extlen < 0) { 367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 368 return EXT_RETURN_FAIL; 369 } 370 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) 371 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) 372 != extlen) { 373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 374 return EXT_RETURN_FAIL; 375 } 376 } 377 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 379 return EXT_RETURN_FAIL; 380 } 381 382 return EXT_RETURN_SENT; 383 } 384 #endif 385 386 #ifndef OPENSSL_NO_NEXTPROTONEG 387 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, 388 X509 *x, size_t chainidx) 389 { 390 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 391 return EXT_RETURN_NOT_SENT; 392 393 /* 394 * The client advertises an empty extension to indicate its support 395 * for Next Protocol Negotiation 396 */ 397 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 398 || !WPACKET_put_bytes_u16(pkt, 0)) { 399 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 400 return EXT_RETURN_FAIL; 401 } 402 403 return EXT_RETURN_SENT; 404 } 405 #endif 406 407 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, 408 X509 *x, size_t chainidx) 409 { 410 s->s3.alpn_sent = 0; 411 412 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 413 return EXT_RETURN_NOT_SENT; 414 415 if (!WPACKET_put_bytes_u16(pkt, 416 TLSEXT_TYPE_application_layer_protocol_negotiation) 417 /* Sub-packet ALPN extension */ 418 || !WPACKET_start_sub_packet_u16(pkt) 419 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) 420 || !WPACKET_close(pkt)) { 421 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 422 return EXT_RETURN_FAIL; 423 } 424 s->s3.alpn_sent = 1; 425 426 return EXT_RETURN_SENT; 427 } 428 429 430 #ifndef OPENSSL_NO_SRTP 431 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, 432 unsigned int context, X509 *x, 433 size_t chainidx) 434 { 435 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); 436 int i, end; 437 438 if (clnt == NULL) 439 return EXT_RETURN_NOT_SENT; 440 441 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 442 /* Sub-packet for SRTP extension */ 443 || !WPACKET_start_sub_packet_u16(pkt) 444 /* Sub-packet for the protection profile list */ 445 || !WPACKET_start_sub_packet_u16(pkt)) { 446 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 447 return EXT_RETURN_FAIL; 448 } 449 450 end = sk_SRTP_PROTECTION_PROFILE_num(clnt); 451 for (i = 0; i < end; i++) { 452 const SRTP_PROTECTION_PROFILE *prof = 453 sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 454 455 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { 456 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 457 return EXT_RETURN_FAIL; 458 } 459 } 460 if (!WPACKET_close(pkt) 461 /* Add an empty use_mki value */ 462 || !WPACKET_put_bytes_u8(pkt, 0) 463 || !WPACKET_close(pkt)) { 464 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 465 return EXT_RETURN_FAIL; 466 } 467 468 return EXT_RETURN_SENT; 469 } 470 #endif 471 472 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, 473 X509 *x, size_t chainidx) 474 { 475 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 476 return EXT_RETURN_NOT_SENT; 477 478 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 479 || !WPACKET_put_bytes_u16(pkt, 0)) { 480 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 481 return EXT_RETURN_FAIL; 482 } 483 484 return EXT_RETURN_SENT; 485 } 486 487 #ifndef OPENSSL_NO_CT 488 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, 489 X509 *x, size_t chainidx) 490 { 491 if (s->ct_validation_callback == NULL) 492 return EXT_RETURN_NOT_SENT; 493 494 /* Not defined for client Certificates */ 495 if (x != NULL) 496 return EXT_RETURN_NOT_SENT; 497 498 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) 499 || !WPACKET_put_bytes_u16(pkt, 0)) { 500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 501 return EXT_RETURN_FAIL; 502 } 503 504 return EXT_RETURN_SENT; 505 } 506 #endif 507 508 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, 509 X509 *x, size_t chainidx) 510 { 511 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 512 return EXT_RETURN_NOT_SENT; 513 514 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 515 || !WPACKET_put_bytes_u16(pkt, 0)) { 516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 517 return EXT_RETURN_FAIL; 518 } 519 520 return EXT_RETURN_SENT; 521 } 522 523 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, 524 unsigned int context, X509 *x, 525 size_t chainidx) 526 { 527 int currv, min_version, max_version, reason; 528 529 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 530 if (reason != 0) { 531 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 532 return EXT_RETURN_FAIL; 533 } 534 535 /* 536 * Don't include this if we can't negotiate TLSv1.3. We can do a straight 537 * comparison here because we will never be called in DTLS. 538 */ 539 if (max_version < TLS1_3_VERSION) 540 return EXT_RETURN_NOT_SENT; 541 542 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 543 || !WPACKET_start_sub_packet_u16(pkt) 544 || !WPACKET_start_sub_packet_u8(pkt)) { 545 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 546 return EXT_RETURN_FAIL; 547 } 548 549 for (currv = max_version; currv >= min_version; currv--) { 550 if (!WPACKET_put_bytes_u16(pkt, currv)) { 551 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 552 return EXT_RETURN_FAIL; 553 } 554 } 555 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 557 return EXT_RETURN_FAIL; 558 } 559 560 return EXT_RETURN_SENT; 561 } 562 563 /* 564 * Construct a psk_kex_modes extension. 