1 /* 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "statem_local.h" 13 #include "internal/cryptlib.h" 14 15 #define COOKIE_STATE_FORMAT_VERSION 1 16 17 /* 18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for 19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for 20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen, 21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie 22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing. 23 */ 24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \ 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH) 26 27 /* 28 * Message header + 2 bytes for protocol version + number of random bytes + 29 * + 1 byte for legacy session id length + number of bytes in legacy session id 30 * + 2 bytes for ciphersuite + 1 byte for legacy compression 31 * + 2 bytes for extension block length + 6 bytes for key_share extension 32 * + 4 bytes for cookie extension header + the number of bytes in the cookie 33 */ 34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \ 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \ 36 + MAX_COOKIE_SIZE) 37 38 /* 39 * Parse the client's renegotiation binding and abort if it's not right 40 */ 41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context, 42 X509 *x, size_t chainidx) 43 { 44 unsigned int ilen; 45 const unsigned char *data; 46 47 /* Parse the length byte */ 48 if (!PACKET_get_1(pkt, &ilen) 49 || !PACKET_get_bytes(pkt, &data, ilen)) { 50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 51 return 0; 52 } 53 54 /* Check that the extension matches */ 55 if (ilen != s->s3.previous_client_finished_len) { 56 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH); 57 return 0; 58 } 59 60 if (memcmp(data, s->s3.previous_client_finished, 61 s->s3.previous_client_finished_len)) { 62 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH); 63 return 0; 64 } 65 66 s->s3.send_connection_binding = 1; 67 68 return 1; 69 } 70 71 /*- 72 * The servername extension is treated as follows: 73 * 74 * - Only the hostname type is supported with a maximum length of 255. 75 * - The servername is rejected if too long or if it contains zeros, 76 * in which case an fatal alert is generated. 77 * - The servername field is maintained together with the session cache. 78 * - When a session is resumed, the servername call back invoked in order 79 * to allow the application to position itself to the right context. 80 * - The servername is acknowledged if it is new for a session or when 81 * it is identical to a previously used for the same session. 82 * Applications can control the behaviour. They can at any time 83 * set a 'desirable' servername for a new SSL object. This can be the 84 * case for example with HTTPS when a Host: header field is received and 85 * a renegotiation is requested. In this case, a possible servername 86 * presented in the new client hello is only acknowledged if it matches 87 * the value of the Host: field. 88 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 89 * if they provide for changing an explicit servername context for the 90 * session, i.e. when the session has been established with a servername 91 * extension. 92 * - On session reconnect, the servername extension may be absent. 93 */ 94 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context, 95 X509 *x, size_t chainidx) 96 { 97 unsigned int servname_type; 98 PACKET sni, hostname; 99 100 if (!PACKET_as_length_prefixed_2(pkt, &sni) 101 /* ServerNameList must be at least 1 byte long. */ 102 || PACKET_remaining(&sni) == 0) { 103 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 104 return 0; 105 } 106 107 /* 108 * Although the intent was for server_name to be extensible, RFC 4366 109 * was not clear about it; and so OpenSSL among other implementations, 110 * always and only allows a 'host_name' name types. 111 * RFC 6066 corrected the mistake but adding new name types 112 * is nevertheless no longer feasible, so act as if no other 113 * SNI types can exist, to simplify parsing. 114 * 115 * Also note that the RFC permits only one SNI value per type, 116 * i.e., we can only have a single hostname. 117 */ 118 if (!PACKET_get_1(&sni, &servname_type) 119 || servname_type != TLSEXT_NAMETYPE_host_name 120 || !PACKET_as_length_prefixed_2(&sni, &hostname)) { 121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 122 return 0; 123 } 124 125 /* 126 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3 127 * we always use the SNI value from the handshake. 128 */ 129 if (!s->hit || SSL_IS_TLS13(s)) { 130 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { 131 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION); 132 return 0; 133 } 134 135 if (PACKET_contains_zero_byte(&hostname)) { 136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION); 137 return 0; 138 } 139 140 /* 141 * Store the requested SNI in the SSL as temporary storage. 142 * If we accept it, it will get stored in the SSL_SESSION as well. 143 */ 144 OPENSSL_free(s->ext.hostname); 145 s->ext.hostname = NULL; 146 if (!PACKET_strndup(&hostname, &s->ext.hostname)) { 147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 148 return 0; 149 } 150 151 s->servername_done = 1; 152 } else { 153 /* 154 * In TLSv1.2 and below we should check if the SNI is consistent between 155 * the initial handshake and the resumption. In TLSv1.3 SNI is not 156 * associated with the session. 157 */ 158 s->servername_done = (s->session->ext.hostname != NULL) 159 && PACKET_equal(&hostname, s->session->ext.hostname, 160 strlen(s->session->ext.hostname)); 161 } 162 163 return 1; 164 } 165 166 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, 167 X509 *x, size_t chainidx) 168 { 169 unsigned int value; 170 171 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 172 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 173 return 0; 174 } 175 176 /* Received |value| should be a valid max-fragment-length code. */ 177 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 178 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 179 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 180 return 0; 181 } 182 183 /* 184 * When doing a full handshake or a renegotiation max_fragment_len_mode will 185 * be TLSEXT_max_fragment_length_UNSPECIFIED 186 * 187 * In case of a resumption max_fragment_len_mode will be one of 188 * TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512, 189 * TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048. 190 * TLSEXT_max_fragment_length_4096 191 * 192 * RFC 6066: The negotiated length applies for the duration of the session 193 * including session resumptions. 194 * 195 * So we only set the value in case it is unspecified. 196 */ 197 if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED) 198 /* 199 * Store it in session, so it'll become binding for us 200 * and we'll include it in a next Server Hello. 