1 /* 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "internal/cryptlib.h" 13 #include "statem_local.h" 14 15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, 16 unsigned int context, X509 *x, 17 size_t chainidx) 18 { 19 /* Add RI if renegotiating */ 20 if (!s->renegotiate) 21 return EXT_RETURN_NOT_SENT; 22 23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 24 || !WPACKET_start_sub_packet_u16(pkt) 25 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished, 26 s->s3->previous_client_finished_len) 27 || !WPACKET_close(pkt)) { 28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, 29 ERR_R_INTERNAL_ERROR); 30 return EXT_RETURN_FAIL; 31 } 32 33 return EXT_RETURN_SENT; 34 } 35 36 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, 37 unsigned int context, X509 *x, 38 size_t chainidx) 39 { 40 if (s->ext.hostname == NULL) 41 return EXT_RETURN_NOT_SENT; 42 43 /* Add TLS extension servername to the Client Hello message */ 44 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 45 /* Sub-packet for server_name extension */ 46 || !WPACKET_start_sub_packet_u16(pkt) 47 /* Sub-packet for servername list (always 1 hostname)*/ 48 || !WPACKET_start_sub_packet_u16(pkt) 49 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) 50 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, 51 strlen(s->ext.hostname)) 52 || !WPACKET_close(pkt) 53 || !WPACKET_close(pkt)) { 54 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, 55 ERR_R_INTERNAL_ERROR); 56 return EXT_RETURN_FAIL; 57 } 58 59 return EXT_RETURN_SENT; 60 } 61 62 /* Push a Max Fragment Len extension into ClientHello */ 63 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, 64 unsigned int context, X509 *x, 65 size_t chainidx) 66 { 67 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) 68 return EXT_RETURN_NOT_SENT; 69 70 /* Add Max Fragment Length extension if client enabled it. */ 71 /*- 72 * 4 bytes for this extension type and extension length 73 * 1 byte for the Max Fragment Length code value. 74 */ 75 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 76 /* Sub-packet for Max Fragment Length extension (1 byte) */ 77 || !WPACKET_start_sub_packet_u16(pkt) 78 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) 79 || !WPACKET_close(pkt)) { 80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 81 SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); 82 return EXT_RETURN_FAIL; 83 } 84 85 return EXT_RETURN_SENT; 86 } 87 88 #ifndef OPENSSL_NO_SRP 89 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, 90 X509 *x, size_t chainidx) 91 { 92 /* Add SRP username if there is one */ 93 if (s->srp_ctx.login == NULL) 94 return EXT_RETURN_NOT_SENT; 95 96 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) 97 /* Sub-packet for SRP extension */ 98 || !WPACKET_start_sub_packet_u16(pkt) 99 || !WPACKET_start_sub_packet_u8(pkt) 100 /* login must not be zero...internal error if so */ 101 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 102 || !WPACKET_memcpy(pkt, s->srp_ctx.login, 103 strlen(s->srp_ctx.login)) 104 || !WPACKET_close(pkt) 105 || !WPACKET_close(pkt)) { 106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP, 107 ERR_R_INTERNAL_ERROR); 108 return EXT_RETURN_FAIL; 109 } 110 111 return EXT_RETURN_SENT; 112 } 113 #endif 114 115 #ifndef OPENSSL_NO_EC 116 static int use_ecc(SSL *s) 117 { 118 int i, end, ret = 0; 119 unsigned long alg_k, alg_a; 120 STACK_OF(SSL_CIPHER) *cipher_stack = NULL; 121 const uint16_t *pgroups = NULL; 122 size_t num_groups, j; 123 124 /* See if we support any ECC ciphersuites */ 125 if (s->version == SSL3_VERSION) 126 return 0; 127 128 cipher_stack = SSL_get1_supported_ciphers(s); 129 end = sk_SSL_CIPHER_num(cipher_stack); 130 for (i = 0; i < end; i++) { 131 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 132 133 alg_k = c->algorithm_mkey; 134 alg_a = c->algorithm_auth; 135 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 136 || (alg_a & SSL_aECDSA) 137 || c->min_tls >= TLS1_3_VERSION) { 138 ret = 1; 139 break; 140 } 141 } 142 143 sk_SSL_CIPHER_free(cipher_stack); 144 if (!ret) 145 return 0; 146 147 /* Check we have at least one EC supported group */ 148 tls1_get_supported_groups(s, &pgroups, &num_groups); 149 for (j = 0; j < num_groups; j++) { 150 uint16_t ctmp = pgroups[j]; 151 152 if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) 153 return 1; 154 } 155 156 return 0; 157 } 158 159 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, 160 unsigned int context, X509 *x, 161 size_t chainidx) 162 { 163 const unsigned char *pformats; 164 size_t num_formats; 165 166 if (!use_ecc(s)) 167 return EXT_RETURN_NOT_SENT; 168 169 /* Add TLS extension ECPointFormats to the ClientHello message */ 170 tls1_get_formatlist(s, &pformats, &num_formats); 171 172 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 173 /* Sub-packet for formats extension */ 174 || !WPACKET_start_sub_packet_u16(pkt) 175 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) 176 || !WPACKET_close(pkt)) { 177 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 178 SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 179 return EXT_RETURN_FAIL; 180 } 181 182 return EXT_RETURN_SENT; 183 } 184 185 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, 186 unsigned int context, X509 *x, 187 size_t chainidx) 188 { 189 const uint16_t *pgroups = NULL; 190 size_t num_groups = 0, i; 191 192 if (!use_ecc(s)) 193 return EXT_RETURN_NOT_SENT; 194 195 /* 196 * Add TLS extension supported_groups to the ClientHello message 197 */ 198 /* TODO(TLS1.3): Add support for DHE groups */ 199 tls1_get_supported_groups(s, &pgroups, &num_groups); 200 201 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 202 /* Sub-packet for supported_groups extension */ 203 || !WPACKET_start_sub_packet_u16(pkt) 204 || !WPACKET_start_sub_packet_u16(pkt)) { 205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 206 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 207 ERR_R_INTERNAL_ERROR); 208 return EXT_RETURN_FAIL; 209 } 210 /* Copy curve ID if supported */ 211 for (i = 0; i < num_groups; i++) { 212 uint16_t ctmp = pgroups[i]; 213 214 if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { 215 if (!WPACKET_put_bytes_u16(pkt, ctmp)) { 216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 217 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 218 ERR_R_INTERNAL_ERROR); 219 return EXT_RETURN_FAIL; 220 } 221 } 222 } 223 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 225 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, 226 ERR_R_INTERNAL_ERROR); 227 return EXT_RETURN_FAIL; 228 } 229 230 return EXT_RETURN_SENT; 231 } 232 #endif 233 234 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, 235 unsigned int context, X509 *x, 236 size_t chainidx) 237 { 238 size_t ticklen; 239 240 if (!tls_use_ticket(s)) 241 return EXT_RETURN_NOT_SENT; 242 243 if (!s->new_session && s->session != NULL 244 && s->session->ext.tick != NULL 245 && s->session->ssl_version != TLS1_3_VERSION) { 246 ticklen = s->session->ext.ticklen; 247 } else if (s->session && s->ext.session_ticket != NULL 248 && s->ext.session_ticket->data != NULL) { 249 ticklen = s->ext.session_ticket->length; 250 s->session->ext.tick = OPENSSL_malloc(ticklen); 251 if (s->session->ext.tick == NULL) { 252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 253 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, 254 ERR_R_INTERNAL_ERROR); 255 return EXT_RETURN_FAIL; 256 } 257 memcpy(s->session->ext.tick, 258 s->ext.session_ticket->data, ticklen); 259 