565 */ 566 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, 567 unsigned int context, X509 *x, 568 size_t chainidx) 569 { 570 #ifndef OPENSSL_NO_TLS1_3 571 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; 572 573 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) 574 || !WPACKET_start_sub_packet_u16(pkt) 575 || !WPACKET_start_sub_packet_u8(pkt) 576 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) 577 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) 578 || !WPACKET_close(pkt) 579 || !WPACKET_close(pkt)) { 580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 581 return EXT_RETURN_FAIL; 582 } 583 584 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; 585 if (nodhe) 586 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 587 #endif 588 589 return EXT_RETURN_SENT; 590 } 591 592 #ifndef OPENSSL_NO_TLS1_3 593 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) 594 { 595 unsigned char *encoded_point = NULL; 596 EVP_PKEY *key_share_key = NULL; 597 size_t encodedlen; 598 599 if (s->s3.tmp.pkey != NULL) { 600 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) { 601 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 602 return 0; 603 } 604 /* 605 * Could happen if we got an HRR that wasn't requesting a new key_share 606 */ 607 key_share_key = s->s3.tmp.pkey; 608 } else { 609 key_share_key = ssl_generate_pkey_group(s, curve_id); 610 if (key_share_key == NULL) { 611 /* SSLfatal() already called */ 612 return 0; 613 } 614 } 615 616 /* Encode the public key. */ 617 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key, 618 &encoded_point); 619 if (encodedlen == 0) { 620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 621 goto err; 622 } 623 624 /* Create KeyShareEntry */ 625 if (!WPACKET_put_bytes_u16(pkt, curve_id) 626 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { 627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 628 goto err; 629 } 630 631 /* 632 * When changing to send more than one key_share we're 633 * going to need to be able to save more than one EVP_PKEY. For now 634 * we reuse the existing tmp.pkey 635 */ 636 s->s3.tmp.pkey = key_share_key; 637 s->s3.group_id = curve_id; 638 OPENSSL_free(encoded_point); 639 640 return 1; 641 err: 642 if (s->s3.tmp.pkey == NULL) 643 EVP_PKEY_free(key_share_key); 644 OPENSSL_free(encoded_point); 645 return 0; 646 } 647 #endif 648 649 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, 650 unsigned int context, X509 *x, 651 size_t chainidx) 652 { 653 #ifndef OPENSSL_NO_TLS1_3 654 size_t i, num_groups = 0; 655 const uint16_t *pgroups = NULL; 656 uint16_t curve_id = 0; 657 658 /* key_share extension */ 659 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 660 /* Extension data sub-packet */ 661 || !WPACKET_start_sub_packet_u16(pkt) 662 /* KeyShare list sub-packet */ 663 || !WPACKET_start_sub_packet_u16(pkt)) { 664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 665 return EXT_RETURN_FAIL; 666 } 667 668 tls1_get_supported_groups(s, &pgroups, &num_groups); 669 670 /* 671 * Make the number of key_shares sent configurable. For 672 * now, we just send one 673 */ 674 if (s->s3.group_id != 0) { 675 curve_id = s->s3.group_id; 676 } else { 677 for (i = 0; i < num_groups; i++) { 678 679 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) 680 continue; 681 682 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, 683 0, NULL)) 684 continue; 685 686 curve_id = pgroups[i]; 687 break; 688 } 689 } 690 691 if (curve_id == 0) { 692 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 693 return EXT_RETURN_FAIL; 694 } 695 696 if (!add_key_share(s, pkt, curve_id)) { 697 /* SSLfatal() already called */ 698 return EXT_RETURN_FAIL; 699 } 700 701 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 702 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 703 return EXT_RETURN_FAIL; 704 } 705 return EXT_RETURN_SENT; 706 #else 707 return EXT_RETURN_NOT_SENT; 708 #endif 709 } 710 711 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, 712 X509 *x, size_t chainidx) 713 { 714 EXT_RETURN ret = EXT_RETURN_FAIL; 715 716 /* Should only be set if we've had an HRR */ 717 if (s->ext.tls13_cookie_len == 0) 718 return EXT_RETURN_NOT_SENT; 719 720 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 721 /* Extension data sub-packet */ 722 || !WPACKET_start_sub_packet_u16(pkt) 723 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 724 s->ext.tls13_cookie_len) 725 || !WPACKET_close(pkt)) { 726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 727 goto end; 728 } 729 730 ret = EXT_RETURN_SENT; 731 end: 732 OPENSSL_free(s->ext.tls13_cookie); 733 s->ext.tls13_cookie = NULL; 734 s->ext.tls13_cookie_len = 0; 735 736 return ret; 737 } 738 739 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, 740 unsigned int context, X509 *x, 741 size_t chainidx) 742 { 743 #ifndef OPENSSL_NO_PSK 744 char identity[PSK_MAX_IDENTITY_LEN + 1]; 745 #endif /* OPENSSL_NO_PSK */ 746 const unsigned char *id = NULL; 747 size_t idlen = 0; 748 SSL_SESSION *psksess = NULL; 749 SSL_SESSION *edsess = NULL; 750 const EVP_MD *handmd = NULL; 751 752 if (s->hello_retry_request == SSL_HRR_PENDING) 753 handmd = ssl_handshake_md(s); 754 755 if (s->psk_use_session_cb != NULL 756 && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess) 757 || (psksess != NULL 758 && psksess->ssl_version != TLS1_3_VERSION))) { 759 SSL_SESSION_free(psksess); 760 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 761 return EXT_RETURN_FAIL; 762 } 763 764 #ifndef OPENSSL_NO_PSK 765 if (psksess == NULL && s->psk_client_callback != NULL) { 766 unsigned char psk[PSK_MAX_PSK_LEN]; 767 size_t psklen = 0; 768 769 memset(identity, 0, sizeof(identity)); 770 psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1, 771 psk, sizeof(psk)); 772 773 if (psklen > PSK_MAX_PSK_LEN) { 774 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 775 return EXT_RETURN_FAIL; 776 } else if (psklen > 0) { 777 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 778 const SSL_CIPHER *cipher; 779 780 idlen = strlen(identity); 781 if (idlen > PSK_MAX_IDENTITY_LEN) { 782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 783 return EXT_RETURN_FAIL; 784 } 785 id = (unsigned char *)identity; 786 787 /* 788 * We found a PSK using an old style