/*
 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Server-side parsers for extensions received in a ClientHello (and, for a
 * few of them, in other client messages). Every parser in this file follows
 * the same contract: it returns 1 on success and 0 after having raised a
 * fatal alert through SSLfatal(); callers never see an error without an
 * alert having been queued.
 */

#include <openssl/ocsp.h>
#include "../ssl_local.h"
#include "statem_local.h"
#include "internal/cryptlib.h"

/* Format version tag stored at the start of a stateless HRR cookie */
#define COOKIE_STATE_FORMAT_VERSION 1

/*
 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
 */
#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
                         + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)

/*
 * Message header + 2 bytes for protocol version + number of random bytes +
 * + 1 byte for legacy session id length + number of bytes in legacy session id
 * + 2 bytes for ciphersuite + 1 byte for legacy compression
 * + 2 bytes for extension block length + 6 bytes for key_share extension
 * + 4 bytes for cookie extension header + the number of bytes in the cookie
 */
#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
                      + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
                      + MAX_COOKIE_SIZE)

/*
 * Parse the client's renegotiation binding and abort if it's not right.
 *
 * |pkt| holds the renegotiation_info extension body: a one-byte length
 * followed by the client's previous Finished value. The received value must
 * match s->s3.previous_client_finished exactly, both in length and content.
 * |context|, |x| and |chainidx| are part of the common parser signature and
 * are not used here.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx)
{
    unsigned int ilen;
    const unsigned char *data;

    /* Parse the length byte */
    if (!PACKET_get_1(pkt, &ilen)
            || !PACKET_get_bytes(pkt, &data, ilen)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
        return 0;
    }

    /*
     * Check that the extension matches. The length is compared first so
     * that the memcmp() below never reads beyond the |ilen| bytes that
     * PACKET_get_bytes() actually handed us.
     */
    if (ilen != s->s3.previous_client_finished_len) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
        return 0;
    }

    /*
     * NOTE(review): memcmp() is not constant time. The value compared is the
     * previous Finished message, which both sides have already exchanged;
     * confirm whether a constant-time compare is wanted here anyway.
     */
    if (memcmp(data, s->s3.previous_client_finished,
               s->s3.previous_client_finished_len)) {
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
        return 0;
    }

    /* Remember to echo the binding back in our own renegotiation_info */
    s->s3.send_connection_binding = 1;

    return 1;
}

/*-
 * The servername extension is treated as follows:
 *
 * - Only the hostname type is supported with a maximum length of 255.
 * - The servername is rejected if too long or if it contains zeros,
 *   in which case an fatal alert is generated.
 * - The servername field is maintained together with the session cache.
 * - When a session is resumed, the servername call back invoked in order
 *   to allow the application to position itself to the right context.
 * - The servername is acknowledged if it is new for a session or when
 *   it is identical to a previously used for the same session.
 *   Applications can control the behaviour. They can at any time
 *   set a 'desirable' servername for a new SSL object. This can be the
 *   case for example with HTTPS when a Host: header field is received and
 *   a renegotiation is requested. In this case, a possible servername
 *   presented in the new client hello is only acknowledged if it matches
 *   the value of the Host: field.
 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
 *   if they provide for changing an explicit servername context for the
 *   session, i.e. when the session has been established with a servername
 *   extension.
 * - On session reconnect, the servername extension may be absent.
 */

/*
 * Parse the server_name (SNI) extension from a ClientHello.
 *
 * On a full handshake (or any TLSv1.3 handshake) the host name is validated
 * and copied into s->ext.hostname; on a TLSv1.2-or-below resumption it is
 * only compared against the host name stored in the session. |context|, |x|
 * and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx)
{
    unsigned int servname_type;
    PACKET sni, hostname;

    if (!PACKET_as_length_prefixed_2(pkt, &sni)
        /* ServerNameList must be at least 1 byte long. */
        || PACKET_remaining(&sni) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * Although the intent was for server_name to be extensible, RFC 4366
     * was not clear about it; and so OpenSSL among other implementations,
     * always and only allows a 'host_name' name types.
     * RFC 6066 corrected the mistake but adding new name types
     * is nevertheless no longer feasible, so act as if no other
     * SNI types can exist, to simplify parsing.
     *
     * Also note that the RFC permits only one SNI value per type,
     * i.e., we can only have a single hostname.
     */
    if (!PACKET_get_1(&sni, &servname_type)
        || servname_type != TLSEXT_NAMETYPE_host_name
        || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
     * we always use the SNI value from the handshake.
     */
    if (!s->hit || SSL_IS_TLS13(s)) {
        if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
            return 0;
        }

        /*
         * The host name is stored and later compared as a NUL-terminated
         * C string (PACKET_strndup()/strlen() below), so an embedded zero
         * byte would silently truncate it. Reject it instead.
         */
        if (PACKET_contains_zero_byte(&hostname)) {
            SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
            return 0;
        }

        /*
         * Store the requested SNI in the SSL as temporary storage.
         * If we accept it, it will get stored in the SSL_SESSION as well.
         */
        OPENSSL_free(s->ext.hostname);
        s->ext.hostname = NULL;
        if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }

        s->servername_done = 1;
    } else {
        /*
         * In TLSv1.2 and below we should check if the SNI is consistent between
         * the initial handshake and the resumption. In TLSv1.3 SNI is not
         * associated with the session.
         */
        s->servername_done = (s->session->ext.hostname != NULL)
            && PACKET_equal(&hostname, s->session->ext.hostname,
                            strlen(s->session->ext.hostname));
    }

    return 1;
}

/*
 * Parse the max_fragment_length extension (RFC 6066) from a ClientHello.
 *
 * The extension body must be exactly one byte holding a valid length code.
 * The code is only recorded in the session when no mode has been negotiated
 * yet, so a resumed session keeps the value agreed originally. |context|,
 * |x| and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    unsigned int value;

    /* Exactly one byte: anything else is a malformed extension */
    if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Received |value| should be a valid max-fragment-length code. */
    if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
        return 0;
    }

    /*
     * When doing a full handshake or a renegotiation max_fragment_len_mode will
     * be TLSEXT_max_fragment_length_UNSPECIFIED
     *
     * In case of a resumption max_fragment_len_mode will be one of
     * TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
     * TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
     * TLSEXT_max_fragment_length_4096
     *
     * RFC 6066: The negotiated length applies for the duration of the session
     * including session resumptions.
     *
     * So we only set the value in case it is unspecified.
     */
    if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
        /*
         * Store it in session, so it'll become binding for us
         * and we'll include it in a next Server Hello.
         */
        s->session->ext.max_fragment_len_mode = value;

    return 1;
}

#ifndef OPENSSL_NO_SRP
/*
 * Parse the SRP extension (RFC 5054) from a ClientHello.
 *
 * The body is a one-byte length-prefixed user name (srp_I). It is rejected
 * if it contains a zero byte, because it is stored as a C string in
 * s->srp_ctx.login. |context|, |x| and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    PACKET srp_I;

    if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
            || PACKET_contains_zero_byte(&srp_I)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * NOTE(review): any previous s->srp_ctx.login is not freed explicitly
     * here; presumably PACKET_strndup() releases the old value itself
     * (as the server_name parser above also relies on) - confirm.
     */
    if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}
#endif

/*
 * Parse the ec_point_formats extension (RFC 8422) from a ClientHello.
 *
 * The non-empty one-byte length-prefixed list is copied verbatim into
 * s->ext.peer_ecpointformats on a full handshake; on resumption it is only
 * syntax-checked. |context|, |x| and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx)
{
    PACKET ec_point_format_list;

    if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
        || PACKET_remaining(&ec_point_format_list) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (!s->hit) {
        if (!PACKET_memdup(&ec_point_format_list,
                           &s->ext.peer_ecpointformats,
                           &s->ext.peer_ecpointformats_len)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return 0;
        }
    }

    return 1;
}

/*
 * Parse the session_ticket extension (RFC 5077) from a ClientHello.
 *
 * The raw extension body is handed to the application's session ticket
 * callback, if one is set; the ticket itself is decrypted elsewhere. The
 * only failure is the callback returning 0. |context|, |x| and |chainidx|
 * are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    if (s->ext.session_ticket_cb &&
            !s->ext.session_ticket_cb(s, PACKET_data(pkt),
                                  PACKET_remaining(pkt),
                                  s->ext.session_ticket_cb_arg)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

