VirtualBox

source: vbox/trunk/src/libs/openssl-3.4.1/ssl/statem/extensions_clnt.c@ 109052

Last change on this file since 109052 was 109052, checked in by vboxsync, 4 weeks ago

openssl-3.4.1: Applied our changes, regenerated files, added missing files and functions. This time with a three way merge. ​bugref:10890
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 72.9 KB
Line 
1/*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_local.h"
12#include "internal/cryptlib.h"
13#include "statem_local.h"
14
15EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
16 unsigned int context, X509 *x,
17 size_t chainidx)
18{
19 if (!s->renegotiate) {
20 /* If not renegotiating, send an empty RI extension to indicate support */
21
22#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
23# error Internal DTLS version error
24#endif
25
26 if (!SSL_CONNECTION_IS_DTLS(s)
27 && (s->min_proto_version >= TLS1_3_VERSION
28 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
29 && s->min_proto_version <= TLS1_VERSION))) {
30 /*
31 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this
32 * extension isn't used at all.
33 */
34 return EXT_RETURN_NOT_SENT;
35 }
36
37
38 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
39 || !WPACKET_start_sub_packet_u16(pkt)
40 || !WPACKET_put_bytes_u8(pkt, 0)
41 || !WPACKET_close(pkt)) {
42 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43 return EXT_RETURN_FAIL;
44 }
45
46 return EXT_RETURN_SENT;
47 }
48
49 /* Add a complete RI extension if renegotiating */
50 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
51 || !WPACKET_start_sub_packet_u16(pkt)
52 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
53 s->s3.previous_client_finished_len)
54 || !WPACKET_close(pkt)) {
55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
56 return EXT_RETURN_FAIL;
57 }
58
59 return EXT_RETURN_SENT;
60}
61
62EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
63 unsigned int context, X509 *x,
64 size_t chainidx)
65{
66 if (s->ext.hostname == NULL)
67 return EXT_RETURN_NOT_SENT;
68
69 /* Add TLS extension servername to the Client Hello message */
70 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
71 /* Sub-packet for server_name extension */
72 || !WPACKET_start_sub_packet_u16(pkt)
73 /* Sub-packet for servername list (always 1 hostname)*/
74 || !WPACKET_start_sub_packet_u16(pkt)
75 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
76 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
77 strlen(s->ext.hostname))
78 || !WPACKET_close(pkt)
79 || !WPACKET_close(pkt)) {
80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
81 return EXT_RETURN_FAIL;
82 }
83
84 return EXT_RETURN_SENT;
85}
86
87/* Push a Max Fragment Len extension into ClientHello */
88EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
89 unsigned int context, X509 *x,
90 size_t chainidx)
91{
92 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
93 return EXT_RETURN_NOT_SENT;
94
95 /* Add Max Fragment Length extension if client enabled it. */
96 /*-
97 * 4 bytes for this extension type and extension length
98 * 1 byte for the Max Fragment Length code value.
