2
0

extensions_clnt.c 67 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011
  1. /*
  2. * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_local.h"
  11. #include "internal/cryptlib.h"
  12. #include "statem_local.h"
  13. EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
  14. unsigned int context, X509 *x,
  15. size_t chainidx)
  16. {
  17. /* Add RI if renegotiating */
  18. if (!s->renegotiate)
  19. return EXT_RETURN_NOT_SENT;
  20. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
  21. || !WPACKET_start_sub_packet_u16(pkt)
  22. || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
  23. s->s3->previous_client_finished_len)
  24. || !WPACKET_close(pkt)) {
  25. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE,
  26. ERR_R_INTERNAL_ERROR);
  27. return EXT_RETURN_FAIL;
  28. }
  29. return EXT_RETURN_SENT;
  30. }
  31. EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
  32. unsigned int context, X509 *x,
  33. size_t chainidx)
  34. {
  35. if (s->ext.hostname == NULL)
  36. return EXT_RETURN_NOT_SENT;
  37. /* Add TLS extension servername to the Client Hello message */
  38. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
  39. /* Sub-packet for server_name extension */
  40. || !WPACKET_start_sub_packet_u16(pkt)
  41. /* Sub-packet for servername list (always 1 hostname)*/
  42. || !WPACKET_start_sub_packet_u16(pkt)
  43. || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
  44. || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
  45. strlen(s->ext.hostname))
  46. || !WPACKET_close(pkt)
  47. || !WPACKET_close(pkt)) {
  48. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME,
  49. ERR_R_INTERNAL_ERROR);
  50. return EXT_RETURN_FAIL;
  51. }
  52. return EXT_RETURN_SENT;
  53. }
  54. /* Push a Max Fragment Len extension into ClientHello */
  55. EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
  56. unsigned int context, X509 *x,
  57. size_t chainidx)
  58. {
  59. if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
  60. return EXT_RETURN_NOT_SENT;
  61. /* Add Max Fragment Length extension if client enabled it. */
  62. /*-
  63. * 4 bytes for this extension type and extension length
  64. * 1 byte for the Max Fragment Length code value.
  65. */
  66. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
  67. /* Sub-packet for Max Fragment Length extension (1 byte) */
  68. || !WPACKET_start_sub_packet_u16(pkt)
  69. || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
  70. || !WPACKET_close(pkt)) {
  71. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  72. SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
  73. return EXT_RETURN_FAIL;
  74. }
  75. return EXT_RETURN_SENT;
  76. }
  77. #ifndef OPENSSL_NO_SRP
  78. EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
  79. X509 *x, size_t chainidx)
  80. {
  81. /* Add SRP username if there is one */
  82. if (s->srp_ctx.login == NULL)
  83. return EXT_RETURN_NOT_SENT;
  84. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
  85. /* Sub-packet for SRP extension */
  86. || !WPACKET_start_sub_packet_u16(pkt)
  87. || !WPACKET_start_sub_packet_u8(pkt)
  88. /* login must not be zero...internal error if so */
  89. || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
  90. || !WPACKET_memcpy(pkt, s->srp_ctx.login,
  91. strlen(s->srp_ctx.login))
  92. || !WPACKET_close(pkt)
  93. || !WPACKET_close(pkt)) {
  94. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP,
  95. ERR_R_INTERNAL_ERROR);
  96. return EXT_RETURN_FAIL;
  97. }
  98. return EXT_RETURN_SENT;
  99. }
  100. #endif
  101. #ifndef OPENSSL_NO_EC
  102. static int use_ecc(SSL *s)
  103. {
  104. int i, end, ret = 0;
  105. unsigned long alg_k, alg_a;
  106. STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
  107. /* See if we support any ECC ciphersuites */
  108. if (s->version == SSL3_VERSION)
  109. return 0;
  110. cipher_stack = SSL_get1_supported_ciphers(s);
  111. end = sk_SSL_CIPHER_num(cipher_stack);
  112. for (i = 0; i < end; i++) {
  113. const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
  114. alg_k = c->algorithm_mkey;
  115. alg_a = c->algorithm_auth;
  116. if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
  117. || (alg_a & SSL_aECDSA)
  118. || c->min_tls >= TLS1_3_VERSION) {
  119. ret = 1;
  120. break;
  121. }
  122. }
  123. sk_SSL_CIPHER_free(cipher_stack);
  124. return ret;
  125. }
  126. EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
  127. unsigned int context, X509 *x,
  128. size_t chainidx)
  129. {
  130. const unsigned char *pformats;
  131. size_t num_formats;
  132. if (!use_ecc(s))
  133. return EXT_RETURN_NOT_SENT;
  134. /* Add TLS extension ECPointFormats to the ClientHello message */
  135. tls1_get_formatlist(s, &pformats, &num_formats);
  136. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
  137. /* Sub-packet for formats extension */
  138. || !WPACKET_start_sub_packet_u16(pkt)
  139. || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
  140. || !WPACKET_close(pkt)) {
  141. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  142. SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  143. return EXT_RETURN_FAIL;
  144. }
  145. return EXT_RETURN_SENT;
  146. }
  147. EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
  148. unsigned int context, X509 *x,
  149. size_t chainidx)
  150. {
  151. const uint16_t *pgroups = NULL;
  152. size_t num_groups = 0, i;
  153. if (!use_ecc(s))
  154. return EXT_RETURN_NOT_SENT;
  155. /*
  156. * Add TLS extension supported_groups to the ClientHello message
  157. */
  158. /* TODO(TLS1.3): Add support for DHE groups */
  159. tls1_get_supported_groups(s, &pgroups, &num_groups);
  160. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
  161. /* Sub-packet for supported_groups extension */
  162. || !WPACKET_start_sub_packet_u16(pkt)
  163. || !WPACKET_start_sub_packet_u16(pkt)) {
  164. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  165. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
  166. ERR_R_INTERNAL_ERROR);
  167. return EXT_RETURN_FAIL;
  168. }
  169. /* Copy curve ID if supported */
  170. for (i = 0; i < num_groups; i++) {
  171. uint16_t ctmp = pgroups[i];
  172. if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
  173. if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
  174. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  175. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
  176. ERR_R_INTERNAL_ERROR);
  177. return EXT_RETURN_FAIL;
  178. }
  179. }
  180. }
  181. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  182. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  183. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
  184. ERR_R_INTERNAL_ERROR);
  185. return EXT_RETURN_FAIL;
  186. }
  187. return EXT_RETURN_SENT;
  188. }
  189. #endif
  190. EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
  191. unsigned int context, X509 *x,
  192. size_t chainidx)
  193. {
  194. size_t ticklen;
  195. if (!tls_use_ticket(s))
  196. return EXT_RETURN_NOT_SENT;
  197. if (!s->new_session && s->session != NULL
  198. && s->session->ext.tick != NULL
  199. && s->session->ssl_version != TLS1_3_VERSION) {
  200. ticklen = s->session->ext.ticklen;
  201. } else if (s->session && s->ext.session_ticket != NULL
  202. && s->ext.session_ticket->data != NULL) {
  203. ticklen = s->ext.session_ticket->length;
  204. s->session->ext.tick = OPENSSL_malloc(ticklen);
  205. if (s->session->ext.tick == NULL) {
  206. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  207. SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
  208. ERR_R_INTERNAL_ERROR);
  209. return EXT_RETURN_FAIL;
  210. }
  211. memcpy(s->session->ext.tick,
  212. s->ext.session_ticket->data, ticklen);
  213. s->session->ext.ticklen = ticklen;
  214. } else {
  215. ticklen = 0;
  216. }
  217. if (ticklen == 0 && s->ext.session_ticket != NULL &&
  218. s->ext.session_ticket->data == NULL)
  219. return EXT_RETURN_NOT_SENT;
  220. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
  221. || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
  222. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  223. SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
  224. return EXT_RETURN_FAIL;
  225. }
  226. return EXT_RETURN_SENT;
  227. }