/*
 * Parse the signature_algorithms_cert extension (RFC 8446) from a
 * ClientHello.
 *
 * The non-empty two-byte length-prefixed list is saved via
 * tls1_save_sigalgs() with the "cert" flag set; nothing is stored on a
 * resumption. The unused parameters are marked ossl_unused.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
                                 ossl_unused unsigned int context,
                                 ossl_unused X509 *x,
                                 ossl_unused size_t chainidx)
{
    PACKET supported_sig_algs;

    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
            || PACKET_remaining(&supported_sig_algs) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    return 1;
}

/*
 * Parse the signature_algorithms extension from a ClientHello.
 *
 * Identical to tls_parse_ctos_sig_algs_cert() except that the list is saved
 * with the "cert" flag clear. |context|, |x| and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                            size_t chainidx)
{
    PACKET supported_sig_algs;

    if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
            || PACKET_remaining(&supported_sig_algs) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    return 1;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Parse the status_request extension (RFC 6066) from a ClientHello.
 *
 * Only the OCSP status type is understood; any other type is recorded as
 * TLSEXT_STATUSTYPE_nothing and otherwise ignored. For OCSP the responder ID
 * list is DER-decoded into s->ext.ocsp.ids and the request extensions into
 * s->ext.ocsp.exts. Both decoders are checked to have consumed their input
 * completely, so trailing bytes after a DER value are rejected. The
 * extension is ignored on resumption and when it arrives in a client
 * Certificate (|x| != NULL). |context| and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
{
    PACKET responder_id_list, exts;

    /* We ignore this in a resumption handshake */
    if (s->hit)
        return 1;

    /* Not defined if we get one of these in a client Certificate */
    if (x != NULL)
        return 1;

    if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
        /*
         * We don't know what to do with any other type so ignore it.
         */
        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
        return 1;
    }

    if (!PACKET_get_length_prefixed_2(pkt, &responder_id_list)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * We remove any OCSP_RESPIDs from a previous handshake
     * to prevent unbounded memory growth - CVE-2016-6304
     */
    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
    if (PACKET_remaining(&responder_id_list) > 0) {
        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
        if (s->ext.ocsp.ids == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
            return 0;
        }
    } else {
        s->ext.ocsp.ids = NULL;
    }

    while (PACKET_remaining(&responder_id_list) > 0) {
        OCSP_RESPID *id;
        PACKET responder_id;
        const unsigned char *id_data;

        if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
                || PACKET_remaining(&responder_id) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        id_data = PACKET_data(&responder_id);
        id = d2i_OCSP_RESPID(NULL, &id_data,
                             (int)PACKET_remaining(&responder_id));
        if (id == NULL) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        /* d2i_ advances |id_data|; anything left over is trailing garbage */
        if (id_data != PACKET_end(&responder_id)) {
            OCSP_RESPID_free(id);
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);

            return 0;
        }

        /* Ownership of |id| moves to the stack on success */
        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
            OCSP_RESPID_free(id);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);

            return 0;
        }
    }

    /* Read in request_extensions */
    if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /*
     * NOTE(review): unlike the responder ID list above, an existing
     * s->ext.ocsp.exts is only released and replaced when the new
     * request_extensions block is non-empty; an empty block leaves any
     * value from an earlier handshake in place. Confirm this is intended.
     */
    if (PACKET_remaining(&exts) > 0) {
        const unsigned char *ext_data = PACKET_data(&exts);

        sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
                                   X509_EXTENSION_free);
        s->ext.ocsp.exts =
            d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }
    }

    return 1;
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Parse the next_protocol_negotiation extension from a ClientHello.
 *
 * The extension carries no body worth parsing; it only records that the
 * client offered NPN, and only on the first handshake. |pkt|, |context|,
 * |x| and |chainidx| are not used.
 *
 * Always returns 1.
 */
int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    /*
     * We shouldn't accept this extension on a
     * renegotiation.
     */
    if (SSL_IS_FIRST_HANDSHAKE(s))
        s->s3.npn_seen = 1;

    return 1;
}
#endif

/*
 * Save the ALPN extension in a ClientHello. |pkt| holds the contents of the ALPN
 * extension, not including type and length. Returns: 1 on success, 0 on error.
 *
 * The whole protocol name list is walked once to check that every entry is
 * well-formed and non-empty before any of it is stored in
 * s->s3.alpn_proposed; nothing is changed on a renegotiation. |context|,
 * |x| and |chainidx| are not used.
 */
int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)
{
    PACKET protocol_list, save_protocol_list, protocol;

    if (!SSL_IS_FIRST_HANDSHAKE(s))
        return 1;

    /* Minimum is one length byte plus one character */
    if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
        || PACKET_remaining(&protocol_list) < 2) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* Validate first; |protocol_list| is consumed by the loop below */
    save_protocol_list = protocol_list;
    do {
        /* Protocol names can't be empty. */
        if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
            || PACKET_remaining(&protocol) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }
    } while (PACKET_remaining(&protocol_list) != 0);

    OPENSSL_free(s->s3.alpn_proposed);
    s->s3.alpn_proposed = NULL;
    s->s3.alpn_proposed_len = 0;
    if (!PACKET_memdup(&save_protocol_list,
                       &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

#ifndef OPENSSL_NO_SRTP
/*
 * Parse the use_srtp extension (RFC 5764) from a ClientHello.
 *
 * Selects the server's most preferred SRTP protection profile that the
 * client also offered and stores it in s->srtp_profile (NULL if none
 * matches). The MKI value is length-checked and discarded, and the extension
 * must end there. Ignored entirely when no SRTP profiles are configured.
 * |context|, |x| and |chainidx| are not used.
 *
 * Returns 1 on success, 0 after raising a fatal alert.
 */
int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                            size_t chainidx)
{
    STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
    unsigned int ct, mki_len, id;
    int i, srtp_pref;
    PACKET subpkt;

    /* Ignore this if we have no SRTP profiles */
    if (SSL_get_srtp_profiles(s) == NULL)
        return 1;

    /* Pull off the length of the cipher suite list and check it is even */
    if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
            || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
    }

    srvr = SSL_get_srtp_profiles(s);
    s->srtp_profile = NULL;
    /*
     * Search all profiles for a match initially. |srtp_pref| is the index
     * of the current best match; starting at the list length means any
     * profile can match the first time round.
     */
    srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);

    while (PACKET_remaining(&subpkt)) {
        if (!PACKET_get_net_2(&subpkt, &id)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
            return 0;
        }

        /*
         * Only look for match in profiles of higher preference than
         * current match.
         * If no profiles have been have been configured then this
         * does nothing.
         */
        for (i = 0; i < srtp_pref; i++) {
            SRTP_PROTECTION_PROFILE *sprof =
                sk_SRTP_PROTECTION_PROFILE_value(srvr, i);

            if (sprof->id == id) {
                s->srtp_profile = sprof;
                srtp_pref = i;
                break;
            }
        }
    }

    /* Now extract the MKI value as a sanity check, but discard it for now */
    if (!PACKET_get_1(pkt, &mki_len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
        return 0;
    }

    /* The MKI must fit and nothing may follow it */
    if (!PACKET_forward(pkt, mki_len)
        || PACKET_remaining(pkt)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
        return 0;
    }

    return 1;
}
#endif

/*
 * Parse the encrypt_then_mac extension (RFC 7366) from a ClientHello.
 *
 * The body is empty; its presence enables EtM unless the application has
 * disabled it with SSL_OP_NO_ENCRYPT_THEN_MAC. |pkt|, |context|, |x| and
 * |chainidx| are not used.
 *
 * Always returns 1.
 */
int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
        s->ext.use_etm = 1;

    return 1;
}

/*
 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
 *
 * Each recognised mode byte sets the matching flag in s->ext.psk_kex_mode;
 * psk_ke (no DHE) is only honoured when SSL_OP_ALLOW_NO_DHE_KEX is set, and
 * unknown mode values are skipped. With TLSv1.3 compiled out the extension
 * is accepted without being examined. |context|, |x| and |chainidx| are not
 * used.
 */
int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    PACKET psk_kex_modes;
    unsigned int mode;

    if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
            || PACKET_remaining(&psk_kex_modes) == 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    while (PACKET_get_1(&psk_kex_modes, &mode)) {
        if (mode == TLSEXT_KEX_MODE_KE_DHE)
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
        else if (mode == TLSEXT_KEX_MODE_KE
                && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
            s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
    }
#endif

    return 1;
}

/*
 * Process a key_share extension received in the ClientHello. |pkt| contains
 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
*/