99 */
100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
101 /* Sub-packet for Max Fragment Length extension (1 byte) */
102 || !WPACKET_start_sub_packet_u16(pkt)
103 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
104 || !WPACKET_close(pkt)) {
105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
106 return EXT_RETURN_FAIL;
107 }
108
109 return EXT_RETURN_SENT;
110}
111
112#ifndef OPENSSL_NO_SRP
113EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
114 unsigned int context,
115 X509 *x, size_t chainidx)
116{
117 /* Add SRP username if there is one */
118 if (s->srp_ctx.login == NULL)
119 return EXT_RETURN_NOT_SENT;
120
121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
122 /* Sub-packet for SRP extension */
123 || !WPACKET_start_sub_packet_u16(pkt)
124 || !WPACKET_start_sub_packet_u8(pkt)
125 /* login must not be zero...internal error if so */
126 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
127 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
128 strlen(s->srp_ctx.login))
129 || !WPACKET_close(pkt)
130 || !WPACKET_close(pkt)) {
131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
132 return EXT_RETURN_FAIL;
133 }
134
135 return EXT_RETURN_SENT;
136}
137#endif
138
139static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
140{
141 int i, end, ret = 0;
142 unsigned long alg_k, alg_a;
143 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
144 const uint16_t *pgroups = NULL;
145 size_t num_groups, j;
146 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
147
148 /* See if we support any ECC ciphersuites */
149 if (s->version == SSL3_VERSION)
150 return 0;
151
152 cipher_stack = SSL_get1_supported_ciphers(ssl);
153 end = sk_SSL_CIPHER_num(cipher_stack);
154 for (i = 0; i < end; i++) {
155 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
156
157 alg_k = c->algorithm_mkey;
158 alg_a = c->algorithm_auth;
159 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
160 || (alg_a & SSL_aECDSA)
161 || c->min_tls >= TLS1_3_VERSION) {
162 ret = 1;
163 break;
164 }
165 }
166 sk_SSL_CIPHER_free(cipher_stack);
167 if (!ret)
168 return 0;
169
170 /* Check we have at least one EC supported group */
171 tls1_get_supported_groups(s, &pgroups, &num_groups);
172 for (j = 0; j < num_groups; j++) {
173 uint16_t ctmp = pgroups[j];
174
175 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
176 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
177 return 1;
178 }
179
180 return 0;
181}
182
183EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
184 unsigned int context, X509 *x,
185 size_t chainidx)
186{
187 const unsigned char *pformats;
188 size_t num_formats;
189 int reason, min_version, max_version;
190
191 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
192 if (reason != 0) {
193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
194 return EXT_RETURN_FAIL;
195 }
196 if (!use_ecc(s, min_version, max_version))
197 return EXT_RETURN_NOT_SENT;
198
199 /* Add TLS extension ECPointFormats to the ClientHello message */
200 tls1_get_formatlist(s, &pformats, &num_formats);
201
202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
203 /* Sub-packet for formats extension */
204 || !WPACKET_start_sub_packet_u16(pkt)
205 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
206 || !WPACKET_close(pkt)) {
207 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
208 return EXT_RETURN_FAIL;
209 }
210
211 return EXT_RETURN_SENT;
212}
213
214EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
215 unsigned int context, X509 *x,
216 size_t chainidx)
217{
218 const uint16_t *pgroups = NULL;
219 size_t num_groups = 0, i, tls13added = 0, added = 0;
220 int min_version, max_version, reason;
221
222 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
223 if (reason != 0) {
224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
225 return EXT_RETURN_FAIL;
226 }
227
228 /*
229 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
230 * if we don't have EC support then we don't send this extension.
231 */
232 if (!use_ecc(s, min_version, max_version)
233 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
234 return EXT_RETURN_NOT_SENT;
235
236 /*
237 * Add TLS extension supported_groups to the ClientHello message
238 */
239 tls1_get_supported_groups(s, &pgroups, &num_groups);
240
241 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
242 /* Sub-packet for supported_groups extension */
243 || !WPACKET_start_sub_packet_u16(pkt)
244 || !WPACKET_start_sub_packet_u16(pkt)
245 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
247 return EXT_RETURN_FAIL;
248 }
249 /* Copy group ID if supported */
250 for (i = 0; i < num_groups; i++) {