  228. EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
  229. unsigned int context, X509 *x,
  230. size_t chainidx)
  231. {
  232. size_t salglen;
  233. const uint16_t *salg;
  234. if (!SSL_CLIENT_USE_SIGALGS(s))
  235. return EXT_RETURN_NOT_SENT;
  236. salglen = tls12_get_psigalgs(s, 1, &salg);
  237. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
  238. /* Sub-packet for sig-algs extension */
  239. || !WPACKET_start_sub_packet_u16(pkt)
  240. /* Sub-packet for the actual list */
  241. || !WPACKET_start_sub_packet_u16(pkt)
  242. || !tls12_copy_sigalgs(s, pkt, salg, salglen)
  243. || !WPACKET_close(pkt)
  244. || !WPACKET_close(pkt)) {
  245. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS,
  246. ERR_R_INTERNAL_ERROR);
  247. return EXT_RETURN_FAIL;
  248. }
  249. return EXT_RETURN_SENT;
  250. }
  251. #ifndef OPENSSL_NO_OCSP
  252. EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
  253. unsigned int context, X509 *x,
  254. size_t chainidx)
  255. {
  256. int i;
  257. /* This extension isn't defined for client Certificates */
  258. if (x != NULL)
  259. return EXT_RETURN_NOT_SENT;
  260. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
  261. return EXT_RETURN_NOT_SENT;
  262. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
  263. /* Sub-packet for status request extension */
  264. || !WPACKET_start_sub_packet_u16(pkt)
  265. || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
  266. /* Sub-packet for the ids */
  267. || !WPACKET_start_sub_packet_u16(pkt)) {
  268. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  269. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  270. return EXT_RETURN_FAIL;
  271. }
  272. for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
  273. unsigned char *idbytes;
  274. OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
  275. int idlen = i2d_OCSP_RESPID(id, NULL);
  276. if (idlen <= 0
  277. /* Sub-packet for an individual id */
  278. || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
  279. || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
  280. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  281. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
  282. ERR_R_INTERNAL_ERROR);
  283. return EXT_RETURN_FAIL;
  284. }
  285. }
  286. if (!WPACKET_close(pkt)
  287. || !WPACKET_start_sub_packet_u16(pkt)) {
  288. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  289. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  290. return EXT_RETURN_FAIL;
  291. }
  292. if (s->ext.ocsp.exts) {
  293. unsigned char *extbytes;
  294. int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
  295. if (extlen < 0) {
  296. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  297. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
  298. ERR_R_INTERNAL_ERROR);
  299. return EXT_RETURN_FAIL;
  300. }
  301. if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
  302. || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
  303. != extlen) {
  304. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  305. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
  306. ERR_R_INTERNAL_ERROR);
  307. return EXT_RETURN_FAIL;
  308. }
  309. }
  310. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  311. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  312. SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
  313. return EXT_RETURN_FAIL;
  314. }
  315. return EXT_RETURN_SENT;
  316. }
  317. #endif
  318. #ifndef OPENSSL_NO_NEXTPROTONEG
  319. EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
  320. X509 *x, size_t chainidx)
  321. {
  322. if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
  323. return EXT_RETURN_NOT_SENT;
  324. /*
  325. * The client advertises an empty extension to indicate its support
  326. * for Next Protocol Negotiation
  327. */
  328. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
  329. || !WPACKET_put_bytes_u16(pkt, 0)) {
  330. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN,
  331. ERR_R_INTERNAL_ERROR);
  332. return EXT_RETURN_FAIL;
  333. }
  334. return EXT_RETURN_SENT;
  335. }
  336. #endif
  337. EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
  338. X509 *x, size_t chainidx)
  339. {
  340. s->s3->alpn_sent = 0;
  341. if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
  342. return EXT_RETURN_NOT_SENT;
  343. if (!WPACKET_put_bytes_u16(pkt,
  344. TLSEXT_TYPE_application_layer_protocol_negotiation)
  345. /* Sub-packet ALPN extension */
  346. || !WPACKET_start_sub_packet_u16(pkt)
  347. || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
  348. || !WPACKET_close(pkt)) {
  349. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN,
  350. ERR_R_INTERNAL_ERROR);
  351. return EXT_RETURN_FAIL;
  352. }
  353. s->s3->alpn_sent = 1;
  354. return EXT_RETURN_SENT;
  355. }
  356. #ifndef OPENSSL_NO_SRTP
  357. EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
  358. unsigned int context, X509 *x,
  359. size_t chainidx)
  360. {
  361. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
  362. int i, end;
  363. if (clnt == NULL)
  364. return EXT_RETURN_NOT_SENT;
  365. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
  366. /* Sub-packet for SRTP extension */
  367. || !WPACKET_start_sub_packet_u16(pkt)
  368. /* Sub-packet for the protection profile list */
  369. || !WPACKET_start_sub_packet_u16(pkt)) {
  370. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
  371. ERR_R_INTERNAL_ERROR);
  372. return EXT_RETURN_FAIL;
  373. }
  374. end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
  375. for (i = 0; i < end; i++) {
  376. const SRTP_PROTECTION_PROFILE *prof =
  377. sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  378. if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
  379. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  380. SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
  381. return EXT_RETURN_FAIL;
  382. }
  383. }
  384. if (!WPACKET_close(pkt)
  385. /* Add an empty use_mki value */
  386. || !WPACKET_put_bytes_u8(pkt, 0)
  387. || !WPACKET_close(pkt)) {
  388. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP,
  389. ERR_R_INTERNAL_ERROR);
  390. return EXT_RETURN_FAIL;
  391. }
  392. return EXT_RETURN_SENT;
  393. }
  394. #endif
  395. EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
  396. X509 *x, size_t chainidx)
  397. {
  398. if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  399. return EXT_RETURN_NOT_SENT;
  400. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
  401. || !WPACKET_put_bytes_u16(pkt, 0)) {
  402. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM,
  403. ERR_R_INTERNAL_ERROR);
  404. return EXT_RETURN_FAIL;
  405. }
  406. return EXT_RETURN_SENT;
  407. }
  408. #ifndef OPENSSL_NO_CT
  409. EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
  410. X509 *x, size_t chainidx)
  411. {
  412. if (s->ct_validation_callback == NULL)
  413. return EXT_RETURN_NOT_SENT;
  414. /* Not defined for client Certificates */
  415. if (x != NULL)
  416. return EXT_RETURN_NOT_SENT;
  417. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
  418. || !WPACKET_put_bytes_u16(pkt, 0)) {
  419. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT,
  420. ERR_R_INTERNAL_ERROR);
  421. return EXT_RETURN_FAIL;
  422. }
  423. return EXT_RETURN_SENT;
  424. }
  425. #endif
  426. EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
  427. X509 *x, size_t chainidx)
  428. {
  429. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
  430. || !WPACKET_put_bytes_u16(pkt, 0)) {
  431. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS,
  432. ERR_R_INTERNAL_ERROR);
  433. return EXT_RETURN_FAIL;
  434. }
  435. return EXT_RETURN_SENT;
  436. }
  437. EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
  438. unsigned int context, X509 *x,
  439. size_t chainidx)
  440. {
  441. int currv, min_version, max_version, reason;
  442. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  443. if (reason != 0) {
  444. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  445. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
  446. return EXT_RETURN_FAIL;
  447. }
  448. /*
  449. * Don't include this if we can't negotiate TLSv1.3. We can do a straight
  450. * comparison here because we will never be called in DTLS.