/*
 * Selects the first offered share whose group the client also listed in
 * supported_groups and which we are allowed to use, generates our side of
 * the exchange into s->s3.peer_tmp and records the group in both
 * s->s3.group_id and the session. After a HelloRetryRequest the client must
 * send exactly one share, for the group we asked for. Shares that follow the
 * chosen one are still syntax-checked but otherwise ignored. With TLSv1.3
 * compiled out the extension is accepted without being examined. |context|,
 * |x| and |chainidx| are not used.
 */
int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                             size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int group_id;
    PACKET key_share_list, encoded_pt;
    const uint16_t *clntgroups, *srvrgroups;
    size_t clnt_num_groups, srvr_num_groups;
    int found = 0;

    /* A PSK-only resumption (no DHE mode) has no use for a key share */
    if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
        return 1;

    /* Sanity check */
    if (s->s3.peer_tmp != NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    /* Get our list of supported groups */
    tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
    /* Get the clients list of supported groups. */
    tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
    if (clnt_num_groups == 0) {
        /*
         * This can only happen if the supported_groups extension was not sent,
         * because we verify that the length is non-zero when we process that
         * extension.
         */
        SSLfatal(s, SSL_AD_MISSING_EXTENSION,
                 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
        return 0;
    }

    if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
        /*
         * If we set a group_id already, then we must have sent an HRR
         * requesting a new key_share. If we haven't got one then that is an
         * error
         */
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
        return 0;
    }

    while (PACKET_remaining(&key_share_list) > 0) {
        if (!PACKET_get_net_2(&key_share_list, &group_id)
                || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
                || PACKET_remaining(&encoded_pt) == 0) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
            return 0;
        }

        /*
         * If we already found a suitable key_share we loop through the
         * rest to verify the structure, but don't process them.
         */
        if (found)
            continue;

        /*
         * If we sent an HRR then the key_share sent back MUST be for the group
         * we requested, and must be the only key_share sent.
         */
        if (s->s3.group_id != 0
                && (group_id != s->s3.group_id
                    || PACKET_remaining(&key_share_list) != 0)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /*
         * Check if this share is in supported_groups sent from client. A
         * share for a group the client did not advertise is a protocol
         * violation, hence fatal rather than skipped.
         */
        if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
            return 0;
        }

        /* Check if this share is for a group we can use */
        if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
                || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
                /*
                 * We tolerate but ignore a group id that we don't think is
                 * suitable for TLSv1.3
                 */
                || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
                                    0, NULL)) {
            /* Share not suitable */
            continue;
        }

        if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
            return 0;
        }

        s->s3.group_id = group_id;
        /* Cache the selected group ID in the SSL_SESSION */
        s->session->kex_group = group_id;

        /* Import the client's public value; rejects malformed points/keys */
        if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
                                      PACKET_data(&encoded_pt),
                                      PACKET_remaining(&encoded_pt)) <= 0) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
            return 0;
        }

        found = 1;
    }
#endif

    return 1;
}

int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                          size_t chainidx)
{
#ifndef OPENSSL_NO_TLS1_3
    unsigned int format, version, key_share, group_id;
    EVP_MD_CTX *hctx;
    EVP_PKEY *pkey;
    PACKET cookie, raw, chhash, appcookie;
    WPACKET hrrpkt;
    const unsigned char *data, *mdin, *ciphdata;
    unsigned char hmac[SHA256_DIGEST_LENGTH];
    unsigned char hrr[MAX_HRR_SIZE];
    size_t rawlen, hmaclen, hrrlen, ciphlen;
    uint64_t tm, now;

    /* Ignore any cookie if we're not set up to verify it */
    if (s->ctx->verify_stateless_cookie_cb == NULL
            || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
        return 1;

    if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }

    raw = cookie;
    data = PACKET_data(&raw);
    rawlen = PACKET_remaining(&raw);
    if (rawlen < SHA256_DIGEST_LENGTH
            || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
        return 0;
    }
    mdin = PACKET_data(&raw);