callback. We don't know 789 * the digest so we default to SHA256 as per the TLSv1.3 spec 790 */ 791 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); 792 if (cipher == NULL) { 793 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 794 return EXT_RETURN_FAIL; 795 } 796 797 psksess = SSL_SESSION_new(); 798 if (psksess == NULL 799 || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 800 || !SSL_SESSION_set_cipher(psksess, cipher) 801 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 803 OPENSSL_cleanse(psk, psklen); 804 return EXT_RETURN_FAIL; 805 } 806 OPENSSL_cleanse(psk, psklen); 807 } 808 } 809 #endif /* OPENSSL_NO_PSK */ 810 811 SSL_SESSION_free(s->psksession); 812 s->psksession = psksess; 813 if (psksess != NULL) { 814 OPENSSL_free(s->psksession_id); 815 s->psksession_id = OPENSSL_memdup(id, idlen); 816 if (s->psksession_id == NULL) { 817 s->psksession_id_len = 0; 818 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 819 return EXT_RETURN_FAIL; 820 } 821 s->psksession_id_len = idlen; 822 } 823 824 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 825 || (s->session->ext.max_early_data == 0 826 && (psksess == NULL || psksess->ext.max_early_data == 0))) { 827 s->max_early_data = 0; 828 return EXT_RETURN_NOT_SENT; 829 } 830 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; 831 s->max_early_data = edsess->ext.max_early_data; 832 833 if (edsess->ext.hostname != NULL) { 834 if (s->ext.hostname == NULL 835 || (s->ext.hostname != NULL 836 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 837 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 838 SSL_R_INCONSISTENT_EARLY_DATA_SNI); 839 return EXT_RETURN_FAIL; 840 } 841 } 842 843 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 844 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 845 return EXT_RETURN_FAIL; 846 } 847 848 /* 849 * Verify that we are offering an ALPN protocol consistent with the early 850 * data. 851 */ 852 if (edsess->ext.alpn_selected != NULL) { 853 PACKET prots, alpnpkt; 854 int found = 0; 855 856 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 857 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 858 return EXT_RETURN_FAIL; 859 } 860 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 861 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 862 edsess->ext.alpn_selected_len)) { 863 found = 1; 864 break; 865 } 866 } 867 if (!found) { 868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 869 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 870 return EXT_RETURN_FAIL; 871 } 872 } 873 874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 875 || !WPACKET_start_sub_packet_u16(pkt) 876 || !WPACKET_close(pkt)) { 877 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 878 return EXT_RETURN_FAIL; 879 } 880 881 /* 882 * We set this to rejected here. Later, if the server acknowledges the 883 * extension, we set it to accepted. 884 */ 885 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 886 s->ext.early_data_ok = 1; 887 888 return EXT_RETURN_SENT; 889 } 890 891 #define F5_WORKAROUND_MIN_MSG_LEN 0xff 892 #define F5_WORKAROUND_MAX_MSG_LEN 0x200 893 894 /* 895 * PSK pre binder overhead = 896 * 2 bytes for TLSEXT_TYPE_psk 897 * 2 bytes for extension length 898 * 2 bytes for identities list length 899 * 2 bytes for identity length 900 * 4 bytes for obfuscated_ticket_age 901 * 2 bytes for binder list length 902 * 1 byte for binder length 903 * The above excludes the number of bytes for the identity itself and the 904 * subsequent binder bytes 905 */ 906 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 907 908 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, 909 unsigned int context, X509 *x, 910 size_t chainidx) 911 { 912 unsigned char *padbytes; 913 size_t hlen; 914 915 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 916 return EXT_RETURN_NOT_SENT; 917 918 /* 919 * Add padding to workaround bugs in F5 terminators. See RFC7685. 920 * This code calculates the length of all extensions added so far but 921 * excludes the PSK extension (because that MUST be written last). Therefore 922 * this extension MUST always appear second to last. 923 */ 924 if (!WPACKET_get_total_written(pkt, &hlen)) { 925 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 926 return EXT_RETURN_FAIL; 927 } 928 929 /* 930 * If we're going to send a PSK then that will be written out after this 931 * extension, so we need to calculate how long it is going to be. 932 */ 933 if (s->session->ssl_version == TLS1_3_VERSION 934 && s->session->ext.ticklen != 0 935 && s->session->cipher != NULL) { 936 const EVP_MD *md = ssl_md(s->ctx, s->session->cipher->algorithm2); 937 938 if (md != NULL) { 939 /* 940 * Add the fixed PSK overhead, the identity length and the binder 941 * length. 942 */ 943 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 944 + EVP_MD_get_size(md); 945 } 946 } 947 948 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 949 /* Calculate the amount of padding we need to add */ 950 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 951 952 /* 953 * Take off the size of extension header itself (2 bytes for type and 954 * 2 bytes for length bytes), but ensure that the extension is at least 955 * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 956 * 8.x are intolerant of that condition) 957 */ 958 if (hlen > 4) 959 hlen -= 4; 960 else 961 hlen = 1; 962 963 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 964 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 965 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 966 return EXT_RETURN_FAIL; 967 } 968 memset(padbytes, 0, hlen); 969 } 970 971 return EXT_RETURN_SENT; 972 } 973 974 /* 975 * Construct the pre_shared_key extension 976 */ 977 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 978 X509 *x, size_t chainidx) 979 { 980 #ifndef OPENSSL_NO_TLS1_3 981 uint32_t agesec, agems = 0; 982 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; 983 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 984 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 985 int dores = 0; 986 987 s->ext.tick_identity = 0; 988 989 /* 990 * Note: At this stage of the code we only support adding a single 991 * resumption PSK. If we add support for multiple PSKs then the length 992 * calculations in the padding extension will need to be adjusted. 