  451. */
  452. if (max_version < TLS1_3_VERSION)
  453. return EXT_RETURN_NOT_SENT;
  454. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
  455. || !WPACKET_start_sub_packet_u16(pkt)
  456. || !WPACKET_start_sub_packet_u8(pkt)) {
  457. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  458. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
  459. ERR_R_INTERNAL_ERROR);
  460. return EXT_RETURN_FAIL;
  461. }
  462. for (currv = max_version; currv >= min_version; currv--) {
  463. if (!WPACKET_put_bytes_u16(pkt, currv)) {
  464. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  465. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
  466. ERR_R_INTERNAL_ERROR);
  467. return EXT_RETURN_FAIL;
  468. }
  469. }
  470. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  471. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  472. SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
  473. ERR_R_INTERNAL_ERROR);
  474. return EXT_RETURN_FAIL;
  475. }
  476. return EXT_RETURN_SENT;
  477. }
  478. /*
  479. * Construct a psk_kex_modes extension.
  480. */
  481. EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
  482. unsigned int context, X509 *x,
  483. size_t chainidx)
  484. {
  485. #ifndef OPENSSL_NO_TLS1_3
  486. int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
  487. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
  488. || !WPACKET_start_sub_packet_u16(pkt)
  489. || !WPACKET_start_sub_packet_u8(pkt)
  490. || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
  491. || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
  492. || !WPACKET_close(pkt)
  493. || !WPACKET_close(pkt)) {
  494. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  495. SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
  496. return EXT_RETURN_FAIL;
  497. }
  498. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
  499. if (nodhe)
  500. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
  501. #endif
  502. return EXT_RETURN_SENT;
  503. }
  504. #ifndef OPENSSL_NO_TLS1_3
  505. static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
  506. {
  507. unsigned char *encoded_point = NULL;
  508. EVP_PKEY *key_share_key = NULL;
  509. size_t encodedlen;
  510. if (s->s3->tmp.pkey != NULL) {
  511. if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
  512. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
  513. ERR_R_INTERNAL_ERROR);
  514. return 0;
  515. }
  516. /*
  517. * Could happen if we got an HRR that wasn't requesting a new key_share
  518. */
  519. key_share_key = s->s3->tmp.pkey;
  520. } else {
  521. key_share_key = ssl_generate_pkey_group(s, curve_id);
  522. if (key_share_key == NULL) {
  523. /* SSLfatal() already called */
  524. return 0;
  525. }
  526. }
  527. /* Encode the public key. */
  528. encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
  529. &encoded_point);
  530. if (encodedlen == 0) {
  531. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
  532. goto err;
  533. }
  534. /* Create KeyShareEntry */
  535. if (!WPACKET_put_bytes_u16(pkt, curve_id)
  536. || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
  537. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE,
  538. ERR_R_INTERNAL_ERROR);
  539. goto err;
  540. }
  541. /*
  542. * TODO(TLS1.3): When changing to send more than one key_share we're
  543. * going to need to be able to save more than one EVP_PKEY. For now
  544. * we reuse the existing tmp.pkey
  545. */
  546. s->s3->tmp.pkey = key_share_key;
  547. s->s3->group_id = curve_id;
  548. OPENSSL_free(encoded_point);
  549. return 1;
  550. err:
  551. if (s->s3->tmp.pkey == NULL)
  552. EVP_PKEY_free(key_share_key);
  553. OPENSSL_free(encoded_point);
  554. return 0;
  555. }
  556. #endif
  557. EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
  558. unsigned int context, X509 *x,
  559. size_t chainidx)
  560. {
  561. #ifndef OPENSSL_NO_TLS1_3
  562. size_t i, num_groups = 0;
  563. const uint16_t *pgroups = NULL;
  564. uint16_t curve_id = 0;
  565. /* key_share extension */
  566. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  567. /* Extension data sub-packet */
  568. || !WPACKET_start_sub_packet_u16(pkt)
  569. /* KeyShare list sub-packet */
  570. || !WPACKET_start_sub_packet_u16(pkt)) {
  571. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
  572. ERR_R_INTERNAL_ERROR);
  573. return EXT_RETURN_FAIL;
  574. }
  575. tls1_get_supported_groups(s, &pgroups, &num_groups);
  576. /*
  577. * TODO(TLS1.3): Make the number of key_shares sent configurable. For
  578. * now, just send one
  579. */
  580. if (s->s3->group_id != 0) {
  581. curve_id = s->s3->group_id;
  582. } else {
  583. for (i = 0; i < num_groups; i++) {
  584. if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
  585. continue;
  586. curve_id = pgroups[i];
  587. break;
  588. }
  589. }
  590. if (curve_id == 0) {
  591. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
  592. SSL_R_NO_SUITABLE_KEY_SHARE);
  593. return EXT_RETURN_FAIL;
  594. }
  595. if (!add_key_share(s, pkt, curve_id)) {
  596. /* SSLfatal() already called */
  597. return EXT_RETURN_FAIL;
  598. }
  599. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  600. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE,
  601. ERR_R_INTERNAL_ERROR);
  602. return EXT_RETURN_FAIL;
  603. }
  604. return EXT_RETURN_SENT;
  605. #else
  606. return EXT_RETURN_NOT_SENT;
  607. #endif
  608. }
  609. EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
  610. X509 *x, size_t chainidx)
  611. {
  612. EXT_RETURN ret = EXT_RETURN_FAIL;
  613. /* Should only be set if we've had an HRR */
  614. if (s->ext.tls13_cookie_len == 0)
  615. return EXT_RETURN_NOT_SENT;
  616. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
  617. /* Extension data sub-packet */
  618. || !WPACKET_start_sub_packet_u16(pkt)
  619. || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
  620. s->ext.tls13_cookie_len)
  621. || !WPACKET_close(pkt)) {
  622. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE,
  623. ERR_R_INTERNAL_ERROR);
  624. goto end;
  625. }
  626. ret = EXT_RETURN_SENT;
  627. end:
  628. OPENSSL_free(s->ext.tls13_cookie);
  629. s->ext.tls13_cookie = NULL;
  630. s->ext.tls13_cookie_len = 0;
  631. return ret;
  632. }
  633. EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
  634. unsigned int context, X509 *x,
  635. size_t chainidx)
  636. {
  637. #ifndef OPENSSL_NO_PSK
  638. char identity[PSK_MAX_IDENTITY_LEN + 1];
  639. #endif /* OPENSSL_NO_PSK */
  640. const unsigned char *id = NULL;
  641. size_t idlen = 0;
  642. SSL_SESSION *psksess = NULL;
  643. SSL_SESSION *edsess = NULL;
  644. const EVP_MD *handmd = NULL;
  645. if (s->hello_retry_request == SSL_HRR_PENDING)
  646. handmd = ssl_handshake_md(s);
  647. if (s->psk_use_session_cb != NULL
  648. && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
  649. || (psksess != NULL
  650. && psksess->ssl_version != TLS1_3_VERSION))) {
  651. SSL_SESSION_free(psksess);
  652. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  653. SSL_R_BAD_PSK);
  654. return EXT_RETURN_FAIL;
  655. }
  656. #ifndef OPENSSL_NO_PSK
  657. if (psksess == NULL && s->psk_client_callback != NULL) {
  658. unsigned char psk[PSK_MAX_PSK_LEN];
  659. size_t psklen = 0;
  660. memset(identity, 0, sizeof(identity));
  661. psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
  662. psk, sizeof(psk));
  663. if (psklen > PSK_MAX_PSK_LEN) {
  664. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  665. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  666. return EXT_RETURN_FAIL;
  667. } else if (psklen > 0) {
  668. const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
  669. const SSL_CIPHER *cipher;
  670. idlen = strlen(identity);
  671. if (idlen > PSK_MAX_IDENTITY_LEN) {