s->session->ext.ticklen = ticklen; 260 } else { 261 ticklen = 0; 262 } 263 264 if (ticklen == 0 && s->ext.session_ticket != NULL && 265 s->ext.session_ticket->data == NULL) 266 return EXT_RETURN_NOT_SENT; 267 268 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 269 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { 270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 271 SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); 272 return EXT_RETURN_FAIL; 273 } 274 275 return EXT_RETURN_SENT; 276 } 277 278 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, 279 unsigned int context, X509 *x, 280 size_t chainidx) 281 { 282 size_t salglen; 283 const uint16_t *salg; 284 285 if (!SSL_CLIENT_USE_SIGALGS(s)) 286 return EXT_RETURN_NOT_SENT; 287 288 salglen = tls12_get_psigalgs(s, 1, &salg); 289 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) 290 /* Sub-packet for sig-algs extension */ 291 || !WPACKET_start_sub_packet_u16(pkt) 292 /* Sub-packet for the actual list */ 293 || !WPACKET_start_sub_packet_u16(pkt) 294 || !tls12_copy_sigalgs(s, pkt, salg, salglen) 295 || !WPACKET_close(pkt) 296 || !WPACKET_close(pkt)) { 297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, 298 ERR_R_INTERNAL_ERROR); 299 return EXT_RETURN_FAIL; 300 } 301 302 return EXT_RETURN_SENT; 303 } 304 305 #ifndef OPENSSL_NO_OCSP 306 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, 307 unsigned int context, X509 *x, 308 size_t chainidx) 309 { 310 int i; 311 312 /* This extension isn't defined for client Certificates */ 313 if (x != NULL) 314 return EXT_RETURN_NOT_SENT; 315 316 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) 317 return EXT_RETURN_NOT_SENT; 318 319 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 320 /* Sub-packet for status request extension */ 321 || !WPACKET_start_sub_packet_u16(pkt) 322 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) 323 /* Sub-packet for the ids */ 324 || !WPACKET_start_sub_packet_u16(pkt)) { 325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 326 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); 327 return EXT_RETURN_FAIL; 328 } 329 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { 330 unsigned char *idbytes; 331 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); 332 int idlen = i2d_OCSP_RESPID(id, NULL); 333 334 if (idlen <= 0 335 /* Sub-packet for an individual id */ 336 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) 337 || i2d_OCSP_RESPID(id, &idbytes) != idlen) { 338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 339 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 340 ERR_R_INTERNAL_ERROR); 341 return EXT_RETURN_FAIL; 342 } 343 } 344 if (!WPACKET_close(pkt) 345 || !WPACKET_start_sub_packet_u16(pkt)) { 346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 347 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); 348 return EXT_RETURN_FAIL; 349 } 350 if (s->ext.ocsp.exts) { 351 unsigned char *extbytes; 352 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); 353 354 if (extlen < 0) { 355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 356 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 357 ERR_R_INTERNAL_ERROR); 358 return EXT_RETURN_FAIL; 359 } 360 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) 361 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) 362 != extlen) { 363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 364 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, 365 ERR_R_INTERNAL_ERROR); 366 return EXT_RETURN_FAIL; 367 } 368 } 369 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 371 SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); 372 return EXT_RETURN_FAIL; 373 } 374 375 return EXT_RETURN_SENT; 376 } 377 #endif 378 379 #ifndef OPENSSL_NO_NEXTPROTONEG 380 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, 381 X509 *x, size_t chainidx) 382 { 383 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 384 return EXT_RETURN_NOT_SENT; 385 386 /* 387 * The client advertises an empty extension to indicate its support 388 * for Next Protocol Negotiation 389 */ 390 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 391 || !WPACKET_put_bytes_u16(pkt, 0)) { 392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN, 393 ERR_R_INTERNAL_ERROR); 394 return EXT_RETURN_FAIL; 395 } 396 397 return EXT_RETURN_SENT; 398 } 399 #endif 400 401 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, 402 X509 *x, size_t chainidx) 403 { 404 s->s3->alpn_sent = 0; 405 406 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 407 return EXT_RETURN_NOT_SENT; 408 409 if (!WPACKET_put_bytes_u16(pkt, 410 TLSEXT_TYPE_application_layer_protocol_negotiation) 411 /* Sub-packet ALPN extension */ 412 || !WPACKET_start_sub_packet_u16(pkt) 413 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) 414 || !WPACKET_close(pkt)) { 415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN, 416 ERR_R_INTERNAL_ERROR); 417 return EXT_RETURN_FAIL; 418 } 419 s->s3->alpn_sent = 1; 420 421 return EXT_RETURN_SENT; 422 } 423 424 425 #ifndef OPENSSL_NO_SRTP 426 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, 427 unsigned int context, X509 *x, 428 size_t chainidx) 429 { 430 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); 431 int i, end; 432 433 if (clnt == NULL) 434 return EXT_RETURN_NOT_SENT; 435 436 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 437 /* Sub-packet for SRTP extension */ 438 || !WPACKET_start_sub_packet_u16(pkt) 439 /* Sub-packet for the protection profile list */ 440 || !WPACKET_start_sub_packet_u16(pkt)) { 441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, 442 ERR_R_INTERNAL_ERROR); 443 return EXT_RETURN_FAIL; 444 } 445 446 end = sk_SRTP_PROTECTION_PROFILE_num(clnt); 447 for (i = 0; i < end; i++) { 448 const SRTP_PROTECTION_PROFILE *prof = 449 sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 450 451 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 453 SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); 454 return EXT_RETURN_FAIL; 455 } 456 } 457 if (!WPACKET_close(pkt) 458 /* Add an empty use_mki value */ 459 || !WPACKET_put_bytes_u8(pkt, 0) 460 || !WPACKET_close(pkt)) { 461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, 462 ERR_R_INTERNAL_ERROR); 463 return EXT_RETURN_FAIL; 464 } 465 466 return EXT_RETURN_SENT; 467 } 468 #endif 469 470 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, 471 X509 *x, size_t chainidx) 472 { 473 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 474 return EXT_RETURN_NOT_SENT; 475 476 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 477 || !WPACKET_put_bytes_u16(pkt, 0)) { 478 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM, 479 ERR_R_INTERNAL_ERROR); 480 return EXT_RETURN_FAIL; 481 } 482 483 return EXT_RETURN_SENT; 484 } 485 486 #ifndef OPENSSL_NO_CT 487 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, 488 X509 *x, size_t chainidx) 489 { 490 if (s->ct_validation_callback == NULL) 491 return EXT_RETURN_NOT_SENT; 492 493 /* Not defined for client Certificates */ 494 if (x != NULL) 495 return EXT_RETURN_NOT_SENT; 496 497 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) 498 || !WPACKET_put_bytes_u16(pkt, 0)) { 499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT, 500 ERR_R_INTERNAL_ERROR); 501 return EXT_RETURN_FAIL; 502 } 503 504 return EXT_RETURN_SENT; 505 } 506 #endif 507 508 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, 509 X509 *x, size_t chainidx) 510 { 511 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 512 || !WPACKET_put_bytes_u16(pkt, 0)) { 513 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS, 514 ERR_R_INTERNAL_ERROR); 515 return EXT_RETURN_FAIL; 516 } 517 518 return EXT_RETURN_SENT; 519 } 520 521 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, 522 unsigned int context, X509 *x, 523 size_t chainidx) 524 { 525 int currv, min_version, max_version, reason; 526 527 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 528 if (reason != 0) { 529 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 530 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason); 531 return EXT_RETURN_FAIL; 532 } 533 534 /* 535 * Don't include this if we can't negotiate TLSv1.3. We can do a straight 536 * comparison here because we will never be called in DTLS. 537 */ 538 if (max_version < TLS1_3_VERSION) 539 return EXT_RETURN_NOT_SENT; 540 541 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 542 || !WPACKET_start_sub_packet_u16(pkt) 543 || !WPACKET_start_sub_packet_u8(pkt)) { 544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 545 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 546 ERR_R_INTERNAL_ERROR); 547 return EXT_RETURN_FAIL; 548 } 549 550 for (currv = max_version; currv >= min_version; currv--) { 551 if (!WPACKET_put_bytes_u16(pkt, currv)) { 552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 553 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 554 ERR_R_INTERNAL_ERROR); 555 return EXT_RETURN_FAIL; 556 } 557 } 558 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 559 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 560 SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, 561 ERR_R_INTERNAL_ERROR); 562 return EXT_RETURN_FAIL; 563 } 564 565 return EXT_RETURN_SENT; 566 } 567 568 /* 569 * Construct a psk_kex_modes extension. 570 */ 571 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, 572 unsigned int context, X509 *x, 573 size_t chainidx) 574 { 575 #ifndef OPENSSL_NO_TLS1_3 576 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; 577 578 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) 579 || !WPACKET_start_sub_packet_u16(pkt) 580 || !WPACKET_start_sub_packet_u8(pkt) 581 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) 582 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) 583 || !WPACKET_close(pkt) 584 || !WPACKET_close(pkt)) { 585 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 586 SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR); 587 return EXT_RETURN_FAIL; 588 } 589 590 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; 591 if (nodhe) 592 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 593 #endif 594 595 return EXT_RETURN_SENT; 596 } 597 598 #ifndef OPENSSL_NO_TLS1_3 599 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) 600 { 601 unsigned char *encoded_point = NULL; 602 EVP_PKEY *key_share_key = NULL; 603 size_t encodedlen; 604 605 if (s->s3->tmp.pkey != NULL) { 606 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) { 607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, 608 ERR_R_INTERNAL_ERROR); 609 return 0; 610 } 611 /* 612 * Could happen if we got an HRR that wasn't requesting a new key_share 613 */ 614 key_share_key = s->s3->tmp.pkey; 615 } else { 616 key_share_key = ssl_generate_pkey_group(s, curve_id); 617 if (key_share_key == NULL) { 618 /* SSLfatal() already called */ 619 return 0; 620 } 621 } 622 623 /* Encode the public key. */ 624 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, 625 &encoded_point); 626 if (encodedlen == 0) { 627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB); 628 goto err; 629 } 630 631 /* Create KeyShareEntry */ 632 if (!WPACKET_put_bytes_u16(pkt, curve_id) 633 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { 634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, 635 ERR_R_INTERNAL_ERROR); 636 goto err; 637 } 638 639 /* 640 * TODO(TLS1.3): When changing to send more than one key_share we're 641 * going to need to be able to save more than one EVP_PKEY. For now 642 * we reuse the existing tmp.pkey 643 */ 644 s->s3->tmp.pkey = key_share_key; 645 s->s3->group_id = curve_id; 646 OPENSSL_free(encoded_point); 647 648 return 1; 649 err: 650 if (s->s3->tmp.pkey == NULL) 651 EVP_PKEY_free(key_share_key); 652 OPENSSL_free(encoded_point); 653 return 0; 654 } 655 #endif 656 657 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, 658 unsigned int context, X509 *x, 659 size_t chainidx) 660 { 661 #ifndef OPENSSL_NO_TLS1_3 662 size_t i, num_groups = 0; 663 const uint16_t *pgroups = NULL; 664 uint16_t curve_id = 0; 665 666 /* key_share extension */ 667 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 668 /* Extension data sub-packet */ 669 || !WPACKET_start_sub_packet_u16(pkt) 670 /* KeyShare list sub-packet */ 671 || !WPACKET_start_sub_packet_u16(pkt)) { 672 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 673 ERR_R_INTERNAL_ERROR); 674 return EXT_RETURN_FAIL; 675 } 676 677 tls1_get_supported_groups(s, &pgroups, &num_groups); 678 679 /* 680 * TODO(TLS1.3): Make the number of key_shares sent configurable. For 681 * now, just send one 682 */ 683 if (s->s3->group_id != 0) { 684 curve_id = s->s3->group_id; 685 } else { 686 for (i = 0; i < num_groups; i++) { 687 688 if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) 689 continue; 690 691 curve_id = pgroups[i]; 692 break; 693 } 694 } 695 696 if (curve_id == 0) { 697 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 698 SSL_R_NO_SUITABLE_KEY_SHARE); 699 return EXT_RETURN_FAIL; 700 } 701 702 if (!add_key_share(s, pkt, curve_id)) { 703 /* SSLfatal() already called */ 704 return EXT_RETURN_FAIL; 705 } 706 707 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, 709 ERR_R_INTERNAL_ERROR); 710 return EXT_RETURN_FAIL; 711 } 712 return EXT_RETURN_SENT; 713 #else 714 return EXT_RETURN_NOT_SENT; 715 #endif 716 } 717 718 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, 719 X509 *x, size_t chainidx) 720 { 721 EXT_RETURN ret = EXT_RETURN_FAIL; 722 723 /* Should only be set if we've had an HRR */ 724 if (s->ext.tls13_cookie_len == 0) 725 return EXT_RETURN_NOT_SENT; 726 727 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 728 /* Extension data sub-packet */ 729 || !WPACKET_start_sub_packet_u16(pkt) 730 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 731 s->ext.tls13_cookie_len) 732 || !WPACKET_close(pkt)) { 733 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, 734 ERR_R_INTERNAL_ERROR); 735 goto end; 736 } 737 738 ret = EXT_RETURN_SENT; 739 end: 740 OPENSSL_free(s->ext.tls13_cookie); 741 s->ext.tls13_cookie = NULL; 742 s->ext.tls13_cookie_len = 0; 743 744 return ret; 745 } 746 747 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, 748 unsigned int context, X509 *x, 749 size_t chainidx) 750 { 751 #ifndef OPENSSL_NO_PSK 752 char identity[PSK_MAX_IDENTITY_LEN + 1]; 753 #endif /* OPENSSL_NO_PSK */ 754 const unsigned char *id = NULL; 755 size_t idlen = 0; 756 SSL_SESSION *psksess = NULL; 757 SSL_SESSION *edsess = NULL; 758 const EVP_MD *handmd = NULL; 759 760 if (s->hello_retry_request == SSL_HRR_PENDING) 761 handmd = ssl_handshake_md(s); 762 763 if (s->psk_use_session_cb != NULL 764 && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess) 765 || (psksess != NULL 766 && psksess->ssl_version != TLS1_3_VERSION))) { 767 SSL_SESSION_free(psksess); 768 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 769 SSL_R_BAD_PSK); 770 return EXT_RETURN_FAIL; 771 } 772 773 #ifndef OPENSSL_NO_PSK 774 if (psksess == NULL && s->psk_client_callback != NULL) { 775 unsigned char