251 uint16_t ctmp = pgroups[i];
252 int okfortls13;
253
254 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
255 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
256 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
258 return EXT_RETURN_FAIL;
259 }
260 if (okfortls13 && max_version == TLS1_3_VERSION)
261 tls13added++;
262 added++;
263 }
264 }
265 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
266 if (added == 0)
267 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
268 "No groups enabled for max supported SSL/TLS version");
269 else
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
271 return EXT_RETURN_FAIL;
272 }
273
274 if (tls13added == 0 && max_version == TLS1_3_VERSION) {
275 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
276 "No groups enabled for max supported SSL/TLS version");
277 return EXT_RETURN_FAIL;
278 }
279
280 return EXT_RETURN_SENT;
281}
282
283EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
284 unsigned int context, X509 *x,
285 size_t chainidx)
286{
287 size_t ticklen;
288
289 if (!tls_use_ticket(s))
290 return EXT_RETURN_NOT_SENT;
291
292 if (!s->new_session && s->session != NULL
293 && s->session->ext.tick != NULL
294 && s->session->ssl_version != TLS1_3_VERSION) {
295 ticklen = s->session->ext.ticklen;
296 } else if (s->session && s->ext.session_ticket != NULL
297 && s->ext.session_ticket->data != NULL) {
298 ticklen = s->ext.session_ticket->length;
299 s->session->ext.tick = OPENSSL_malloc(ticklen);
300 if (s->session->ext.tick == NULL) {
301 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
302 return EXT_RETURN_FAIL;
303 }
304 memcpy(s->session->ext.tick,
305 s->ext.session_ticket->data, ticklen);
306 s->session->ext.ticklen = ticklen;
307 } else {
308 ticklen = 0;
309 }
310
311 if (ticklen == 0 && s->ext.session_ticket != NULL &&
312 s->ext.session_ticket->data == NULL)
313 return EXT_RETURN_NOT_SENT;
314
315 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
316 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
318 return EXT_RETURN_FAIL;
319 }
320
321 return EXT_RETURN_SENT;
322}
323
324EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
325 unsigned int context, X509 *x,
326 size_t chainidx)
327{
328 size_t salglen;
329 const uint16_t *salg;
330
331 if (!SSL_CLIENT_USE_SIGALGS(s))
332 return EXT_RETURN_NOT_SENT;
333
334 salglen = tls12_get_psigalgs(s, 1, &salg);
335 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
336 /* Sub-packet for sig-algs extension */
337 || !WPACKET_start_sub_packet_u16(pkt)
338 /* Sub-packet for the actual list */
339 || !WPACKET_start_sub_packet_u16(pkt)
340 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
341 || !WPACKET_close(pkt)
342 || !WPACKET_close(pkt)) {
343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
344 return EXT_RETURN_FAIL;
345 }
346
347 return EXT_RETURN_SENT;
348}
349
350#ifndef OPENSSL_NO_OCSP
351EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
352 unsigned int context, X509 *x,
353 size_t chainidx)
354{
355 int i;
356
357 /* This extension isn't defined for client Certificates */
358 if (x != NULL)
359 return EXT_RETURN_NOT_SENT;
360
361 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
362 return EXT_RETURN_NOT_SENT;
363
364 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
365 /* Sub-packet for status request extension */
366 || !WPACKET_start_sub_packet_u16(pkt)
367 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
368 /* Sub-packet for the ids */
369 || !WPACKET_start_sub_packet_u16(pkt)) {
370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
371 return EXT_RETURN_FAIL;
372 }
373 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
374 unsigned char *idbytes;
375 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
376 int idlen = i2d_OCSP_RESPID(id, NULL);
377
378 if (idlen <= 0
379 /* Sub-packet for an individual id */
380 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
381 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
383 return EXT_RETURN_FAIL;
384 }
385 }
386 if (!WPACKET_close(pkt)
387 || !WPACKET_start_sub_packet_u16(pkt)) {
388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
389 return EXT_RETURN_FAIL;
390 }
391 if (s->ext.ocsp.exts) {
392 unsigned char *extbytes;
393 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
394
395 if (extlen < 0) {
396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
397 return EXT_RETURN_FAIL;
398 }
399 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
400 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
401 != extlen) {
402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