  672. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  673. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  674. ERR_R_INTERNAL_ERROR);
  675. return EXT_RETURN_FAIL;
  676. }
  677. id = (unsigned char *)identity;
  678. /*
  679. * We found a PSK using an old style callback. We don't know
  680. * the digest so we default to SHA256 as per the TLSv1.3 spec
  681. */
  682. cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
  683. if (cipher == NULL) {
  684. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  685. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  686. ERR_R_INTERNAL_ERROR);
  687. return EXT_RETURN_FAIL;
  688. }
  689. psksess = SSL_SESSION_new();
  690. if (psksess == NULL
  691. || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
  692. || !SSL_SESSION_set_cipher(psksess, cipher)
  693. || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
  694. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  695. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  696. ERR_R_INTERNAL_ERROR);
  697. OPENSSL_cleanse(psk, psklen);
  698. return EXT_RETURN_FAIL;
  699. }
  700. OPENSSL_cleanse(psk, psklen);
  701. }
  702. }
  703. #endif /* OPENSSL_NO_PSK */
  704. SSL_SESSION_free(s->psksession);
  705. s->psksession = psksess;
  706. if (psksess != NULL) {
  707. OPENSSL_free(s->psksession_id);
  708. s->psksession_id = OPENSSL_memdup(id, idlen);
  709. if (s->psksession_id == NULL) {
  710. s->psksession_id_len = 0;
  711. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  712. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  713. return EXT_RETURN_FAIL;
  714. }
  715. s->psksession_id_len = idlen;
  716. }
  717. if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
  718. || (s->session->ext.max_early_data == 0
  719. && (psksess == NULL || psksess->ext.max_early_data == 0))) {
  720. s->max_early_data = 0;
  721. return EXT_RETURN_NOT_SENT;
  722. }
  723. edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
  724. s->max_early_data = edsess->ext.max_early_data;
  725. if (edsess->ext.hostname != NULL) {
  726. if (s->ext.hostname == NULL
  727. || (s->ext.hostname != NULL
  728. && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
  729. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  730. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  731. SSL_R_INCONSISTENT_EARLY_DATA_SNI);
  732. return EXT_RETURN_FAIL;
  733. }
  734. }
  735. if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
  736. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  737. SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  738. return EXT_RETURN_FAIL;
  739. }
  740. /*
  741. * Verify that we are offering an ALPN protocol consistent with the early
  742. * data.
  743. */
  744. if (edsess->ext.alpn_selected != NULL) {
  745. PACKET prots, alpnpkt;
  746. int found = 0;
  747. if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
  748. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  749. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
  750. return EXT_RETURN_FAIL;
  751. }
  752. while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
  753. if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
  754. edsess->ext.alpn_selected_len)) {
  755. found = 1;
  756. break;
  757. }
  758. }
  759. if (!found) {
  760. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  761. SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  762. SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
  763. return EXT_RETURN_FAIL;
  764. }
  765. }
  766. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  767. || !WPACKET_start_sub_packet_u16(pkt)
  768. || !WPACKET_close(pkt)) {
  769. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA,
  770. ERR_R_INTERNAL_ERROR);
  771. return EXT_RETURN_FAIL;
  772. }
  773. /*
  774. * We set this to rejected here. Later, if the server acknowledges the
  775. * extension, we set it to accepted.
  776. */
  777. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  778. s->ext.early_data_ok = 1;
  779. return EXT_RETURN_SENT;
  780. }
  781. #define F5_WORKAROUND_MIN_MSG_LEN 0xff
  782. #define F5_WORKAROUND_MAX_MSG_LEN 0x200
  783. /*
  784. * PSK pre binder overhead =
  785. * 2 bytes for TLSEXT_TYPE_psk
  786. * 2 bytes for extension length
  787. * 2 bytes for identities list length
  788. * 2 bytes for identity length
  789. * 4 bytes for obfuscated_ticket_age
  790. * 2 bytes for binder list length
  791. * 1 byte for binder length
  792. * The above excludes the number of bytes for the identity itself and the
  793. * subsequent binder bytes
  794. */
  795. #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
  796. EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
  797. unsigned int context, X509 *x,
  798. size_t chainidx)
  799. {
  800. unsigned char *padbytes;
  801. size_t hlen;
  802. if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
  803. return EXT_RETURN_NOT_SENT;
  804. /*
  805. * Add padding to workaround bugs in F5 terminators. See RFC7685.
  806. * This code calculates the length of all extensions added so far but
  807. * excludes the PSK extension (because that MUST be written last). Therefore
  808. * this extension MUST always appear second to last.
  809. */
  810. if (!WPACKET_get_total_written(pkt, &hlen)) {
  811. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
  812. ERR_R_INTERNAL_ERROR);
  813. return EXT_RETURN_FAIL;
  814. }
  815. /*
  816. * If we're going to send a PSK then that will be written out after this
  817. * extension, so we need to calculate how long it is going to be.
  818. */
  819. if (s->session->ssl_version == TLS1_3_VERSION
  820. && s->session->ext.ticklen != 0
  821. && s->session->cipher != NULL) {
  822. const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
  823. if (md != NULL) {
  824. /*
  825. * Add the fixed PSK overhead, the identity length and the binder
  826. * length.
  827. */
  828. hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
  829. + EVP_MD_size(md);
  830. }
  831. }
  832. if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
  833. /* Calculate the amount of padding we need to add */
  834. hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
  835. /*
  836. * Take off the size of extension header itself (2 bytes for type and
  837. * 2 bytes for length bytes), but ensure that the extension is at least
  838. * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
  839. * 8.x are intolerant of that condition)
  840. */
  841. if (hlen > 4)
  842. hlen -= 4;
  843. else
  844. hlen = 1;
  845. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
  846. || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
  847. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING,
  848. ERR_R_INTERNAL_ERROR);
  849. return EXT_RETURN_FAIL;
  850. }
  851. memset(padbytes, 0, hlen);
  852. }
  853. return EXT_RETURN_SENT;
  854. }
  855. /*
  856. * Construct the pre_shared_key extension
  857. */
  858. EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
  859. X509 *x, size_t chainidx)
  860. {
  861. #ifndef OPENSSL_NO_TLS1_3
  862. uint32_t now, agesec, agems = 0;
  863. size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
  864. unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
  865. const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
  866. int dores = 0;
  867. s->ext.tick_identity = 0;
  868. /*
  869. * Note: At this stage of the code we only support adding a single
  870. * resumption PSK. If we add support for multiple PSKs then the length
  871. * calculations in the padding extension will need to be adjusted.
  872. */
  873. /*
  874. * If this is an incompatible or new session then we have nothing to resume
  875. * so don't add this extension.