    /* Verify the HMAC of the cookie */
    hctx = EVP_MD_CTX_create();
    pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
                                           s->ctx->propq,
                                           s->session_ctx->ext.cookie_hmac_key,
sizeof(s->session_ctx->ext.cookie_hmac_key)); 733 1.1 christos if (hctx == NULL || pkey == NULL) { 734 1.1 christos EVP_MD_CTX_free(hctx); 735 1.1 christos EVP_PKEY_free(pkey); 736 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 737 1.1 christos return 0; 738 1.1 christos } 739 1.1 christos 740 1.1 christos hmaclen = SHA256_DIGEST_LENGTH; 741 1.2 christos if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx, 742 1.2 christos s->ctx->propq, pkey, NULL) <= 0 743 1.1 christos || EVP_DigestSign(hctx, hmac, &hmaclen, data, 744 1.1 christos rawlen - SHA256_DIGEST_LENGTH) <= 0 745 1.1 christos || hmaclen != SHA256_DIGEST_LENGTH) { 746 1.1 christos EVP_MD_CTX_free(hctx); 747 1.1 christos EVP_PKEY_free(pkey); 748 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 749 1.1 christos return 0; 750 1.1 christos } 751 1.1 christos 752 1.1 christos EVP_MD_CTX_free(hctx); 753 1.1 christos EVP_PKEY_free(pkey); 754 1.1 christos 755 1.1 christos if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) { 756 1.2 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH); 757 1.1 christos return 0; 758 1.1 christos } 759 1.1 christos 760 1.1 christos if (!PACKET_get_net_2(&cookie, &format)) { 761 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 762 1.1 christos return 0; 763 1.1 christos } 764 1.1 christos /* Check the cookie format is something we recognise. Ignore it if not */ 765 1.1 christos if (format != COOKIE_STATE_FORMAT_VERSION) 766 1.1 christos return 1; 767 1.1 christos 768 1.1 christos /* 769 1.1 christos * The rest of these checks really shouldn't fail since we have verified the 770 1.1 christos * HMAC above. 
771 1.1 christos */ 772 1.1 christos 773 1.1 christos /* Check the version number is sane */ 774 1.1 christos if (!PACKET_get_net_2(&cookie, &version)) { 775 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 776 1.1 christos return 0; 777 1.1 christos } 778 1.1 christos if (version != TLS1_3_VERSION) { 779 1.2 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 780 1.1 christos SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 781 1.1 christos return 0; 782 1.1 christos } 783 1.1 christos 784 1.1 christos if (!PACKET_get_net_2(&cookie, &group_id)) { 785 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 786 1.1 christos return 0; 787 1.1 christos } 788 1.1 christos 789 1.1 christos ciphdata = PACKET_data(&cookie); 790 1.1 christos if (!PACKET_forward(&cookie, 2)) { 791 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 792 1.1 christos return 0; 793 1.1 christos } 794 1.2 christos if (group_id != s->s3.group_id 795 1.2 christos || s->s3.tmp.new_cipher 796 1.1 christos != ssl_get_cipher_by_char(s, ciphdata, 0)) { 797 1.1 christos /* 798 1.1 christos * We chose a different cipher or group id this time around to what is 799 1.1 christos * in the cookie. Something must have changed. 
800 1.1 christos */ 801 1.2 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER); 802 1.1 christos return 0; 803 1.1 christos } 804 1.1 christos 805 1.1 christos if (!PACKET_get_1(&cookie, &key_share) 806 1.2 christos || !PACKET_get_net_8(&cookie, &tm) 807 1.1 christos || !PACKET_get_length_prefixed_2(&cookie, &chhash) 808 1.1 christos || !PACKET_get_length_prefixed_1(&cookie, &appcookie) 809 1.1 christos || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) { 810 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 811 1.1 christos return 0; 812 1.1 christos } 813 1.1 christos 814 1.1 christos /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */ 815 1.2 christos now = time(NULL); 816 1.1 christos if (tm > now || (now - tm) > 600) { 817 1.1 christos /* Cookie is stale. Ignore it */ 818 1.1 christos return 1; 819 1.1 christos } 820 1.1 christos 821 1.1 christos /* Verify the app cookie */ 822 1.1 christos if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie), 823 1.1 christos PACKET_remaining(&appcookie)) == 0) { 824 1.2 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH); 825 1.1 christos return 0; 826 1.1 christos } 827 1.1 christos 828 1.1 christos /* 829 1.1 christos * Reconstruct the HRR that we would have sent in response to the original 830 1.1 christos * ClientHello so we can add it to the transcript hash. 
831 1.1 christos * Note: This won't work with custom HRR extensions 832 1.1 christos */ 833 1.1 christos if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) { 834 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 835 1.1 christos return 0; 836 1.1 christos } 837 1.1 christos if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO) 838 1.1 christos || !WPACKET_start_sub_packet_u24(&hrrpkt) 839 1.1 christos || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION) 840 1.1 christos || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE) 841 1.1 christos || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id, 842 1.1 christos s->tmp_session_id_len) 843 1.2 christos || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt, 844 1.1 christos &ciphlen) 845 1.1 christos || !WPACKET_put_bytes_u8(&hrrpkt, 0) 846 1.1 christos || !WPACKET_start_sub_packet_u16(&hrrpkt)) { 847 1.1 christos WPACKET_cleanup(&hrrpkt); 848 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 849 1.1 christos return 0; 850 1.1 christos } 851 1.1 christos if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions) 852 1.1 christos || !WPACKET_start_sub_packet_u16(&hrrpkt) 853 1.1 christos || !WPACKET_put_bytes_u16(&hrrpkt, s->version) 854 1.1 christos || !WPACKET_close(&hrrpkt)) { 855 1.1 christos WPACKET_cleanup(&hrrpkt); 856 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 857 1.1 christos return 0; 858 1.1 christos } 859 1.1 christos if (key_share) { 860 1.1 christos if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share) 861 1.1 christos || !WPACKET_start_sub_packet_u16(&hrrpkt) 862 1.2 christos || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id) 863 1.1 christos || !WPACKET_close(&hrrpkt)) { 864 1.1 christos WPACKET_cleanup(&hrrpkt); 865 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 866 1.1 christos return 0; 867 1.1 christos } 868 1.1 christos } 869 1.1 christos if 
(!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie) 870 1.1 christos || !WPACKET_start_sub_packet_u16(&hrrpkt) 871 1.1 christos || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen) 872 1.1 christos || !WPACKET_close(&hrrpkt) /* cookie extension */ 873 1.1 christos || !WPACKET_close(&hrrpkt) /* extension block */ 874 1.1 christos || !WPACKET_close(&hrrpkt) /* message */ 875 1.1 christos || !WPACKET_get_total_written(&hrrpkt, &hrrlen) 876 1.1 christos || !WPACKET_finish(&hrrpkt)) { 877 1.1 christos WPACKET_cleanup(&hrrpkt); 878 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 879 1.1 christos return 0; 880 1.1 christos } 881 1.1 christos 882 1.1 christos /* Reconstruct the transcript hash */ 883 1.1 christos if (!create_synthetic_message_hash(s, PACKET_data(&chhash), 884 1.1 christos PACKET_remaining(&chhash), hrr, 885 1.1 christos hrrlen)) { 886 1.1 christos /* SSLfatal() already called */ 887 1.1 christos return 0; 888 1.1 christos } 889 1.1 christos 890 1.1 christos /* Act as if this ClientHello came after a HelloRetryRequest */ 891 1.2 christos s->hello_retry_request = SSL_HRR_PENDING; 892 1.1 christos 893 1.1 christos s->ext.cookieok = 1; 894 1.1 christos #endif 895 1.1 christos 896 1.1 christos return 1; 897 1.1 christos } 898 1.1 christos 899 1.1 christos int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, 900 1.1 christos X509 *x, size_t chainidx) 901 1.1 christos { 902 1.1 christos PACKET supported_groups_list; 903 1.1 christos 904 1.1 christos /* Each group is 2 bytes and we must have at least 1. 
*/ 905 1.1 christos if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list) 906 1.1 christos || PACKET_remaining(&supported_groups_list) == 0 907 1.1 christos || (PACKET_remaining(&supported_groups_list) % 2) != 0) { 908 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 909 1.1 christos return 0; 910 1.1 christos } 911 1.1 christos 912 1.1 christos if (!s->hit || SSL_IS_TLS13(s)) { 913 1.2 christos OPENSSL_free(s->ext.peer_supportedgroups); 914 1.2 christos s->ext.peer_supportedgroups = NULL; 915 1.2 christos s->ext.peer_supportedgroups_len = 0; 916 1.1 christos if (!tls1_save_u16(&supported_groups_list, 917 1.2 christos &s->ext.peer_supportedgroups, 918 1.2 christos &s->ext.peer_supportedgroups_len)) { 919 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 920 1.1 christos return 0; 921 1.1 christos } 922 1.1 christos } 923 1.1 christos 924 1.1 christos return 1; 925 1.1 christos } 926 1.1 christos 927 1.1 christos int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 928 1.1 christos size_t chainidx) 929 1.1 christos { 930 1.1 christos /* The extension must always be empty */ 931 1.1 christos if (PACKET_remaining(pkt) != 0) { 932 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 933 1.1 christos return 0; 934 1.1 christos } 935 1.1 christos 936 1.2 christos if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 937 1.2 christos return 1; 938 1.2 christos 939 1.2 christos s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; 940 1.1 christos 941 1.1 christos return 1; 942 1.1 christos } 943 1.1 christos 944 1.1 christos 945 1.1 christos int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, 946 1.1 christos X509 *x, size_t chainidx) 947 1.1 christos { 948 1.1 christos if (PACKET_remaining(pkt) != 0) { 949 1.2 christos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 950 1.1 christos return 0; 951 1.1 christos } 952 1.1 christos 953 1.1 christos if (s->hello_retry_request != 
SSL_HRR_NONE) {
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
        return 0;
    }

    return 1;
}

/*
 * Resolve a "ticket" that is really a session ID against the server-side
 * session cache (the stateful alternative to encrypted tickets).
 *
 * s->ext.ticket_expected is set before any lookup is attempted. An empty
 * ticket yields SSL_TICKET_EMPTY; anything that is not exactly
 * SSL_MAX_SSL_SESSION_ID_LENGTH bytes, or that is not found in the cache,
 * yields SSL_TICKET_NO_DECRYPT. On SSL_TICKET_SUCCESS *sess receives the
 * cached session; the caller later frees it, so it must be a reference the
 * caller owns.
 */
static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
                                                 SSL_SESSION **sess)
{
    SSL_SESSION *tmpsess = NULL;

    s->ext.ticket_expected = 1;

    switch (PACKET_remaining(tick)) {
    case 0:
        return SSL_TICKET_EMPTY;

    case SSL_MAX_SSL_SESSION_ID_LENGTH:
        break;

    default:
        /* Wrong length for a session ID: treat like an undecryptable ticket */
        return SSL_TICKET_NO_DECRYPT;
    }

    tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
                                   SSL_MAX_SSL_SESSION_ID_LENGTH);

    if (tmpsess == NULL)
        return SSL_TICKET_NO_DECRYPT;

    *sess = tmpsess;
    return SSL_TICKET_SUCCESS;
}

/*
 * Parse the pre_shared_key extension from a ClientHello: walk the offered
 * identities in order, stop at the first one that resolves to a usable
 * session, then verify the binder that belongs to it.
 *
 * An identity is resolved, in this order, by the application's
 * psk_find_session_cb, by the legacy psk_server_callback (which yields a
 * synthesised TLSv1.3 session using TLS_AES_128_GCM_SHA256 because that
 * callback reports no digest), and finally by treating it as a session
 * ticket: a stateful cache lookup when SSL_OP_NO_TICKET is set or
 * anti-replay is active, decryption via tls_decrypt_ticket() otherwise. The
 * resolved session must use the same hash as the negotiated ciphersuite, or
 * it is dropped and the next identity is tried.
 *
 * Binders: the binder list is walked up to position `id` (the accepted
 * identity) and only that binder is checked, via tls_psk_do_binder(); it
 * must be exactly the size of the session digest. On success s->session is
 * replaced by the resumed session and s->ext.tick_identity records which
 * identity was used.
 *
 * Early data: s->ext.early_data_ok is only ever set for the first identity
 * (id == 0). For a ticket it additionally requires the session not to have
 * expired and the client's de-obfuscated ticket age to lie within
 * TICKET_AGE_ALLOWANCE of the server's own measurement (see below).
 *
 * Returns 1 when the extension is ignored (no recognised PSK kex mode, or no
 * identity resolved) or when resumption was set up; returns 0 after
 * SSLfatal() on decode errors, callback failures, binder mismatch or
 * internal errors. On the `err` path any session still held is freed.
 */
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx)
{
    PACKET identities, binders, binder;
    size_t binderoffset, hashsize;
    SSL_SESSION *sess = NULL;
    unsigned int id, i, ext = 0;
    const EVP_MD *md = NULL;