403 return EXT_RETURN_FAIL;
404 }
405 }
406 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
408 return EXT_RETURN_FAIL;
409 }
410
411 return EXT_RETURN_SENT;
412}
413#endif
414
415#ifndef OPENSSL_NO_NEXTPROTONEG
416EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
417 unsigned int context,
418 X509 *x, size_t chainidx)
419{
420 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
421 || !SSL_IS_FIRST_HANDSHAKE(s))
422 return EXT_RETURN_NOT_SENT;
423
424 /*
425 * The client advertises an empty extension to indicate its support
426 * for Next Protocol Negotiation
427 */
428 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
429 || !WPACKET_put_bytes_u16(pkt, 0)) {
430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
431 return EXT_RETURN_FAIL;
432 }
433
434 return EXT_RETURN_SENT;
435}
436#endif
437
438EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
439 unsigned int context,
440 X509 *x, size_t chainidx)
441{
442 s->s3.alpn_sent = 0;
443
444 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
445 return EXT_RETURN_NOT_SENT;
446
447 if (!WPACKET_put_bytes_u16(pkt,
448 TLSEXT_TYPE_application_layer_protocol_negotiation)
449 /* Sub-packet ALPN extension */
450 || !WPACKET_start_sub_packet_u16(pkt)
451 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
452 || !WPACKET_close(pkt)) {
453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
454 return EXT_RETURN_FAIL;
455 }
456 s->s3.alpn_sent = 1;
457
458 return EXT_RETURN_SENT;
459}
460
461
462#ifndef OPENSSL_NO_SRTP
463EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
464 unsigned int context, X509 *x,
465 size_t chainidx)
466{
467 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
468 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
469 int i, end;
470
471 if (clnt == NULL)
472 return EXT_RETURN_NOT_SENT;
473
474 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
475 /* Sub-packet for SRTP extension */
476 || !WPACKET_start_sub_packet_u16(pkt)
477 /* Sub-packet for the protection profile list */
478 || !WPACKET_start_sub_packet_u16(pkt)) {
479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return EXT_RETURN_FAIL;
481 }
482
483 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
484 for (i = 0; i < end; i++) {
485 const SRTP_PROTECTION_PROFILE *prof =
486 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
487
488 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
490 return EXT_RETURN_FAIL;
491 }
492 }
493 if (!WPACKET_close(pkt)
494 /* Add an empty use_mki value */
495 || !WPACKET_put_bytes_u8(pkt, 0)
496 || !WPACKET_close(pkt)) {
497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
498 return EXT_RETURN_FAIL;
499 }
500
501 return EXT_RETURN_SENT;
502}
503#endif
504
505EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
506 unsigned int context,
507 X509 *x, size_t chainidx)
508{
509 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
510 return EXT_RETURN_NOT_SENT;
511
512 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
513 || !WPACKET_put_bytes_u16(pkt, 0)) {
514 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
515 return EXT_RETURN_FAIL;
516 }
517
518 return EXT_RETURN_SENT;
519}
520
521#ifndef OPENSSL_NO_CT
522EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
523 unsigned int context,
524 X509 *x, size_t chainidx)
525{
526 if (s->ct_validation_callback == NULL)
527 return EXT_RETURN_NOT_SENT;
528
529 /* Not defined for client Certificates */
530 if (x != NULL)
531 return EXT_RETURN_NOT_SENT;
532
533 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
534 || !WPACKET_put_bytes_u16(pkt, 0)) {
535 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
536 return EXT_RETURN_FAIL;
537 }
538
539 return EXT_RETURN_SENT;
540}
541#endif
542
543EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
544 unsigned int context,
545 X509 *x, size_t chainidx)
546{
547 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
548 return EXT_RETURN_NOT_SENT;
549
550 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
551 || !WPACKET_put_bytes_u16(pkt, 0)) {
552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
553 return EXT_RETURN_FAIL;
554 }
555
556 return EXT_RETURN_SENT;
557}
558
559EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
560 unsigned int context, X509 *x,
561 size_t chainidx)
562{
563 int currv, min_version, max_version, reason;
564
565 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
566 if (reason != 0) {
567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
568 return EXT_RETURN_FAIL;
569 }
570
571 /*
572 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
573 * comparison here because we will never be called in DTLS.