  876. */
  877. if (s->session->ssl_version != TLS1_3_VERSION
  878. || (s->session->ext.ticklen == 0 && s->psksession == NULL))
  879. return EXT_RETURN_NOT_SENT;
  880. if (s->hello_retry_request == SSL_HRR_PENDING)
  881. handmd = ssl_handshake_md(s);
  882. if (s->session->ext.ticklen != 0) {
  883. /* Get the digest associated with the ciphersuite in the session */
  884. if (s->session->cipher == NULL) {
  885. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  886. ERR_R_INTERNAL_ERROR);
  887. return EXT_RETURN_FAIL;
  888. }
  889. mdres = ssl_md(s->session->cipher->algorithm2);
  890. if (mdres == NULL) {
  891. /*
  892. * Don't recognize this cipher so we can't use the session.
  893. * Ignore it
  894. */
  895. goto dopsksess;
  896. }
  897. if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
  898. /*
  899. * Selected ciphersuite hash does not match the hash for the session
  900. * so we can't use it.
  901. */
  902. goto dopsksess;
  903. }
  904. /*
  905. * Technically the C standard just says time() returns a time_t and says
  906. * nothing about the encoding of that type. In practice most
  907. * implementations follow POSIX which holds it as an integral type in
  908. * seconds since epoch. We've already made the assumption that we can do
  909. * this in multiple places in the code, so portability shouldn't be an
  910. * issue.
  911. */
  912. now = (uint32_t)time(NULL);
  913. agesec = now - (uint32_t)s->session->time;
  914. /*
  915. * We calculate the age in seconds but the server may work in ms. Due to
  916. * rounding errors we could overestimate the age by up to 1s. It is
  917. * better to underestimate it. Otherwise, if the RTT is very short, when
  918. * the server calculates the age reported by the client it could be
  919. * bigger than the age calculated on the server - which should never
  920. * happen.
  921. */
  922. if (agesec > 0)
  923. agesec--;
  924. if (s->session->ext.tick_lifetime_hint < agesec) {
  925. /* Ticket is too old. Ignore it. */
  926. goto dopsksess;
  927. }
  928. /*
  929. * Calculate age in ms. We're just doing it to nearest second. Should be
  930. * good enough.
  931. */
  932. agems = agesec * (uint32_t)1000;
  933. if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
  934. /*
  935. * Overflow. Shouldn't happen unless this is a *really* old session.
  936. * If so we just ignore it.
  937. */
  938. goto dopsksess;
  939. }
  940. /*
  941. * Obfuscate the age. Overflow here is fine, this addition is supposed
  942. * to be mod 2^32.
  943. */
  944. agems += s->session->ext.tick_age_add;
  945. reshashsize = EVP_MD_size(mdres);
  946. s->ext.tick_identity++;
  947. dores = 1;
  948. }
  949. dopsksess:
  950. if (!dores && s->psksession == NULL)
  951. return EXT_RETURN_NOT_SENT;
  952. if (s->psksession != NULL) {
  953. mdpsk = ssl_md(s->psksession->cipher->algorithm2);
  954. if (mdpsk == NULL) {
  955. /*
  956. * Don't recognize this cipher so we can't use the session.
  957. * If this happens it's an application bug.
  958. */
  959. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  960. SSL_R_BAD_PSK);
  961. return EXT_RETURN_FAIL;
  962. }
  963. if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
  964. /*
  965. * Selected ciphersuite hash does not match the hash for the PSK
  966. * session. This is an application bug.
  967. */
  968. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  969. SSL_R_BAD_PSK);
  970. return EXT_RETURN_FAIL;
  971. }
  972. pskhashsize = EVP_MD_size(mdpsk);
  973. }
  974. /* Create the extension, but skip over the binder for now */
  975. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
  976. || !WPACKET_start_sub_packet_u16(pkt)
  977. || !WPACKET_start_sub_packet_u16(pkt)) {
  978. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  979. ERR_R_INTERNAL_ERROR);
  980. return EXT_RETURN_FAIL;
  981. }
  982. if (dores) {
  983. if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
  984. s->session->ext.ticklen)
  985. || !WPACKET_put_bytes_u32(pkt, agems)) {
  986. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  987. ERR_R_INTERNAL_ERROR);
  988. return EXT_RETURN_FAIL;
  989. }
  990. }
  991. if (s->psksession != NULL) {
  992. if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
  993. s->psksession_id_len)
  994. || !WPACKET_put_bytes_u32(pkt, 0)) {
  995. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  996. ERR_R_INTERNAL_ERROR);
  997. return EXT_RETURN_FAIL;
  998. }
  999. s->ext.tick_identity++;
  1000. }
  1001. if (!WPACKET_close(pkt)
  1002. || !WPACKET_get_total_written(pkt, &binderoffset)
  1003. || !WPACKET_start_sub_packet_u16(pkt)
  1004. || (dores
  1005. && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
  1006. || (s->psksession != NULL
  1007. && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
  1008. || !WPACKET_close(pkt)
  1009. || !WPACKET_close(pkt)
  1010. || !WPACKET_get_total_written(pkt, &msglen)
  1011. /*
  1012. * We need to fill in all the sub-packet lengths now so we can
  1013. * calculate the HMAC of the message up to the binders
  1014. */
  1015. || !WPACKET_fill_lengths(pkt)) {
  1016. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK,
  1017. ERR_R_INTERNAL_ERROR);
  1018. return EXT_RETURN_FAIL;
  1019. }
  1020. msgstart = WPACKET_get_curr(pkt) - msglen;
  1021. if (dores
  1022. && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
  1023. resbinder, s->session, 1, 0) != 1) {
  1024. /* SSLfatal() already called */
  1025. return EXT_RETURN_FAIL;
  1026. }
  1027. if (s->psksession != NULL
  1028. && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
  1029. pskbinder, s->psksession, 1, 1) != 1) {
  1030. /* SSLfatal() already called */
  1031. return EXT_RETURN_FAIL;
  1032. }
  1033. return EXT_RETURN_SENT;
  1034. #else
  1035. return EXT_RETURN_NOT_SENT;
  1036. #endif
  1037. }
  1038. EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
  1039. unsigned int context,
  1040. X509 *x, size_t chainidx)
  1041. {
  1042. #ifndef OPENSSL_NO_TLS1_3
  1043. if (!s->pha_enabled)
  1044. return EXT_RETURN_NOT_SENT;
  1045. /* construct extension - 0 length, no contents */
  1046. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
  1047. || !WPACKET_start_sub_packet_u16(pkt)
  1048. || !WPACKET_close(pkt)) {
  1049. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1050. SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH,
  1051. ERR_R_INTERNAL_ERROR);
  1052. return EXT_RETURN_FAIL;
  1053. }
  1054. s->post_handshake_auth = SSL_PHA_EXT_SENT;
  1055. return EXT_RETURN_SENT;
  1056. #else
  1057. return EXT_RETURN_NOT_SENT;
  1058. #endif
  1059. }
  1060. /*
  1061. * Parse the server's renegotiation binding and abort if it's not right
  1062. */
  1063. int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
  1064. X509 *x, size_t chainidx)
  1065. {
  1066. size_t expected_len = s->s3->previous_client_finished_len
  1067. + s->s3->previous_server_finished_len;
  1068. size_t ilen;
  1069. const unsigned char *data;
  1070. /* Check for logic errors */
  1071. if (!ossl_assert(expected_len == 0
  1072. || s->s3->previous_client_finished_len != 0)
  1073. || !ossl_assert(expected_len == 0
  1074. || s->s3->previous_server_finished_len != 0)) {
  1075. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1076. ERR_R_INTERNAL_ERROR);
  1077. return 0;
  1078. }
  1079. /* Parse the length byte */
  1080. if (!PACKET_get_1_len(pkt, &ilen)) {
  1081. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1082. SSL_R_RENEGOTIATION_ENCODING_ERR);
  1083. return 0;
  1084. }
  1085. /* Consistency check */
  1086. if (PACKET_remaining(pkt) != ilen) {
  1087. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1088. SSL_R_RENEGOTIATION_ENCODING_ERR);
  1089. return 0;
  1090. }
  1091. /* Check that the extension matches */
  1092. if (ilen != expected_len) {
  1093. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1094. SSL_R_RENEGOTIATION_MISMATCH);
  1095. return 0;
  1096. }
  1097. if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
  1098. || memcmp(data, s->s3->previous_client_finished,
  1099. s->s3->previous_client_finished_len) != 0) {
  1100. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1101. SSL_R_RENEGOTIATION_MISMATCH);
  1102. return 0;
  1103. }
  1104. if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
  1105. || memcmp(data, s->s3->previous_server_finished,
  1106. s->s3->previous_server_finished_len) != 0) {
  1107. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
  1108. SSL_R_RENEGOTIATION_MISMATCH);
  1109. return 0;
  1110. }
  1111. s->s3->send_connection_binding = 1;
  1112. return 1;
  1113. }
  1114. /* Parse the server's max fragment len extension packet */
  1115. int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
  1116. X509 *x, size_t chainidx)
  1117. {
  1118. unsigned int value;
  1119. if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
  1120. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
  1121. SSL_R_BAD_EXTENSION);
  1122. return 0;
  1123. }
  1124. /* |value| should contains a valid max-fragment-length code. */
  1125. if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
  1126. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1127. SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
  1128. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1129. return 0;
  1130. }
  1131. /* Must be the same value as client-configured one who was sent to server */
  1132. /*-
  1133. * RFC 6066: if a client receives a maximum fragment length negotiation
  1134. * response that differs from the length it requested, ...