psk[PSK_MAX_PSK_LEN]; 776 size_t psklen = 0; 777 778 memset(identity, 0, sizeof(identity)); 779 psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1, 780 psk, sizeof(psk)); 781 782 if (psklen > PSK_MAX_PSK_LEN) { 783 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 784 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 785 return EXT_RETURN_FAIL; 786 } else if (psklen > 0) { 787 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 788 const SSL_CIPHER *cipher; 789 790 idlen = strlen(identity); 791 if (idlen > PSK_MAX_IDENTITY_LEN) { 792 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 793 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 794 ERR_R_INTERNAL_ERROR); 795 return EXT_RETURN_FAIL; 796 } 797 id = (unsigned char *)identity; 798 799 /* 800 * We found a PSK using an old style callback. We don't know 801 * the digest so we default to SHA256 as per the TLSv1.3 spec 802 */ 803 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); 804 if (cipher == NULL) { 805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 806 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 807 ERR_R_INTERNAL_ERROR); 808 return EXT_RETURN_FAIL; 809 } 810 811 psksess = SSL_SESSION_new(); 812 if (psksess == NULL 813 || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 814 || !SSL_SESSION_set_cipher(psksess, cipher) 815 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 816 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 817 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 818 ERR_R_INTERNAL_ERROR); 819 OPENSSL_cleanse(psk, psklen); 820 return EXT_RETURN_FAIL; 821 } 822 OPENSSL_cleanse(psk, psklen); 823 } 824 } 825 #endif /* OPENSSL_NO_PSK */ 826 827 SSL_SESSION_free(s->psksession); 828 s->psksession = psksess; 829 if (psksess != NULL) { 830 OPENSSL_free(s->psksession_id); 831 s->psksession_id = OPENSSL_memdup(id, idlen); 832 if (s->psksession_id == NULL) { 833 s->psksession_id_len = 0; 834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 835 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 836 return EXT_RETURN_FAIL; 837 } 838 s->psksession_id_len = idlen; 839 } 840 841 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 842 || (s->session->ext.max_early_data == 0 843 && (psksess == NULL || psksess->ext.max_early_data == 0))) { 844 s->max_early_data = 0; 845 return EXT_RETURN_NOT_SENT; 846 } 847 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; 848 s->max_early_data = edsess->ext.max_early_data; 849 850 if (edsess->ext.hostname != NULL) { 851 if (s->ext.hostname == NULL 852 || (s->ext.hostname != NULL 853 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 854 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 855 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 856 SSL_R_INCONSISTENT_EARLY_DATA_SNI); 857 return EXT_RETURN_FAIL; 858 } 859 } 860 861 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 862 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 863 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 864 return EXT_RETURN_FAIL; 865 } 866 867 /* 868 * Verify that we are offering an ALPN protocol consistent with the early 869 * data. 870 */ 871 if (edsess->ext.alpn_selected != NULL) { 872 PACKET prots, alpnpkt; 873 int found = 0; 874 875 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 877 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); 878 return EXT_RETURN_FAIL; 879 } 880 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 881 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 882 edsess->ext.alpn_selected_len)) { 883 found = 1; 884 break; 885 } 886 } 887 if (!found) { 888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 889 SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 890 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 891 return EXT_RETURN_FAIL; 892 } 893 } 894 895 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 896 || !WPACKET_start_sub_packet_u16(pkt) 897 || !WPACKET_close(pkt)) { 898 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, 899 ERR_R_INTERNAL_ERROR); 900 return EXT_RETURN_FAIL; 901 } 902 903 /* 904 * We set this to rejected here. Later, if the server acknowledges the 905 * extension, we set it to accepted. 906 */ 907 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 908 s->ext.early_data_ok = 1; 909 910 return EXT_RETURN_SENT; 911 } 912 913 #define F5_WORKAROUND_MIN_MSG_LEN 0xff 914 #define F5_WORKAROUND_MAX_MSG_LEN 0x200 915 916 /* 917 * PSK pre binder overhead = 918 * 2 bytes for TLSEXT_TYPE_psk 919 * 2 bytes for extension length 920 * 2 bytes for identities list length 921 * 2 bytes for identity length 922 * 4 bytes for obfuscated_ticket_age 923 * 2 bytes for binder list length 924 * 1 byte for binder length 925 * The above excludes the number of bytes for the identity itself and the 926 * subsequent binder bytes 927 */ 928 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 929 930 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, 931 unsigned int context, X509 *x, 932 size_t chainidx) 933 { 934 unsigned char *padbytes; 935 size_t hlen; 936 937 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 938 return EXT_RETURN_NOT_SENT; 939 940 /* 941 * Add padding to workaround bugs in F5 terminators. See RFC7685. 942 * This code calculates the length of all extensions added so far but 943 * excludes the PSK extension (because that MUST be written last). Therefore 944 * this extension MUST always appear second to last. 945 */ 946 if (!WPACKET_get_total_written(pkt, &hlen)) { 947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 948 ERR_R_INTERNAL_ERROR); 949 return EXT_RETURN_FAIL; 950 } 951 952 /* 953 * If we're going to send a PSK then that will be written out after this 954 * extension, so we need to calculate how long it is going to be. 955 */ 956 if (s->session->ssl_version == TLS1_3_VERSION 957 && s->session->ext.ticklen != 0 958 && s->session->cipher != NULL) { 959 const EVP_MD *md = ssl_md(s->session->cipher->algorithm2); 960 961 if (md != NULL) { 962 /* 963 * Add the fixed PSK overhead, the identity length and the binder 964 * length. 965 */ 966 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 967 + EVP_MD_size(md); 968 } 969 } 970 971 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 972 /* Calculate the amount of padding we need to add */ 973 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 974 975 /* 976 * Take off the size of extension header itself (2 bytes for type and 977 * 2 bytes for length bytes), but ensure that the extension is at least 978 * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 979 * 8.x are intolerant of that condition) 980 */ 981 if (hlen > 4) 982 hlen -= 4; 983 else 984 hlen = 1; 985 986 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 987 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, 989 ERR_R_INTERNAL_ERROR); 990 return EXT_RETURN_FAIL; 991 } 992 memset(padbytes, 0, hlen); 993 } 994 995 return EXT_RETURN_SENT; 996 } 997 998 /* 999 * Construct the pre_shared_key extension 1000 */ 1001 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, 1002 X509 *x, size_t chainidx) 1003 { 1004 #ifndef OPENSSL_NO_TLS1_3 1005 uint32_t agesec, agems = 0; 1006 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; 1007 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 1008 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 1009 int dores = 0; 1010 1011 s->ext.tick_identity = 0; 1012 1013 /* 1014 * Note: At this stage of the code we only support adding a single 1015 * resumption PSK. If we add support for multiple PSKs then the length 1016 * calculations in the padding extension will need to be adjusted. 