201 */ 202 s->session->ext.max_fragment_len_mode = value; 203 204 return 1; 205 } 206 207 #ifndef OPENSSL_NO_SRP 208 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 209 size_t chainidx) 210 { 211 PACKET srp_I; 212 213 if (!PACKET_as_length_prefixed_1(pkt, &srp_I) 214 || PACKET_contains_zero_byte(&srp_I)) { 215 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 216 return 0; 217 } 218 219 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) { 220 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 221 return 0; 222 } 223 224 return 1; 225 } 226 #endif 227 228 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, 229 X509 *x, size_t chainidx) 230 { 231 PACKET ec_point_format_list; 232 233 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list) 234 || PACKET_remaining(&ec_point_format_list) == 0) { 235 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 236 return 0; 237 } 238 239 if (!s->hit) { 240 if (!PACKET_memdup(&ec_point_format_list, 241 &s->ext.peer_ecpointformats, 242 &s->ext.peer_ecpointformats_len)) { 243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 244 return 0; 245 } 246 } 247 248 return 1; 249 } 250 251 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, 252 X509 *x, size_t chainidx) 253 { 254 if (s->ext.session_ticket_cb && 255 !s->ext.session_ticket_cb(s, PACKET_data(pkt), 256 PACKET_remaining(pkt), 257 s->ext.session_ticket_cb_arg)) { 258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 259 return 0; 260 } 261 262 return 1; 263 } 264 265 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, 266 ossl_unused unsigned int context, 267 ossl_unused X509 *x, 268 ossl_unused size_t chainidx) 269 { 270 PACKET supported_sig_algs; 271 272 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) 273 || PACKET_remaining(&supported_sig_algs) == 0) { 274 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 275 return 0; 276 } 277 278 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) { 279 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 280 return 0; 281 } 282 283 return 1; 284 } 285 286 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 287 size_t chainidx) 288 { 289 PACKET supported_sig_algs; 290 291 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs) 292 || PACKET_remaining(&supported_sig_algs) == 0) { 293 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 294 return 0; 295 } 296 297 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) { 298 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 299 return 0; 300 } 301 302 return 1; 303 } 304 305 #ifndef OPENSSL_NO_OCSP 306 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context, 307 X509 *x, size_t chainidx) 308 { 309 PACKET responder_id_list, exts; 310 311 /* We ignore this in a resumption handshake */ 312 if (s->hit) 313 return 1; 314 315 /* Not defined if we get one of these in a client Certificate */ 316 if (x != NULL) 317 return 1; 318 319 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) { 320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 321 return 0; 322 } 323 324 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 325 /* 326 * We don't know what to do with any other type so ignore it. 327 */ 328 s->ext.status_type = TLSEXT_STATUSTYPE_nothing; 329 return 1; 330 } 331 332 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) { 333 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 334 return 0; 335 } 336 337 /* 338 * We remove any OCSP_RESPIDs from a previous handshake 339 * to prevent unbounded memory growth - CVE-2016-6304 340 */ 341 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free); 342 if (PACKET_remaining(&responder_id_list) > 0) { 343 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null(); 344 if (s->ext.ocsp.ids == NULL) { 345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 346 return 0; 347 } 348 } else { 349 s->ext.ocsp.ids = NULL; 350 } 351 352 while (PACKET_remaining(&responder_id_list) > 0) { 353 OCSP_RESPID *id; 354 PACKET responder_id; 355 const unsigned char *id_data; 356 357 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id) 358 || PACKET_remaining(&responder_id) == 0) { 359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 360 return 0; 361 } 362 363 id_data = PACKET_data(&responder_id); 364 id = d2i_OCSP_RESPID(NULL, &id_data, 365 (int)PACKET_remaining(&responder_id)); 366 if (id == NULL) { 367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 368 return 0; 369 } 370 371 if (id_data != PACKET_end(&responder_id)) { 372 OCSP_RESPID_free(id); 373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 374 375 return 0; 376 } 377 378 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) { 379 OCSP_RESPID_free(id); 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 381 382 return 0; 383 } 384 } 385 386 /* Read in request_extensions */ 387 if (!PACKET_as_length_prefixed_2(pkt, &exts)) { 388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 389 return 0; 390 } 391 392 if (PACKET_remaining(&exts) > 0) { 393 const unsigned char *ext_data = PACKET_data(&exts); 394 395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, 396 X509_EXTENSION_free); 397 s->ext.ocsp.exts = 398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts)); 399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) { 400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 401 return 0; 402 } 403 } 404 405 return 1; 406 } 407 #endif 408 409 #ifndef OPENSSL_NO_NEXTPROTONEG 410 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 411 size_t chainidx) 412 { 413 /* 414 * We shouldn't accept this extension on a 415 * renegotiation. 416 */ 417 if (SSL_IS_FIRST_HANDSHAKE(s)) 418 s->s3.npn_seen = 1; 419 420 return 1; 421 } 422 #endif 423 424 /* 425 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN 426 * extension, not including type and length. Returns: 1 on success, 0 on error. 427 */ 428 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 429 size_t chainidx) 430 { 431 PACKET protocol_list, save_protocol_list, protocol; 432 433 if (!SSL_IS_FIRST_HANDSHAKE(s)) 434 return 1; 435 436 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list) 437 || PACKET_remaining(&protocol_list) < 2) { 438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 439 return 0; 440 } 441 442 save_protocol_list = protocol_list; 443 do { 444 /* Protocol names can't be empty. */ 445 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol) 446 || PACKET_remaining(&protocol) == 0) { 447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 448 return 0; 449 } 450 } while (PACKET_remaining(&protocol_list) != 0); 451 452 OPENSSL_free(s->s3.alpn_proposed); 453 s->s3.alpn_proposed = NULL; 454 s->s3.alpn_proposed_len = 0; 455 if (!PACKET_memdup(&save_protocol_list, 456 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) { 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 458 return 0; 459 } 460 461 return 1; 462 } 463 464 #ifndef OPENSSL_NO_SRTP 465 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 466 size_t chainidx) 467 { 468 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; 469 unsigned int ct, mki_len, id; 470 int i, srtp_pref; 471 PACKET subpkt; 472 473 /* Ignore this if we have no SRTP profiles */ 474 if (SSL_get_srtp_profiles(s) == NULL) 475 return 1; 476 477 /* Pull off the length of the cipher suite list and check it is even */ 478 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0 479 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) { 480 SSLfatal(s, SSL_AD_DECODE_ERROR, 481 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 482 return 0; 483 } 484 485 srvr = SSL_get_srtp_profiles(s); 486 s->srtp_profile = NULL; 487 /* Search all profiles for a match initially */ 488 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); 489 490 while (PACKET_remaining(&subpkt)) { 491 if (!PACKET_get_net_2(&subpkt, &id)) { 492 SSLfatal(s, SSL_AD_DECODE_ERROR, 493 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 494 return 0; 495 } 496 497 /* 498 * Only look for match in profiles of higher preference than 499 * current match. 