    /*
     * If we have no PSK kex mode that we recognise then we can't resume so
     * ignore this extension
     */
    if ((s->ext.psk_kex_mode
            & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
        return 1;

    if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        return 0;
    }

    /* No NewSessionTicket unless an identity below resolves to a session */
    s->ext.ticket_expected = 0;
    for (id = 0; PACKET_remaining(&identities) != 0; id++) {
        PACKET identity;
        unsigned long ticket_agel;
        size_t idlen;

        /* Each PskIdentity is an opaque identity plus a 4-byte obfuscated age */
        if (!PACKET_get_length_prefixed_2(&identities, &identity)
                || !PACKET_get_net_4(&identities, &ticket_agel)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

        /* First choice: the application's session lookup callback */
        idlen = PACKET_remaining(&identity);
        if (s->psk_find_session_cb != NULL
                && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
                                           &sess)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
            return 0;
        }

#ifndef OPENSSL_NO_PSK
        /*
         * Second choice: the legacy PSK callback, which wants a NUL-terminated
         * identity and fills a fixed-size key buffer.
         */
        if(sess == NULL
                && s->psk_server_callback != NULL
                && idlen <= PSK_MAX_IDENTITY_LEN) {
            char *pskid = NULL;
            unsigned char pskdata[PSK_MAX_PSK_LEN];
            unsigned int pskdatalen;

            if (!PACKET_strndup(&identity, &pskid)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
            pskdatalen = s->psk_server_callback(s, pskid, pskdata,
                                                sizeof(pskdata));
            OPENSSL_free(pskid);
            /* The callback claims more than the buffer it was given */
            if (pskdatalen > PSK_MAX_PSK_LEN) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            } else if (pskdatalen > 0) {
                const SSL_CIPHER *cipher;
                const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };

                /*
                 * We found a PSK using an old style callback. We don't know
                 * the digest so we default to SHA256 as per the TLSv1.3 spec
                 */
                cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
                if (cipher == NULL) {
                    OPENSSL_cleanse(pskdata, pskdatalen);
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    return 0;
                }

                /* The key material is wiped from the stack on every path */
                sess = SSL_SESSION_new();
                if (sess == NULL
                        || !SSL_SESSION_set1_master_key(sess, pskdata,
                                                        pskdatalen)
                        || !SSL_SESSION_set_cipher(sess, cipher)
                        || !SSL_SESSION_set_protocol_version(sess,
                                                             TLS1_3_VERSION)) {
                    OPENSSL_cleanse(pskdata, pskdatalen);
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                    goto err;
                }
                OPENSSL_cleanse(pskdata, pskdatalen);
            }
        }
#endif /* OPENSSL_NO_PSK */

        if (sess != NULL) {
            /*
             * We found a PSK. Work on a private copy so that the sid_ctx
             * edits below never touch the object the callback handed us.
             */
            SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);

            if (sesstmp == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                goto err;
            }
            SSL_SESSION_free(sess);
            sess = sesstmp;

            /*
             * We've just been told to use this session for this context so
             * make sure the sid_ctx matches up.
             */
            memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
            sess->sid_ctx_length = s->sid_ctx_length;
            /* Marks an externally supplied PSK for tls_psk_do_binder() */
            ext = 1;
            if (id == 0)
                s->ext.early_data_ok = 1;
            s->ext.ticket_expected = 1;
        } else {
            /* Third choice: treat the identity as a session ticket */
            uint32_t ticket_age = 0, agesec, agems;
            int ret;

            /*
             * If we are using anti-replay protection then we behave as if
             * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
             * is no point in using full stateless tickets.
             */
            if ((s->options & SSL_OP_NO_TICKET) != 0
                    || (s->max_early_data > 0
                        && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
                ret = tls_get_stateful_ticket(s, &identity, &sess);
            else
                ret = tls_decrypt_ticket(s, PACKET_data(&identity),
                                         PACKET_remaining(&identity), NULL, 0,
                                         &sess);

            if (ret == SSL_TICKET_EMPTY) {
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
                return 0;
            }

            if (ret == SSL_TICKET_FATAL_ERR_MALLOC
                    || ret == SSL_TICKET_FATAL_ERR_OTHER) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return 0;
            }
            /* An unusable ticket is not an error: try the next identity */
            if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
                continue;

            /*
             * Check for replay. With anti-replay on, a ticket is single-use:
             * it is removed from the cache now, and if it was already gone
             * the ticket has been consumed before and is skipped.
             */
            if (s->max_early_data > 0
                    && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
                    && !SSL_CTX_remove_session(s->session_ctx, sess)) {
                SSL_SESSION_free(sess);
                sess = NULL;
                continue;
            }

            /*
             * Undo the client's age obfuscation: it sends
             * (age_ms + tick_age_add) mod 2^32, so the uint32_t wrap-around
             * in this subtraction is intentional.
             */
            ticket_age = (uint32_t)ticket_agel;
            agesec = (uint32_t)(time(NULL) - sess->time);
            agems = agesec * (uint32_t)1000;
            ticket_age -= sess->ext.tick_age_add;

            /*
             * For simplicity we do our age calculations in seconds. If the
             * client does it in ms then it could appear that their ticket age
             * is longer than ours (our ticket age calculation should always be
             * slightly longer than the client's due to the network latency).
             * Therefore we add 1000ms to our age calculation to adjust for
             * rounding errors.
             *
             * The agems / 1000 == agesec term rejects an agesec large enough
             * to overflow the millisecond conversion.
             */
            if (id == 0
                    && sess->timeout >= (long)agesec
                    && agems / (uint32_t)1000 == agesec
                    && ticket_age <= agems + 1000
                    && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
                /*
                 * Ticket age is within tolerance and not expired. We allow it
                 * for early data
                 */
                s->ext.early_data_ok = 1;
            }
        }

        /*
         * The binder is computed with the session's digest, which must match
         * the digest of the ciphersuite we have already chosen.
         */
        md = ssl_md(s->ctx, sess->cipher->algorithm2);
        if (md == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            goto err;
        }
        if (!EVP_MD_is_a(md,
                         EVP_MD_get0_name(ssl_md(s->ctx,
                                                 s->s3.tmp.new_cipher->algorithm2)))) {
            /* The ciphersuite is not compatible with this session. */
            SSL_SESSION_free(sess);
            sess = NULL;
            s->ext.early_data_ok = 0;
            s->ext.ticket_expected = 0;
            continue;
        }
        /* First usable identity wins; `id` now indexes the binder to check */
        break;
    }

    if (sess == NULL)
        return 1;

    /*
     * Offset of the binders list within the ClientHello held in init_buf;
     * tls_psk_do_binder() is given this so that, presumably, only the
     * bytes before the binders enter the binder transcript.
     */
    binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
    hashsize = EVP_MD_get_size(md);

    if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        goto err;
    }

    /* Skip forward to the binder that pairs with identity `id` */
    for (i = 0; i <= id; i++) {
        if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
            goto err;
        }
    }

    if (PACKET_remaining(&binder) != hashsize) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
        goto err;
    }
    if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
                          binderoffset, PACKET_data(&binder), NULL, sess, 0,
                          ext) != 1) {
        /* SSLfatal() already called */
        goto err;
    }

    s->ext.tick_identity = id;

    /* Resume on the selected session; the old one is released */
    SSL_SESSION_free(s->session);
    s->session = sess;
    return 1;
err:
    SSL_SESSION_free(sess);
    return 0;
}

/*
 * Parse the client's post_handshake_auth extension. It has no body; its
 * presence is recorded as SSL_PHA_EXT_RECEIVED. Returns 1 on success, 0
 * after SSLfatal() on a non-empty body.
 */
int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
                                       ossl_unused unsigned int context,
                                       ossl_unused X509 *x,
ossl_unused size_t chainidx)
{
    if (PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
        return 0;
    }

    s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;

    return 1;
}

/*
 * Add the server's renegotiation_info extension: the previous client and
 * server Finished values, concatenated inside a u8-length-prefixed field.
 *
 * Sent whenever s->s3.send_connection_binding is set, regardless of
 * SSL_OP_NO_RENEGOTIATION. Returns EXT_RETURN_NOT_SENT when no binding is
 * due, EXT_RETURN_FAIL after SSLfatal() if the packet cannot be written,
 * EXT_RETURN_SENT otherwise.
 */
EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    if (!s->s3.send_connection_binding)
        return EXT_RETURN_NOT_SENT;

