/*
 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/ocsp.h>
#include "../ssl_local.h"
#include "internal/cryptlib.h"
#include "internal/ssl_unwrap.h"
#include "statem_local.h"

/*
 * Construct the renegotiation_info (RI) extension for a ClientHello.
 *
 * Every tls_construct_ctos_* function in this file has the same contract:
 * it appends exactly one extension to |pkt| and returns EXT_RETURN_SENT,
 * returns EXT_RETURN_NOT_SENT without writing to |pkt| when the extension
 * does not apply, or calls SSLfatal() and returns EXT_RETURN_FAIL. |context|,
 * |x| and |chainidx| belong to the common constructor signature and are
 * unused by most constructors here.
 *
 * On an initial handshake (s->renegotiate clear) an empty RI extension is
 * sent to advertise support. On renegotiation the extension carries the
 * client's previous Finished verify data from s->s3.previous_client_finished.
 */
EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    if (!s->renegotiate) {
        /* If not renegotiating, send an empty RI extension to indicate support */

#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
#error Internal DTLS version error
#endif

        /*
         * Skip the extension when the connection can only end up at a
         * version that does not use it: TLS 1.3 and above, or TLS 1.0 and
         * below (the ssl_security() call checks whether TLS 1.0 passes the
         * security-level policy). DTLS always sends it.
         */
        if (!SSL_CONNECTION_IS_DTLS(s)
            && (s->min_proto_version >= TLS1_3_VERSION
                || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
                    && s->min_proto_version <= TLS1_VERSION))) {
            /*
             * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this
             * extension isn't used at all.
             */
            return EXT_RETURN_NOT_SENT;
        }

        /* Extension body is a single zero byte: an empty renegotiated_connection */
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
                || !WPACKET_start_sub_packet_u16(pkt)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_close(pkt)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }

        return EXT_RETURN_SENT;
    }

    /* Add a complete RI extension if renegotiating */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
                                      s->s3.previous_client_finished_len)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct the server_name (SNI) extension.
 *
 * Nothing is sent unless a hostname has been configured in s->ext.hostname.
 * The ServerNameList always contains exactly one host_name entry.
 */
EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    if (s->ext.hostname == NULL)
        return EXT_RETURN_NOT_SENT;

    /* Add TLS extension servername to the Client Hello message */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
               /* Sub-packet for server_name extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for servername list (always 1 hostname)*/
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
               /*
                * The name is copied with a u16 length prefix; a name too
                * long for that prefix is rejected by WPACKET and surfaces
                * below as an internal error rather than being truncated.
                */
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
                                       strlen(s->ext.hostname))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/* Push a Max Fragment Len extension into ClientHello */
/*
 * Nothing is sent while s->ext.max_fragment_len_mode is
 * TLSEXT_max_fragment_length_DISABLED; otherwise the configured mode code
 * is the single-byte body of the extension.
 */
EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
        return EXT_RETURN_NOT_SENT;

    /* Add Max Fragment Length extension if client enabled it. */
    /*-
     * 4 bytes for this extension type and extension length
     * 1 byte for the Max Fragment Length code value.
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
            /* Sub-packet for Max Fragment Length extension (1 byte) */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_SRP
/*
 * Construct the srp extension carrying the SRP username (s->srp_ctx.login).
 *
 * The username is written as a u8-length-prefixed string. Setting
 * WPACKET_FLAGS_NON_ZERO_LENGTH on that sub-packet turns an empty login
 * into a WPACKET failure, reported below as an internal error.
 */
EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    /* Add SRP username if there is one */
    if (s->srp_ctx.login == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
               /* Sub-packet for SRP extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
               /* login must not be zero...internal error if so */
            || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
            || !WPACKET_memcpy(pkt, s->srp_ctx.login,
                               strlen(s->srp_ctx.login))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Decide whether the EC-related extensions are worth sending.
 *
 * Returns 1 when (a) at least one supported cipher suite can use ECC: an
 * ECDHE or ECDHE-PSK key exchange, ECDSA authentication, or any suite whose
 * min_tls is TLS 1.3 or later; and (b) at least one configured group is
 * valid for [min_version, max_version] and passes the
 * SSL_SECOP_CURVE_SUPPORTED security check. Returns 0 otherwise, and always
 * 0 for SSLv3.
 */
static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
{
    int i, end, ret = 0;
unsigned long alg_k, alg_a;
    STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
    const uint16_t *pgroups = NULL;
    size_t num_groups, j;
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);

    /* See if we support any ECC ciphersuites */
    if (s->version == SSL3_VERSION)
        return 0;

    /* get1: the stack is owned by this function and freed below */
    cipher_stack = SSL_get1_supported_ciphers(ssl);
    end = sk_SSL_CIPHER_num(cipher_stack);
    for (i = 0; i < end; i++) {
        const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);

        alg_k = c->algorithm_mkey;
        alg_a = c->algorithm_auth;
        /* Any TLS 1.3 suite counts, regardless of its kex/auth bits */
        if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
            || (alg_a & SSL_aECDSA)
            || c->min_tls >= TLS1_3_VERSION) {
            ret = 1;
            break;
        }
    }
    sk_SSL_CIPHER_free(cipher_stack);
    if (!ret)
        return 0;

    /* Check we have at least one EC supported group */
    tls1_get_supported_groups(s, &pgroups, &num_groups);
    for (j = 0; j < num_groups; j++) {
        uint16_t ctmp = pgroups[j];

        if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
            && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
            return 1;
    }

    return 0;
}

/*
 * Construct the ec_point_formats extension.
 *
 * Sent only when use_ecc() reports that ECC is usable for the negotiable
 * version range. The format list is taken from tls1_get_formatlist().
 * A non-zero reason from ssl_get_min_max_version() is passed straight to
 * SSLfatal().
 */
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
    const unsigned char *pformats;
    size_t num_formats;
    int reason, min_version, max_version;

    reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
    if (reason != 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
        return EXT_RETURN_FAIL;
    }
    if (!use_ecc(s, min_version, max_version))
        return EXT_RETURN_NOT_SENT;

    /* Add TLS extension ECPointFormats to the ClientHello message */
    tls1_get_formatlist(s, &pformats, &num_formats);

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
               /* Sub-packet for formats extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct the supported_groups extension.
 *
 * The extension is skipped only when ECC is unusable AND TLS 1.3 cannot be
 * negotiated (or this is DTLS); with TLS 1.3 in range it is always sent.
 * Each configured group is written when it is valid for the version range
 * and passes the SSL_SECOP_CURVE_SUPPORTED check. |added| counts groups
 * written at all; |tls13added| counts those usable for TLS 1.3 so that an
 * empty TLS 1.3 list is reported as SSL_R_NO_SUITABLE_GROUPS instead of
 * being sent.
 */
EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
                                               unsigned int context, X509 *x,
                                               size_t chainidx)
{
    const uint16_t *pgroups = NULL;
    size_t num_groups = 0, i, tls13added = 0, added = 0;
    int min_version, max_version, reason;

    reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
    if (reason != 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
        return EXT_RETURN_FAIL;
    }

    /*
     * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
     * if we don't have EC support then we don't send this extension.
     */
    if (!use_ecc(s, min_version, max_version)
            && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
        return EXT_RETURN_NOT_SENT;

    /*
     * Add TLS extension supported_groups to the ClientHello message
     */
    tls1_get_supported_groups(s, &pgroups, &num_groups);

    /*
     * WPACKET_FLAGS_NON_ZERO_LENGTH on the inner list makes the matching
     * WPACKET_close() below fail if no group ends up being written; the
     * |added| check there picks the error message for that case.
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
               /* Sub-packet for supported_groups extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    /* Copy group ID if supported */
    for (i = 0; i < num_groups; i++) {
        uint16_t ctmp = pgroups[i];
        int okfortls13;

        if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
                && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
            if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return EXT_RETURN_FAIL;
            }
            if (okfortls13 && max_version == TLS1_3_VERSION)
                tls13added++;
            added++;
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        if (added == 0)
            SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
                          "No groups enabled for max supported SSL/TLS version");
        else
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
    }

    /* Groups were written, but none of them is usable for TLS 1.3 */
    if (tls13added == 0 && max_version == TLS1_3_VERSION) {
        SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
                      "No groups enabled for max supported SSL/TLS version");
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct the session_ticket extension.
 *
 * The ticket is taken from the first source that applies: the ticket already
 * held by the session being resumed (skipped for new sessions and for
 * TLS 1.3 sessions); an application-supplied ticket in s->ext.session_ticket,
 * which is copied into the session; or nothing, in which case an empty
 * ticket is sent. When the application set a session_ticket whose data is
 * NULL and no ticket was found, the extension is suppressed altogether.
 */
EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    size_t ticklen;

    if (!tls_use_ticket(s))
        return EXT_RETURN_NOT_SENT;

    if (!s->new_session && s->session != NULL
            && s->session->ext.tick != NULL
            && s->session->ssl_version != TLS1_3_VERSION) {
        ticklen = s->session->ext.ticklen;
    } else if (s->session && s->ext.session_ticket != NULL
               && s->ext.session_ticket->data != NULL) {
        ticklen = s->ext.session_ticket->length;
        /*
         * NOTE(review): any ticket already in s->session->ext.tick is
         * overwritten here without OPENSSL_free() - confirm it is always
         * NULL when this branch is taken, otherwise this leaks.
         */
        s->session->ext.tick = OPENSSL_malloc(ticklen);
        if (s->session->ext.tick == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        memcpy(s->session->ext.tick,
               s->ext.session_ticket->data, ticklen);
        s->session->ext.ticklen = ticklen;
    } else {
        ticklen = 0;
    }

    if (ticklen == 0 && s->ext.session_ticket != NULL && s->ext.session_ticket->data == NULL)
        return EXT_RETURN_NOT_SENT;