1017 */ 1018 1019 /* 1020 * If this is an incompatible or new session then we have nothing to resume 1021 * so don't add this extension. 1022 */ 1023 if (s->session->ssl_version != TLS1_3_VERSION 1024 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1025 return EXT_RETURN_NOT_SENT; 1026 1027 if (s->hello_retry_request == SSL_HRR_PENDING) 1028 handmd = ssl_handshake_md(s); 1029 1030 if (s->session->ext.ticklen != 0) { 1031 /* Get the digest associated with the ciphersuite in the session */ 1032 if (s->session->cipher == NULL) { 1033 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1034 ERR_R_INTERNAL_ERROR); 1035 return EXT_RETURN_FAIL; 1036 } 1037 mdres = ssl_md(s->session->cipher->algorithm2); 1038 if (mdres == NULL) { 1039 /* 1040 * Don't recognize this cipher so we can't use the session. 1041 * Ignore it 1042 */ 1043 goto dopsksess; 1044 } 1045 1046 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1047 /* 1048 * Selected ciphersuite hash does not match the hash for the session 1049 * so we can't use it. 1050 */ 1051 goto dopsksess; 1052 } 1053 1054 /* 1055 * Technically the C standard just says time() returns a time_t and says 1056 * nothing about the encoding of that type. In practice most 1057 * implementations follow POSIX which holds it as an integral type in 1058 * seconds since epoch. We've already made the assumption that we can do 1059 * this in multiple places in the code, so portability shouldn't be an 1060 * issue. 1061 */ 1062 agesec = (uint32_t)(time(NULL) - s->session->time); 1063 /* 1064 * We calculate the age in seconds but the server may work in ms. Due to 1065 * rounding errors we could overestimate the age by up to 1s. It is 1066 * better to underestimate it. Otherwise, if the RTT is very short, when 1067 * the server calculates the age reported by the client it could be 1068 * bigger than the age calculated on the server - which should never 1069 * happen. 1070 */ 1071 if (agesec > 0) 1072 agesec--; 1073 1074 if (s->session->ext.tick_lifetime_hint < agesec) { 1075 /* Ticket is too old. Ignore it. */ 1076 goto dopsksess; 1077 } 1078 1079 /* 1080 * Calculate age in ms. We're just doing it to nearest second. Should be 1081 * good enough. 1082 */ 1083 agems = agesec * (uint32_t)1000; 1084 1085 if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1086 /* 1087 * Overflow. Shouldn't happen unless this is a *really* old session. 1088 * If so we just ignore it. 1089 */ 1090 goto dopsksess; 1091 } 1092 1093 /* 1094 * Obfuscate the age. Overflow here is fine, this addition is supposed 1095 * to be mod 2^32. 1096 */ 1097 agems += s->session->ext.tick_age_add; 1098 1099 reshashsize = EVP_MD_size(mdres); 1100 s->ext.tick_identity++; 1101 dores = 1; 1102 } 1103 1104 dopsksess: 1105 if (!dores && s->psksession == NULL) 1106 return EXT_RETURN_NOT_SENT; 1107 1108 if (s->psksession != NULL) { 1109 mdpsk = ssl_md(s->psksession->cipher->algorithm2); 1110 if (mdpsk == NULL) { 1111 /* 1112 * Don't recognize this cipher so we can't use the session. 1113 * If this happens it's an application bug. 1114 */ 1115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1116 SSL_R_BAD_PSK); 1117 return EXT_RETURN_FAIL; 1118 } 1119 1120 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1121 /* 1122 * Selected ciphersuite hash does not match the hash for the PSK 1123 * session. This is an application bug. 1124 */ 1125 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1126 SSL_R_BAD_PSK); 1127 return EXT_RETURN_FAIL; 1128 } 1129 1130 pskhashsize = EVP_MD_size(mdpsk); 1131 } 1132 1133 /* Create the extension, but skip over the binder for now */ 1134 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1135 || !WPACKET_start_sub_packet_u16(pkt) 1136 || !WPACKET_start_sub_packet_u16(pkt)) { 1137 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1138 ERR_R_INTERNAL_ERROR); 1139 return EXT_RETURN_FAIL; 1140 } 1141 1142 if (dores) { 1143 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1144 s->session->ext.ticklen) 1145 || !WPACKET_put_bytes_u32(pkt, agems)) { 1146 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1147 ERR_R_INTERNAL_ERROR); 1148 return EXT_RETURN_FAIL; 1149 } 1150 } 1151 1152 if (s->psksession != NULL) { 1153 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1154 s->psksession_id_len) 1155 || !WPACKET_put_bytes_u32(pkt, 0)) { 1156 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1157 ERR_R_INTERNAL_ERROR); 1158 return EXT_RETURN_FAIL; 1159 } 1160 s->ext.tick_identity++; 1161 } 1162 1163 if (!WPACKET_close(pkt) 1164 || !WPACKET_get_total_written(pkt, &binderoffset) 1165 || !WPACKET_start_sub_packet_u16(pkt) 1166 || (dores 1167 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1168 || (s->psksession != NULL 1169 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1170 || !WPACKET_close(pkt) 1171 || !WPACKET_close(pkt) 1172 || !WPACKET_get_total_written(pkt, &msglen) 1173 /* 1174 * We need to fill in all the sub-packet lengths now so we can 1175 * calculate the HMAC of the message up to the binders 1176 */ 1177 || !WPACKET_fill_lengths(pkt)) { 1178 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, 1179 ERR_R_INTERNAL_ERROR); 1180 return EXT_RETURN_FAIL; 1181 } 1182 1183 msgstart = WPACKET_get_curr(pkt) - msglen; 1184 1185 if (dores 1186 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1187 resbinder, s->session, 1, 0) != 1) { 1188 /* SSLfatal() already called */ 1189 return EXT_RETURN_FAIL; 1190 } 1191 1192 if (s->psksession != NULL 1193 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1194 pskbinder, s->psksession, 1, 1) != 1) { 1195 /* SSLfatal() already called */ 1196 return EXT_RETURN_FAIL; 1197 } 1198 1199 return EXT_RETURN_SENT; 1200 #else 1201 return EXT_RETURN_NOT_SENT; 1202 #endif 1203 } 1204 1205 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, 1206 unsigned int context, 1207 X509 *x, size_t chainidx) 1208 { 1209 #ifndef OPENSSL_NO_TLS1_3 1210 if (!s->pha_enabled) 1211 return EXT_RETURN_NOT_SENT; 1212 1213 /* construct extension - 0 length, no contents */ 1214 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1215 || !WPACKET_start_sub_packet_u16(pkt) 1216 || !WPACKET_close(pkt)) { 1217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1218 SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH, 1219 ERR_R_INTERNAL_ERROR); 1220 return EXT_RETURN_FAIL; 1221 } 1222 1223 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1224 1225 return EXT_RETURN_SENT; 1226 #else 1227 return EXT_RETURN_NOT_SENT; 1228 #endif 1229 } 1230 1231 1232 /* 1233 * Parse the server's renegotiation binding and abort if it's not right 1234 */ 1235 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, 1236 X509 *x, size_t chainidx) 1237 { 1238 size_t expected_len = s->s3->previous_client_finished_len 1239 + s->s3->previous_server_finished_len; 1240 size_t ilen; 1241 const unsigned char *data; 1242 1243 /* Check for logic errors */ 1244 if (!ossl_assert(expected_len == 0 1245 || s->s3->previous_client_finished_len != 0) 1246 || !ossl_assert(expected_len == 0 1247 || s->s3->previous_server_finished_len != 0)) { 1248 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1249 ERR_R_INTERNAL_ERROR); 1250 return 0; 1251 } 1252 1253 /* Parse the length byte */ 1254 if (!PACKET_get_1_len(pkt, &ilen)) { 1255 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1256 SSL_R_RENEGOTIATION_ENCODING_ERR); 1257 