993 */ 994 995 /* 996 * If this is an incompatible or new session then we have nothing to resume 997 * so don't add this extension. 998 */ 999 if (s->session->ssl_version != TLS1_3_VERSION 1000 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1001 return EXT_RETURN_NOT_SENT; 1002 1003 if (s->hello_retry_request == SSL_HRR_PENDING) 1004 handmd = ssl_handshake_md(s); 1005 1006 if (s->session->ext.ticklen != 0) { 1007 /* Get the digest associated with the ciphersuite in the session */ 1008 if (s->session->cipher == NULL) { 1009 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1010 return EXT_RETURN_FAIL; 1011 } 1012 mdres = ssl_md(s->ctx, s->session->cipher->algorithm2); 1013 if (mdres == NULL) { 1014 /* 1015 * Don't recognize this cipher so we can't use the session. 1016 * Ignore it 1017 */ 1018 goto dopsksess; 1019 } 1020 1021 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1022 /* 1023 * Selected ciphersuite hash does not match the hash for the session 1024 * so we can't use it. 1025 */ 1026 goto dopsksess; 1027 } 1028 1029 /* 1030 * Technically the C standard just says time() returns a time_t and says 1031 * nothing about the encoding of that type. In practice most 1032 * implementations follow POSIX which holds it as an integral type in 1033 * seconds since epoch. We've already made the assumption that we can do 1034 * this in multiple places in the code, so portability shouldn't be an 1035 * issue. 1036 */ 1037 agesec = (uint32_t)(time(NULL) - s->session->time); 1038 /* 1039 * We calculate the age in seconds but the server may work in ms. Due to 1040 * rounding errors we could overestimate the age by up to 1s. It is 1041 * better to underestimate it. Otherwise, if the RTT is very short, when 1042 * the server calculates the age reported by the client it could be 1043 * bigger than the age calculated on the server - which should never 1044 * happen. 1045 */ 1046 if (agesec > 0) 1047 agesec--; 1048 1049 if (s->session->ext.tick_lifetime_hint < agesec) { 1050 /* Ticket is too old. Ignore it. */ 1051 goto dopsksess; 1052 } 1053 1054 /* 1055 * Calculate age in ms. We're just doing it to nearest second. Should be 1056 * good enough. 1057 */ 1058 agems = agesec * (uint32_t)1000; 1059 1060 if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1061 /* 1062 * Overflow. Shouldn't happen unless this is a *really* old session. 1063 * If so we just ignore it. 1064 */ 1065 goto dopsksess; 1066 } 1067 1068 /* 1069 * Obfuscate the age. Overflow here is fine, this addition is supposed 1070 * to be mod 2^32. 1071 */ 1072 agems += s->session->ext.tick_age_add; 1073 1074 reshashsize = EVP_MD_get_size(mdres); 1075 s->ext.tick_identity++; 1076 dores = 1; 1077 } 1078 1079 dopsksess: 1080 if (!dores && s->psksession == NULL) 1081 return EXT_RETURN_NOT_SENT; 1082 1083 if (s->psksession != NULL) { 1084 mdpsk = ssl_md(s->ctx, s->psksession->cipher->algorithm2); 1085 if (mdpsk == NULL) { 1086 /* 1087 * Don't recognize this cipher so we can't use the session. 1088 * If this happens it's an application bug. 1089 */ 1090 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1091 return EXT_RETURN_FAIL; 1092 } 1093 1094 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1095 /* 1096 * Selected ciphersuite hash does not match the hash for the PSK 1097 * session. This is an application bug. 1098 */ 1099 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1100 return EXT_RETURN_FAIL; 1101 } 1102 1103 pskhashsize = EVP_MD_get_size(mdpsk); 1104 } 1105 1106 /* Create the extension, but skip over the binder for now */ 1107 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1108 || !WPACKET_start_sub_packet_u16(pkt) 1109 || !WPACKET_start_sub_packet_u16(pkt)) { 1110 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1111 return EXT_RETURN_FAIL; 1112 } 1113 1114 if (dores) { 1115 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1116 s->session->ext.ticklen) 1117 || !WPACKET_put_bytes_u32(pkt, agems)) { 1118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1119 return EXT_RETURN_FAIL; 1120 } 1121 } 1122 1123 if (s->psksession != NULL) { 1124 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1125 s->psksession_id_len) 1126 || !WPACKET_put_bytes_u32(pkt, 0)) { 1127 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1128 return EXT_RETURN_FAIL; 1129 } 1130 s->ext.tick_identity++; 1131 } 1132 1133 if (!WPACKET_close(pkt) 1134 || !WPACKET_get_total_written(pkt, &binderoffset) 1135 || !WPACKET_start_sub_packet_u16(pkt) 1136 || (dores 1137 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1138 || (s->psksession != NULL 1139 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1140 || !WPACKET_close(pkt) 1141 || !WPACKET_close(pkt) 1142 || !WPACKET_get_total_written(pkt, &msglen) 1143 /* 1144 * We need to fill in all the sub-packet lengths now so we can 1145 * calculate the HMAC of the message up to the binders 1146 */ 1147 || !WPACKET_fill_lengths(pkt)) { 1148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1149 return EXT_RETURN_FAIL; 1150 } 1151 1152 msgstart = WPACKET_get_curr(pkt) - msglen; 1153 1154 if (dores 1155 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1156 resbinder, s->session, 1, 0) != 1) { 1157 /* SSLfatal() already called */ 1158 return EXT_RETURN_FAIL; 1159 } 1160 1161 if (s->psksession != NULL 1162 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1163 pskbinder, s->psksession, 1, 1) != 1) { 1164 /* SSLfatal() already called */ 1165 return EXT_RETURN_FAIL; 1166 } 1167 1168 return EXT_RETURN_SENT; 1169 #else 1170 return EXT_RETURN_NOT_SENT; 1171 #endif 1172 } 1173 1174 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, 1175 ossl_unused unsigned int context, 1176 ossl_unused X509 *x, 1177 ossl_unused size_t chainidx) 1178 { 1179 #ifndef OPENSSL_NO_TLS1_3 1180 if (!s->pha_enabled) 1181 return EXT_RETURN_NOT_SENT; 1182 1183 /* construct extension - 0 length, no contents */ 1184 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1185 || !WPACKET_start_sub_packet_u16(pkt) 1186 || !WPACKET_close(pkt)) { 1187 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1188 return EXT_RETURN_FAIL; 1189 } 1190 1191 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1192 1193 return EXT_RETURN_SENT; 1194 #else 1195 return EXT_RETURN_NOT_SENT; 1196 #endif 1197 } 1198 1199 1200 /* 1201 * Parse the server's renegotiation binding and abort if it's not right 1202 */ 1203 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, 1204 X509 *x, size_t chainidx) 1205 { 1206 size_t expected_len = s->s3.previous_client_finished_len 1207 + s->s3.previous_server_finished_len; 1208 size_t ilen; 1209 const unsigned char *data; 1210 1211 /* Check for logic errors */ 1212 if (!ossl_assert(expected_len == 0 1213 || s->s3.previous_client_finished_len != 0) 1214 || !ossl_assert(expected_len == 0 1215 || s->s3.previous_server_finished_len != 0)) { 1216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1217 return 0; 1218 } 1219 1220 /* Parse the length byte */ 1221 if (!PACKET_get_1_len(pkt, &ilen)) { 1222 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1223 return 0; 1224 } 1225 1226 /* Consistency check */ 1227 if (PACKET_remaining(pkt) != ilen) { 1228 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1229 return 0; 1230 } 1231 1232 /* Check that the extension matches */ 1233 if (ilen != expected_len) { 1234 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1235 return 0; 1236 } 1237 1238 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) 1239 || memcmp(data, s->s3.previous_client_finished, 1240 s->s3.previous_client_finished_len) != 0) { 1241 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1242 return 0; 1243 } 1244 1245 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) 1246 || memcmp(data, s->s3.previous_server_finished, 1247 s->s3.previous_server_finished_len) != 0) { 1248 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1249 return 0; 1250 } 1251 s->s3.send_connection_binding = 1; 1252 1253 return 1; 1254 } 1255 1256 /* Parse the server's max fragment len extension packet */ 1257 int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, 1258 X509 *x, size_t chainidx) 1259 { 1260 unsigned int value; 1261 1262 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1263 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1264 return 0; 1265 } 1266 1267 /* |value| should contains a valid max-fragment-length code. */ 1268 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1269 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1270 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1271 return 0; 1272 } 1273 1274 /* Must be the same value as client-configured one who was sent to server */ 1275 /*- 1276 * RFC 6066: if a client receives a maximum fragment length negotiation 1277 * response that differs from the length it requested, ... 1278 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1279 */ 1280 if (value != s->ext.max_fragment_len_mode) { 1281 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1282 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1283 return 0; 1284 } 1285 1286 /* 1287 * Maximum Fragment Length Negotiation succeeded. 1288 * The negotiated Maximum Fragment Length is binding now. 1289 */ 1290 s->session->ext.max_fragment_len_mode = value; 1291 1292 return 1; 1293 } 1294 1295 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, 1296 X509 *x, size_t chainidx) 1297 { 1298 if (s->ext.hostname == NULL) { 1299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1300 return 0; 1301 } 1302 1303 if (PACKET_remaining(pkt) > 0) { 1304 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1305 return 0; 1306 } 1307 1308 if (!s->hit) { 1309 if (s->session->ext.hostname != NULL) { 1310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1311 return 0; 1312 } 1313 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1314 if (s->session->ext.hostname == NULL) { 1315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1316 return 0; 1317 } 1318 } 1319 1320 return 1; 1321 } 1322 1323 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, 1324 X509 *x, size_t chainidx) 1325 { 1326 size_t ecpointformats_len; 1327 PACKET ecptformatlist; 1328 1329 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1330 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1331 return 0; 1332 } 1333 if (!s->hit) { 1334 ecpointformats_len = PACKET_remaining(&ecptformatlist); 1335 if (ecpointformats_len == 0) { 1336 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1337 return 0; 1338 } 1339 1340 s->ext.peer_ecpointformats_len = 0; 1341 OPENSSL_free(s->ext.peer_ecpointformats); 1342 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); 1343 if (s->ext.peer_ecpointformats == NULL) { 1344 s->ext.peer_ecpointformats_len = 0; 1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1346 return 0; 1347 } 1348 1349 s->ext.peer_ecpointformats_len = ecpointformats_len; 1350 1351 if (!PACKET_copy_bytes(&ecptformatlist, 1352 s->ext.peer_ecpointformats, 1353 ecpointformats_len)) { 1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1355 return 0; 1356 } 1357 } 1358 1359 return 1; 1360 } 1361 1362 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, 1363 X509 *x, size_t chainidx) 1364 { 1365 if (s->ext.session_ticket_cb != NULL && 1366 !s->ext.session_ticket_cb(s, PACKET_data(pkt), 1367 PACKET_remaining(pkt), 1368 s->ext.session_ticket_cb_arg)) { 1369 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1370 return 0; 1371 } 1372 1373 if (!tls_use_ticket(s)) { 1374 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1375 return 0; 1376 } 1377 if (PACKET_remaining(pkt) > 0) { 1378 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1379 return 0; 1380 } 1381 1382 s->ext.ticket_expected = 1; 1383 1384 return 1; 1385 } 1386 1387 #ifndef OPENSSL_NO_OCSP 1388 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, 1389 X509 *x, size_t chainidx) 1390 { 1391 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1392 /* We ignore this if the server sends a CertificateRequest */ 1393 return 1; 1394 } 1395 1396 /* 1397 * MUST only be sent if we've requested a status 1398 * request message. In TLS <= 1.2 it must also be empty. 