500 * If no profiles have been have been configured then this 501 * does nothing. 502 */ 503 for (i = 0; i < srtp_pref; i++) { 504 SRTP_PROTECTION_PROFILE *sprof = 505 sk_SRTP_PROTECTION_PROFILE_value(srvr, i); 506 507 if (sprof->id == id) { 508 s->srtp_profile = sprof; 509 srtp_pref = i; 510 break; 511 } 512 } 513 } 514 515 /* Now extract the MKI value as a sanity check, but discard it for now */ 516 if (!PACKET_get_1(pkt, &mki_len)) { 517 SSLfatal(s, SSL_AD_DECODE_ERROR, 518 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 519 return 0; 520 } 521 522 if (!PACKET_forward(pkt, mki_len) 523 || PACKET_remaining(pkt)) { 524 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE); 525 return 0; 526 } 527 528 return 1; 529 } 530 #endif 531 532 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 533 size_t chainidx) 534 { 535 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) 536 s->ext.use_etm = 1; 537 538 return 1; 539 } 540 541 /* 542 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains 543 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. 544 */ 545 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context, 546 X509 *x, size_t chainidx) 547 { 548 #ifndef OPENSSL_NO_TLS1_3 549 PACKET psk_kex_modes; 550 unsigned int mode; 551 552 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes) 553 || PACKET_remaining(&psk_kex_modes) == 0) { 554 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 555 return 0; 556 } 557 558 while (PACKET_get_1(&psk_kex_modes, &mode)) { 559 if (mode == TLSEXT_KEX_MODE_KE_DHE) 560 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE; 561 else if (mode == TLSEXT_KEX_MODE_KE 562 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0) 563 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 564 } 565 #endif 566 567 return 1; 568 } 569 570 /* 571 * Process a key_share extension received in the ClientHello. |pkt| contains 572 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. 573 */ 574 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 575 size_t chainidx) 576 { 577 #ifndef OPENSSL_NO_TLS1_3 578 unsigned int group_id; 579 PACKET key_share_list, encoded_pt; 580 const uint16_t *clntgroups, *srvrgroups; 581 size_t clnt_num_groups, srvr_num_groups; 582 int found = 0; 583 584 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) 585 return 1; 586 587 /* Sanity check */ 588 if (s->s3.peer_tmp != NULL) { 589 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 590 return 0; 591 } 592 593 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) { 594 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 595 return 0; 596 } 597 598 /* Get our list of supported groups */ 599 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups); 600 /* Get the clients list of supported groups. */ 601 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); 602 if (clnt_num_groups == 0) { 603 /* 604 * This can only happen if the supported_groups extension was not sent, 605 * because we verify that the length is non-zero when we process that 606 * extension. 607 */ 608 SSLfatal(s, SSL_AD_MISSING_EXTENSION, 609 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION); 610 return 0; 611 } 612 613 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) { 614 /* 615 * If we set a group_id already, then we must have sent an HRR 616 * requesting a new key_share. If we haven't got one then that is an 617 * error 618 */ 619 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 620 return 0; 621 } 622 623 while (PACKET_remaining(&key_share_list) > 0) { 624 if (!PACKET_get_net_2(&key_share_list, &group_id) 625 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt) 626 || PACKET_remaining(&encoded_pt) == 0) { 627 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 628 return 0; 629 } 630 631 /* 632 * If we already found a suitable key_share we loop through the 633 * rest to verify the structure, but don't process them. 634 */ 635 if (found) 636 continue; 637 638 /* 639 * If we sent an HRR then the key_share sent back MUST be for the group 640 * we requested, and must be the only key_share sent. 641 */ 642 if (s->s3.group_id != 0 643 && (group_id != s->s3.group_id 644 || PACKET_remaining(&key_share_list) != 0)) { 645 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 646 return 0; 647 } 648 649 /* Check if this share is in supported_groups sent from client */ 650 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) { 651 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 652 return 0; 653 } 654 655 /* Check if this share is for a group we can use */ 656 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1) 657 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) 658 /* 659 * We tolerate but ignore a group id that we don't think is 660 * suitable for TLSv1.3 661 */ 662 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, 663 0, NULL)) { 664 /* Share not suitable */ 665 continue; 666 } 667 668 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) { 669 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 670 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); 671 return 0; 672 } 673 674 s->s3.group_id = group_id; 675 /* Cache the selected group ID in the SSL_SESSION */ 676 s->session->kex_group = group_id; 677 678 if (tls13_set_encoded_pub_key(s->s3.peer_tmp, 679 PACKET_data(&encoded_pt), 680 PACKET_remaining(&encoded_pt)) <= 0) { 681 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 682 return 0; 683 } 684 685 found = 1; 686 } 687 #endif 688 689 return 1; 690 } 691 692 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 693 size_t chainidx) 694 { 695 #ifndef OPENSSL_NO_TLS1_3 696 unsigned int format, version, key_share, group_id; 697 EVP_MD_CTX *hctx; 698 EVP_PKEY *pkey; 699 PACKET cookie, raw, chhash, appcookie; 700 WPACKET hrrpkt; 701 const unsigned char *data, *mdin, *ciphdata; 702 unsigned char hmac[SHA256_DIGEST_LENGTH]; 703 unsigned char hrr[MAX_HRR_SIZE]; 704 size_t rawlen, hmaclen, hrrlen, ciphlen; 705 uint64_t tm, now; 706 707 /* Ignore any cookie if we're not set up to verify it */ 708 if (s->ctx->verify_stateless_cookie_cb == NULL 709 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) 710 return 1; 711 712 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) { 713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 714 return 0; 715 } 716 717 raw = cookie; 718 data = PACKET_data(&raw); 719 rawlen = PACKET_remaining(&raw); 720 if (rawlen < SHA256_DIGEST_LENGTH 721 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) { 722 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 723 return 0; 724 } 725 mdin = PACKET_data(&raw); 726 727 /* Verify the HMAC of the cookie */ 728 hctx = EVP_MD_CTX_create(); 729 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", 730 s->ctx->propq, 731 s->session_ctx->ext.cookie_hmac_key, 732 sizeof(s->session_ctx->ext.cookie_hmac_key)); 733 if (hctx == NULL || pkey == NULL) { 