    /*
     * NOTE(review): s->session is dereferenced unconditionally here, so this
     * relies on the caller having created a session before extensions are
     * built - confirm against the ClientHello construction path.
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
            || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct the signature_algorithms extension.
 *
 * Only sent when (D)TLS 1.2 or later can be negotiated: both the offered
 * client_version and, for a version-locked method, the current s->version
 * are checked (see the comment below on renegotiation). The list itself is
 * obtained from tls12_get_psigalgs() and written by tls12_copy_sigalgs().
 */
EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx)
{
    size_t salglen;
    const uint16_t *salg;

    /*
     * This used both in the initial hello and as part of renegotiation,
     * in the latter case, the client version may be already set and may
     * be lower than that initially offered in `client_version`.
     */
    if (!SSL_CONNECTION_IS_DTLS(s)) {
        if (s->client_version < TLS1_2_VERSION
                || (s->ssl.method->version != TLS_ANY_VERSION
                    && s->version < TLS1_2_VERSION))
            return EXT_RETURN_NOT_SENT;
    } else {
        /* DTLS version numbers count downwards, hence the macro */
        if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION)
                || (s->ssl.method->version != DTLS_ANY_VERSION
                    && DTLS_VERSION_LT(s->version, DTLS1_2_VERSION)))
            return EXT_RETURN_NOT_SENT;
    }

    salglen = tls12_get_psigalgs(s, 1, &salg);
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
               /* Sub-packet for sig-algs extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for the actual list */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !tls12_copy_sigalgs(s, pkt, salg, salglen)
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Construct the status_request (OCSP stapling) extension.
 *
 * Not sent for client certificates (x != NULL) or when s->ext.status_type
 * is not TLSEXT_STATUSTYPE_ocsp. The body is: the status type, a list of
 * DER-encoded responder IDs from s->ext.ocsp.ids, and the DER-encoded
 * request extensions from s->ext.ocsp.exts (empty when none are set).
 * Each DER object is sized with a NULL-buffer i2d call and then encoded
 * directly into space allocated from |pkt|; a length mismatch between the
 * two calls is treated as an internal error.
 */
EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    int i;

    /* This extension isn't defined for client Certificates */
    if (x != NULL)
        return EXT_RETURN_NOT_SENT;

    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
               /* Sub-packet for status request extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
               /* Sub-packet for the ids */
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
        unsigned char *idbytes;
        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
        int idlen = i2d_OCSP_RESPID(id, NULL);

        /* A responder ID must encode to at least one byte */
        if (idlen <= 0
                   /* Sub-packet for an individual id */
                || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
                || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    /* Close the id list and open the request-extensions sub-packet */
    if (!WPACKET_close(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    if (s->ext.ocsp.exts) {
        unsigned char *extbytes;
        int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);

        /* Unlike the ids above, a zero-length encoding is acceptable here */
        if (extlen < 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
        if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
                || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
                   != extlen) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Construct the (empty) next_proto_neg extension.
 *
 * Sent only when the SSL_CTX has an npn_select_cb registered and this is
 * the first handshake on the connection.
 */
EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
            || !SSL_IS_FIRST_HANDSHAKE(s))
        return EXT_RETURN_NOT_SENT;

    /*
     * The client advertises an empty extension to indicate its support
     * for Next Protocol Negotiation
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Construct the application_layer_protocol_negotiation extension.
 *
 * Sent only when a protocol list is configured in s->ext.alpn and this is
 * the first handshake. s->s3.alpn_sent records whether the extension went
 * out; it is cleared first so that it reads 0 on every NOT_SENT/FAIL path.
 */
EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
                                   unsigned int context,
                                   X509 *x, size_t chainidx)
{
    s->s3.alpn_sent = 0;

    if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt,
                TLSEXT_TYPE_application_layer_protocol_negotiation)
               /* Sub-packet ALPN extension */
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    s->s3.alpn_sent = 1;

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_SRTP
/*
 * Construct the use_srtp extension.
 *
 * Sent only when SRTP protection profiles are configured. The body is the
 * list of profile ids (u16 each) followed by an empty srtp_mki value.
 */
EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx)
{
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
    int i, end;

    if (clnt == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
               /* Sub-packet for SRTP extension */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* Sub-packet for the protection profile list */
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
    for (i = 0; i < end; i++) {
        const SRTP_PROTECTION_PROFILE *prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);

        /* A NULL stack entry is an internal error, not a skipped profile */
        if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    if (!WPACKET_close(pkt)
               /* Add an empty use_mki value */
            || !WPACKET_put_bytes_u8(pkt, 0)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Construct the (empty) encrypt_then_mac extension, unless the application
 * opted out with SSL_OP_NO_ENCRYPT_THEN_MAC.
 */
EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_CT
/*
 * Construct the (empty) signed_certificate_timestamp extension.
 *
 * Sent only when a CT validation callback is installed, and never for
 * client certificates (x != NULL).
 */
EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->ct_validation_callback == NULL)
        return EXT_RETURN_NOT_SENT;

    /* Not defined for client Certificates */
    if (x != NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

/*
 * Construct the (empty) extended_master_secret extension, unless the
 * application opted out with SSL_OP_NO_EXTENDED_MASTER_SECRET.
 */
EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct the supported_versions extension.
 *
 * Sent only when TLS 1.3 is reachable (max_version >= TLS1_3_VERSION). The
 * body lists every version code from max_version down to min_version, so
 * the most preferred version comes first.
 */
EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
                                                 unsigned int context, X509 *x,
                                                 size_t chainidx)
{
    int currv, min_version, max_version, reason;

    reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
    if (reason != 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
        return EXT_RETURN_FAIL;
    }

    /*
     * Don't include this if we can't negotiate TLSv1.3. We can do a straight
     * comparison here because we will never be called in DTLS.
     */
    if (max_version < TLS1_3_VERSION)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /* Highest version first; the loop steps through every code in between */
    for (currv = max_version; currv >= min_version; currv--) {
        if (!WPACKET_put_bytes_u16(pkt, currv)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Construct a psk_kex_modes extension.
 *
 * psk_dhe_ke is always offered; psk_ke is added only when the application
 * set SSL_OP_ALLOW_NO_DHE_KEX. The offered modes are recorded as flags in
 * s->ext.psk_kex_mode. When TLS 1.3 is compiled out nothing is written,
 * but EXT_RETURN_SENT is still returned.
 */
EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
            || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
    if (nodhe)
        s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
#endif

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_TLS1_3
/*
 * Append one KeyShareEntry for |group_id| to the key share list that the
 * caller already has open in |pkt|.
 *
 * If |loop_num| indexes a key recorded by an earlier ClientHello
 * (loop_num < s->s3.tmp.num_ks_pkey) that key is reused; this is only
 * expected while a HelloRetryRequest is pending, which is asserted. Otherwise
 * a fresh key for the group is generated with ssl_generate_pkey_group().
 * The key and group are stored in s->s3.tmp.ks_pkey[loop_num] and
 * s->s3.tmp.ks_group_id[loop_num]; entry 0 is also mirrored into
 * s->s3.tmp.pkey and s->s3.group_id for backward compatibility.
 *
 * Returns 1 on success, 0 after SSLfatal() has been called. On failure a
 * freshly generated key is freed; a reused key stays owned by ks_pkey[].
 */
static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num)
{
    unsigned char *encoded_pubkey = NULL;
    EVP_PKEY *key_share_key = NULL;
    size_t encodedlen;

    if (loop_num < s->s3.tmp.num_ks_pkey) {
        if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)
                || !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        /*
         * Could happen if we got an HRR that wasn't requesting a new key_share
         */
        key_share_key = s->s3.tmp.ks_pkey[loop_num];
    } else {
        key_share_key = ssl_generate_pkey_group(s, group_id);
        if (key_share_key == NULL) {
            /* SSLfatal() already called */
            return 0;
        }
    }

    /* Encode the public key. */
    encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
                                                  &encoded_pubkey);
    if (encodedlen == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
        goto err;
    }

    /* Create KeyShareEntry */
    if (!WPACKET_put_bytes_u16(pkt, group_id)
            || !WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encodedlen)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* For backward compatibility, we use the first valid group to add a key share */
    if (loop_num == 0) {
        s->s3.tmp.pkey = key_share_key;
        s->s3.group_id = group_id;
    }
    /* We ensure in t1_lib.c that the loop number does not exceed OPENSSL_CLIENT_MAX_KEY_SHARES */
    s->s3.tmp.ks_pkey[loop_num] = key_share_key;
    s->s3.tmp.ks_group_id[loop_num] = group_id;
    if (loop_num >= s->s3.tmp.num_ks_pkey)
        s->s3.tmp.num_ks_pkey++;

    OPENSSL_free(encoded_pubkey);

    return 1;
 err:
    /*
     * Only a key we generated on this call is ours to free. NOTE(review):
     * for a fresh key this compares against a slot that was not written on
     * this call, so it is correct only if that slot can never alias the new
     * key - confirm ks_pkey[] is cleared between uses.
     */
    if (key_share_key != s->s3.tmp.ks_pkey[loop_num])
        EVP_PKEY_free(key_share_key);
    OPENSSL_free(encoded_pubkey);
    return 0;
}
#endif

/*
 * Construct the key_share extension.
 *
 * The candidate groups come from tls1_get_requested_keyshare_groups(); a
 * single group id of 0 is the sentinel meaning no '*' prefix was configured,
 * in which case the supported_groups list is used and only its first usable
 * group gets a key share. If s->s3.group_id is already set but no key exists
 * (presumably after a HelloRetryRequest selected a group - confirm), exactly
 * one share for that group is added. Otherwise a share is added for every
 * candidate that passes the security check and is valid for TLS 1.3,
 * stopping after the first when |add_only_one| is set (also forced when no
 * supportedgroups were configured). Ending up with no share at all is
 * reported as SSL_R_NO_SUITABLE_KEY_SHARE. Returns EXT_RETURN_NOT_SENT
 * when TLS 1.3 is compiled out.
 */
EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
                                        unsigned int context, X509 *x,
                                        size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    size_t i, num_groups = 0;
    const uint16_t *pgroups = NULL;
    uint16_t group_id = 0;
    int add_only_one = 0;
    size_t valid_keyshare = 0;