return 0; 1258 } 1259 1260 /* Consistency check */ 1261 if (PACKET_remaining(pkt) != ilen) { 1262 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1263 SSL_R_RENEGOTIATION_ENCODING_ERR); 1264 return 0; 1265 } 1266 1267 /* Check that the extension matches */ 1268 if (ilen != expected_len) { 1269 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1270 SSL_R_RENEGOTIATION_MISMATCH); 1271 return 0; 1272 } 1273 1274 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) 1275 || memcmp(data, s->s3->previous_client_finished, 1276 s->s3->previous_client_finished_len) != 0) { 1277 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1278 SSL_R_RENEGOTIATION_MISMATCH); 1279 return 0; 1280 } 1281 1282 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) 1283 || memcmp(data, s->s3->previous_server_finished, 1284 s->s3->previous_server_finished_len) != 0) { 1285 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, 1286 SSL_R_RENEGOTIATION_MISMATCH); 1287 return 0; 1288 } 1289 s->s3->send_connection_binding = 1; 1290 1291 return 1; 1292 } 1293 1294 /* Parse the server's max fragment len extension packet */ 1295 int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, 1296 X509 *x, size_t chainidx) 1297 { 1298 unsigned int value; 1299 1300 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1302 SSL_R_BAD_EXTENSION); 1303 return 0; 1304 } 1305 1306 /* |value| should contains a valid max-fragment-length code. */ 1307 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1308 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1309 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1310 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1311 return 0; 1312 } 1313 1314 /* Must be the same value as client-configured one who was sent to server */ 1315 /*- 1316 * RFC 6066: if a client receives a maximum fragment length negotiation 1317 * response that differs from the length it requested, ... 1318 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1319 */ 1320 if (value != s->ext.max_fragment_len_mode) { 1321 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1322 SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, 1323 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1324 return 0; 1325 } 1326 1327 /* 1328 * Maximum Fragment Length Negotiation succeeded. 1329 * The negotiated Maximum Fragment Length is binding now. 1330 */ 1331 s->session->ext.max_fragment_len_mode = value; 1332 1333 return 1; 1334 } 1335 1336 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, 1337 X509 *x, size_t chainidx) 1338 { 1339 if (s->ext.hostname == NULL) { 1340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1341 ERR_R_INTERNAL_ERROR); 1342 return 0; 1343 } 1344 1345 if (PACKET_remaining(pkt) > 0) { 1346 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1347 SSL_R_BAD_EXTENSION); 1348 return 0; 1349 } 1350 1351 if (!s->hit) { 1352 if (s->session->ext.hostname != NULL) { 1353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1354 ERR_R_INTERNAL_ERROR); 1355 return 0; 1356 } 1357 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1358 if (s->session->ext.hostname == NULL) { 1359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, 1360 ERR_R_INTERNAL_ERROR); 1361 return 0; 1362 } 1363 } 1364 1365 return 1; 1366 } 1367 1368 #ifndef OPENSSL_NO_EC 1369 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, 1370 X509 *x, size_t chainidx) 1371 { 1372 size_t ecpointformats_len; 1373 PACKET ecptformatlist; 1374 1375 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1376 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, 1377 SSL_R_BAD_EXTENSION); 1378 return 0; 1379 } 1380 if (!s->hit) { 1381 ecpointformats_len = PACKET_remaining(&ecptformatlist); 1382 if (ecpointformats_len == 0) { 1383 SSLfatal(s, SSL_AD_DECODE_ERROR, 1384 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH); 1385 return 0; 1386 } 1387 1388 s->ext.peer_ecpointformats_len = 0; 1389 OPENSSL_free(s->ext.peer_ecpointformats); 1390 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); 1391 if (s->ext.peer_ecpointformats == NULL) { 1392 s->ext.peer_ecpointformats_len = 0; 1393 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1394 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 1395 return 0; 1396 } 1397 1398 s->ext.peer_ecpointformats_len = ecpointformats_len; 1399 1400 if (!PACKET_copy_bytes(&ecptformatlist, 1401 s->ext.peer_ecpointformats, 1402 ecpointformats_len)) { 1403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1404 SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); 1405 return 0; 1406 } 1407 } 1408 1409 return 1; 1410 } 1411 #endif 1412 1413 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, 1414 X509 *x, size_t chainidx) 1415 { 1416 if (s->ext.session_ticket_cb != NULL && 1417 !s->ext.session_ticket_cb(s, PACKET_data(pkt), 1418 PACKET_remaining(pkt), 1419 s->ext.session_ticket_cb_arg)) { 1420 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, 1421 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); 1422 return 0; 1423 } 1424 1425 if (!tls_use_ticket(s)) { 1426 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 1427 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); 1428 return 0; 1429 } 1430 if (PACKET_remaining(pkt) > 0) { 1431 SSLfatal(s, SSL_AD_DECODE_ERROR, 1432 SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); 1433 return 0; 1434 } 1435 1436 s->ext.ticket_expected = 1; 1437 1438 return 1; 1439 } 1440 1441 #ifndef OPENSSL_NO_OCSP 1442 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, 1443 X509 *x, size_t chainidx) 1444 { 1445 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1446 /* We ignore this if the server sends a CertificateRequest */ 1447 /* TODO(TLS1.3): Add support for this */ 1448 return 1; 1449 } 1450 1451 /* 1452 * MUST only be sent if we've requested a status 1453 * request message. In TLS <= 1.2 it must also be empty. 1454 */ 1455 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 1456 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 1457 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); 1458 return 0; 1459 } 1460 if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { 1461 SSLfatal(s, SSL_AD_DECODE_ERROR, 1462 SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); 1463 return 0; 1464 } 1465 1466 if (SSL_IS_TLS13(s)) { 1467 /* We only know how to handle this if it's for the first Certificate in 1468 * the chain. We ignore any other responses. 1469 */ 1470 if (chainidx != 0) 1471 return 1; 1472 1473 /* SSLfatal() already called */ 1474 return tls_process_cert_status_body(s, pkt); 1475 } 1476 1477 /* Set flag to expect CertificateStatus message */ 1478 s->ext.status_expected = 1; 1479 1480 return 1; 1481 } 1482 #endif 1483 1484 1485 #ifndef OPENSSL_NO_CT 1486 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1487 size_t chainidx) 1488 { 1489 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1490 /* We ignore this if the server sends it in a CertificateRequest */ 1491 /* TODO(TLS1.3): Add support for this */ 1492 return 1; 1493 } 1494 1495 /* 1496 * Only take it if we asked for it - i.e if there is no CT validation 1497 * callback set, then a custom extension MAY be processing it, so we 1498 * need to let control continue to flow to that. 1499 */ 1500 if (s->ct_validation_callback != NULL) { 1501 size_t size = PACKET_remaining(pkt); 1502 1503 /* Simply copy it off for later processing */ 1504 OPENSSL_free(s->ext.scts); 1505 s->ext.scts = NULL; 1506 1507 s->ext.scts_len = (uint16_t)size; 1508 if (size > 0) { 1509 s->ext.scts = OPENSSL_malloc(size); 1510 if (s->ext.scts == NULL) { 1511 s->ext.scts_len = 0; 1512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, 1513 ERR_R_MALLOC_FAILURE); 1514 return 0; 1515 } 1516 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { 1517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, 1518 ERR_R_INTERNAL_ERROR); 1519 return 0; 1520 } 1521 } 1522 } else { 1523 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 1524 ? ENDPOINT_CLIENT : ENDPOINT_BOTH; 1525 1526 /* 1527 * If we didn't ask for it then there must be a custom extension, 1528 * otherwise this is unsolicited. 