1399 */ 1400 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 1401 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1402 return 0; 1403 } 1404 if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { 1405 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1406 return 0; 1407 } 1408 1409 if (SSL_IS_TLS13(s)) { 1410 /* We only know how to handle this if it's for the first Certificate in 1411 * the chain. We ignore any other responses. 1412 */ 1413 if (chainidx != 0) 1414 return 1; 1415 1416 /* SSLfatal() already called */ 1417 return tls_process_cert_status_body(s, pkt); 1418 } 1419 1420 /* Set flag to expect CertificateStatus message */ 1421 s->ext.status_expected = 1; 1422 1423 return 1; 1424 } 1425 #endif 1426 1427 1428 #ifndef OPENSSL_NO_CT 1429 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1430 size_t chainidx) 1431 { 1432 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1433 /* We ignore this if the server sends it in a CertificateRequest */ 1434 return 1; 1435 } 1436 1437 /* 1438 * Only take it if we asked for it - i.e if there is no CT validation 1439 * callback set, then a custom extension MAY be processing it, so we 1440 * need to let control continue to flow to that. 1441 */ 1442 if (s->ct_validation_callback != NULL) { 1443 size_t size = PACKET_remaining(pkt); 1444 1445 /* Simply copy it off for later processing */ 1446 OPENSSL_free(s->ext.scts); 1447 s->ext.scts = NULL; 1448 1449 s->ext.scts_len = (uint16_t)size; 1450 if (size > 0) { 1451 s->ext.scts = OPENSSL_malloc(size); 1452 if (s->ext.scts == NULL) { 1453 s->ext.scts_len = 0; 1454 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1455 return 0; 1456 } 1457 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { 1458 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1459 return 0; 1460 } 1461 } 1462 } else { 1463 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 1464 ? ENDPOINT_CLIENT : ENDPOINT_BOTH; 1465 1466 /* 1467 * If we didn't ask for it then there must be a custom extension, 1468 * otherwise this is unsolicited. 1469 */ 1470 if (custom_ext_find(&s->cert->custext, role, 1471 TLSEXT_TYPE_signed_certificate_timestamp, 1472 NULL) == NULL) { 1473 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1474 return 0; 1475 } 1476 1477 if (!custom_ext_parse(s, context, 1478 TLSEXT_TYPE_signed_certificate_timestamp, 1479 PACKET_data(pkt), PACKET_remaining(pkt), 1480 x, chainidx)) { 1481 /* SSLfatal already called */ 1482 return 0; 1483 } 1484 } 1485 1486 return 1; 1487 } 1488 #endif 1489 1490 1491 #ifndef OPENSSL_NO_NEXTPROTONEG 1492 /* 1493 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1494 * elements of zero length are allowed and the set of elements must exactly 1495 * fill the length of the block. Returns 1 on success or 0 on failure. 1496 */ 1497 static int ssl_next_proto_validate(SSL *s, PACKET *pkt) 1498 { 1499 PACKET tmp_protocol; 1500 1501 while (PACKET_remaining(pkt)) { 1502 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 1503 || PACKET_remaining(&tmp_protocol) == 0) { 1504 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1505 return 0; 1506 } 1507 } 1508 1509 return 1; 1510 } 1511 1512 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1513 size_t chainidx) 1514 { 1515 unsigned char *selected; 1516 unsigned char selected_len; 1517 PACKET tmppkt; 1518 1519 /* Check if we are in a renegotiation. If so ignore this extension */ 1520 if (!SSL_IS_FIRST_HANDSHAKE(s)) 1521 return 1; 1522 1523 /* We must have requested it. */ 1524 if (s->ctx->ext.npn_select_cb == NULL) { 1525 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1526 return 0; 1527 } 1528 1529 /* The data must be valid */ 1530 tmppkt = *pkt; 1531 if (!ssl_next_proto_validate(s, &tmppkt)) { 1532 /* SSLfatal() already called */ 1533 return 0; 1534 } 1535 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, 1536 PACKET_data(pkt), 1537 PACKET_remaining(pkt), 1538 s->ctx->ext.npn_select_cb_arg) != 1539 SSL_TLSEXT_ERR_OK) { 1540 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1541 return 0; 1542 } 1543 1544 /* 1545 * Could be non-NULL if server has sent multiple NPN extensions in 1546 * a single Serverhello 1547 */ 1548 OPENSSL_free(s->ext.npn); 1549 s->ext.npn = OPENSSL_malloc(selected_len); 1550 if (s->ext.npn == NULL) { 1551 s->ext.npn_len = 0; 1552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1553 return 0; 1554 } 1555 1556 memcpy(s->ext.npn, selected, selected_len); 1557 s->ext.npn_len = selected_len; 1558 s->s3.npn_seen = 1; 1559 1560 return 1; 1561 } 1562 #endif 1563 1564 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1565 size_t chainidx) 1566 { 1567 size_t len; 1568 1569 /* We must have requested it. */ 1570 if (!s->s3.alpn_sent) { 1571 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1572 return 0; 1573 } 1574 /*- 1575 * The extension data consists of: 1576 * uint16 list_length 1577 * uint8 proto_length; 1578 * uint8 proto[proto_length]; 1579 */ 1580 if (!PACKET_get_net_2_len(pkt, &len) 1581 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) 1582 || PACKET_remaining(pkt) != len) { 1583 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1584 