  1135. * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
  1136. */
  1137. if (value != s->ext.max_fragment_len_mode) {
  1138. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1139. SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN,
  1140. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  1141. return 0;
  1142. }
  1143. /*
  1144. * Maximum Fragment Length Negotiation succeeded.
  1145. * The negotiated Maximum Fragment Length is binding now.
  1146. */
  1147. s->session->ext.max_fragment_len_mode = value;
  1148. return 1;
  1149. }
  1150. int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
  1151. X509 *x, size_t chainidx)
  1152. {
  1153. if (s->ext.hostname == NULL) {
  1154. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1155. ERR_R_INTERNAL_ERROR);
  1156. return 0;
  1157. }
  1158. if (PACKET_remaining(pkt) > 0) {
  1159. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1160. SSL_R_BAD_EXTENSION);
  1161. return 0;
  1162. }
  1163. if (!s->hit) {
  1164. if (s->session->ext.hostname != NULL) {
  1165. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1166. ERR_R_INTERNAL_ERROR);
  1167. return 0;
  1168. }
  1169. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  1170. if (s->session->ext.hostname == NULL) {
  1171. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME,
  1172. ERR_R_INTERNAL_ERROR);
  1173. return 0;
  1174. }
  1175. }
  1176. return 1;
  1177. }
  1178. #ifndef OPENSSL_NO_EC
  1179. int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
  1180. X509 *x, size_t chainidx)
  1181. {
  1182. size_t ecpointformats_len;
  1183. PACKET ecptformatlist;
  1184. if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
  1185. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS,
  1186. SSL_R_BAD_EXTENSION);
  1187. return 0;
  1188. }
  1189. if (!s->hit) {
  1190. ecpointformats_len = PACKET_remaining(&ecptformatlist);
  1191. if (ecpointformats_len == 0) {
  1192. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1193. SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH);
  1194. return 0;
  1195. }
  1196. s->ext.peer_ecpointformats_len = 0;
  1197. OPENSSL_free(s->ext.peer_ecpointformats);
  1198. s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
  1199. if (s->ext.peer_ecpointformats == NULL) {
  1200. s->ext.peer_ecpointformats_len = 0;
  1201. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1202. SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  1203. return 0;
  1204. }
  1205. s->ext.peer_ecpointformats_len = ecpointformats_len;
  1206. if (!PACKET_copy_bytes(&ecptformatlist,
  1207. s->ext.peer_ecpointformats,
  1208. ecpointformats_len)) {
  1209. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1210. SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
  1211. return 0;
  1212. }
  1213. }
  1214. return 1;
  1215. }
  1216. #endif
  1217. int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
  1218. X509 *x, size_t chainidx)
  1219. {
  1220. if (s->ext.session_ticket_cb != NULL &&
  1221. !s->ext.session_ticket_cb(s, PACKET_data(pkt),
  1222. PACKET_remaining(pkt),
  1223. s->ext.session_ticket_cb_arg)) {
  1224. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  1225. SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
  1226. return 0;
  1227. }
  1228. if (!tls_use_ticket(s)) {
  1229. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  1230. SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
  1231. return 0;
  1232. }
  1233. if (PACKET_remaining(pkt) > 0) {
  1234. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1235. SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION);
  1236. return 0;
  1237. }
  1238. s->ext.ticket_expected = 1;
  1239. return 1;
  1240. }
  1241. #ifndef OPENSSL_NO_OCSP
  1242. int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
  1243. X509 *x, size_t chainidx)
  1244. {
  1245. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1246. /* We ignore this if the server sends a CertificateRequest */
  1247. /* TODO(TLS1.3): Add support for this */
  1248. return 1;
  1249. }
  1250. /*
  1251. * MUST only be sent if we've requested a status
  1252. * request message. In TLS <= 1.2 it must also be empty.
  1253. */
  1254. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
  1255. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  1256. SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  1257. return 0;
  1258. }
  1259. if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
  1260. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1261. SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
  1262. return 0;
  1263. }
  1264. if (SSL_IS_TLS13(s)) {
  1265. /* We only know how to handle this if it's for the first Certificate in
  1266. * the chain. We ignore any other responses.
  1267. */
  1268. if (chainidx != 0)
  1269. return 1;
  1270. /* SSLfatal() already called */
  1271. return tls_process_cert_status_body(s, pkt);
  1272. }
  1273. /* Set flag to expect CertificateStatus message */
  1274. s->ext.status_expected = 1;
  1275. return 1;
  1276. }
  1277. #endif
  1278. #ifndef OPENSSL_NO_CT
  1279. int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1280. size_t chainidx)
  1281. {
  1282. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
  1283. /* We ignore this if the server sends it in a CertificateRequest */
  1284. /* TODO(TLS1.3): Add support for this */
  1285. return 1;
  1286. }
  1287. /*
  1288. * Only take it if we asked for it - i.e if there is no CT validation
  1289. * callback set, then a custom extension MAY be processing it, so we
  1290. * need to let control continue to flow to that.