574 */
575 if (max_version < TLS1_3_VERSION)
576 return EXT_RETURN_NOT_SENT;
577
578 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
579 || !WPACKET_start_sub_packet_u16(pkt)
580 || !WPACKET_start_sub_packet_u8(pkt)) {
581 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
582 return EXT_RETURN_FAIL;
583 }
584
585 for (currv = max_version; currv >= min_version; currv--) {
586 if (!WPACKET_put_bytes_u16(pkt, currv)) {
587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
588 return EXT_RETURN_FAIL;
589 }
590 }
591 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
593 return EXT_RETURN_FAIL;
594 }
595
596 return EXT_RETURN_SENT;
597}
598
599/*
600 * Construct a psk_kex_modes extension.
601 */
602EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
603 unsigned int context, X509 *x,
604 size_t chainidx)
605{
606#ifndef OPENSSL_NO_TLS1_3
607 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
608
609 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
610 || !WPACKET_start_sub_packet_u16(pkt)
611 || !WPACKET_start_sub_packet_u8(pkt)
612 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
613 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
614 || !WPACKET_close(pkt)
615 || !WPACKET_close(pkt)) {
616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
617 return EXT_RETURN_FAIL;
618 }
619
620 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
621 if (nodhe)
622 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
623#endif
624
625 return EXT_RETURN_SENT;
626}
627
628#ifndef OPENSSL_NO_TLS1_3
629static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
630{
631 unsigned char *encoded_point = NULL;
632 EVP_PKEY *key_share_key = NULL;
633 size_t encodedlen;
634
635 if (s->s3.tmp.pkey != NULL) {
636 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
638 return 0;
639 }
640 /*
641 * Could happen if we got an HRR that wasn't requesting a new key_share
642 */
643 key_share_key = s->s3.tmp.pkey;
644 } else {
645 key_share_key = ssl_generate_pkey_group(s, curve_id);
646 if (key_share_key == NULL) {
647 /* SSLfatal() already called */
648 return 0;
649 }
650 }
651
652 /* Encode the public key. */
653 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
654 &encoded_point);
655 if (encodedlen == 0) {
656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
657 goto err;
658 }
659
660 /* Create KeyShareEntry */
661 if (!WPACKET_put_bytes_u16(pkt, curve_id)
662 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
663 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
664 goto err;
665 }
666
667 /*
668 * When changing to send more than one key_share we're
669 * going to need to be able to save more than one EVP_PKEY. For now
670 * we reuse the existing tmp.pkey
671 */
672 s->s3.tmp.pkey = key_share_key;
673 s->s3.group_id = curve_id;
674 OPENSSL_free(encoded_point);
675
676 return 1;
677 err:
678 if (s->s3.tmp.pkey == NULL)
679 EVP_PKEY_free(key_share_key);
680 OPENSSL_free(encoded_point);
681 return 0;
682}
683#endif
684
685EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
686 unsigned int context, X509 *x,
687 size_t chainidx)
688{
689#ifndef OPENSSL_NO_TLS1_3
690 size_t i, num_groups = 0;
691 const uint16_t *pgroups = NULL;
692 uint16_t curve_id = 0;
693
694 /* key_share extension */
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
696 /* Extension data sub-packet */
697 || !WPACKET_start_sub_packet_u16(pkt)
698 /* KeyShare list sub-packet */
699 || !WPACKET_start_sub_packet_u16(pkt)) {
700 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
701 return EXT_RETURN_FAIL;
702 }
703
704 tls1_get_supported_groups(s, &pgroups, &num_groups);
705
706 /*
707 * Make the number of key_shares sent configurable. For
708 * now, we just send one
709 */
710 if (s->s3.group_id != 0) {
711 curve_id = s->s3.group_id;
712 } else {
713 for (i = 0; i < num_groups; i++) {
714 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
715 continue;
716
717 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
718 0, NULL))
719 continue;
720
721 curve_id = pgroups[i];
722 break;
723 }
724 }
725
726 if (curve_id == 0) {
727 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
728 return EXT_RETURN_FAIL;
729 }
730
731 if (!add_key_share(s, pkt, curve_id)) {
732 /* SSLfatal() already called */
733 return EXT_RETURN_FAIL;
734 }
735
736 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
737 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