return 0; 1585 } 1586 OPENSSL_free(s->s3.alpn_selected); 1587 s->s3.alpn_selected = OPENSSL_malloc(len); 1588 if (s->s3.alpn_selected == NULL) { 1589 s->s3.alpn_selected_len = 0; 1590 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1591 return 0; 1592 } 1593 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { 1594 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1595 return 0; 1596 } 1597 s->s3.alpn_selected_len = len; 1598 1599 if (s->session->ext.alpn_selected == NULL 1600 || s->session->ext.alpn_selected_len != len 1601 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) 1602 != 0) { 1603 /* ALPN not consistent with the old session so cannot use early_data */ 1604 s->ext.early_data_ok = 0; 1605 } 1606 if (!s->hit) { 1607 /* 1608 * This is a new session and so alpn_selected should have been 1609 * initialised to NULL. We should update it with the selected ALPN. 1610 */ 1611 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 1612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1613 return 0; 1614 } 1615 s->session->ext.alpn_selected = 1616 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); 1617 if (s->session->ext.alpn_selected == NULL) { 1618 s->session->ext.alpn_selected_len = 0; 1619 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1620 return 0; 1621 } 1622 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; 1623 } 1624 1625 return 1; 1626 } 1627 1628 #ifndef OPENSSL_NO_SRTP 1629 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1630 size_t chainidx) 1631 { 1632 unsigned int id, ct, mki; 1633 int i; 1634 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1635 SRTP_PROTECTION_PROFILE *prof; 1636 1637 if (!PACKET_get_net_2(pkt, &ct) || ct != 2 1638 || !PACKET_get_net_2(pkt, &id) 1639 || !PACKET_get_1(pkt, &mki) 1640 || PACKET_remaining(pkt) != 0) { 1641 SSLfatal(s, SSL_AD_DECODE_ERROR, 1642 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1643 return 0; 1644 } 1645 1646 if (mki != 0) { 1647 /* Must be no MKI, since we never offer one */ 1648 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE); 1649 return 0; 1650 } 1651 1652 /* Throw an error if the server gave us an unsolicited extension */ 1653 clnt = SSL_get_srtp_profiles(s); 1654 if (clnt == NULL) { 1655 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES); 1656 return 0; 1657 } 1658 1659 /* 1660 * Check to see if the server gave us something we support (and 1661 * presumably offered) 1662 */ 1663 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1664 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 1665 1666 if (prof->id == id) { 1667 s->srtp_profile = prof; 1668 return 1; 1669 } 1670 } 1671 1672 SSLfatal(s, SSL_AD_DECODE_ERROR, 1673 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1674 return 0; 1675 } 1676 #endif 1677 1678 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1679 size_t chainidx) 1680 { 1681 /* Ignore if inappropriate ciphersuite */ 1682 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 1683 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD 1684 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 1685 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT 1686 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 1687 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA 1688 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) 1689 s->ext.use_etm = 1; 1690 1691 return 1; 1692 } 1693 1694 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1695 size_t chainidx) 1696 { 1697 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 1698 return 1; 1699 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; 1700 if (!s->hit) 1701 s->session->flags |= SSL_SESS_FLAG_EXTMS; 1702 1703 return 1; 1704 } 1705 1706 int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, 1707 X509 *x, size_t chainidx) 1708 { 1709 unsigned int version; 1710 1711 if (!PACKET_get_net_2(pkt, &version) 1712 || PACKET_remaining(pkt) != 0) { 1713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1714 return 0; 1715 } 1716 1717 /* 1718 * The only protocol version we support which is valid in this extension in 1719 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. 1720 */ 1721 if (version != TLS1_3_VERSION) { 1722 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1723 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1724 return 0; 1725 } 1726 1727 /* We ignore this extension for HRRs except to sanity check it */ 1728 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) 1729 return 1; 1730 1731 /* We just set it here. We validate it in ssl_choose_client_version */ 1732 s->version = version; 1733 1734 return 1; 1735 } 1736 1737 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1738 size_t chainidx) 1739 { 1740 #ifndef OPENSSL_NO_TLS1_3 1741 unsigned int group_id; 1742 PACKET encoded_pt; 1743 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; 1744 const TLS_GROUP_INFO *ginf = NULL; 1745 1746 /* Sanity check */ 1747 if (ckey == NULL || s->s3.peer_tmp != NULL) { 1748 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1749 return 0; 1750 } 1751 1752 if (!PACKET_get_net_2(pkt, &group_id)) { 1753 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1754 return 0; 1755 } 1756 1757 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { 1758 const uint16_t *pgroups = NULL; 1759 size_t i, num_groups; 1760 1761 if (PACKET_remaining(pkt) != 0) { 1762 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1763 return 0; 1764 } 1765 1766 /* 1767 * It is an error if the HelloRetryRequest wants a key_share that we 1768 * already sent in the first ClientHello 1769 */ 1770 if (group_id == s->s3.group_id) { 1771 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1772 return 0; 1773 } 1774 1775 /* Validate the selected group is one we support */ 1776 tls1_get_supported_groups(s, &pgroups, &num_groups); 1777 for (i = 0; i < num_groups; i++) { 1778 if (group_id == pgroups[i]) 1779 break; 1780 } 1781 if (i >= num_groups 1782 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) 1783 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, 1784 0, NULL)) { 1785 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1786 return 0; 1787 } 1788 1789 s->s3.group_id = group_id; 1790 EVP_PKEY_free(s->s3.tmp.pkey); 1791 s->s3.tmp.pkey = NULL; 1792 return 1; 1793 } 1794 1795 if (group_id != s->s3.group_id) { 1796 /* 1797 * This isn't for the group that we sent in the original 1798 * key_share! 