    /* key_share extension */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
               /* Extension data sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)
               /* KeyShare list sub-packet */
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups);
    if (num_groups == 1 && pgroups[0] == 0) { /* Indication that no * prefix was used */
        tls1_get_supported_groups(s, &pgroups, &num_groups);
        add_only_one = 1;
    }

    /* If neither the default nor the keyshares have any entry --> fatal */
    if (num_groups == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
        return EXT_RETURN_FAIL;
    }

    /* Add key shares */

    if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) {
        /* new, single key share */
        group_id = s->s3.group_id;
        /*
         * NOTE(review): the count is reset without releasing any keys still
         * recorded in ks_pkey[] - confirm they are freed elsewhere.
         */
        s->s3.tmp.num_ks_pkey = 0;
        if (!add_key_share(s, pkt, group_id, 0)) {
            /* SSLfatal() already called */
            return EXT_RETURN_FAIL;
        }
        valid_keyshare++;
    } else {
        if (s->ext.supportedgroups == NULL) /* use default */
            add_only_one = 1;

        for (i = 0; i < num_groups; i++) {
            if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
                continue;
            if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
                                 0, NULL))
                continue;

            group_id = pgroups[i];

            if (group_id == 0) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
                return EXT_RETURN_FAIL;
            }
            /* valid_keyshare doubles as the slot index in ks_pkey[] */
            if (!add_key_share(s, pkt, group_id, valid_keyshare)) {
                /* SSLfatal() already called */
                return EXT_RETURN_FAIL;
            }
            valid_keyshare++;
            if (add_only_one)
                break;
        }
    }

    if (valid_keyshare == 0) {
        /* No key shares were allowed */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
        return EXT_RETURN_FAIL;
    }

    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    return EXT_RETURN_SENT;
#else
    return EXT_RETURN_NOT_SENT;
#endif
}

EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
                                     unsigned int context,
                                     X509 *x, size_t chainidx)
{
    EXT_RETURN ret = EXT_RETURN_FAIL;