    /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u8(pkt)
            || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
                               s->s3.previous_client_finished_len)
            || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
                               s->s3.previous_server_finished_len)
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Acknowledge the client's server_name extension with an empty extension.
 *
 * Only sent when SNI processing completed (s->servername_done == 1) and,
 * before TLSv1.3, only on a full handshake. Returns EXT_RETURN_NOT_SENT,
 * EXT_RETURN_FAIL (after SSLfatal()) or EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
                                          unsigned int context, X509 *x,
                                          size_t chainidx)
{
    if (s->servername_done != 1)
        return EXT_RETURN_NOT_SENT;

    /*
     * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
     * We just use the servername from the initial handshake.
     */
    if (s->hit && !SSL_IS_TLS13(s))
        return EXT_RETURN_NOT_SENT;

    /* Type followed by a zero extension length: the body is empty */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the server's max_fragment_length extension to the ServerHello.
 *
 * Echoes the single code byte stored in the session
 * (s->session->ext.max_fragment_len_mode) when USE_MAX_FRAGMENT_LENGTH_EXT
 * says the session negotiated one. Returns EXT_RETURN_NOT_SENT,
 * EXT_RETURN_FAIL (after SSLfatal()) or EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
        return EXT_RETURN_NOT_SENT;

    /*-
     * 4 bytes for this extension type and extension length
     * 1 byte for the Max Fragment Length code value.
     */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the server's ec_point_formats extension.
 *
 * Sent only when the chosen ciphersuite uses ECDHE key exchange or ECDSA
 * authentication and the client itself offered point formats
 * (s->ext.peer_ecpointformats). The body is the server's own format list
 * from tls1_get_formatlist(). Returns EXT_RETURN_NOT_SENT, EXT_RETURN_FAIL
 * (after SSLfatal()) or EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
                                            unsigned int context, X509 *x,
                                            size_t chainidx)
{
    unsigned long kex_alg = s->s3.tmp.new_cipher->algorithm_mkey;
    unsigned long auth_alg = s->s3.tmp.new_cipher->algorithm_auth;
    int ecc_in_use = (kex_alg & SSL_kECDHE) != 0 || (auth_alg & SSL_aECDSA) != 0;
    const unsigned char *formats;
    size_t formats_len;

    if (!ecc_in_use || s->ext.peer_ecpointformats == NULL)
        return EXT_RETURN_NOT_SENT;

    tls1_get_formatlist(s, &formats, &formats_len);
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, formats, formats_len)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the server's supported_groups extension (EncryptedExtensions).
 *
 * Only relevant once a client key_share has been accepted (s->s3.group_id
 * non-zero). The list contains every configured group that is valid for the
 * negotiated version and permitted by the security level. If the client is
 * already using the first such group, the extension is omitted altogether.
 * Returns EXT_RETURN_NOT_SENT, EXT_RETURN_FAIL (after SSLfatal()) or
 * EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
                                               unsigned int context, X509 *x,
                                               size_t chainidx)
{
    const uint16_t *our_groups;
    size_t ngroups, idx;
    int wrote_header = 0;
    int ver;

    /* A non-zero s->s3.group_id means a client key_share was accepted */
    if (s->s3.group_id == 0)
        return EXT_RETURN_NOT_SENT;

    tls1_get_supported_groups(s, &our_groups, &ngroups);
    if (ngroups == 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    ver = SSL_version(s);
    for (idx = 0; idx < ngroups; idx++) {
        uint16_t grp = our_groups[idx];

        /* Skip groups unusable at this version or below the security level */
        if (!tls_valid_group(s, grp, ver, ver, 0, NULL)
                || !tls_group_allowed(s, grp, SSL_SECOP_CURVE_SUPPORTED))
            continue;

        if (!wrote_header) {
            /*
             * The first usable group is our preferred one. If the client is
             * already using it there is nothing to tell it.
             */
            if (s->s3.group_id == grp)
                return EXT_RETURN_NOT_SENT;

            /* Extension header, then the u16-length-prefixed group list */
            if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
                    || !WPACKET_start_sub_packet_u16(pkt)
                    || !WPACKET_start_sub_packet_u16(pkt)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                return EXT_RETURN_FAIL;
            }
            wrote_header = 1;
        }

        if (!WPACKET_put_bytes_u16(pkt, grp)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
            return EXT_RETURN_FAIL;
        }
    }

    /*
     * NOTE(review): if no group passed the filter above, no sub-packet was
     * opened and these closes run anyway; presumably WPACKET_close then
     * fails and the error below is reported - confirm.
     */
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

/*
 * Add the server's (empty) session_ticket extension, announcing that a
 * NewSessionTicket will follow.
 *
 * If no ticket is expected or tickets are disabled by tls_use_ticket(), the
 * expectation is cleared and nothing is sent. Returns EXT_RETURN_NOT_SENT,
 * EXT_RETURN_FAIL (after SSLfatal()) or EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
        s->ext.ticket_expected = 0;
        return EXT_RETURN_NOT_SENT;
    }

    /* Type followed by a zero extension length: the body is empty */
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Add the server's status_request extension.
 *
 * Not sent inside a TLSv1.3 CertificateRequest, when no status was
 * requested (s->ext.status_expected clear), or in TLSv1.3 for any
 * certificate other than the leaf (chainidx != 0). In TLSv1.3 the
 * certificate status body is embedded here; at TLSv1.2 and below the
 * extension is empty and the status travels as its own message. Returns
 * EXT_RETURN_NOT_SENT, EXT_RETURN_FAIL (after SSLfatal()) or
 * EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    /* We don't currently support this extension inside a CertificateRequest */
    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
            || !s->ext.status_expected
            || (SSL_IS_TLS13(s) && chainidx != 0))
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    /*
     * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
     * send back an empty extension, with the certificate status appearing as a
     * separate message
     */
    if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
        /* SSLfatal() already called */
        return EXT_RETURN_FAIL;
    }
    if (!WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
/*
 * Add the server's next_proto_neg extension.
 *
 * s->s3.npn_seen (set while parsing the ClientHello) is consumed here: it is
 * cleared on entry and set again only after the extension has actually been
 * written, so later code can tell whether NPN is in play. The protocol list
 * comes from the application's npn_advertised_cb; any callback result other
 * than SSL_TLSEXT_ERR_OK suppresses the extension. Returns
 * EXT_RETURN_NOT_SENT, EXT_RETURN_FAIL (after SSLfatal()) or
 * EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    const unsigned char *protos;
    unsigned int protos_len;
    int cb_status;
    int client_sent_npn = s->s3.npn_seen;

    s->s3.npn_seen = 0;
    if (!client_sent_npn || s->ctx->ext.npn_advertised_cb == NULL)
        return EXT_RETURN_NOT_SENT;

    cb_status = s->ctx->ext.npn_advertised_cb(s, &protos, &protos_len,
                                              s->ctx->ext.npn_advertised_cb_arg);
    if (cb_status != SSL_TLSEXT_ERR_OK)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
            || !WPACKET_sub_memcpy_u16(pkt, protos, protos_len)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }
    s->s3.npn_seen = 1;

    return EXT_RETURN_SENT;
}
#endif

/*
 * Add the server's ALPN extension carrying the single selected protocol
 * (s->s3.alpn_selected), wrapped as a u16 protocol list holding one
 * u8-length-prefixed name. Nothing is sent when no protocol was selected.
 * Returns EXT_RETURN_NOT_SENT, EXT_RETURN_FAIL (after SSLfatal()) or
 * EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
{
    if (s->s3.alpn_selected == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt,
                TLSEXT_TYPE_application_layer_protocol_negotiation)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
                                      s->s3.alpn_selected_len)
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

#ifndef OPENSSL_NO_SRTP
/*
 * Add the server's use_srtp extension: a one-entry profile list (length 2)
 * holding the negotiated profile id (s->srtp_profile->id) followed by an
 * empty MKI (length byte 0). Nothing is sent when no profile was chosen.
 * Returns EXT_RETURN_NOT_SENT, EXT_RETURN_FAIL (after SSLfatal()) or
 * EXT_RETURN_SENT.
 */
EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
                                       unsigned int context, X509 *x,
                                       size_t chainidx)
{
    if (s->srtp_profile == NULL)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u16(pkt, 2)
            || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
            || !WPACKET_put_bytes_u8(pkt, 0)
            || !WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}
#endif

EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
                                  X509 *x, size_t chainidx)
1.1 christos { 1532 1.1 christos if (!s->ext.use_etm) 1533 1.1 christos return EXT_RETURN_NOT_SENT; 1534 1.1 christos 1535 1.1 christos /* 1536 1.1 christos * Don't use encrypt_then_mac if AEAD or RC4 might want to disable 1537 1.1 christos * for other cases too. 1538 1.1 christos */ 1539 1.2 christos if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD 1540 1.2 christos || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4 1541 1.2 christos || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT 1542 1.2 christos || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12 1543 1.2 christos || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA 1544 1.2 christos || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) { 1545 1.1 christos s->ext.use_etm = 0; 1546 1.1 christos return EXT_RETURN_NOT_SENT; 1547 1.1 christos } 1548 1.1 christos 1549 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 1550 1.1 christos || !WPACKET_put_bytes_u16(pkt, 0)) { 1551 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1552 1.1 christos return EXT_RETURN_FAIL; 1553 1.1 christos } 1554 1.1 christos 1555 1.1 christos return EXT_RETURN_SENT; 1556 1.1 christos } 1557 1.1 christos 1558 1.1 christos EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, 1559 1.1 christos X509 *x, size_t chainidx) 1560 1.1 christos { 1561 1.2 christos if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) 1562 1.1 christos return EXT_RETURN_NOT_SENT; 1563 1.1 christos 1564 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 1565 1.1 christos || !WPACKET_put_bytes_u16(pkt, 0)) { 1566 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1567 1.1 christos return EXT_RETURN_FAIL; 1568 1.1 christos } 1569 1.1 christos 1570 1.1 christos return EXT_RETURN_SENT; 1571 1.1 christos } 1572 1.1 christos 1573 1.1 christos EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt, 1574 1.1 
christos unsigned int context, X509 *x, 1575 1.1 christos size_t chainidx) 1576 1.1 christos { 1577 1.1 christos if (!ossl_assert(SSL_IS_TLS13(s))) { 1578 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1579 1.1 christos return EXT_RETURN_FAIL; 1580 1.1 christos } 1581 1.1 christos 1582 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 1583 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1584 1.1 christos || !WPACKET_put_bytes_u16(pkt, s->version) 1585 1.1 christos || !WPACKET_close(pkt)) { 1586 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1587 1.1 christos return EXT_RETURN_FAIL; 1588 1.1 christos } 1589 1.1 christos 1590 1.1 christos return EXT_RETURN_SENT; 1591 1.1 christos } 1592 1.1 christos 1593 1.1 christos EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, 1594 1.1 christos unsigned int context, X509 *x, 1595 1.1 christos size_t chainidx) 1596 1.1 christos { 1597 1.1 christos #ifndef OPENSSL_NO_TLS1_3 1598 1.1 christos unsigned char *encodedPoint; 1599 1.1 christos size_t encoded_pt_len = 0; 1600 1.2 christos EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL; 1601 1.2 christos const TLS_GROUP_INFO *ginf = NULL; 1602 1.1 christos 1603 1.1 christos if (s->hello_retry_request == SSL_HRR_PENDING) { 1604 1.1 christos if (ckey != NULL) { 1605 1.1 christos /* Original key_share was acceptable so don't ask for another one */ 1606 1.1 christos return EXT_RETURN_NOT_SENT; 1607 1.1 christos } 1608 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 1609 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1610 1.2 christos || !WPACKET_put_bytes_u16(pkt, s->s3.group_id) 1611 1.1 christos || !WPACKET_close(pkt)) { 1612 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1613 1.1 christos return EXT_RETURN_FAIL; 1614 1.1 christos } 1615 1.1 christos 1616 1.1 christos return EXT_RETURN_SENT; 1617 1.1 christos } 1618 1.1 christos 1619 1.1 christos if (ckey 
== NULL) { 1620 1.1 christos /* No key_share received from client - must be resuming */ 1621 1.1 christos if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { 1622 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1623 1.1 christos return EXT_RETURN_FAIL; 1624 1.1 christos } 1625 1.1 christos return EXT_RETURN_NOT_SENT; 1626 1.1 christos } 1627 1.2 christos if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) { 1628 1.2 christos /* 1629 1.2 christos * PSK ('hit') and explicitly not doing DHE (if the client sent the 1630 1.2 christos * DHE option we always take it); don't send key share. 1631 1.2 christos */ 1632 1.2 christos return EXT_RETURN_NOT_SENT; 1633 1.2 christos } 1634 1.1 christos 1635 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 1636 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1637 1.2 christos || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) { 1638 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1639 1.1 christos return EXT_RETURN_FAIL; 1640 1.1 christos } 1641 1.1 christos 1642 1.2 christos if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) { 1643 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1644 1.1 christos return EXT_RETURN_FAIL; 1645 1.1 christos } 1646 1.1 christos 1647 1.2 christos if (!ginf->is_kem) { 1648 1.2 christos /* Regular KEX */ 1649 1.2 christos skey = ssl_generate_pkey(s, ckey); 1650 1.2 christos if (skey == NULL) { 1651 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1652 1.2 christos return EXT_RETURN_FAIL; 1653 1.2 christos } 1654 1.2 christos 1655 1.2 christos /* Generate encoding of server key */ 1656 1.2 christos encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint); 1657 1.2 christos if (encoded_pt_len == 0) { 1658 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 1659 1.2 christos EVP_PKEY_free(skey); 1660 1.2 christos return 
EXT_RETURN_FAIL; 1661 1.2 christos } 1662 1.1 christos 1663 1.2 christos if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) 1664 1.2 christos || !WPACKET_close(pkt)) { 1665 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1666 1.2 christos EVP_PKEY_free(skey); 1667 1.2 christos OPENSSL_free(encodedPoint); 1668 1.2 christos return EXT_RETURN_FAIL; 1669 1.2 christos } 1670 1.1 christos OPENSSL_free(encodedPoint); 1671 1.1 christos 1672 1.2 christos /* 1673 1.2 christos * This causes the crypto state to be updated based on the derived keys 1674 1.2 christos */ 1675 1.2 christos s->s3.tmp.pkey = skey; 1676 1.2 christos if (ssl_derive(s, skey, ckey, 1) == 0) { 1677 1.2 christos /* SSLfatal() already called */ 1678 1.2 christos return EXT_RETURN_FAIL; 1679 1.2 christos } 1680 1.2 christos } else { 1681 1.2 christos /* KEM mode */ 1682 1.2 christos unsigned char *ct = NULL; 1683 1.2 christos size_t ctlen = 0; 1684 1.2 christos 1685 1.2 christos /* 1686 1.2 christos * This does not update the crypto state. 1687 1.2 christos * 1688 1.2 christos * The generated pms is stored in `s->s3.tmp.pms` to be later used via 1689 1.2 christos * ssl_gensecret(). 
1690 1.2 christos */ 1691 1.2 christos if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) { 1692 1.2 christos /* SSLfatal() already called */ 1693 1.2 christos return EXT_RETURN_FAIL; 1694 1.2 christos } 1695 1.2 christos 1696 1.2 christos if (ctlen == 0) { 1697 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1698 1.2 christos OPENSSL_free(ct); 1699 1.2 christos return EXT_RETURN_FAIL; 1700 1.2 christos } 1701 1.2 christos 1702 1.2 christos if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen) 1703 1.2 christos || !WPACKET_close(pkt)) { 1704 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1705 1.2 christos OPENSSL_free(ct); 1706 1.2 christos return EXT_RETURN_FAIL; 1707 1.2 christos } 1708 1.2 christos OPENSSL_free(ct); 1709 1.2 christos 1710 1.2 christos /* 1711 1.2 christos * This causes the crypto state to be updated based on the generated pms 1712 1.2 christos */ 1713 1.2 christos if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) { 1714 1.2 christos /* SSLfatal() already called */ 1715 1.2 christos return EXT_RETURN_FAIL; 1716 1.2 christos } 1717 1.1 christos } 1718 1.2 christos s->s3.did_kex = 1; 1719 1.1 christos return EXT_RETURN_SENT; 1720 1.1 christos #else 1721 1.1 christos return EXT_RETURN_FAIL; 1722 1.1 christos #endif 1723 1.1 christos } 1724 1.1 christos 1725 1.1 christos EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context, 1726 1.1 christos X509 *x, size_t chainidx) 1727 1.1 christos { 1728 1.1 christos #ifndef OPENSSL_NO_TLS1_3 1729 1.1 christos unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie; 1730 1.1 christos unsigned char *hmac, *hmac2; 1731 1.1 christos size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen; 1732 1.1 christos EVP_MD_CTX *hctx; 1733 1.1 christos EVP_PKEY *pkey; 1734 1.1 christos int ret = EXT_RETURN_FAIL; 1735 1.1 christos 1736 1.2 christos if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0) 1737 1.1 christos return 