1799 */ 1800 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1801 return 0; 1802 } 1803 /* Retain this group in the SSL_SESSION */ 1804 if (!s->hit) { 1805 s->session->kex_group = group_id; 1806 } else if (group_id != s->session->kex_group) { 1807 /* 1808 * If this is a resumption but changed what group was used, we need 1809 * to record the new group in the session, but the session is not 1810 * a new session and could be in use by other threads. So, make 1811 * a copy of the session to record the new information so that it's 1812 * useful for any sessions resumed from tickets issued on this 1813 * connection. 1814 */ 1815 SSL_SESSION *new_sess; 1816 1817 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) { 1818 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1819 return 0; 1820 } 1821 SSL_SESSION_free(s->session); 1822 s->session = new_sess; 1823 s->session->kex_group = group_id; 1824 } 1825 1826 if ((ginf = tls1_group_id_lookup(s->ctx, group_id)) == NULL) { 1827 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1828 return 0; 1829 } 1830 1831 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) 1832 || PACKET_remaining(&encoded_pt) == 0) { 1833 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1834 return 0; 1835 } 1836 1837 if (!ginf->is_kem) { 1838 /* Regular KEX */ 1839 skey = EVP_PKEY_new(); 1840 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { 1841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); 1842 EVP_PKEY_free(skey); 1843 return 0; 1844 } 1845 1846 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt), 1847 PACKET_remaining(&encoded_pt)) <= 0) { 1848 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 1849 EVP_PKEY_free(skey); 1850 return 0; 1851 } 1852 1853 if (ssl_derive(s, ckey, skey, 1) == 0) { 1854 /* SSLfatal() already called */ 1855 EVP_PKEY_free(skey); 1856 return 0; 1857 } 1858 s->s3.peer_tmp = skey; 1859 } else { 1860 /* KEM Mode */ 1861 const unsigned char *ct = PACKET_data(&encoded_pt); 1862 size_t ctlen = PACKET_remaining(&encoded_pt); 1863 1864 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) { 1865 /* SSLfatal() already called */ 1866 return 0; 1867 } 1868 } 1869 s->s3.did_kex = 1; 1870 #endif 1871 1872 return 1; 1873 } 1874 1875 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1876 size_t chainidx) 1877 { 1878 PACKET cookie; 1879 1880 if (!PACKET_as_length_prefixed_2(pkt, &cookie) 1881 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, 1882 &s->ext.tls13_cookie_len)) { 1883 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1884 return 0; 1885 } 1886 1887 return 1; 1888 } 1889 1890 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, 1891 X509 *x, size_t chainidx) 1892 { 1893 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 1894 unsigned long max_early_data; 1895 1896 if (!PACKET_get_net_4(pkt, &max_early_data) 1897 || PACKET_remaining(pkt) != 0) { 1898 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA); 1899 return 0; 1900 } 1901 1902 s->session->ext.max_early_data = max_early_data; 1903 1904 return 1; 1905 } 1906 1907 if (PACKET_remaining(pkt) != 0) { 1908 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1909 return 0; 1910 } 1911 1912 if (!s->ext.early_data_ok 1913 || !s->hit) { 1914 /* 1915 * If we get here then we didn't send early data, or we didn't resume 1916 * using the first identity, or the SNI/ALPN is not consistent so the 1917 * server should not be accepting it. 1918 */ 1919 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 1920 return 0; 1921 } 1922 1923 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 1924 1925 return 1; 1926 } 1927 1928 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1929 size_t chainidx) 1930 { 1931 #ifndef OPENSSL_NO_TLS1_3 1932 unsigned int identity; 1933 1934 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { 1935 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1936 return 0; 1937 } 1938 1939 if (identity >= (unsigned int)s->ext.tick_identity) { 1940 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY); 1941 return 0; 1942 } 1943 1944 /* 1945 * Session resumption tickets are always sent before PSK tickets. If the 1946 * ticket index is 0 then it must be for a session resumption ticket if we 1947 * sent two tickets, or if we didn't send a PSK ticket. 1948 */ 1949 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { 1950 s->hit = 1; 1951 SSL_SESSION_free(s->psksession); 1952 s->psksession = NULL; 1953 return 1; 1954 } 1955 1956 if (s->psksession == NULL) { 1957 /* Should never happen */ 1958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1959 return 0; 1960 } 1961 1962 /* 1963 * If we used the external PSK for sending early_data then s->early_secret 1964 * is already set up, so don't overwrite it. Otherwise we copy the 1965 * early_secret across that we generated earlier. 1966 */ 1967 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 1968 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 1969 || s->session->ext.max_early_data > 0 1970 || s->psksession->ext.max_early_data == 0) 1971 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); 1972 1973 SSL_SESSION_free(s->session); 1974 s->session = s->psksession; 1975 s->psksession = NULL; 1976 s->hit = 1; 1977 /* Early data is only allowed if we used the first ticket */ 1978 if (identity != 0) 1979 s->ext.early_data_ok = 0; 1980 #endif 1981 1982 return 1; 1983 } 1984