    /* Should
only be set if we've had an HRR */ 795 1.1 christos if (s->ext.tls13_cookie_len == 0) 796 1.1 christos return EXT_RETURN_NOT_SENT; 797 1.1 christos 798 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 799 1.1.1.2 christos /* Extension data sub-packet */ 800 1.1.1.2 christos || !WPACKET_start_sub_packet_u16(pkt) 801 1.1.1.2 christos || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 802 1.1.1.2 christos s->ext.tls13_cookie_len) 803 1.1.1.2 christos || !WPACKET_close(pkt)) { 804 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 805 1.1 christos goto end; 806 1.1 christos } 807 1.1 christos 808 1.1 christos ret = EXT_RETURN_SENT; 809 1.1.1.2 christos end: 810 1.1 christos OPENSSL_free(s->ext.tls13_cookie); 811 1.1 christos s->ext.tls13_cookie = NULL; 812 1.1 christos s->ext.tls13_cookie_len = 0; 813 1.1 christos 814 1.1 christos return ret; 815 1.1 christos } 816 1.1 christos 817 1.1 christos EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, 818 1.1.1.2 christos unsigned int context, X509 *x, 819 1.1.1.2 christos size_t chainidx) 820 1.1 christos { 821 1.1 christos #ifndef OPENSSL_NO_PSK 822 1.1 christos char identity[PSK_MAX_IDENTITY_LEN + 1]; 823 1.1.1.2 christos #endif /* OPENSSL_NO_PSK */ 824 1.1 christos const unsigned char *id = NULL; 825 1.1 christos size_t idlen = 0; 826 1.1 christos SSL_SESSION *psksess = NULL; 827 1.1 christos SSL_SESSION *edsess = NULL; 828 1.1 christos const EVP_MD *handmd = NULL; 829 1.1 christos SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 830 1.1 christos 831 1.1 christos if (s->hello_retry_request == SSL_HRR_PENDING) 832 1.1 christos handmd = ssl_handshake_md(s); 833 1.1 christos 834 1.1 christos if (s->psk_use_session_cb != NULL 835 1.1.1.2 christos && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess) 836 1.1.1.2 christos || (psksess != NULL 837 1.1.1.2 christos && psksess->ssl_version != TLS1_3_VERSION))) { 838 1.1 christos SSL_SESSION_free(psksess); 839 1.1 
christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 840 1.1 christos return EXT_RETURN_FAIL; 841 1.1 christos } 842 1.1 christos 843 1.1 christos #ifndef OPENSSL_NO_PSK 844 1.1 christos if (psksess == NULL && s->psk_client_callback != NULL) { 845 1.1 christos unsigned char psk[PSK_MAX_PSK_LEN]; 846 1.1 christos size_t psklen = 0; 847 1.1 christos 848 1.1 christos memset(identity, 0, sizeof(identity)); 849 1.1 christos psklen = s->psk_client_callback(ussl, NULL, 850 1.1.1.2 christos identity, sizeof(identity) - 1, 851 1.1.1.2 christos psk, sizeof(psk)); 852 1.1 christos 853 1.1 christos if (psklen > PSK_MAX_PSK_LEN) { 854 1.1 christos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 855 1.1 christos return EXT_RETURN_FAIL; 856 1.1 christos } else if (psklen > 0) { 857 1.1 christos const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 858 1.1 christos const SSL_CIPHER *cipher; 859 1.1 christos 860 1.1 christos idlen = strlen(identity); 861 1.1 christos if (idlen > PSK_MAX_IDENTITY_LEN) { 862 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 863 1.1 christos return EXT_RETURN_FAIL; 864 1.1 christos } 865 1.1 christos id = (unsigned char *)identity; 866 1.1 christos 867 1.1 christos /* 868 1.1 christos * We found a PSK using an old style callback. 
We don't know 869 1.1 christos * the digest so we default to SHA256 as per the TLSv1.3 spec 870 1.1 christos */ 871 1.1 christos cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), 872 1.1.1.2 christos tls13_aes128gcmsha256_id); 873 1.1 christos if (cipher == NULL) { 874 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 875 1.1 christos return EXT_RETURN_FAIL; 876 1.1 christos } 877 1.1 christos 878 1.1 christos psksess = SSL_SESSION_new(); 879 1.1 christos if (psksess == NULL 880 1.1.1.2 christos || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 881 1.1.1.2 christos || !SSL_SESSION_set_cipher(psksess, cipher) 882 1.1.1.2 christos || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 883 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 884 1.1 christos OPENSSL_cleanse(psk, psklen); 885 1.1 christos return EXT_RETURN_FAIL; 886 1.1 christos } 887 1.1 christos OPENSSL_cleanse(psk, psklen); 888 1.1 christos } 889 1.1 christos } 890 1.1.1.2 christos #endif /* OPENSSL_NO_PSK */ 891 1.1 christos 892 1.1 christos SSL_SESSION_free(s->psksession); 893 1.1 christos s->psksession = psksess; 894 1.1 christos if (psksess != NULL) { 895 1.1 christos OPENSSL_free(s->psksession_id); 896 1.1 christos s->psksession_id = OPENSSL_memdup(id, idlen); 897 1.1 christos if (s->psksession_id == NULL) { 898 1.1 christos s->psksession_id_len = 0; 899 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 900 1.1 christos return EXT_RETURN_FAIL; 901 1.1 christos } 902 1.1 christos s->psksession_id_len = idlen; 903 1.1 christos } 904 1.1 christos 905 1.1 christos if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 906 1.1.1.2 christos || (s->session->ext.max_early_data == 0 907 1.1.1.2 christos && (psksess == NULL || psksess->ext.max_early_data == 0))) { 908 1.1 christos s->max_early_data = 0; 909 1.1 christos return EXT_RETURN_NOT_SENT; 910 1.1 christos } 911 1.1 christos edsess = s->session->ext.max_early_data != 0 ? 
s->session : psksess; 912 1.1 christos s->max_early_data = edsess->ext.max_early_data; 913 1.1 christos 914 1.1 christos if (edsess->ext.hostname != NULL) { 915 1.1 christos if (s->ext.hostname == NULL 916 1.1.1.2 christos || (s->ext.hostname != NULL 917 1.1.1.2 christos && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 918 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 919 1.1.1.2 christos SSL_R_INCONSISTENT_EARLY_DATA_SNI); 920 1.1 christos return EXT_RETURN_FAIL; 921 1.1 christos } 922 1.1 christos } 923 1.1 christos 924 1.1 christos if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 925 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 926 1.1 christos return EXT_RETURN_FAIL; 927 1.1 christos } 928 1.1 christos 929 1.1 christos /* 930 1.1 christos * Verify that we are offering an ALPN protocol consistent with the early 931 1.1 christos * data. 932 1.1 christos */ 933 1.1 christos if (edsess->ext.alpn_selected != NULL) { 934 1.1 christos PACKET prots, alpnpkt; 935 1.1 christos int found = 0; 936 1.1 christos 937 1.1 christos if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 938 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 939 1.1 christos return EXT_RETURN_FAIL; 940 1.1 christos } 941 1.1 christos while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 942 1.1 christos if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 943 1.1.1.2 christos edsess->ext.alpn_selected_len)) { 944 1.1 christos found = 1; 945 1.1 christos break; 946 1.1 christos } 947 1.1 christos } 948 1.1 christos if (!found) { 949 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 950 1.1.1.2 christos SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 951 1.1 christos return EXT_RETURN_FAIL; 952 1.1 christos } 953 1.1 christos } 954 1.1 christos 955 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 956 1.1.1.2 christos || !WPACKET_start_sub_packet_u16(pkt) 957 1.1.1.2 christos || 
!WPACKET_close(pkt)) { 958 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 959 1.1 christos return EXT_RETURN_FAIL; 960 1.1 christos } 961 1.1 christos 962 1.1 christos /* 963 1.1 christos * We set this to rejected here. Later, if the server acknowledges the 964 1.1 christos * extension, we set it to accepted. 965 1.1 christos */ 966 1.1 christos s->ext.early_data = SSL_EARLY_DATA_REJECTED; 967 1.1 christos s->ext.early_data_ok = 1; 968 1.1 christos 969 1.1 christos return EXT_RETURN_SENT; 970 1.1 christos } 971 1.1 christos 972 1.1.1.2 christos #define F5_WORKAROUND_MIN_MSG_LEN 0xff 973 1.1.1.2 christos #define F5_WORKAROUND_MAX_MSG_LEN 0x200 974 1.1 christos 975 1.1 christos /* 976 1.1 christos * PSK pre binder overhead = 977 1.1 christos * 2 bytes for TLSEXT_TYPE_psk 978 1.1 christos * 2 bytes for extension length 979 1.1 christos * 2 bytes for identities list length 980 1.1 christos * 2 bytes for identity length 981 1.1 christos * 4 bytes for obfuscated_ticket_age 982 1.1 christos * 2 bytes for binder list length 983 1.1 christos * 1 byte for binder length 984 1.1 christos * The above excludes the number of bytes for the identity itself and the 985 1.1 christos * subsequent binder bytes 986 1.1 christos */ 987 1.1 christos #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 988 1.1 christos 989 1.1 christos EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, 990 1.1.1.2 christos unsigned int context, X509 *x, 991 1.1.1.2 christos size_t chainidx) 992 1.1 christos { 993 1.1 christos unsigned char *padbytes; 994 1.1 christos size_t hlen; 995 1.1 christos 996 1.1 christos if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 997 1.1 christos return EXT_RETURN_NOT_SENT; 998 1.1 christos 999 1.1 christos /* 1000 1.1 christos * Add padding to workaround bugs in F5 terminators. See RFC7685. 
1001 1.1 christos * This code calculates the length of all extensions added so far but 1002 1.1 christos * excludes the PSK extension (because that MUST be written last). Therefore 1003 1.1 christos * this extension MUST always appear second to last. 1004 1.1 christos */ 1005 1.1 christos if (!WPACKET_get_total_written(pkt, &hlen)) { 1006 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1007 1.1 christos return EXT_RETURN_FAIL; 1008 1.1 christos } 1009 1.1 christos 1010 1.1 christos /* 1011 1.1 christos * If we're going to send a PSK then that will be written out after this 1012 1.1 christos * extension, so we need to calculate how long it is going to be. 1013 1.1 christos */ 1014 1.1 christos if (s->session->ssl_version == TLS1_3_VERSION 1015 1.1.1.2 christos && s->session->ext.ticklen != 0 1016 1.1.1.2 christos && s->session->cipher != NULL) { 1017 1.1 christos const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), 1018 1.1.1.2 christos s->session->cipher->algorithm2); 1019 1.1 christos 1020 1.1 christos if (md != NULL) { 1021 1.1 christos /* 1022 1.1 christos * Add the fixed PSK overhead, the identity length and the binder 1023 1.1 christos * length. 
1024 1.1 christos */ 1025 1.1 christos int md_size = EVP_MD_get_size(md); 1026 1.1 christos 1027 1.1 christos if (md_size <= 0) 1028 1.1 christos return EXT_RETURN_FAIL; 1029 1.1.1.2 christos hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 1030 1.1.1.2 christos + md_size; 1031 1.1 christos } 1032 1.1 christos } 1033 1.1 christos 1034 1.1 christos if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 1035 1.1 christos /* Calculate the amount of padding we need to add */ 1036 1.1 christos hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 1037 1.1 christos 1038 1.1 christos /* 1039 1.1 christos * Take off the size of extension header itself (2 bytes for type and 1040 1.1 christos * 2 bytes for length bytes), but ensure that the extension is at least 1041 1.1 christos * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 1042 1.1 christos * 8.x are intolerant of that condition) 1043 1.1 christos */ 1044 1.1 christos if (hlen > 4) 1045 1.1 christos hlen -= 4; 1046 1.1 christos else 1047 1.1 christos hlen = 1; 1048 1.1 christos 1049 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 1050 1.1.1.2 christos || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 1051 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1052 1.1 christos return EXT_RETURN_FAIL; 1053 1.1 christos } 1054 1.1 christos memset(padbytes, 0, hlen); 1055 1.1 christos } 1056 1.1 christos 1057 1.1 christos return EXT_RETURN_SENT; 1058 1.1 christos } 1059 1.1 christos 1060 1.1 christos /* 1061 1.1 christos * Construct the pre_shared_key extension 1062 1.1 christos */ 1063 1.1 christos EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, 1064 1.1.1.2 christos unsigned int context, 1065 1.1.1.2 christos X509 *x, size_t chainidx) 1066 1.1 christos { 1067 1.1 christos #ifndef OPENSSL_NO_TLS1_3 1068 1.1 christos uint32_t agesec, agems = 0; 1069 1.1 christos size_t binderoffset, msglen; 1070 1.1 christos int 
reshashsize = 0, pskhashsize = 0; 1071 1.1 christos unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 1072 1.1 christos const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 1073 1.1 christos int dores = 0; 1074 1.1 christos SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1075 1.1 christos OSSL_TIME t; 1076 1.1 christos 1077 1.1 christos s->ext.tick_identity = 0; 1078 1.1 christos 1079 1.1 christos /* 1080 1.1 christos * Note: At this stage of the code we only support adding a single 1081 1.1 christos * resumption PSK. If we add support for multiple PSKs then the length 1082 1.1 christos * calculations in the padding extension will need to be adjusted. 1083 1.1 christos */ 1084 1.1 christos 1085 1.1 christos /* 1086 1.1 christos * If this is an incompatible or new session then we have nothing to resume 1087 1.1 christos * so don't add this extension. 1088 1.1 christos */ 1089 1.1 christos if (s->session->ssl_version != TLS1_3_VERSION 1090 1.1.1.2 christos || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1091 1.1 christos return EXT_RETURN_NOT_SENT; 1092 1.1 christos 1093 1.1 christos if (s->hello_retry_request == SSL_HRR_PENDING) 1094 1.1 christos handmd = ssl_handshake_md(s); 1095 1.1 christos 1096 1.1 christos if (s->session->ext.ticklen != 0) { 1097 1.1 christos /* Get the digest associated with the ciphersuite in the session */ 1098 1.1 christos if (s->session->cipher == NULL) { 1099 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1100 1.1 christos return EXT_RETURN_FAIL; 1101 1.1 christos } 1102 1.1 christos mdres = ssl_md(sctx, s->session->cipher->algorithm2); 1103 1.1 christos if (mdres == NULL) { 1104 1.1 christos /* 1105 1.1 christos * Don't recognize this cipher so we can't use the session. 