734 EVP_MD_CTX_free(hctx); 735 EVP_PKEY_free(pkey); 736 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 737 return 0; 738 } 739 740 hmaclen = SHA256_DIGEST_LENGTH; 741 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx, 742 s->ctx->propq, pkey, NULL) <= 0 743 || EVP_DigestSign(hctx, hmac, &hmaclen, data, 744 rawlen - SHA256_DIGEST_LENGTH) <= 0 745 || hmaclen != SHA256_DIGEST_LENGTH) { 746 EVP_MD_CTX_free(hctx); 747 EVP_PKEY_free(pkey); 748 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 749 return 0; 750 } 751 752 EVP_MD_CTX_free(hctx); 753 EVP_PKEY_free(pkey); 754 755 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) { 756 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH); 757 return 0; 758 } 759 760 if (!PACKET_get_net_2(&cookie, &format)) { 761 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 762 return 0; 763 } 764 /* Check the cookie format is something we recognise. Ignore it if not */ 765 if (format != COOKIE_STATE_FORMAT_VERSION) 766 return 1; 767 768 /* 769 * The rest of these checks really shouldn't fail since we have verified the 770 * HMAC above. 771 */ 772 773 /* Check the version number is sane */ 774 if (!PACKET_get_net_2(&cookie, &version)) { 775 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 776 return 0; 777 } 778 if (version != TLS1_3_VERSION) { 779 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 780 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 781 return 0; 782 } 783 784 if (!PACKET_get_net_2(&cookie, &group_id)) { 785 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 786 return 0; 787 } 788 789 ciphdata = PACKET_data(&cookie); 790 if (!PACKET_forward(&cookie, 2)) { 791 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 792 return 0; 793 } 794 if (group_id != s->s3.group_id 795 || s->s3.tmp.new_cipher 796 != ssl_get_cipher_by_char(s, ciphdata, 0)) { 797 /* 798 * We chose a different cipher or group id this time around to what is 799 * in the cookie. Something must have changed. 800 */ 801 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER); 802 return 0; 803 } 804 805 if (!PACKET_get_1(&cookie, &key_share) 806 || !PACKET_get_net_8(&cookie, &tm) 807 || !PACKET_get_length_prefixed_2(&cookie, &chhash) 808 || !PACKET_get_length_prefixed_1(&cookie, &appcookie) 809 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) { 810 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 811 return 0; 812 } 813 814 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */ 815 now = time(NULL); 816 if (tm > now || (now - tm) > 600) { 817 /* Cookie is stale. Ignore it */ 818 return 1; 819 } 820 821 /* Verify the app cookie */ 822 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie), 823 PACKET_remaining(&appcookie)) == 0) { 824 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH); 825 return 0; 826 } 827 828 /* 829 * Reconstruct the HRR that we would have sent in response to the original 830 * ClientHello so we can add it to the transcript hash. 831 * Note: This won't work with custom HRR extensions 832 */ 833 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) { 834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 835 return 0; 836 } 837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO) 838 || !WPACKET_start_sub_packet_u24(&hrrpkt) 839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION) 840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE) 841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id, 842 s->tmp_session_id_len) 843 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt, 844 &ciphlen) 845 || !WPACKET_put_bytes_u8(&hrrpkt, 0) 846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) { 847 WPACKET_cleanup(&hrrpkt); 848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 849 return 0; 850 } 851 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions) 852 || !WPACKET_start_sub_packet_u16(&hrrpkt) 853 || !WPACKET_put_bytes_u16(&hrrpkt, s->version) 854 || !WPACKET_close(&hrrpkt)) { 855 WPACKET_cleanup(&hrrpkt); 856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 857 return 0; 858 } 859 if (key_share) { 860 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share) 861 || !WPACKET_start_sub_packet_u16(&hrrpkt) 862 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id) 863 || !WPACKET_close(&hrrpkt)) { 864 WPACKET_cleanup(&hrrpkt); 865 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 866 return 0; 867 } 868 } 869 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie) 870 || !WPACKET_start_sub_packet_u16(&hrrpkt) 871 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen) 872 || !WPACKET_close(&hrrpkt) /* cookie extension */ 873 || !WPACKET_close(&hrrpkt) /* extension block */ 874 || !WPACKET_close(&hrrpkt) /* message */ 875 || !WPACKET_get_total_written(&hrrpkt, &hrrlen) 876 || !WPACKET_finish(&hrrpkt)) { 877 WPACKET_cleanup(&hrrpkt); 878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 879 return 0; 880 } 881 882 /* Reconstruct the transcript hash */ 883 if (!create_synthetic_message_hash(s, PACKET_data(&chhash), 884 PACKET_remaining(&chhash), hrr, 885 hrrlen)) { 886 /* SSLfatal() already called */ 887 return 0; 888 } 889 890 /* Act as if this ClientHello came after a HelloRetryRequest */ 891 s->hello_retry_request = SSL_HRR_PENDING; 892 893 s->ext.cookieok = 1; 894 #endif 895 896 return 1; 897 } 898 899 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, 900 X509 *x, size_t chainidx) 901 { 902 PACKET supported_groups_list; 903 904 /* Each group is 2 bytes and we must have at least 1. */ 905 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list) 906 || PACKET_remaining(&supported_groups_list) == 0 907 || (PACKET_remaining(&supported_groups_list) % 2) != 0) { 908 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 909 return 0; 910 } 911 912 if (!s->hit || SSL_IS_TLS13(s)) { 913 OPENSSL_free(s->ext.peer_supportedgroups); 914 s->ext.peer_supportedgroups = NULL; 915 s->ext.peer_supportedgroups_len = 0; 916 if (!tls1_save_u16(&supported_groups_list, 917 &s->ext.peer_supportedgroups, 918 &s->ext.peer_supportedgroups_len)) { 919 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 920 return 0; 921 } 922 } 923 924 return 1; 925 } 926 927 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 928 size_t chainidx) 929 { 930 /* The extension must always be empty */ 931 if (PACKET_remaining(pkt) != 0) { 932 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 933 return 0; 934 } 935 936 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 937 return 1; 938 939 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; 940 941 return 1; 942 } 943 944 945 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, 946 X509 *x, size_t chainidx) 947 { 948 if (PACKET_remaining(pkt) != 0) { 949 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 950 return 0; 951 } 952 953 if (s->hello_retry_request != SSL_HRR_NONE) { 954 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 955 return 0; 956 } 957 958 return 1; 959 } 960 961 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick, 962 SSL_SESSION **sess) 963 { 964 SSL_SESSION *tmpsess = NULL; 965 966 s->ext.ticket_expected = 1; 967 968 switch (PACKET_remaining(tick)) { 969 case 0: 970 return SSL_TICKET_EMPTY; 971 972 case SSL_MAX_SSL_SESSION_ID_LENGTH: 973 break; 