  1291. */
  1292. if (s->ct_validation_callback != NULL) {
  1293. size_t size = PACKET_remaining(pkt);
  1294. /* Simply copy it off for later processing */
  1295. OPENSSL_free(s->ext.scts);
  1296. s->ext.scts = NULL;
  1297. s->ext.scts_len = (uint16_t)size;
  1298. if (size > 0) {
  1299. s->ext.scts = OPENSSL_malloc(size);
  1300. if (s->ext.scts == NULL) {
  1301. s->ext.scts_len = 0;
  1302. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
  1303. ERR_R_MALLOC_FAILURE);
  1304. return 0;
  1305. }
  1306. if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
  1307. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT,
  1308. ERR_R_INTERNAL_ERROR);
  1309. return 0;
  1310. }
  1311. }
  1312. } else {
  1313. ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  1314. ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
  1315. /*
  1316. * If we didn't ask for it then there must be a custom extension,
  1317. * otherwise this is unsolicited.
  1318. */
  1319. if (custom_ext_find(&s->cert->custext, role,
  1320. TLSEXT_TYPE_signed_certificate_timestamp,
  1321. NULL) == NULL) {
  1322. SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT,
  1323. SSL_R_BAD_EXTENSION);
  1324. return 0;
  1325. }
  1326. if (!custom_ext_parse(s, context,
  1327. TLSEXT_TYPE_signed_certificate_timestamp,
  1328. PACKET_data(pkt), PACKET_remaining(pkt),
  1329. x, chainidx)) {
  1330. /* SSLfatal already called */
  1331. return 0;
  1332. }
  1333. }
  1334. return 1;
  1335. }
  1336. #endif
  1337. #ifndef OPENSSL_NO_NEXTPROTONEG
  1338. /*
  1339. * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
  1340. * elements of zero length are allowed and the set of elements must exactly
  1341. * fill the length of the block. Returns 1 on success or 0 on failure.
  1342. */
  1343. static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
  1344. {
  1345. PACKET tmp_protocol;
  1346. while (PACKET_remaining(pkt)) {
  1347. if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
  1348. || PACKET_remaining(&tmp_protocol) == 0) {
  1349. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE,
  1350. SSL_R_BAD_EXTENSION);
  1351. return 0;
  1352. }
  1353. }
  1354. return 1;
  1355. }
  1356. int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1357. size_t chainidx)
  1358. {
  1359. unsigned char *selected;
  1360. unsigned char selected_len;
  1361. PACKET tmppkt;
  1362. /* Check if we are in a renegotiation. If so ignore this extension */
  1363. if (!SSL_IS_FIRST_HANDSHAKE(s))
  1364. return 1;
  1365. /* We must have requested it. */
  1366. if (s->ctx->ext.npn_select_cb == NULL) {
  1367. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN,
  1368. SSL_R_BAD_EXTENSION);
  1369. return 0;
  1370. }
  1371. /* The data must be valid */
  1372. tmppkt = *pkt;
  1373. if (!ssl_next_proto_validate(s, &tmppkt)) {
  1374. /* SSLfatal() already called */
  1375. return 0;
  1376. }
  1377. if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
  1378. PACKET_data(pkt),
  1379. PACKET_remaining(pkt),
  1380. s->ctx->ext.npn_select_cb_arg) !=
  1381. SSL_TLSEXT_ERR_OK) {
  1382. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN,
  1383. SSL_R_BAD_EXTENSION);
  1384. return 0;
  1385. }
  1386. /*
  1387. * Could be non-NULL if server has sent multiple NPN extensions in
  1388. * a single Serverhello
  1389. */
  1390. OPENSSL_free(s->ext.npn);
  1391. s->ext.npn = OPENSSL_malloc(selected_len);
  1392. if (s->ext.npn == NULL) {
  1393. s->ext.npn_len = 0;
  1394. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN,
  1395. ERR_R_INTERNAL_ERROR);
  1396. return 0;
  1397. }
  1398. memcpy(s->ext.npn, selected, selected_len);
  1399. s->ext.npn_len = selected_len;
  1400. s->s3->npn_seen = 1;
  1401. return 1;
  1402. }
  1403. #endif
  1404. int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1405. size_t chainidx)
  1406. {
  1407. size_t len;
  1408. /* We must have requested it. */
  1409. if (!s->s3->alpn_sent) {
  1410. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN,
  1411. SSL_R_BAD_EXTENSION);
  1412. return 0;
  1413. }
  1414. /*-
  1415. * The extension data consists of:
  1416. * uint16 list_length
  1417. * uint8 proto_length;
  1418. * uint8 proto[proto_length];
  1419. */
  1420. if (!PACKET_get_net_2_len(pkt, &len)
  1421. || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
  1422. || PACKET_remaining(pkt) != len) {
  1423. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1424. SSL_R_BAD_EXTENSION);
  1425. return 0;
  1426. }
  1427. OPENSSL_free(s->s3->alpn_selected);
  1428. s->s3->alpn_selected = OPENSSL_malloc(len);
  1429. if (s->s3->alpn_selected == NULL) {
  1430. s->s3->alpn_selected_len = 0;
  1431. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1432. ERR_R_INTERNAL_ERROR);
  1433. return 0;
  1434. }
  1435. if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
  1436. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1437. SSL_R_BAD_EXTENSION);
  1438. return 0;
  1439. }
  1440. s->s3->alpn_selected_len = len;
  1441. if (s->session->ext.alpn_selected == NULL
  1442. || s->session->ext.alpn_selected_len != len
  1443. || memcmp(s->session->ext.alpn_selected, s->s3->alpn_selected, len)
  1444. != 0) {
  1445. /* ALPN not consistent with the old session so cannot use early_data */
  1446. s->ext.early_data_ok = 0;
  1447. }
  1448. if (!s->hit) {
  1449. /*
  1450. * This is a new session and so alpn_selected should have been
  1451. * initialised to NULL. We should update it with the selected ALPN.