1106 1.1 christos * Ignore it 1107 1.1 christos */ 1108 1.1 christos goto dopsksess; 1109 1.1 christos } 1110 1.1 christos 1111 1.1 christos if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1112 1.1 christos /* 1113 1.1 christos * Selected ciphersuite hash does not match the hash for the session 1114 1.1 christos * so we can't use it. 1115 1.1 christos */ 1116 1.1 christos goto dopsksess; 1117 1.1 christos } 1118 1.1 christos 1119 1.1 christos /* 1120 1.1 christos * Technically the C standard just says time() returns a time_t and says 1121 1.1 christos * nothing about the encoding of that type. In practice most 1122 1.1 christos * implementations follow POSIX which holds it as an integral type in 1123 1.1 christos * seconds since epoch. We've already made the assumption that we can do 1124 1.1 christos * this in multiple places in the code, so portability shouldn't be an 1125 1.1 christos * issue. 1126 1.1 christos */ 1127 1.1 christos t = ossl_time_subtract(ossl_time_now(), s->session->time); 1128 1.1 christos agesec = (uint32_t)ossl_time2seconds(t); 1129 1.1 christos /* 1130 1.1 christos * We calculate the age in seconds but the server may work in ms. Due to 1131 1.1 christos * rounding errors we could overestimate the age by up to 1s. It is 1132 1.1 christos * better to underestimate it. Otherwise, if the RTT is very short, when 1133 1.1 christos * the server calculates the age reported by the client it could be 1134 1.1 christos * bigger than the age calculated on the server - which should never 1135 1.1 christos * happen. 1136 1.1 christos */ 1137 1.1 christos if (agesec > 0) 1138 1.1 christos agesec--; 1139 1.1 christos 1140 1.1 christos if (s->session->ext.tick_lifetime_hint < agesec) { 1141 1.1 christos /* Ticket is too old. Ignore it. */ 1142 1.1 christos goto dopsksess; 1143 1.1 christos } 1144 1.1 christos 1145 1.1 christos /* 1146 1.1 christos * Calculate age in ms. We're just doing it to nearest second. 
Should be 1147 1.1 christos * good enough. 1148 1.1 christos */ 1149 1.1 christos agems = agesec * (uint32_t)1000; 1150 1.1 christos 1151 1.1 christos if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1152 1.1 christos /* 1153 1.1 christos * Overflow. Shouldn't happen unless this is a *really* old session. 1154 1.1 christos * If so we just ignore it. 1155 1.1 christos */ 1156 1.1 christos goto dopsksess; 1157 1.1 christos } 1158 1.1 christos 1159 1.1 christos /* 1160 1.1 christos * Obfuscate the age. Overflow here is fine, this addition is supposed 1161 1.1 christos * to be mod 2^32. 1162 1.1 christos */ 1163 1.1 christos agems += s->session->ext.tick_age_add; 1164 1.1 christos 1165 1.1 christos reshashsize = EVP_MD_get_size(mdres); 1166 1.1 christos if (reshashsize <= 0) 1167 1.1 christos goto dopsksess; 1168 1.1 christos s->ext.tick_identity++; 1169 1.1 christos dores = 1; 1170 1.1 christos } 1171 1.1 christos 1172 1.1.1.2 christos dopsksess: 1173 1.1 christos if (!dores && s->psksession == NULL) 1174 1.1 christos return EXT_RETURN_NOT_SENT; 1175 1.1 christos 1176 1.1 christos if (s->psksession != NULL) { 1177 1.1 christos mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2); 1178 1.1 christos if (mdpsk == NULL) { 1179 1.1 christos /* 1180 1.1 christos * Don't recognize this cipher so we can't use the session. 1181 1.1 christos * If this happens it's an application bug. 1182 1.1 christos */ 1183 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1184 1.1 christos return EXT_RETURN_FAIL; 1185 1.1 christos } 1186 1.1 christos 1187 1.1 christos if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1188 1.1 christos /* 1189 1.1 christos * Selected ciphersuite hash does not match the hash for the PSK 1190 1.1 christos * session. This is an application bug. 
1191 1.1 christos */ 1192 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1193 1.1 christos return EXT_RETURN_FAIL; 1194 1.1 christos } 1195 1.1 christos 1196 1.1 christos pskhashsize = EVP_MD_get_size(mdpsk); 1197 1.1 christos if (pskhashsize <= 0) { 1198 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1199 1.1 christos return EXT_RETURN_FAIL; 1200 1.1 christos } 1201 1.1 christos } 1202 1.1 christos 1203 1.1 christos /* Create the extension, but skip over the binder for now */ 1204 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1205 1.1.1.2 christos || !WPACKET_start_sub_packet_u16(pkt) 1206 1.1.1.2 christos || !WPACKET_start_sub_packet_u16(pkt)) { 1207 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1208 1.1 christos return EXT_RETURN_FAIL; 1209 1.1 christos } 1210 1.1 christos 1211 1.1 christos if (dores) { 1212 1.1 christos if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1213 1.1.1.2 christos s->session->ext.ticklen) 1214 1.1.1.2 christos || !WPACKET_put_bytes_u32(pkt, agems)) { 1215 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1216 1.1 christos return EXT_RETURN_FAIL; 1217 1.1 christos } 1218 1.1 christos } 1219 1.1 christos 1220 1.1 christos if (s->psksession != NULL) { 1221 1.1 christos if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1222 1.1.1.2 christos s->psksession_id_len) 1223 1.1.1.2 christos || !WPACKET_put_bytes_u32(pkt, 0)) { 1224 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1225 1.1 christos return EXT_RETURN_FAIL; 1226 1.1 christos } 1227 1.1 christos s->ext.tick_identity++; 1228 1.1 christos } 1229 1.1 christos 1230 1.1 christos if (!WPACKET_close(pkt) 1231 1.1.1.2 christos || !WPACKET_get_total_written(pkt, &binderoffset) 1232 1.1.1.2 christos || !WPACKET_start_sub_packet_u16(pkt) 1233 1.1.1.2 christos || (dores 1234 1.1.1.2 christos && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1235 1.1.1.2 
christos || (s->psksession != NULL 1236 1.1.1.2 christos && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1237 1.1.1.2 christos || !WPACKET_close(pkt) 1238 1.1.1.2 christos || !WPACKET_close(pkt) 1239 1.1.1.2 christos || !WPACKET_get_total_written(pkt, &msglen) 1240 1.1.1.2 christos /* 1241 1.1.1.2 christos * We need to fill in all the sub-packet lengths now so we can 1242 1.1.1.2 christos * calculate the HMAC of the message up to the binders 1243 1.1.1.2 christos */ 1244 1.1.1.2 christos || !WPACKET_fill_lengths(pkt)) { 1245 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1246 1.1 christos return EXT_RETURN_FAIL; 1247 1.1 christos } 1248 1.1 christos 1249 1.1 christos msgstart = WPACKET_get_curr(pkt) - msglen; 1250 1.1 christos 1251 1.1 christos if (dores 1252 1.1.1.2 christos && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1253 1.1.1.2 christos resbinder, s->session, 1, 0) 1254 1.1.1.2 christos != 1) { 1255 1.1 christos /* SSLfatal() already called */ 1256 1.1 christos return EXT_RETURN_FAIL; 1257 1.1 christos } 1258 1.1 christos 1259 1.1 christos if (s->psksession != NULL 1260 1.1.1.2 christos && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1261 1.1.1.2 christos pskbinder, s->psksession, 1, 1) 1262 1.1.1.2 christos != 1) { 1263 1.1 christos /* SSLfatal() already called */ 1264 1.1 christos return EXT_RETURN_FAIL; 1265 1.1 christos } 1266 1.1 christos 1267 1.1 christos return EXT_RETURN_SENT; 1268 1.1 christos #else 1269 1.1 christos return EXT_RETURN_NOT_SENT; 1270 1.1 christos #endif 1271 1.1 christos } 1272 1.1 christos 1273 1.1 christos EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt, 1274 1.1.1.2 christos ossl_unused unsigned int context, 1275 1.1.1.2 christos ossl_unused X509 *x, 1276 1.1.1.2 christos ossl_unused size_t chainidx) 1277 1.1 christos { 1278 1.1 christos #ifndef OPENSSL_NO_TLS1_3 1279 1.1 christos if (!s->pha_enabled) 1280 1.1 christos return 
EXT_RETURN_NOT_SENT; 1281 1.1 christos 1282 1.1 christos /* construct extension - 0 length, no contents */ 1283 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1284 1.1.1.2 christos || !WPACKET_start_sub_packet_u16(pkt) 1285 1.1.1.2 christos || !WPACKET_close(pkt)) { 1286 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1287 1.1 christos return EXT_RETURN_FAIL; 1288 1.1 christos } 1289 1.1 christos 1290 1.1 christos s->post_handshake_auth = SSL_PHA_EXT_SENT; 1291 1.1 christos 1292 1.1 christos return EXT_RETURN_SENT; 1293 1.1 christos #else 1294 1.1 christos return EXT_RETURN_NOT_SENT; 1295 1.1 christos #endif 1296 1.1 christos } 1297 1.1 christos 1298 1.1 christos /* 1299 1.1 christos * Parse the server's renegotiation binding and abort if it's not right 1300 1.1 christos */ 1301 1.1 christos int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt, 1302 1.1.1.2 christos unsigned int context, 1303 1.1.1.2 christos X509 *x, size_t chainidx) 1304 1.1 christos { 1305 1.1 christos size_t expected_len = s->s3.previous_client_finished_len 1306 1.1 christos + s->s3.previous_server_finished_len; 1307 1.1 christos size_t ilen; 1308 1.1 christos const unsigned char *data; 1309 1.1 christos 1310 1.1 christos /* Check for logic errors */ 1311 1.1 christos if (!ossl_assert(expected_len == 0 1312 1.1.1.2 christos || s->s3.previous_client_finished_len != 0) 1313 1.1 christos || !ossl_assert(expected_len == 0 1314 1.1.1.2 christos || s->s3.previous_server_finished_len != 0)) { 1315 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1316 1.1 christos return 0; 1317 1.1 christos } 1318 1.1 christos 1319 1.1 christos /* Parse the length byte */ 1320 1.1 christos if (!PACKET_get_1_len(pkt, &ilen)) { 1321 1.1 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1322 1.1 christos return 0; 1323 1.1 christos } 1324 1.1 christos 1325 1.1 christos /* Consistency check */ 1326 1.1 christos 
if (PACKET_remaining(pkt) != ilen) { 1327 1.1 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1328 1.1 christos return 0; 1329 1.1 christos } 1330 1.1 christos 1331 1.1 christos /* Check that the extension matches */ 1332 1.1 christos if (ilen != expected_len) { 1333 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1334 1.1 christos return 0; 1335 1.1 christos } 1336 1.1 christos 1337 1.1 christos if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) 1338 1.1 christos || memcmp(data, s->s3.previous_client_finished, 1339 1.1.1.2 christos s->s3.previous_client_finished_len) 1340 1.1.1.2 christos != 0) { 1341 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1342 1.1 christos return 0; 1343 1.1 christos } 1344 1.1 christos 1345 1.1 christos if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) 1346 1.1 christos || memcmp(data, s->s3.previous_server_finished, 1347 1.1.1.2 christos s->s3.previous_server_finished_len) 1348 1.1.1.2 christos != 0) { 1349 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1350 1.1 christos return 0; 1351 1.1 christos } 1352 1.1 christos s->s3.send_connection_binding = 1; 1353 1.1 christos 1354 1.1 christos return 1; 1355 1.1 christos } 1356 1.1 christos 1357 1.1 christos /* Parse the server's max fragment len extension packet */ 1358 1.1 christos int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt, 1359 1.1.1.2 christos unsigned int context, 1360 1.1.1.2 christos X509 *x, size_t chainidx) 1361 1.1 christos { 1362 1.1 christos unsigned int value; 1363 1.1 christos 1364 1.1 christos if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1365 1.1 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1366 1.1 christos return 0; 1367 1.1 christos } 1368 1.1 christos 1369 1.1 christos /* |value| should contains a valid max-fragment-length code. 
*/ 1370 1.1 christos if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1371 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1372 1.1.1.2 christos SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1373 1.1 christos return 0; 1374 1.1 christos } 1375 1.1 christos 1376 1.1 christos /* Must be the same value as client-configured one who was sent to server */ 1377 1.1 christos /*- 1378 1.1 christos * RFC 6066: if a client receives a maximum fragment length negotiation 1379 1.1 christos * response that differs from the length it requested, ... 1380 1.1 christos * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1381 1.1 christos */ 1382 1.1 christos if (value != s->ext.max_fragment_len_mode) { 1383 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1384 1.1.1.2 christos SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1385 1.1 christos return 0; 1386 1.1 christos } 1387 1.1 christos 1388 1.1 christos /* 1389 1.1 christos * Maximum Fragment Length Negotiation succeeded. 1390 1.1 christos * The negotiated Maximum Fragment Length is binding now. 
1391 1.1 christos */ 1392 1.1 christos s->session->ext.max_fragment_len_mode = value; 1393 1.1 christos 1394 1.1 christos return 1; 1395 1.1 christos } 1396 1.1 christos 1397 1.1 christos int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt, 1398 1.1.1.2 christos unsigned int context, 1399 1.1.1.2 christos X509 *x, size_t chainidx) 1400 1.1 christos { 1401 1.1 christos if (s->ext.hostname == NULL) { 1402 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1403 1.1 christos return 0; 1404 1.1 christos } 1405 1.1 christos 1406 1.1 christos if (PACKET_remaining(pkt) > 0) { 1407 1.1 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1408 1.1 christos return 0; 1409 1.1 christos } 1410 1.1 christos 1411 1.1 christos if (!s->hit) { 1412 1.1 christos if (s->session->ext.hostname != NULL) { 1413 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1414 1.1 christos return 0; 1415 1.1 christos } 1416 1.1 christos s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1417 1.1 christos if (s->session->ext.hostname == NULL) { 1418 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1419 1.1 christos return 0; 1420 1.1 christos } 1421 1.1 christos } 1422 1.1 christos 1423 1.1 christos return 1; 1424 1.1 christos } 1425 1.1 christos 1426 1.1 christos int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt, 1427 1.1.1.2 christos unsigned int context, 1428 1.1.1.2 christos X509 *x, size_t chainidx) 1429 1.1 christos { 1430 1.1 christos size_t ecpointformats_len; 1431 1.1 christos PACKET ecptformatlist; 1432 1.1 christos 1433 1.1 christos if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1434 1.1 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1435 1.1 christos return 0; 1436 1.1 christos } 1437 1.1 christos if (!s->hit) { 1438 1.1 christos ecpointformats_len = PACKET_remaining(&ecptformatlist); 1439 1.1 christos if (ecpointformats_len == 0) { 1440 1.1 christos 
/*
 * Tail of tls_parse_stoc_ec_pt_formats: the function starts before this
 * chunk, so only the copy-out of the server's ec_point_formats list into
 * s->ext.peer_ecpointformats is visible here.
 */
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
            return 0;
        }