738 return EXT_RETURN_FAIL;
739 }
740 return EXT_RETURN_SENT;
741#else
742 return EXT_RETURN_NOT_SENT;
743#endif
744}
745
746EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
747 unsigned int context,
748 X509 *x, size_t chainidx)
749{
750 EXT_RETURN ret = EXT_RETURN_FAIL;
751
752 /* Should only be set if we've had an HRR */
753 if (s->ext.tls13_cookie_len == 0)
754 return EXT_RETURN_NOT_SENT;
755
756 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
757 /* Extension data sub-packet */
758 || !WPACKET_start_sub_packet_u16(pkt)
759 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
760 s->ext.tls13_cookie_len)
761 || !WPACKET_close(pkt)) {
762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
763 goto end;
764 }
765
766 ret = EXT_RETURN_SENT;
767 end:
768 OPENSSL_free(s->ext.tls13_cookie);
769 s->ext.tls13_cookie = NULL;
770 s->ext.tls13_cookie_len = 0;
771
772 return ret;
773}
774
775EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
776 unsigned int context, X509 *x,
777 size_t chainidx)
778{
779#ifndef OPENSSL_NO_PSK
780 char identity[PSK_MAX_IDENTITY_LEN + 1];
781#endif /* OPENSSL_NO_PSK */
782 const unsigned char *id = NULL;
783 size_t idlen = 0;
784 SSL_SESSION *psksess = NULL;
785 SSL_SESSION *edsess = NULL;
786 const EVP_MD *handmd = NULL;
787 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
788
789 if (s->hello_retry_request == SSL_HRR_PENDING)
790 handmd = ssl_handshake_md(s);
791
792 if (s->psk_use_session_cb != NULL
793 && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess)
794 || (psksess != NULL
795 && psksess->ssl_version != TLS1_3_VERSION))) {
796 SSL_SESSION_free(psksess);
797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
798 return EXT_RETURN_FAIL;
799 }
800
801#ifndef OPENSSL_NO_PSK
802 if (psksess == NULL && s->psk_client_callback != NULL) {
803 unsigned char psk[PSK_MAX_PSK_LEN];
804 size_t psklen = 0;
805
806 memset(identity, 0, sizeof(identity));
807 psklen = s->psk_client_callback(ussl, NULL,
808 identity, sizeof(identity) - 1,
809 psk, sizeof(psk));
810
811 if (psklen > PSK_MAX_PSK_LEN) {
812 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
813 return EXT_RETURN_FAIL;
814 } else if (psklen > 0) {
815 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
816 const SSL_CIPHER *cipher;
817
818 idlen = strlen(identity);
819 if (idlen > PSK_MAX_IDENTITY_LEN) {
820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
821 return EXT_RETURN_FAIL;
822 }
823 id = (unsigned char *)identity;
824
825 /*
826 * We found a PSK using an old style callback. We don't know
827 * the digest so we default to SHA256 as per the TLSv1.3 spec
828 */
829 cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),
830 tls13_aes128gcmsha256_id);
831 if (cipher == NULL) {
832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
833 return EXT_RETURN_FAIL;
834 }
835
836 psksess = SSL_SESSION_new();
837 if (psksess == NULL
838 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
839 || !SSL_SESSION_set_cipher(psksess, cipher)
840 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
842 OPENSSL_cleanse(psk, psklen);
843 return EXT_RETURN_FAIL;
844 }
845 OPENSSL_cleanse(psk, psklen);
846 }
847 }
848#endif /* OPENSSL_NO_PSK */
849
850 SSL_SESSION_free(s->psksession);
851 s->psksession = psksess;
852 if (psksess != NULL) {
853 OPENSSL_free(s->psksession_id);
854 s->psksession_id = OPENSSL_memdup(id, idlen);
855 if (s->psksession_id == NULL) {
856 s->psksession_id_len = 0;
857 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
858 return EXT_RETURN_FAIL;
859 }
860 s->psksession_id_len = idlen;
861 }
862
863 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
864 || (s->session->ext.max_early_data == 0
865 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
866 s->max_early_data = 0;
867 return EXT_RETURN_NOT_SENT;
868 }
869 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
870 s->max_early_data = edsess->ext.max_early_data;
871
872 if (edsess->ext.hostname != NULL) {
873 if (s->ext.hostname == NULL
874 || (s->ext.hostname != NULL
875 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
876 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
877 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
878 return EXT_RETURN_FAIL;
879 }
880 }
881
882 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
884 return EXT_RETURN_FAIL;
885 }
886
887 /*
888 * Verify that we are offering an ALPN protocol consistent with the early
889 * data.