974 975 default: 976 return SSL_TICKET_NO_DECRYPT; 977 } 978 979 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick), 980 SSL_MAX_SSL_SESSION_ID_LENGTH); 981 982 if (tmpsess == NULL) 983 return SSL_TICKET_NO_DECRYPT; 984 985 *sess = tmpsess; 986 return SSL_TICKET_SUCCESS; 987 } 988 989 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 990 size_t chainidx) 991 { 992 PACKET identities, binders, binder; 993 size_t binderoffset, hashsize; 994 SSL_SESSION *sess = NULL; 995 unsigned int id, i, ext = 0; 996 const EVP_MD *md = NULL; 997 998 /* 999 * If we have no PSK kex mode that we recognise then we can't resume so 1000 * ignore this extension 1001 */ 1002 if ((s->ext.psk_kex_mode 1003 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0) 1004 return 1; 1005 1006 if (!PACKET_get_length_prefixed_2(pkt, &identities)) { 1007 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1008 return 0; 1009 } 1010 1011 s->ext.ticket_expected = 0; 1012 for (id = 0; PACKET_remaining(&identities) != 0; id++) { 1013 PACKET identity; 1014 unsigned long ticket_agel; 1015 size_t idlen; 1016 1017 if (!PACKET_get_length_prefixed_2(&identities, &identity) 1018 || !PACKET_get_net_4(&identities, &ticket_agel)) { 1019 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1020 return 0; 1021 } 1022 1023 idlen = PACKET_remaining(&identity); 1024 if (s->psk_find_session_cb != NULL 1025 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen, 1026 &sess)) { 1027 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION); 1028 return 0; 1029 } 1030 1031 #ifndef OPENSSL_NO_PSK 1032 if(sess == NULL 1033 && s->psk_server_callback != NULL 1034 && idlen <= PSK_MAX_IDENTITY_LEN) { 1035 char *pskid = NULL; 1036 unsigned char pskdata[PSK_MAX_PSK_LEN]; 1037 unsigned int pskdatalen; 1038 1039 if (!PACKET_strndup(&identity, &pskid)) { 1040 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1041 return 0; 1042 } 1043 pskdatalen = s->psk_server_callback(s, pskid, pskdata, 1044 sizeof(pskdata)); 1045 OPENSSL_free(pskid); 1046 if (pskdatalen > PSK_MAX_PSK_LEN) { 1047 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1048 return 0; 1049 } else if (pskdatalen > 0) { 1050 const SSL_CIPHER *cipher; 1051 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 1052 1053 /* 1054 * We found a PSK using an old style callback. We don't know 1055 * the digest so we default to SHA256 as per the TLSv1.3 spec 1056 */ 1057 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); 1058 if (cipher == NULL) { 1059 OPENSSL_cleanse(pskdata, pskdatalen); 1060 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1061 return 0; 1062 } 1063 1064 sess = SSL_SESSION_new(); 1065 if (sess == NULL 1066 || !SSL_SESSION_set1_master_key(sess, pskdata, 1067 pskdatalen) 1068 || !SSL_SESSION_set_cipher(sess, cipher) 1069 || !SSL_SESSION_set_protocol_version(sess, 1070 TLS1_3_VERSION)) { 1071 OPENSSL_cleanse(pskdata, pskdatalen); 1072 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1073 goto err; 1074 } 1075 OPENSSL_cleanse(pskdata, pskdatalen); 1076 } 1077 } 1078 #endif /* OPENSSL_NO_PSK */ 1079 1080 if (sess != NULL) { 1081 /* We found a PSK */ 1082 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0); 1083 1084 if (sesstmp == NULL) { 1085 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1086 return 0; 1087 } 1088 SSL_SESSION_free(sess); 1089 sess = sesstmp; 1090 1091 /* 1092 * We've just been told to use this session for this context so 1093 * make sure the sid_ctx matches up. 1094 */ 1095 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length); 1096 sess->sid_ctx_length = s->sid_ctx_length; 1097 ext = 1; 1098 if (id == 0) 1099 s->ext.early_data_ok = 1; 1100 s->ext.ticket_expected = 1; 1101 } else { 1102 uint32_t ticket_age = 0, agesec, agems; 1103 int ret; 1104 1105 /* 1106 * If we are using anti-replay protection then we behave as if 1107 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there 1108 * is no point in using full stateless tickets. 1109 */ 1110 if ((s->options & SSL_OP_NO_TICKET) != 0 1111 || (s->max_early_data > 0 1112 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0)) 1113 ret = tls_get_stateful_ticket(s, &identity, &sess); 1114 else 1115 ret = tls_decrypt_ticket(s, PACKET_data(&identity), 1116 PACKET_remaining(&identity), NULL, 0, 1117 &sess); 1118 1119 if (ret == SSL_TICKET_EMPTY) { 1120 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1121 return 0; 1122 } 1123 1124 if (ret == SSL_TICKET_FATAL_ERR_MALLOC 1125 || ret == SSL_TICKET_FATAL_ERR_OTHER) { 1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1127 return 0; 1128 } 1129 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT) 1130 continue; 1131 1132 /* Check for replay */ 1133 if (s->max_early_data > 0 1134 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0 1135 && !SSL_CTX_remove_session(s->session_ctx, sess)) { 1136 SSL_SESSION_free(sess); 1137 sess = NULL; 1138 continue; 1139 } 1140 1141 ticket_age = (uint32_t)ticket_agel; 1142 agesec = (uint32_t)(time(NULL) - sess->time); 1143 agems = agesec * (uint32_t)1000; 1144 ticket_age -= sess->ext.tick_age_add; 1145 1146 /* 1147 * For simplicity we do our age calculations in seconds. If the 1148 * client does it in ms then it could appear that their ticket age 1149 * is longer than ours (our ticket age calculation should always be 1150 * slightly longer than the client's due to the network latency). 1151 * Therefore we add 1000ms to our age calculation to adjust for 1152 * rounding errors. 1153 */ 1154 if (id == 0 1155 && sess->timeout >= (long)agesec 1156 && agems / (uint32_t)1000 == agesec 1157 && ticket_age <= agems + 1000 1158 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) { 1159 /* 1160 * Ticket age is within tolerance and not expired. We allow it 1161 * for early data 1162 */ 1163 s->ext.early_data_ok = 1; 1164 } 1165 } 1166 1167 md = ssl_md(s->ctx, sess->cipher->algorithm2); 1168 if (md == NULL) { 1169 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1170 goto err; 1171 } 1172 if (!EVP_MD_is_a(md, 1173 EVP_MD_get0_name(ssl_md(s->ctx, 1174 s->s3.tmp.new_cipher->algorithm2)))) { 1175 /* The ciphersuite is not compatible with this session. */ 1176 SSL_SESSION_free(sess); 1177 sess = NULL; 1178 s->ext.early_data_ok = 0; 1179 s->ext.ticket_expected = 0; 1180 continue; 1181 } 1182 break; 1183 } 1184 1185 if (sess == NULL) 1186 return 1; 1187 1188 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data; 1189 hashsize = EVP_MD_get_size(md); 1190 1191 if (!PACKET_get_length_prefixed_2(pkt, &binders)) { 1192 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1193 goto err; 1194 } 1195 1196 for (i = 0; i <= id; i++) { 1197 if (!PACKET_get_length_prefixed_1(&binders, &binder)) { 1198 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1199 goto err; 1200 } 1201 } 1202 1203 if (PACKET_remaining(&binder) != hashsize) { 1204 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1205 goto err; 1206 } 1207 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data, 1208 binderoffset, PACKET_data(&binder), NULL, sess, 0, 1209 ext) != 1) { 1210 /* SSLfatal() already called */ 1211 goto err; 1212 } 1213 1214 s->ext.tick_identity = id; 1215 1216 SSL_SESSION_free(s->session); 1217 s->session = sess; 1218 return 1; 1219 err: 1220 