        /*
         * Length is zeroed before the old buffer is released and the new one
         * allocated, so an allocation failure never leaves a stale length
         * paired with a NULL pointer.
         */
        s->ext.peer_ecpointformats_len = 0;
        OPENSSL_free(s->ext.peer_ecpointformats);
        s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
        if (s->ext.peer_ecpointformats == NULL) {
            s->ext.peer_ecpointformats_len = 0;
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }

        s->ext.peer_ecpointformats_len = ecpointformats_len;

        /* Copy exactly ecpointformats_len bytes out of the sub-packet */
        if (!PACKET_copy_bytes(&ecptformatlist,
                               s->ext.peer_ecpointformats,
                               ecpointformats_len)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }

    return 1;
}

/*
 * Parse the server's session_ticket extension.
 *
 * The extension is rejected (SSLfatal() + return 0) if the application's
 * session_ticket_cb is set and declines it, if tickets are not in use for
 * this connection (tls_use_ticket()), or if it carries any body at all: the
 * server's copy must be empty. On success s->ext.ticket_expected is set.
 *
 * context, x and chainidx are unused here.
 * Returns 1 on success, 0 on failure (SSLfatal() already called).
 */
int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);

    /*
     * Give the application callback first refusal; it sees the raw extension
     * bytes and length and can veto the extension.
     */
    if (s->ext.session_ticket_cb != NULL
        && !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
                                     PACKET_remaining(pkt),
                                     s->ext.session_ticket_cb_arg)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Unsolicited: we did not offer tickets */
    if (!tls_use_ticket(s)) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* The server's session_ticket extension must be empty */
    if (PACKET_remaining(pkt) > 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    s->ext.ticket_expected = 1;

    return 1;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Parse the server's status_request extension.
 *
 * Ignored when it arrives in a TLS 1.3 CertificateRequest. Otherwise it is
 * only accepted if we asked for an OCSP status (s->ext.status_type). For
 * TLS < 1.3 the extension must be empty and merely announces a following
 * CertificateStatus message (s->ext.status_expected). For TLS 1.3 the body
 * is the status itself; it is only processed for the first certificate in
 * the chain (chainidx == 0) via tls_process_cert_status_body(), and is
 * ignored for any other chain position.
 *
 * Returns 1 on success or when ignored, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
                                  unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
        /* We ignore this if the server sends a CertificateRequest */
        return 1;
    }

    /*
     * MUST only be sent if we've requested a status
     * request message. In TLS <= 1.2 it must also be empty.
     */
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
        return 0;
    }
    if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (SSL_CONNECTION_IS_TLS13(s)) {
        /* We only know how to handle this if it's for the first Certificate in
         * the chain. We ignore any other responses.
         */
        if (chainidx != 0)
            return 1;

        /* SSLfatal() already called */
        return tls_process_cert_status_body(s, pkt);
    }

    /* Set flag to expect CertificateStatus message */
    s->ext.status_expected = 1;

    return 1;
}
#endif

#ifndef OPENSSL_NO_CT
/*
 * Parse the server's signed_certificate_timestamp extension.
 *
 * Ignored in a TLS 1.3 CertificateRequest. If a CT validation callback is
 * set the raw SCT list is copied into s->ext.scts / s->ext.scts_len for
 * later validation (an empty list leaves s->ext.scts NULL with length 0).
 * Without a callback the extension is only acceptable if a custom extension
 * handler is registered for this type, in which case it is handed to
 * custom_ext_parse(); otherwise it is unsolicited and fatal.
 *
 * Returns 1 on success or when ignored, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                       X509 *x, size_t chainidx)
{
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
        /* We ignore this if the server sends it in a CertificateRequest */
        return 1;
    }

    /*
     * Only take it if we asked for it - i.e if there is no CT validation
     * callback set, then a custom extension MAY be processing it, so we
     * need to let control continue to flow to that.
     */
    if (s->ct_validation_callback != NULL) {
        size_t size = PACKET_remaining(pkt);

        /* Simply copy it off for later processing */
        OPENSSL_free(s->ext.scts);
        s->ext.scts = NULL;

        /*
         * scts_len is a uint16_t; extension bodies are bounded by their
         * 16-bit length prefix, so the narrowing is assumed lossless here.
         */
        s->ext.scts_len = (uint16_t)size;
        if (size > 0) {
            s->ext.scts = OPENSSL_malloc(size);
            if (s->ext.scts == NULL) {
                s->ext.scts_len = 0;
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
                return 0;
            }
            if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
    } else {
        /*
         * In a TLS 1.2 ServerHello the handler must have been registered for
         * the client role; elsewhere (TLS 1.3 Certificate) either role will do.
         */
        ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
            ? ENDPOINT_CLIENT
            : ENDPOINT_BOTH;

        /*
         * If we didn't ask for it then there must be a custom extension,
         * otherwise this is unsolicited.
         */
        if (custom_ext_find(&s->cert->custext, role,
                            TLSEXT_TYPE_signed_certificate_timestamp,
                            NULL)
            == NULL) {
            SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
            return 0;
        }

        if (!custom_ext_parse(s, context,
                              TLSEXT_TYPE_signed_certificate_timestamp,
                              PACKET_data(pkt), PACKET_remaining(pkt),
                              x, chainidx)) {
            /* SSLfatal already called */
            return 0;
        }
    }

    return 1;
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
 * elements of zero length are allowed and the set of elements must exactly
 * fill the length of the block. Returns 1 on success or 0 on failure.
 *
 * Note that this consumes |pkt| as it walks the length-prefixed elements,
 * so callers that still need the data pass a copy (see tls_parse_stoc_npn).
 * On failure SSLfatal() has already been called.
 */
static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
{
    PACKET tmp_protocol;

    while (PACKET_remaining(pkt)) {
        /*
         * A truncated element (length byte past the end) or an empty element
         * are both malformed.
         */
        if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
            || PACKET_remaining(&tmp_protocol) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }
    }

    return 1;
}

/*
 * Parse the server's next_proto_neg extension.
 *
 * Ignored during renegotiation. The extension must have been requested
 * (an npn_select_cb is set on the SSL_CTX) and its body must be a valid NPN
 * block. The application callback then selects a protocol; a callback error
 * or a zero-length selection is fatal. The selection is copied into
 * s->ext.npn / s->ext.npn_len and s->s3.npn_seen is set.
 *
 * Returns 1 on success or when ignored, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                       X509 *x, size_t chainidx)
{
    unsigned char *selected;
    unsigned char selected_len;
    PACKET tmppkt;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);

    /* Check if we are in a renegotiation. If so ignore this extension */
    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 1;