EXT_RETURN_NOT_SENT; 1738 1.1 christos 1739 1.1 christos if (s->ctx->gen_stateless_cookie_cb == NULL) { 1740 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET); 1741 1.1 christos return EXT_RETURN_FAIL; 1742 1.1 christos } 1743 1.1 christos 1744 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 1745 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1746 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1747 1.1 christos || !WPACKET_get_total_written(pkt, &startlen) 1748 1.1 christos || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie) 1749 1.1 christos || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION) 1750 1.1 christos || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION) 1751 1.2 christos || !WPACKET_put_bytes_u16(pkt, s->s3.group_id) 1752 1.2 christos || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, 1753 1.1 christos &ciphlen) 1754 1.1 christos /* Is there a key_share extension present in this HRR? */ 1755 1.2 christos || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL) 1756 1.2 christos || !WPACKET_put_bytes_u64(pkt, time(NULL)) 1757 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1758 1.1 christos || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) { 1759 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1760 1.1 christos return EXT_RETURN_FAIL; 1761 1.1 christos } 1762 1.1 christos 1763 1.1 christos /* 1764 1.1 christos * Get the hash of the initial ClientHello. 
ssl_handshake_hash() operates 1765 1.1 christos * on raw buffers, so we first reserve sufficient bytes (above) and then 1766 1.1 christos * subsequently allocate them (below) 1767 1.1 christos */ 1768 1.1 christos if (!ssl3_digest_cached_records(s, 0) 1769 1.1 christos || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) { 1770 1.1 christos /* SSLfatal() already called */ 1771 1.1 christos return EXT_RETURN_FAIL; 1772 1.1 christos } 1773 1.1 christos 1774 1.1 christos if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2) 1775 1.1 christos || !ossl_assert(hashval1 == hashval2) 1776 1.1 christos || !WPACKET_close(pkt) 1777 1.1 christos || !WPACKET_start_sub_packet_u8(pkt) 1778 1.1 christos || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) { 1779 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1780 1.1 christos return EXT_RETURN_FAIL; 1781 1.1 christos } 1782 1.1 christos 1783 1.1 christos /* Generate the application cookie */ 1784 1.1 christos if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) { 1785 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); 1786 1.1 christos return EXT_RETURN_FAIL; 1787 1.1 christos } 1788 1.1 christos 1789 1.1 christos if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2) 1790 1.1 christos || !ossl_assert(appcookie1 == appcookie2) 1791 1.1 christos || !WPACKET_close(pkt) 1792 1.1 christos || !WPACKET_get_total_written(pkt, &totcookielen) 1793 1.1 christos || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) { 1794 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1795 1.1 christos return EXT_RETURN_FAIL; 1796 1.1 christos } 1797 1.1 christos hmaclen = SHA256_DIGEST_LENGTH; 1798 1.1 christos 1799 1.1 christos totcookielen -= startlen; 1800 1.1 christos if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) { 1801 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1802 
1.1 christos return EXT_RETURN_FAIL; 1803 1.1 christos } 1804 1.1 christos 1805 1.1 christos /* HMAC the cookie */ 1806 1.1 christos hctx = EVP_MD_CTX_create(); 1807 1.2 christos pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", 1808 1.2 christos s->ctx->propq, 1809 1.2 christos s->session_ctx->ext.cookie_hmac_key, 1810 1.2 christos sizeof(s->session_ctx->ext.cookie_hmac_key)); 1811 1.1 christos if (hctx == NULL || pkey == NULL) { 1812 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 1813 1.1 christos goto err; 1814 1.1 christos } 1815 1.1 christos 1816 1.2 christos if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx, 1817 1.2 christos s->ctx->propq, pkey, NULL) <= 0 1818 1.1 christos || EVP_DigestSign(hctx, hmac, &hmaclen, cookie, 1819 1.1 christos totcookielen) <= 0) { 1820 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1821 1.1 christos goto err; 1822 1.1 christos } 1823 1.1 christos 1824 1.1 christos if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) { 1825 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1826 1.1 christos goto err; 1827 1.1 christos } 1828 1.1 christos 1829 1.1 christos if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2) 1830 1.1 christos || !ossl_assert(hmac == hmac2) 1831 1.1 christos || !ossl_assert(cookie == hmac - totcookielen) 1832 1.1 christos || !WPACKET_close(pkt) 1833 1.1 christos || !WPACKET_close(pkt)) { 1834 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1835 1.1 christos goto err; 1836 1.1 christos } 1837 1.1 christos 1838 1.1 christos ret = EXT_RETURN_SENT; 1839 1.1 christos 1840 1.1 christos err: 1841 1.1 christos EVP_MD_CTX_free(hctx); 1842 1.1 christos EVP_PKEY_free(pkey); 1843 1.1 christos return ret; 1844 1.1 christos #else 1845 1.1 christos return EXT_RETURN_FAIL; 1846 1.1 christos #endif 1847 1.1 christos } 1848 1.1 christos 1849 1.1 christos EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, 
WPACKET *pkt, 1850 1.1 christos unsigned int context, X509 *x, 1851 1.1 christos size_t chainidx) 1852 1.1 christos { 1853 1.1 christos const unsigned char cryptopro_ext[36] = { 1854 1.1 christos 0xfd, 0xe8, /* 65000 */ 1855 1.1 christos 0x00, 0x20, /* 32 bytes length */ 1856 1.1 christos 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, 1857 1.1 christos 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, 1858 1.1 christos 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, 1859 1.1 christos 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 1860 1.1 christos }; 1861 1.1 christos 1862 1.2 christos if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80 1863 1.2 christos && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81) 1864 1.1 christos || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0) 1865 1.1 christos return EXT_RETURN_NOT_SENT; 1866 1.1 christos 1867 1.1 christos if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) { 1868 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1869 1.1 christos return EXT_RETURN_FAIL; 1870 1.1 christos } 1871 1.1 christos 1872 1.1 christos return EXT_RETURN_SENT; 1873 1.1 christos } 1874 1.1 christos 1875 1.1 christos EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, 1876 1.1 christos unsigned int context, X509 *x, 1877 1.1 christos size_t chainidx) 1878 1.1 christos { 1879 1.1 christos if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 1880 1.1 christos if (s->max_early_data == 0) 1881 1.1 christos return EXT_RETURN_NOT_SENT; 1882 1.1 christos 1883 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 1884 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1885 1.1 christos || !WPACKET_put_bytes_u32(pkt, s->max_early_data) 1886 1.1 christos || !WPACKET_close(pkt)) { 1887 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1888 1.1 christos return EXT_RETURN_FAIL; 1889 1.1 christos } 1890 1.1 christos 1891 1.1 christos return EXT_RETURN_SENT; 1892 1.1 christos } 1893 
1.1 christos 1894 1.1 christos if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED) 1895 1.1 christos return EXT_RETURN_NOT_SENT; 1896 1.1 christos 1897 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 1898 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1899 1.1 christos || !WPACKET_close(pkt)) { 1900 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1901 1.1 christos return EXT_RETURN_FAIL; 1902 1.1 christos } 1903 1.1 christos 1904 1.1 christos return EXT_RETURN_SENT; 1905 1.1 christos } 1906 1.1 christos 1907 1.1 christos EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, 1908 1.1 christos X509 *x, size_t chainidx) 1909 1.1 christos { 1910 1.1 christos if (!s->hit) 1911 1.1 christos return EXT_RETURN_NOT_SENT; 1912 1.1 christos 1913 1.1 christos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1914 1.1 christos || !WPACKET_start_sub_packet_u16(pkt) 1915 1.2 christos || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity) 1916 1.1 christos || !WPACKET_close(pkt)) { 1917 1.2 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1918 1.1 christos return EXT_RETURN_FAIL; 1919 1.1 christos } 1920 1.1 christos 1921 1.1 christos return EXT_RETURN_SENT; 1922 1.1 christos } 1923