SSL_SESSION_free(sess); 1221 return 0; 1222 } 1223 1224 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, 1225 ossl_unused unsigned int context, 1226 ossl_unused X509 *x, 1227 ossl_unused size_t chainidx) 1228 { 1229 if (PACKET_remaining(pkt) != 0) { 1230 SSLfatal(s, SSL_AD_DECODE_ERROR, 1231 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR); 1232 return 0; 1233 } 1234 1235 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED; 1236 1237 return 1; 1238 } 1239 1240 /* 1241 * Add the server's renegotiation binding 1242 */ 1243 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, 1244 unsigned int context, X509 *x, 1245 size_t chainidx) 1246 { 1247 if (!s->s3.send_connection_binding) 1248 return EXT_RETURN_NOT_SENT; 1249 1250 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */ 1251 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 1252 || !WPACKET_start_sub_packet_u16(pkt) 1253 || !WPACKET_start_sub_packet_u8(pkt) 1254 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished, 1255 s->s3.previous_client_finished_len) 1256 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished, 1257 s->s3.previous_server_finished_len) 1258 || !WPACKET_close(pkt) 1259 || !WPACKET_close(pkt)) { 1260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1261 return EXT_RETURN_FAIL; 1262 } 1263 1264 return EXT_RETURN_SENT; 1265 } 1266 1267 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, 1268 unsigned int context, X509 *x, 1269 size_t chainidx) 1270 { 1271 if (s->servername_done != 1) 1272 return EXT_RETURN_NOT_SENT; 1273 1274 /* 1275 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming. 1276 * We just use the servername from the initial handshake. 1277 */ 1278 if (s->hit && !SSL_IS_TLS13(s)) 1279 return EXT_RETURN_NOT_SENT; 1280 1281 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 1282 || !WPACKET_put_bytes_u16(pkt, 0)) { 1283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1284 return EXT_RETURN_FAIL; 1285 } 1286 1287 return EXT_RETURN_SENT; 1288 } 1289 1290 /* Add/include the server's max fragment len extension into ServerHello */ 1291 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt, 1292 unsigned int context, X509 *x, 1293 size_t chainidx) 1294 { 1295 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) 1296 return EXT_RETURN_NOT_SENT; 1297 1298 /*- 1299 * 4 bytes for this extension type and extension length 1300 * 1 byte for the Max Fragment Length code value. 1301 */ 1302 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 1303 || !WPACKET_start_sub_packet_u16(pkt) 1304 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode) 1305 || !WPACKET_close(pkt)) { 1306 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1307 return EXT_RETURN_FAIL; 1308 } 1309 1310 return EXT_RETURN_SENT; 1311 } 1312 1313 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, 1314 unsigned int context, X509 *x, 1315 size_t chainidx) 1316 { 1317 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; 1318 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth; 1319 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) 1320 && (s->ext.peer_ecpointformats != NULL); 1321 const unsigned char *plist; 1322 size_t plistlen; 1323 1324 if (!using_ecc) 1325 return EXT_RETURN_NOT_SENT; 1326 1327 tls1_get_formatlist(s, &plist, &plistlen); 1328 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 1329 || !WPACKET_start_sub_packet_u16(pkt) 1330 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen) 1331 || !WPACKET_close(pkt)) { 1332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1333 return EXT_RETURN_FAIL; 1334 } 1335 1336 return EXT_RETURN_SENT; 1337 } 1338 1339 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, 1340 unsigned int context, X509 *x, 1341 size_t chainidx) 1342 { 1343 const uint16_t *groups; 1344 size_t numgroups, i, first = 1; 1345 int version; 1346 1347 /* s->s3.group_id is non zero if we accepted a key_share */ 1348 if (s->s3.group_id == 0) 1349 return EXT_RETURN_NOT_SENT; 1350 1351 /* Get our list of supported groups */ 1352 tls1_get_supported_groups(s, &groups, &numgroups); 1353 if (numgroups == 0) { 1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1355 return EXT_RETURN_FAIL; 1356 } 1357 1358 /* Copy group ID if supported */ 1359 version = SSL_version(s); 1360 for (i = 0; i < numgroups; i++) { 1361 uint16_t group = groups[i]; 1362 1363 if (tls_valid_group(s, group, version, version, 0, NULL) 1364 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { 1365 if (first) { 1366 /* 1367 * Check if the client is already using our preferred group. If 1368 * so we don't need to add this extension 1369 */ 1370 if (s->s3.group_id == group) 1371 return EXT_RETURN_NOT_SENT; 1372 1373 /* Add extension header */ 1374 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 1375 /* Sub-packet for supported_groups extension */ 1376 || !WPACKET_start_sub_packet_u16(pkt) 1377 || !WPACKET_start_sub_packet_u16(pkt)) { 1378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1379 return EXT_RETURN_FAIL; 1380 } 1381 1382 first = 0; 1383 } 1384 if (!WPACKET_put_bytes_u16(pkt, group)) { 1385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1386 return EXT_RETURN_FAIL; 1387 } 1388 } 1389 } 1390 1391 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 1392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1393 return EXT_RETURN_FAIL; 1394 } 1395 1396 return EXT_RETURN_SENT; 1397 } 1398 1399 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, 1400 unsigned int context, X509 *x, 1401 size_t chainidx) 1402 { 1403 if (!s->ext.ticket_expected || !tls_use_ticket(s)) { 1404 s->ext.ticket_expected = 0; 1405 return EXT_RETURN_NOT_SENT; 1406 } 1407 1408 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 1409 || !WPACKET_put_bytes_u16(pkt, 0)) { 1410 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1411 return EXT_RETURN_FAIL; 1412 } 1413 1414 return EXT_RETURN_SENT; 1415 } 1416 1417 #ifndef OPENSSL_NO_OCSP 1418 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, 1419 unsigned int context, X509 *x, 1420 size_t chainidx) 1421 { 1422 /* We don't currently support this extension inside a CertificateRequest */ 1423 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) 1424 return EXT_RETURN_NOT_SENT; 1425 1426 if (!s->ext.status_expected) 1427 return EXT_RETURN_NOT_SENT; 1428 1429 if (SSL_IS_TLS13(s) && chainidx != 0) 1430 return EXT_RETURN_NOT_SENT; 1431 1432 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 1433 || !WPACKET_start_sub_packet_u16(pkt)) { 1434 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1435 return EXT_RETURN_FAIL; 1436 } 1437 1438 /* 1439 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we 1440 * send back an empty extension, with the certificate status appearing as a 1441 * separate message 1442 */ 1443 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) { 1444 /* SSLfatal() already called */ 1445 return EXT_RETURN_FAIL; 1446 } 1447 if (!WPACKET_close(pkt)) { 1448 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1449 return EXT_RETURN_FAIL; 1450 } 1451 1452 return EXT_RETURN_SENT; 1453 } 1454 #endif 1455 1456 #ifndef OPENSSL_NO_NEXTPROTONEG 1457 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, 1458 unsigned int context, X509 *x, 1459 size_t chainidx) 1460 { 1461 const