    /* We must have requested it. */
    if (sctx->ext.npn_select_cb == NULL) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* The data must be valid */
    /* Validate a copy: the validator consumes the packet it is given */
    tmppkt = *pkt;
    if (!ssl_next_proto_validate(s, &tmppkt)) {
        /* SSLfatal() already called */
        return 0;
    }
    /*
     * The callback hands back a pointer into application-owned memory and a
     * length; only the bytes it indicates are copied below.
     */
    if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s),
                                &selected, &selected_len,
                                PACKET_data(pkt), PACKET_remaining(pkt),
                                sctx->ext.npn_select_cb_arg)
        != SSL_TLSEXT_ERR_OK
        || selected_len == 0) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Could be non-NULL if server has sent multiple NPN extensions in
     * a single Serverhello
     */
    OPENSSL_free(s->ext.npn);
    s->ext.npn = OPENSSL_malloc(selected_len);
    if (s->ext.npn == NULL) {
        s->ext.npn_len = 0;
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    memcpy(s->ext.npn, selected, selected_len);
    s->ext.npn_len = selected_len;
    s->s3.npn_seen = 1;

    return 1;
}
#endif

/*
 * Parse the server's application_layer_protocol_negotiation extension.
 *
 * The extension must have been sent by us (s->s3.alpn_sent). The body must
 * contain exactly one protocol name, and that name must match one of the
 * protocols we advertised in s->ext.alpn. The selection is stored in
 * s->s3.alpn_selected / s->s3.alpn_selected_len. If it differs from the
 * ALPN recorded in the session being resumed, early data is disabled
 * (s->ext.early_data_ok = 0). For a new session (!s->hit) the selection is
 * also duplicated into s->session->ext.alpn_selected.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                        X509 *x, size_t chainidx)
{
    size_t len;
    PACKET confpkt, protpkt;
    int valid = 0;

    /* We must have requested it. */
    if (!s->s3.alpn_sent) {
        SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /*-
     * The extension data consists of:
     *   uint16 list_length
     *   uint8 proto_length;
     *   uint8 proto[proto_length];
     */
    /*
     * Both length prefixes must account for exactly the remaining bytes, so a
     * list with more than one entry (or trailing data) is rejected. After
     * this |len| is the single protocol's length and |pkt| points at it.
     */
    if (!PACKET_get_net_2_len(pkt, &len)
        || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
        || PACKET_remaining(pkt) != len) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* It must be a protocol that we sent */
    if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    /* Walk our own advertised list looking for an exact-length, exact-bytes match */
    while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
        if (PACKET_remaining(&protpkt) != len)
            continue;
        if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
            /* Valid protocol found */
            valid = 1;
            break;
        }
    }

    if (!valid) {
        /* The protocol sent from the server does not match one we advertised */
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    OPENSSL_free(s->s3.alpn_selected);
    s->s3.alpn_selected = OPENSSL_malloc(len);
    if (s->s3.alpn_selected == NULL) {
        s->s3.alpn_selected_len = 0;
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    s->s3.alpn_selected_len = len;

    if (s->session->ext.alpn_selected == NULL
        || s->session->ext.alpn_selected_len != len
        || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
            != 0) {
        /* ALPN not consistent with the old session so cannot use early_data */
        s->ext.early_data_ok = 0;
    }
    if (!s->hit) {
        /*
         * This is a new session and so alpn_selected should have been
         * initialised to NULL. We should update it with the selected ALPN.
         */
        if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        s->session->ext.alpn_selected = OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
        if (s->session->ext.alpn_selected == NULL) {
            s->session->ext.alpn_selected_len = 0;
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
        s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
    }

    return 1;
}

#ifndef OPENSSL_NO_SRTP
/*
 * Parse the server's use_srtp extension.
 *
 * The body must be a 2-byte profile list holding exactly one 2-byte profile
 * id (list length == 2) followed by a 1-byte MKI length that must be 0,
 * with nothing trailing. The extension is unsolicited (fatal) if we have no
 * SRTP profiles configured, and the selected id must be one of them; on a
 * match s->srtp_profile is set.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
                            unsigned int context, X509 *x, size_t chainidx)
{
    unsigned int id, ct, mki;
    int i;
    STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
    SRTP_PROTECTION_PROFILE *prof;

    /* ct: list length in bytes; must describe exactly one profile id */
    if (!PACKET_get_net_2(pkt, &ct) || ct != 2
        || !PACKET_get_net_2(pkt, &id)
        || !PACKET_get_1(pkt, &mki)
        || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
    }

    if (mki != 0) {
        /* Must be no MKI, since we never offer one */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
        return 0;
    }

    /* Throw an error if the server gave us an unsolicited extension */
    clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
    if (clnt == NULL) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
        return 0;
    }

    /*
     * Check to see if the server gave us something we support (and
     * presumably offered)
     */
    for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
        prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);

        if (prof->id == id) {
            s->srtp_profile = prof;
            return 1;
        }
    }

    /* Server chose a profile we never offered */
    SSLfatal(s, SSL_AD_DECODE_ERROR,
             SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
    return 0;
}
#endif

/*
 * Parse the server's encrypt_then_mac extension.
 *
 * Sets s->ext.use_etm unless EtM is disabled by SSL_OP_NO_ENCRYPT_THEN_MAC
 * or the negotiated cipher cannot use it (AEAD, RC4, the GOST stream
 * ciphers, Magma, Kuznyechik). An inapplicable extension is silently
 * ignored rather than treated as an error; the body is not examined.
 *
 * NOTE(review): s->s3.tmp.new_cipher is dereferenced without a NULL check;
 * presumably the ciphersuite has always been chosen before this extension
 * is parsed — confirm against the caller ordering.
 *
 * Always returns 1.
 */
int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                       X509 *x, size_t chainidx)
{
    /* Ignore if inappropriate ciphersuite */
    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
        && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
        && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
        && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
        && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
        && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
        && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
        s->ext.use_etm = 1;

    return 1;
}

/*
 * Parse the server's extended_master_secret extension.
 *
 * Ignored if SSL_OP_NO_EXTENDED_MASTER_SECRET is set. Otherwise records that
 * the server sent it (TLS1_FLAGS_RECEIVED_EXTMS) and, for a new session,
 * marks the session as using EMS (SSL_SESS_FLAG_EXTMS). The body is not
 * examined here.
 *
 * Always returns 1.
 */
int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                       X509 *x, size_t chainidx)
{
    if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
        return 1;
    s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
    /* A resumed session keeps the flag it was created with */
    if (!s->hit)
        s->session->flags |= SSL_SESS_FLAG_EXTMS;

    return 1;
}

/*
 * Parse the server's supported_versions extension.
 *
 * The body must be exactly one 2-byte version, and the only value accepted
 * is TLS1_3_VERSION. In a HelloRetryRequest the value is only sanity
 * checked; in a ServerHello it is stored in s->version and applied to the
 * record layer via ssl_set_record_protocol_version(). Full validation of the
 * negotiated version happens later in ssl_choose_client_version.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
                                      unsigned int context,
                                      X509 *x, size_t chainidx)
{
    unsigned int version;

    if (!PACKET_get_net_2(pkt, &version)
        || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    /*
     * The only protocol version we support which is valid in this extension in
     * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
     */
    if (version != TLS1_3_VERSION) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
        return 0;
    }

    /* We ignore this extension for HRRs except to sanity check it */
    if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
        return 1;

    /* We just set it here. We validate it in ssl_choose_client_version */
    s->version = version;
    if (!ssl_set_record_protocol_version(s, version)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Parse the server's key_share extension (TLS 1.3 only; a no-op returning 1
 * when OPENSSL_NO_TLS1_3 is defined).
 *
 * HelloRetryRequest: the body is a bare 2-byte group id with no key data.
 * It is fatal if the group is one we already sent a share for, if it is not
 * in our supported-groups list, or if it fails the security/validity checks.
 * Otherwise the requested group is recorded in s->s3.group_id and all the
 * client key shares from the first ClientHello are freed, since a fresh
 * share for the requested group will be generated for the second ClientHello.
 *
 * ServerHello: the group id must match one of the shares we sent, and is
 * recorded in s->s3.group_id and the session's kex_group (a resumed session
 * whose group changed is duplicated first, because the original may be
 * shared with other threads). The server's non-empty, length-prefixed key
 * data is then either loaded into a fresh EVP_PKEY and fed to ssl_derive()
 * (classic KEX, server key kept in s->s3.peer_tmp) or treated as a KEM
 * ciphertext and passed to ssl_decapsulate(). s->s3.did_kex is set on success.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
                             unsigned int context, X509 *x,
                             size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int group_id;
    PACKET encoded_pt;
    EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
    const TLS_GROUP_INFO *ginf = NULL;
    uint16_t valid_ks_id = 0;
    size_t i;

    /* Sanity check */
    /* We must have a client key and must not already hold a server key */
    if (ckey == NULL || s->s3.peer_tmp != NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* Which group ID does the server want -> group_id */
    if (!PACKET_get_net_2(pkt, &group_id)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
        const uint16_t *pgroups = NULL;
        size_t num_groups;

        /* An HRR key_share carries only the group id */
        if (PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            return 0;
        }

        /*
         * It is an error if the HelloRetryRequest wants a key_share that we
         * already sent in the first ClientHello
         */
        for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {
            if (s->s3.tmp.ks_group_id[i] == group_id) {
                SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
                return 0;
            }
        }

        /* Validate the selected group is one we support */
        tls1_get_supported_groups(s, &pgroups, &num_groups);
        for (i = 0; i < num_groups; i++) {
            if (group_id == pgroups[i])
                break;
        }
        /* Not in our list, or rejected by security level / version checks */
        if (i >= num_groups
            || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
            || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
                                0, NULL)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* Memorize which groupID the server wants */
        s->s3.group_id = group_id;