1529 */ 1530 if (custom_ext_find(&s->cert->custext, role, 1531 TLSEXT_TYPE_signed_certificate_timestamp, 1532 NULL) == NULL) { 1533 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT, 1534 SSL_R_BAD_EXTENSION); 1535 return 0; 1536 } 1537 1538 if (!custom_ext_parse(s, context, 1539 TLSEXT_TYPE_signed_certificate_timestamp, 1540 PACKET_data(pkt), PACKET_remaining(pkt), 1541 x, chainidx)) { 1542 /* SSLfatal already called */ 1543 return 0; 1544 } 1545 } 1546 1547 return 1; 1548 } 1549 #endif 1550 1551 1552 #ifndef OPENSSL_NO_NEXTPROTONEG 1553 /* 1554 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1555 * elements of zero length are allowed and the set of elements must exactly 1556 * fill the length of the block. Returns 1 on success or 0 on failure. 1557 */ 1558 static int ssl_next_proto_validate(SSL *s, PACKET *pkt) 1559 { 1560 PACKET tmp_protocol; 1561 1562 while (PACKET_remaining(pkt)) { 1563 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 1564 || PACKET_remaining(&tmp_protocol) == 0) { 1565 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE, 1566 SSL_R_BAD_EXTENSION); 1567 return 0; 1568 } 1569 } 1570 1571 return 1; 1572 } 1573 1574 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1575 size_t chainidx) 1576 { 1577 unsigned char *selected; 1578 unsigned char selected_len; 1579 PACKET tmppkt; 1580 1581 /* Check if we are in a renegotiation. If so ignore this extension */ 1582 if (!SSL_IS_FIRST_HANDSHAKE(s)) 1583 return 1; 1584 1585 /* We must have requested it. */ 1586 if (s->ctx->ext.npn_select_cb == NULL) { 1587 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN, 1588 SSL_R_BAD_EXTENSION); 1589 return 0; 1590 } 1591 1592 /* The data must be valid */ 1593 tmppkt = *pkt; 1594 if (!ssl_next_proto_validate(s, &tmppkt)) { 1595 /* SSLfatal() already called */ 1596 return 0; 1597 } 1598 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, 1599 PACKET_data(pkt), 1600 PACKET_remaining(pkt), 1601 s->ctx->ext.npn_select_cb_arg) != 1602 SSL_TLSEXT_ERR_OK) { 1603 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, 1604 SSL_R_BAD_EXTENSION); 1605 return 0; 1606 } 1607 1608 /* 1609 * Could be non-NULL if server has sent multiple NPN extensions in 1610 * a single Serverhello 1611 */ 1612 OPENSSL_free(s->ext.npn); 1613 s->ext.npn = OPENSSL_malloc(selected_len); 1614 if (s->ext.npn == NULL) { 1615 s->ext.npn_len = 0; 1616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN, 1617 ERR_R_INTERNAL_ERROR); 1618 return 0; 1619 } 1620 1621 memcpy(s->ext.npn, selected, selected_len); 1622 s->ext.npn_len = selected_len; 1623 s->s3->npn_seen = 1; 1624 1625 return 1; 1626 } 1627 #endif 1628 1629 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1630 size_t chainidx) 1631 { 1632 size_t len; 1633 1634 /* We must have requested it. */ 1635 if (!s->s3->alpn_sent) { 1636 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN, 1637 SSL_R_BAD_EXTENSION); 1638 return 0; 1639 } 1640 /*- 1641 * The extension data consists of: 1642 * uint16 list_length 1643 * uint8 proto_length; 1644 * uint8 proto[proto_length]; 1645 */ 1646 if (!PACKET_get_net_2_len(pkt, &len) 1647 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) 1648 || PACKET_remaining(pkt) != len) { 1649 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1650 SSL_R_BAD_EXTENSION); 1651 return 0; 1652 } 1653 OPENSSL_free(s->s3->alpn_selected); 1654 s->s3->alpn_selected = OPENSSL_malloc(len); 1655 if (s->s3->alpn_selected == NULL) { 1656 s->s3->alpn_selected_len = 0; 1657 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1658 ERR_R_INTERNAL_ERROR); 1659 return 0; 1660 } 1661 if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) { 1662 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1663 SSL_R_BAD_EXTENSION); 1664 return 0; 1665 } 1666 s->s3->alpn_selected_len = len; 1667 1668 if (s->session->ext.alpn_selected == NULL 1669 || s->session->ext.alpn_selected_len != len 1670 || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len) 1671 != 0) { 1672 /* ALPN not consistent with the old session so cannot use early_data */ 1673 s->ext.early_data_ok = 0; 1674 } 1675 if (!s->hit) { 1676 /* 1677 * This is a new session and so alpn_selected should have been 1678 * initialised to NULL. We should update it with the selected ALPN. 1679 */ 1680 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 1681 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1682 ERR_R_INTERNAL_ERROR); 1683 return 0; 1684 } 1685 s->session->ext.alpn_selected = 1686 OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len); 1687 if (s->session->ext.alpn_selected == NULL) { 1688 s->session->ext.alpn_selected_len = 0; 1689 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, 1690 ERR_R_INTERNAL_ERROR); 1691 return 0; 1692 } 1693 s->session->ext.alpn_selected_len = s->s3->alpn_selected_len; 1694 } 1695 1696 return 1; 1697 } 1698 1699 #ifndef OPENSSL_NO_SRTP 1700 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1701 size_t chainidx) 1702 { 1703 unsigned int id, ct, mki; 1704 int i; 1705 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1706 SRTP_PROTECTION_PROFILE *prof; 1707 1708 if (!PACKET_get_net_2(pkt, &ct) || ct != 2 1709 || !PACKET_get_net_2(pkt, &id) 1710 || !PACKET_get_1(pkt, &mki) 1711 || PACKET_remaining(pkt) != 0) { 1712 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1713 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1714 return 0; 1715 } 1716 1717 if (mki != 0) { 1718 /* Must be no MKI, since we never offer one */ 1719 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1720 SSL_R_BAD_SRTP_MKI_VALUE); 1721 return 0; 1722 } 1723 1724 /* Throw an error if the server gave us an unsolicited extension */ 1725 clnt = SSL_get_srtp_profiles(s); 1726 if (clnt == NULL) { 1727 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1728 SSL_R_NO_SRTP_PROFILES); 1729 return 0; 1730 } 1731 1732 /* 1733 * Check to see if the server gave us something we support (and 1734 * presumably offered) 1735 */ 1736 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1737 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 1738 1739 if (prof->id == id) { 1740 s->srtp_profile = prof; 1741 return 1; 1742 } 1743 } 1744 1745 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, 1746 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1747 return 0; 1748 } 1749 #endif 1750 1751 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1752 size_t chainidx) 1753 { 1754 /* Ignore if inappropriate ciphersuite */ 1755 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 1756 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD 1757 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4 1758 && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT 1759 && s->s3->tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12) 1760 s->ext.use_etm = 1; 1761 1762 return 1; 1763 } 1764 1765 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1766 size_t chainidx) 1767 { 1768 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; 1769 if (!s->hit) 1770 s->session->flags |= SSL_SESS_FLAG_EXTMS; 1771 1772 return 1; 1773 } 1774 1775 int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, 1776 X509 *x, size_t chainidx) 1777 { 1778 unsigned int version; 1779 1780 if (!PACKET_get_net_2(pkt, &version) 1781 || PACKET_remaining(pkt) != 0) { 1782 SSLfatal(s, SSL_AD_DECODE_ERROR, 1783 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, 1784 SSL_R_LENGTH_MISMATCH); 1785 return 0; 1786 } 1787 1788 /* 1789 * The only protocol version we support which is valid in this extension in 1790 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. 