unsigned char *npa; 1462 unsigned int npalen; 1463 int ret; 1464 int npn_seen = s->s3.npn_seen; 1465 1466 s->s3.npn_seen = 0; 1467 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL) 1468 return EXT_RETURN_NOT_SENT; 1469 1470 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen, 1471 s->ctx->ext.npn_advertised_cb_arg); 1472 if (ret == SSL_TLSEXT_ERR_OK) { 1473 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 1474 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) { 1475 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1476 return EXT_RETURN_FAIL; 1477 } 1478 s->s3.npn_seen = 1; 1479 return EXT_RETURN_SENT; 1480 } 1481 1482 return EXT_RETURN_NOT_SENT; 1483 } 1484 #endif 1485 1486 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, 1487 X509 *x, size_t chainidx) 1488 { 1489 if (s->s3.alpn_selected == NULL) 1490 return EXT_RETURN_NOT_SENT; 1491 1492 if (!WPACKET_put_bytes_u16(pkt, 1493 TLSEXT_TYPE_application_layer_protocol_negotiation) 1494 || !WPACKET_start_sub_packet_u16(pkt) 1495 || !WPACKET_start_sub_packet_u16(pkt) 1496 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected, 1497 s->s3.alpn_selected_len) 1498 || !WPACKET_close(pkt) 1499 || !WPACKET_close(pkt)) { 1500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1501 return EXT_RETURN_FAIL; 1502 } 1503 1504 return EXT_RETURN_SENT; 1505 } 1506 1507 #ifndef OPENSSL_NO_SRTP 1508 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, 1509 unsigned int context, X509 *x, 1510 size_t chainidx) 1511 { 1512 if (s->srtp_profile == NULL) 1513 return EXT_RETURN_NOT_SENT; 1514 1515 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 1516 || !WPACKET_start_sub_packet_u16(pkt) 1517 || !WPACKET_put_bytes_u16(pkt, 2) 1518 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id) 1519 || !WPACKET_put_bytes_u8(pkt, 0) 1520 || !WPACKET_close(pkt)) { 1521 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1522 return EXT_RETURN_FAIL; 1523 } 1524 1525 return EXT_RETURN_SENT; 1526 } 1527 #endif 1528 1529 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, 1530 X509 *x, size_t chainidx) 1531 { 1532 if (!s->ext.use_etm) 1533 return EXT_RETURN_NOT_SENT; 1534 1535 /* 1536 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable 1537 * for other cases too. 1538 */ 1539 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD 1540 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4 1541 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT 1542 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12 1543 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA 1544 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) { 1545 s->ext.use_etm = 0; 1546 return EXT_RETURN_NOT_SENT; 1547 } 1548 1549 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 1550 || !WPACKET_put_bytes_u16(pkt, 0)) { 1551 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1552 return EXT_RETURN_FAIL; 1553 } 1554 1555 return EXT_RETURN_SENT; 1556 } 1557 1558 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, 1559 X509 *x, size_t chainidx) 1560 { 1561 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) 1562 return EXT_RETURN_NOT_SENT; 1563 1564 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 1565 || !WPACKET_put_bytes_u16(pkt, 0)) { 1566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1567 return EXT_RETURN_FAIL; 1568 } 1569 1570 return EXT_RETURN_SENT; 1571 } 1572 1573 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, 1574 unsigned int context, X509 *x, 1575 size_t chainidx) 1576 { 1577 if (!ossl_assert(SSL_IS_TLS13(s))) { 1578 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1579 return EXT_RETURN_FAIL; 1580 } 1581 1582 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 1583 || !WPACKET_start_sub_packet_u16(pkt) 1584 || !WPACKET_put_bytes_u16(pkt, s->version) 1585 || !WPACKET_close(pkt)) { 1586 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1587 return EXT_RETURN_FAIL; 1588 } 1589 1590 return EXT_RETURN_SENT; 1591 } 1592 1593 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, 1594 unsigned int context, X509 *x, 1595 size_t chainidx) 1596 { 1597 #ifndef OPENSSL_NO_TLS1_3 1598 unsigned char *encodedPoint; 1599 size_t encoded_pt_len = 0; 1600 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL; 1601 const TLS_GROUP_INFO *ginf = NULL; 1602 1603 if (s->hello_retry_request == SSL_HRR_PENDING) { 1604 if (ckey != NULL) { 1605 /* Original key_share was acceptable so don't ask for another one */ 1606 return EXT_RETURN_NOT_SENT; 1607 } 1608 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 1609 || !WPACKET_start_sub_packet_u16(pkt) 1610 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id) 1611 || !WPACKET_close(pkt)) { 1612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1613 return EXT_RETURN_FAIL; 1614 } 1615 1616 return EXT_RETURN_SENT; 1617 } 1618 1619 if (ckey == NULL) { 1620 /* No key_share received from client - must be resuming */ 1621 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { 1622 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1623 return EXT_RETURN_FAIL; 1624 } 1625 return EXT_RETURN_NOT_SENT; 1626 } 1627 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) { 1628 /* 1629 * PSK ('hit') and explicitly not doing DHE (if the client sent the 1630 * DHE option we always take it); don't send key share. 1631 */ 1632 return EXT_RETURN_NOT_SENT; 1633 } 1634 1635 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 1636 || !WPACKET_start_sub_packet_u16(pkt) 1637 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) { 1638 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1639 return EXT_RETURN_FAIL; 1640 } 1641 1642 if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) { 1643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1644 return EXT_RETURN_FAIL; 1645 } 1646 1647 if (!ginf->is_kem) { 1648 /* Regular KEX */ 1649 skey = ssl_generate_pkey(s, ckey); 1650 if (skey == NULL) { 1651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1652 return EXT_RETURN_FAIL; 1653 } 1654 1655 /* Generate encoding of server key */ 1656 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint); 1657 if (encoded_pt_len == 0) { 1658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 1659 EVP_PKEY_free(skey); 1660 return EXT_RETURN_FAIL; 1661 } 1662 1663 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) 1664 || !WPACKET_close(pkt)) { 1665 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1666 EVP_PKEY_free(skey); 1667 OPENSSL_free(encodedPoint); 1668 return EXT_RETURN_FAIL; 1669 } 1670 OPENSSL_free(encodedPoint); 1671 1672 /* 1673 * This causes the crypto state to be updated based on the derived keys 1674 */ 1675 s->s3.tmp.pkey = skey; 1676 if (ssl_derive(s, skey, ckey, 1) == 0) { 1677 /* SSLfatal() already called */ 1678 return EXT_RETURN_FAIL; 1679 } 1680 } else { 1681 /* KEM mode */ 1682 unsigned char *ct = NULL; 1683 size_t ctlen = 0; 1684 1685 /* 1686 * This does not update the crypto state. 1687 * 1688 * The generated pms is stored in `s->s3.tmp.pms` to be later used via 1689 * ssl_gensecret(). 