        /* The initial keyshares are obsolete now, hence free memory */
        for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {
            if (s->s3.tmp.ks_pkey[i] != NULL) {
                EVP_PKEY_free(s->s3.tmp.ks_pkey[i]);
                s->s3.tmp.ks_pkey[i] = NULL;
            }
        }
        s->s3.tmp.num_ks_pkey = 0;
        s->s3.tmp.pkey = NULL;

        return 1;
    }

    /*
     * check that the group requested by the server is one we've
     * sent a key share for, and if so: memorize which one
     */
    /*
     * valid_ks_id uses 0 as "not found"; this assumes group id 0 is never one
     * of our advertised shares (it is a reserved value).
     */
    for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {
        if (s->s3.tmp.ks_group_id[i] == group_id) {
            valid_ks_id = group_id;
            ckey = s->s3.tmp.ks_pkey[i];
            s->s3.group_id = group_id;
            s->s3.tmp.pkey = ckey;
            break;
        }
    }
    if (valid_ks_id == 0) {
        /*
         * This isn't for the group that we sent in the original
         * key_share!
         */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
        return 0;
    }
    /* Retain this group in the SSL_SESSION */
    if (!s->hit) {
        s->session->kex_group = group_id;
    } else if (group_id != s->session->kex_group) {
        /*
         * If this is a resumption but changed what group was used, we need
         * to record the new group in the session, but the session is not
         * a new session and could be in use by other threads. So, make
         * a copy of the session to record the new information so that it's
         * useful for any sessions resumed from tickets issued on this
         * connection.
         */
        SSL_SESSION *new_sess;

        if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
            return 0;
        }
        SSL_SESSION_free(s->session);
        s->session = new_sess;
        s->session->kex_group = group_id;
    }

    if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
                                     group_id))
        == NULL) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
        return 0;
    }

    /* The server's key exchange data: 2-byte length prefix, must be non-empty */
    if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
        || PACKET_remaining(&encoded_pt) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    if (!ginf->is_kem) {
        /* Regular KEX */
        /* Every error path below frees skey; it is only kept on success */
        skey = EVP_PKEY_new();
        if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
            EVP_PKEY_free(skey);
            return 0;
        }

        /* Decoding the peer's public value also validates it for the group */
        if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
                                      PACKET_remaining(&encoded_pt))
            <= 0) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
            EVP_PKEY_free(skey);
            return 0;
        }

        if (ssl_derive(s, ckey, skey, 1) == 0) {
            /* SSLfatal() already called */
            EVP_PKEY_free(skey);
            return 0;
        }
        s->s3.peer_tmp = skey;
    } else {
        /* KEM Mode */
        /* The encoded data is a ciphertext to decapsulate with our private key */
        const unsigned char *ct = PACKET_data(&encoded_pt);
        size_t ctlen = PACKET_remaining(&encoded_pt);

        if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
            /* SSLfatal() already called */
            return 0;
        }
    }
    s->s3.did_kex = 1;
#endif

    return 1;
}

/*
 * Parse the server's cookie extension (TLS 1.3 HelloRetryRequest).
 *
 * The body is a 2-byte length-prefixed opaque cookie, duplicated into
 * s->ext.tls13_cookie / s->ext.tls13_cookie_len for echoing back in the
 * second ClientHello. Presumably PACKET_memdup releases any previously
 * stored cookie before allocating — confirm in the PACKET implementation.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                          X509 *x, size_t chainidx)
{
    PACKET cookie;

    if (!PACKET_as_length_prefixed_2(pkt, &cookie)
        || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
                          &s->ext.tls13_cookie_len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    return 1;
}

/*
 * Parse the server's early_data extension.
 *
 * In a NewSessionTicket the body is a 4-byte max_early_data which is stored
 * in the session; under QUIC any value other than 0xffffffff is fatal (the
 * session value is forced to 1 so later checks still see it as invalid).
 *
 * In an EncryptedExtensions the body must be empty and the server may only
 * accept early data if we both offered it (s->ext.early_data_ok) and
 * resumed (s->hit); otherwise it is fatal. On acceptance s->ext.early_data
 * becomes SSL_EARLY_DATA_ACCEPTED.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
                              unsigned int context,
                              X509 *x, size_t chainidx)
{
    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
        unsigned long max_early_data;

        if (!PACKET_get_net_4(pkt, &max_early_data)
            || PACKET_remaining(pkt) != 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
            return 0;
        }

        s->session->ext.max_early_data = max_early_data;

        if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {
            /*
             * QUIC allows missing max_early_data, or a max_early_data value
             * of 0xffffffff. Missing max_early_data is stored in the session
             * as 0. This is indistinguishable in OpenSSL from a present
             * max_early_data value that was 0. In order that later checks for
             * invalid max_early_data correctly treat as an error the case where
             * max_early_data is present and it is 0, we store any invalid
             * value in the same (non-zero) way. Otherwise we would have to
             * introduce a new flag just for this.
             */
            s->session->ext.max_early_data = 1;
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
            return 0;
        }

        return 1;
    }

    /* Outside NewSessionTicket the extension carries no body */
    if (PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (!s->ext.early_data_ok
        || !s->hit) {
        /*
         * If we get here then we didn't send early data, or we didn't resume
         * using the first identity, or the SNI/ALPN is not consistent so the
         * server should not be accepting it.
         */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
        return 0;
    }

    s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;

    return 1;
}

/*
 * Parse the server's pre_shared_key extension (TLS 1.3 only; a no-op
 * returning 1 when OPENSSL_NO_TLS1_3 is defined).
 *
 * The body is a single 2-byte identity index which must be below the number
 * of identities we offered (s->ext.tick_identity). Index 0 refers to the
 * session resumption ticket whenever we sent one (we sent two, or no
 * external PSK is pending), in which case the pending external PSK session
 * is discarded and s->hit is set. Otherwise the external PSK session
 * (s->psksession) becomes the current session: its early_secret is copied
 * across unless we already used this PSK to send early data, and early data
 * is disabled if the chosen identity was not the first one offered.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
                       unsigned int context, X509 *x,
                       size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int identity;

    if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    /* The server may only select an identity we actually offered */
    if (identity >= (unsigned int)s->ext.tick_identity) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
        return 0;
    }

    /*
     * Session resumption tickets are always sent before PSK tickets. If the
     * ticket index is 0 then it must be for a session resumption ticket if we
     * sent two tickets, or if we didn't send a PSK ticket.
     */
    if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
        s->hit = 1;
        SSL_SESSION_free(s->psksession);
        s->psksession = NULL;
        return 1;
    }

    if (s->psksession == NULL) {
        /* Should never happen */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * If we used the external PSK for sending early_data then s->early_secret
     * is already set up, so don't overwrite it. Otherwise we copy the
     * early_secret across that we generated earlier.
     */
    if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
         && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
        || s->session->ext.max_early_data > 0
        || s->psksession->ext.max_early_data == 0)
        memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);

    /* Ownership of psksession moves to s->session */
    SSL_SESSION_free(s->session);
    s->session = s->psksession;
    s->psksession = NULL;
    s->hit = 1;
    /* Early data is only allowed if we used the first ticket */
    if (identity != 0)
        s->ext.early_data_ok = 0;
#endif

    return 1;
}

/*
 * Construct the client_cert_type extension for the ClientHello.
 *
 * Not sent unless the application configured a list of acceptable client
 * certificate types (sc->client_cert_type). The list is written as a
 * 1-byte length-prefixed vector inside the extension. sc->ext.client_cert_type_ctos
 * records whether the extension went out, which the parser below relies on.
 *
 * Returns EXT_RETURN_NOT_SENT, EXT_RETURN_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() if the packet could not be written.
 */
EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
                                               unsigned int context,
                                               X509 *x, size_t chainidx)
{
    sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
    if (sc->client_cert_type == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
        || !WPACKET_start_sub_packet_u16(pkt)
        || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)
        || !WPACKET_close(pkt)) {
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
    return EXT_RETURN_SENT;
}

/*
 * Parse the server's client_cert_type extension.
 *
 * The body must be exactly one byte: the certificate type the server chose.
 * It is fatal if we did not send the extension (ossl_assert on the
 * construct-side marker), if no types are configured, or if the chosen type
 * is not in our configured list. On success sc->ext.client_cert_type is set.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
                                    unsigned int context,
                                    X509 *x, size_t chainidx)
{
    unsigned int type;

    if (PACKET_remaining(pkt) != 1) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    if (!PACKET_get_1(pkt, &type)) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* We did not send/ask for this */
    if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* We don't have this enabled */
    if (sc->client_cert_type == NULL) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* Given back a value we didn't configure */
    /* type is a single byte (PACKET_get_1), so the memchr conversion is exact */
    if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
        return 0;
    }
    sc->ext.client_cert_type = type;
    return 1;
}

/*
 * Construct the server_cert_type extension for the ClientHello.
 *
 * Mirrors tls_construct_ctos_client_cert_type using the configured server
 * certificate type list (sc->server_cert_type); sc->ext.server_cert_type_ctos
 * records whether it was sent.
 *
 * Returns EXT_RETURN_NOT_SENT, EXT_RETURN_SENT, or EXT_RETURN_FAIL after
 * SSLfatal() if the packet could not be written.
 */
EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
                                               unsigned int context,
                                               X509 *x, size_t chainidx)
{
    sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
    if (sc->server_cert_type == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
        || !WPACKET_start_sub_packet_u16(pkt)
        || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)
        || !WPACKET_close(pkt)) {
        SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
    return EXT_RETURN_SENT;
}

/*
 * Parse the server's server_cert_type extension.
 *
 * Mirrors tls_parse_stoc_client_cert_type: exactly one byte, only accepted
 * if we sent the extension, only if server certificate types are configured,
 * and only if the chosen type is one we configured. On success
 * sc->ext.server_cert_type is set.
 *
 * Returns 1 on success, 0 on failure (SSLfatal() called).
 */
int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
                                    unsigned int context,
                                    X509 *x, size_t chainidx)
{
    unsigned int type;

    if (PACKET_remaining(pkt) != 1) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    if (!PACKET_get_1(pkt, &type)) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* We did not send/ask for this */
    if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* We don't have this enabled */
    if (sc->server_cert_type == NULL) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }
    /* Given back a value we didn't configure */
    if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {
        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
        return 0;
    }
    sc->ext.server_cert_type = type;
    return 1;
}