  1452. */
  1453. if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
  1454. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1455. ERR_R_INTERNAL_ERROR);
  1456. return 0;
  1457. }
  1458. s->session->ext.alpn_selected =
  1459. OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
  1460. if (s->session->ext.alpn_selected == NULL) {
  1461. s->session->ext.alpn_selected_len = 0;
  1462. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN,
  1463. ERR_R_INTERNAL_ERROR);
  1464. return 0;
  1465. }
  1466. s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
  1467. }
  1468. return 1;
  1469. }
  1470. #ifndef OPENSSL_NO_SRTP
  1471. int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1472. size_t chainidx)
  1473. {
  1474. unsigned int id, ct, mki;
  1475. int i;
  1476. STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
  1477. SRTP_PROTECTION_PROFILE *prof;
  1478. if (!PACKET_get_net_2(pkt, &ct) || ct != 2
  1479. || !PACKET_get_net_2(pkt, &id)
  1480. || !PACKET_get_1(pkt, &mki)
  1481. || PACKET_remaining(pkt) != 0) {
  1482. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1483. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1484. return 0;
  1485. }
  1486. if (mki != 0) {
  1487. /* Must be no MKI, since we never offer one */
  1488. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1489. SSL_R_BAD_SRTP_MKI_VALUE);
  1490. return 0;
  1491. }
  1492. /* Throw an error if the server gave us an unsolicited extension */
  1493. clnt = SSL_get_srtp_profiles(s);
  1494. if (clnt == NULL) {
  1495. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1496. SSL_R_NO_SRTP_PROFILES);
  1497. return 0;
  1498. }
  1499. /*
  1500. * Check to see if the server gave us something we support (and
  1501. * presumably offered)
  1502. */
  1503. for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
  1504. prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
  1505. if (prof->id == id) {
  1506. s->srtp_profile = prof;
  1507. return 1;
  1508. }
  1509. }
  1510. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP,
  1511. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  1512. return 0;
  1513. }
  1514. #endif
  1515. int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1516. size_t chainidx)
  1517. {
  1518. /* Ignore if inappropriate ciphersuite */
  1519. if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
  1520. && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
  1521. && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
  1522. s->ext.use_etm = 1;
  1523. return 1;
  1524. }
  1525. int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1526. size_t chainidx)
  1527. {
  1528. s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
  1529. if (!s->hit)
  1530. s->session->flags |= SSL_SESS_FLAG_EXTMS;
  1531. return 1;
  1532. }
  1533. int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
  1534. X509 *x, size_t chainidx)
  1535. {
  1536. unsigned int version;
  1537. if (!PACKET_get_net_2(pkt, &version)
  1538. || PACKET_remaining(pkt) != 0) {
  1539. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1540. SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
  1541. SSL_R_LENGTH_MISMATCH);
  1542. return 0;
  1543. }
  1544. /*
  1545. * The only protocol version we support which is valid in this extension in
  1546. * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
  1547. */
  1548. if (version != TLS1_3_VERSION) {
  1549. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1550. SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS,
  1551. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  1552. return 0;
  1553. }
  1554. /* We ignore this extension for HRRs except to sanity check it */
  1555. if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
  1556. return 1;
  1557. /* We just set it here. We validate it in ssl_choose_client_version */
  1558. s->version = version;
  1559. return 1;
  1560. }
  1561. int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1562. size_t chainidx)
  1563. {
  1564. #ifndef OPENSSL_NO_TLS1_3
  1565. unsigned int group_id;
  1566. PACKET encoded_pt;
  1567. EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
  1568. /* Sanity check */
  1569. if (ckey == NULL || s->s3->peer_tmp != NULL) {
  1570. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1571. ERR_R_INTERNAL_ERROR);
  1572. return 0;
  1573. }
  1574. if (!PACKET_get_net_2(pkt, &group_id)) {
  1575. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1576. SSL_R_LENGTH_MISMATCH);
  1577. return 0;
  1578. }
  1579. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
  1580. const uint16_t *pgroups = NULL;
  1581. size_t i, num_groups;
  1582. if (PACKET_remaining(pkt) != 0) {
  1583. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1584. SSL_R_LENGTH_MISMATCH);
  1585. return 0;
  1586. }
  1587. /*
  1588. * It is an error if the HelloRetryRequest wants a key_share that we
  1589. * already sent in the first ClientHello
  1590. */
  1591. if (group_id == s->s3->group_id) {
  1592. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1593. SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
  1594. return 0;
  1595. }
  1596. /* Validate the selected group is one we support */
  1597. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1598. for (i = 0; i < num_groups; i++) {
  1599. if (group_id == pgroups[i])
  1600. break;
  1601. }
  1602. if (i >= num_groups
  1603. || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
  1604. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  1605. SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
  1606. return 0;
  1607. }
  1608. s->s3->group_id = group_id;
  1609. EVP_PKEY_free(s->s3->tmp.pkey);
  1610. s->s3->tmp.pkey = NULL;
  1611. return 1;
  1612. }
  1613. if (group_id != s->s3->group_id) {
  1614. /*
  1615. * This isn't for the group that we sent in the original
  1616. * key_share!
  1617. */
  1618. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1619. SSL_R_BAD_KEY_SHARE);
  1620. return 0;
  1621. }
  1622. if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
  1623. || PACKET_remaining(&encoded_pt) == 0) {
  1624. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1625. SSL_R_LENGTH_MISMATCH);
  1626. return 0;
  1627. }
  1628. skey = EVP_PKEY_new();
  1629. if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
  1630. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1631. ERR_R_MALLOC_FAILURE);
  1632. return 0;
  1633. }
  1634. if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
  1635. PACKET_remaining(&encoded_pt))) {
  1636. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE,
  1637. SSL_R_BAD_ECPOINT);
  1638. EVP_PKEY_free(skey);
  1639. return 0;
  1640. }
  1641. if (ssl_derive(s, ckey, skey, 1) == 0) {
  1642. /* SSLfatal() already called */
  1643. EVP_PKEY_free(skey);
  1644. return 0;
  1645. }
  1646. s->s3->peer_tmp = skey;
  1647. #endif
  1648. return 1;
  1649. }
  1650. int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1651. size_t chainidx)
  1652. {
  1653. PACKET cookie;
  1654. if (!PACKET_as_length_prefixed_2(pkt, &cookie)
  1655. || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
  1656. &s->ext.tls13_cookie_len)) {
  1657. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE,
  1658. SSL_R_LENGTH_MISMATCH);
  1659. return 0;
  1660. }
  1661. return 1;
  1662. }
  1663. int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
  1664. X509 *x, size_t chainidx)
  1665. {
  1666. if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
  1667. unsigned long max_early_data;
  1668. if (!PACKET_get_net_4(pkt, &max_early_data)
  1669. || PACKET_remaining(pkt) != 0) {
  1670. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
  1671. SSL_R_INVALID_MAX_EARLY_DATA);
  1672. return 0;
  1673. }
  1674. s->session->ext.max_early_data = max_early_data;
  1675. return 1;
  1676. }
  1677. if (PACKET_remaining(pkt) != 0) {
  1678. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
  1679. SSL_R_BAD_EXTENSION);
  1680. return 0;
  1681. }
  1682. if (!s->ext.early_data_ok
  1683. || !s->hit) {
  1684. /*
  1685. * If we get here then we didn't send early data, or we didn't resume
  1686. * using the first identity, or the SNI/ALPN is not consistent so the
  1687. * server should not be accepting it.
  1688. */
  1689. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA,
  1690. SSL_R_BAD_EXTENSION);
  1691. return 0;
  1692. }
  1693. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1694. return 1;
  1695. }
  1696. int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  1697. size_t chainidx)
  1698. {
  1699. #ifndef OPENSSL_NO_TLS1_3
  1700. unsigned int identity;
  1701. if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
  1702. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
  1703. SSL_R_LENGTH_MISMATCH);
  1704. return 0;
  1705. }
  1706. if (identity >= (unsigned int)s->ext.tick_identity) {
  1707. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK,
  1708. SSL_R_BAD_PSK_IDENTITY);
  1709. return 0;
  1710. }
  1711. /*
  1712. * Session resumption tickets are always sent before PSK tickets. If the
  1713. * ticket index is 0 then it must be for a session resumption ticket if we
  1714. * sent two tickets, or if we didn't send a PSK ticket.
  1715. */
  1716. if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
  1717. s->hit = 1;
  1718. SSL_SESSION_free(s->psksession);
  1719. s->psksession = NULL;
  1720. return 1;
  1721. }
  1722. if (s->psksession == NULL) {
  1723. /* Should never happen */
  1724. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK,
  1725. ERR_R_INTERNAL_ERROR);
  1726. return 0;
  1727. }
  1728. /*
  1729. * If we used the external PSK for sending early_data then s->early_secret
  1730. * is already set up, so don't overwrite it. Otherwise we copy the
  1731. * early_secret across that we generated earlier.
  1732. */
  1733. if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
  1734. && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
  1735. || s->session->ext.max_early_data > 0
  1736. || s->psksession->ext.max_early_data == 0)
  1737. memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
  1738. SSL_SESSION_free(s->session);
  1739. s->session = s->psksession;
  1740. s->psksession = NULL;
  1741. s->hit = 1;
  1742. /* Early data is only allowed if we used the first ticket */
  1743. if (identity != 0)
  1744. s->ext.early_data_ok = 0;
  1745. #endif
  1746. return 1;
  1747. }