1690 */ 1691 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) { 1692 /* SSLfatal() already called */ 1693 return EXT_RETURN_FAIL; 1694 } 1695 1696 if (ctlen == 0) { 1697 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1698 OPENSSL_free(ct); 1699 return EXT_RETURN_FAIL; 1700 } 1701 1702 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen) 1703 || !WPACKET_close(pkt)) { 1704 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1705 OPENSSL_free(ct); 1706 return EXT_RETURN_FAIL; 1707 } 1708 OPENSSL_free(ct); 1709 1710 /* 1711 * This causes the crypto state to be updated based on the generated pms 1712 */ 1713 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) { 1714 /* SSLfatal() already called */ 1715 return EXT_RETURN_FAIL; 1716 } 1717 } 1718 s->s3.did_kex = 1; 1719 return EXT_RETURN_SENT; 1720 #else 1721 return EXT_RETURN_FAIL; 1722 #endif 1723 } 1724 1725 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, 1726 X509 *x, size_t chainidx) 1727 { 1728 #ifndef OPENSSL_NO_TLS1_3 1729 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie; 1730 unsigned char *hmac, *hmac2; 1731 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen; 1732 EVP_MD_CTX *hctx; 1733 EVP_PKEY *pkey; 1734 int ret = EXT_RETURN_FAIL; 1735 1736 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0) 1737 return EXT_RETURN_NOT_SENT; 1738 1739 if (s->ctx->gen_stateless_cookie_cb == NULL) { 1740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET); 1741 return EXT_RETURN_FAIL; 1742 } 1743 1744 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 1745 || !WPACKET_start_sub_packet_u16(pkt) 1746 || !WPACKET_start_sub_packet_u16(pkt) 1747 || !WPACKET_get_total_written(pkt, &startlen) 1748 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie) 1749 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION) 1750 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION) 1751 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id) 1752 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, 1753 &ciphlen) 1754 /* Is there a key_share extension present in this HRR? */ 1755 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL) 1756 || !WPACKET_put_bytes_u64(pkt, time(NULL)) 1757 || !WPACKET_start_sub_packet_u16(pkt) 1758 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) { 1759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1760 return EXT_RETURN_FAIL; 1761 } 1762 1763 /* 1764 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates 1765 * on raw buffers, so we first reserve sufficient bytes (above) and then 1766 * subsequently allocate them (below) 1767 */ 1768 if (!ssl3_digest_cached_records(s, 0) 1769 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) { 1770 /* SSLfatal() already called */ 1771 return EXT_RETURN_FAIL; 1772 } 1773 1774 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2) 1775 || !ossl_assert(hashval1 == hashval2) 1776 || !WPACKET_close(pkt) 1777 || !WPACKET_start_sub_packet_u8(pkt) 1778 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) { 1779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1780 return EXT_RETURN_FAIL; 1781 } 1782 1783 /* Generate the application cookie */ 1784 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) { 1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); 1786 return EXT_RETURN_FAIL; 1787 } 1788 1789 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2) 1790 || !ossl_assert(appcookie1 == appcookie2) 1791 || !WPACKET_close(pkt) 1792 || !WPACKET_get_total_written(pkt, &totcookielen) 1793 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) { 1794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1795 return EXT_RETURN_FAIL; 1796 } 1797 hmaclen = SHA256_DIGEST_LENGTH; 1798 1799 totcookielen -= startlen; 1800 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) { 1801 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1802 return EXT_RETURN_FAIL; 1803 } 1804 1805 /* HMAC the cookie */ 1806 hctx = EVP_MD_CTX_create(); 1807 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", 1808 s->ctx->propq, 1809 s->session_ctx->ext.cookie_hmac_key, 1810 sizeof(s->session_ctx->ext.cookie_hmac_key)); 1811 if (hctx == NULL || pkey == NULL) { 1812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1813 goto err; 1814 } 1815 1816 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx, 1817 s->ctx->propq, pkey, NULL) <= 0 1818 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie, 1819 totcookielen) <= 0) { 1820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1821 goto err; 1822 } 1823 1824 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) { 1825 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1826 goto err; 1827 } 1828 1829 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2) 1830 || !ossl_assert(hmac == hmac2) 1831 || !ossl_assert(cookie == hmac - totcookielen) 1832 || !WPACKET_close(pkt) 1833 || !WPACKET_close(pkt)) { 1834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1835 goto err; 1836 } 1837 1838 ret = EXT_RETURN_SENT; 1839 1840 err: 1841 EVP_MD_CTX_free(hctx); 1842 EVP_PKEY_free(pkey); 1843 return ret; 1844 #else 1845 return EXT_RETURN_FAIL; 1846 #endif 1847 } 1848 1849 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, 1850 unsigned int context, X509 *x, 1851 size_t chainidx) 1852 { 1853 const unsigned char cryptopro_ext[36] = { 1854 0xfd, 0xe8, /* 65000 */ 1855 0x00, 0x20, /* 32 bytes length */ 1856 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1857 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1858 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1859 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1860 }; 1861 1862 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80 1863 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81) 1864 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0) 1865 return EXT_RETURN_NOT_SENT; 1866 1867 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) { 1868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1869 return EXT_RETURN_FAIL; 1870 } 1871 1872 return EXT_RETURN_SENT; 1873 } 1874 1875 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, 1876 unsigned int context, X509 *x, 1877 size_t chainidx) 1878 { 1879 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 1880 if (s->max_early_data == 0) 1881 return EXT_RETURN_NOT_SENT; 1882 1883 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 1884 || !WPACKET_start_sub_packet_u16(pkt) 1885 || !WPACKET_put_bytes_u32(pkt, s->max_early_data) 1886 || !WPACKET_close(pkt)) { 1887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1888 return EXT_RETURN_FAIL; 1889 } 1890 1891 return EXT_RETURN_SENT; 1892 } 1893 1894 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) 1895 return EXT_RETURN_NOT_SENT; 1896 1897 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 1898 || !WPACKET_start_sub_packet_u16(pkt) 1899 || !WPACKET_close(pkt)) { 1900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1901 return EXT_RETURN_FAIL; 1902 } 1903 1904 return EXT_RETURN_SENT; 1905 } 1906 1907 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, 1908 X509 *x, size_t chainidx) 1909 { 1910 if (!s->hit) 1911 return EXT_RETURN_NOT_SENT; 1912 1913 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1914 || !WPACKET_start_sub_packet_u16(pkt) 1915 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity) 1916 || !WPACKET_close(pkt)) { 1917 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1918 return EXT_RETURN_FAIL; 1919 } 1920 1921 return EXT_RETURN_SENT; 1922 } 1923