1791 */ 1792 if (version != TLS1_3_VERSION) { 1793 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1794 SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, 1795 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1796 return 0; 1797 } 1798 1799 /* We ignore this extension for HRRs except to sanity check it */ 1800 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) 1801 return 1; 1802 1803 /* We just set it here. We validate it in ssl_choose_client_version */ 1804 s->version = version; 1805 1806 return 1; 1807 } 1808 1809 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1810 size_t chainidx) 1811 { 1812 #ifndef OPENSSL_NO_TLS1_3 1813 unsigned int group_id; 1814 PACKET encoded_pt; 1815 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL; 1816 1817 /* Sanity check */ 1818 if (ckey == NULL || s->s3->peer_tmp != NULL) { 1819 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1820 ERR_R_INTERNAL_ERROR); 1821 return 0; 1822 } 1823 1824 if (!PACKET_get_net_2(pkt, &group_id)) { 1825 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1826 SSL_R_LENGTH_MISMATCH); 1827 return 0; 1828 } 1829 1830 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { 1831 const uint16_t *pgroups = NULL; 1832 size_t i, num_groups; 1833 1834 if (PACKET_remaining(pkt) != 0) { 1835 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1836 SSL_R_LENGTH_MISMATCH); 1837 return 0; 1838 } 1839 1840 /* 1841 * It is an error if the HelloRetryRequest wants a key_share that we 1842 * already sent in the first ClientHello 1843 */ 1844 if (group_id == s->s3->group_id) { 1845 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1846 SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); 1847 return 0; 1848 } 1849 1850 /* Validate the selected group is one we support */ 1851 tls1_get_supported_groups(s, &pgroups, &num_groups); 1852 for (i = 0; i < num_groups; i++) { 1853 if (group_id == pgroups[i]) 1854 break; 1855 } 1856 if (i >= num_groups 1857 || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { 1858 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1859 SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); 1860 return 0; 1861 } 1862 1863 s->s3->group_id = group_id; 1864 EVP_PKEY_free(s->s3->tmp.pkey); 1865 s->s3->tmp.pkey = NULL; 1866 return 1; 1867 } 1868 1869 if (group_id != s->s3->group_id) { 1870 /* 1871 * This isn't for the group that we sent in the original 1872 * key_share! 1873 */ 1874 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1875 SSL_R_BAD_KEY_SHARE); 1876 return 0; 1877 } 1878 1879 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) 1880 || PACKET_remaining(&encoded_pt) == 0) { 1881 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1882 SSL_R_LENGTH_MISMATCH); 1883 return 0; 1884 } 1885 1886 skey = EVP_PKEY_new(); 1887 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { 1888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1889 ERR_R_MALLOC_FAILURE); 1890 EVP_PKEY_free(skey); 1891 return 0; 1892 } 1893 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt), 1894 PACKET_remaining(&encoded_pt))) { 1895 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, 1896 SSL_R_BAD_ECPOINT); 1897 EVP_PKEY_free(skey); 1898 return 0; 1899 } 1900 1901 if (ssl_derive(s, ckey, skey, 1) == 0) { 1902 /* SSLfatal() already called */ 1903 EVP_PKEY_free(skey); 1904 return 0; 1905 } 1906 s->s3->peer_tmp = skey; 1907 #endif 1908 1909 return 1; 1910 } 1911 1912 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1913 size_t chainidx) 1914 { 1915 PACKET cookie; 1916 1917 if (!PACKET_as_length_prefixed_2(pkt, &cookie) 1918 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, 1919 &s->ext.tls13_cookie_len)) { 1920 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE, 1921 SSL_R_LENGTH_MISMATCH); 1922 return 0; 1923 } 1924 1925 return 1; 1926 } 1927 1928 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, 1929 X509 *x, size_t chainidx) 1930 { 1931 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 1932 unsigned long max_early_data; 1933 1934 if (!PACKET_get_net_4(pkt, &max_early_data) 1935 || PACKET_remaining(pkt) != 0) { 1936 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 1937 SSL_R_INVALID_MAX_EARLY_DATA); 1938 return 0; 1939 } 1940 1941 s->session->ext.max_early_data = max_early_data; 1942 1943 return 1; 1944 } 1945 1946 if (PACKET_remaining(pkt) != 0) { 1947 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 1948 SSL_R_BAD_EXTENSION); 1949 return 0; 1950 } 1951 1952 if (!s->ext.early_data_ok 1953 || !s->hit) { 1954 /* 1955 * If we get here then we didn't send early data, or we didn't resume 1956 * using the first identity, or the SNI/ALPN is not consistent so the 1957 * server should not be accepting it. 1958 */ 1959 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA, 1960 SSL_R_BAD_EXTENSION); 1961 return 0; 1962 } 1963 1964 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 1965 1966 return 1; 1967 } 1968 1969 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 1970 size_t chainidx) 1971 { 1972 #ifndef OPENSSL_NO_TLS1_3 1973 unsigned int identity; 1974 1975 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { 1976 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK, 1977 SSL_R_LENGTH_MISMATCH); 1978 return 0; 1979 } 1980 1981 if (identity >= (unsigned int)s->ext.tick_identity) { 1982 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, 1983 SSL_R_BAD_PSK_IDENTITY); 1984 return 0; 1985 } 1986 1987 /* 1988 * Session resumption tickets are always sent before PSK tickets. If the 1989 * ticket index is 0 then it must be for a session resumption ticket if we 1990 * sent two tickets, or if we didn't send a PSK ticket. 1991 */ 1992 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { 1993 s->hit = 1; 1994 SSL_SESSION_free(s->psksession); 1995 s->psksession = NULL; 1996 return 1; 1997 } 1998 1999 if (s->psksession == NULL) { 2000 /* Should never happen */ 2001 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, 2002 ERR_R_INTERNAL_ERROR); 2003 return 0; 2004 } 2005 2006 /* 2007 * If we used the external PSK for sending early_data then s->early_secret 2008 * is already set up, so don't overwrite it. Otherwise we copy the 2009 * early_secret across that we generated earlier. 2010 */ 2011 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 2012 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 2013 || s->session->ext.max_early_data > 0 2014 || s->psksession->ext.max_early_data == 0) 2015 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); 2016 2017 SSL_SESSION_free(s->session); 2018 s->session = s->psksession; 2019 s->psksession = NULL; 2020 s->hit = 1; 2021 /* Early data is only allowed if we used the first ticket */ 2022 if (identity != 0) 2023 s->ext.early_data_ok = 0; 2024 #endif 2025 2026 return 1; 2027 } 2028