890 */
891 if (edsess->ext.alpn_selected != NULL) {
892 PACKET prots, alpnpkt;
893 int found = 0;
894
895 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
896 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
897 return EXT_RETURN_FAIL;
898 }
899 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
900 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
901 edsess->ext.alpn_selected_len)) {
902 found = 1;
903 break;
904 }
905 }
906 if (!found) {
907 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
908 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
909 return EXT_RETURN_FAIL;
910 }
911 }
912
913 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
914 || !WPACKET_start_sub_packet_u16(pkt)
915 || !WPACKET_close(pkt)) {
916 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
917 return EXT_RETURN_FAIL;
918 }
919
920 /*
921 * We set this to rejected here. Later, if the server acknowledges the
922 * extension, we set it to accepted.
923 */
924 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
925 s->ext.early_data_ok = 1;
926
927 return EXT_RETURN_SENT;
928}
929
930#define F5_WORKAROUND_MIN_MSG_LEN 0xff
931#define F5_WORKAROUND_MAX_MSG_LEN 0x200
932
933/*
934 * PSK pre binder overhead =
935 * 2 bytes for TLSEXT_TYPE_psk
936 * 2 bytes for extension length
937 * 2 bytes for identities list length
938 * 2 bytes for identity length
939 * 4 bytes for obfuscated_ticket_age
940 * 2 bytes for binder list length
941 * 1 byte for binder length
942 * The above excludes the number of bytes for the identity itself and the
943 * subsequent binder bytes
944 */
945#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
946
947EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
948 unsigned int context, X509 *x,
949 size_t chainidx)
950{
951 unsigned char *padbytes;
952 size_t hlen;
953
954 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
955 return EXT_RETURN_NOT_SENT;
956
957 /*
958 * Add padding to workaround bugs in F5 terminators. See RFC7685.
959 * This code calculates the length of all extensions added so far but
960 * excludes the PSK extension (because that MUST be written last). Therefore
961 * this extension MUST always appear second to last.
962 */
963 if (!WPACKET_get_total_written(pkt, &hlen)) {
964 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
965 return EXT_RETURN_FAIL;
966 }
967
968 /*
969 * If we're going to send a PSK then that will be written out after this
970 * extension, so we need to calculate how long it is going to be.
971 */
972 if (s->session->ssl_version == TLS1_3_VERSION
973 && s->session->ext.ticklen != 0
974 && s->session->cipher != NULL) {
975 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
976 s->session->cipher->algorithm2);
977
978 if (md != NULL) {
979 /*
980 * Add the fixed PSK overhead, the identity length and the binder
981 * length.
982 */
983 int md_size = EVP_MD_get_size(md);
984
985 if (md_size <= 0)
986 return EXT_RETURN_FAIL;
987 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
988 + md_size;
989 }
990 }
991
992 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
993 /* Calculate the amount of padding we need to add */
994 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
995
996 /*
997 * Take off the size of extension header itself (2 bytes for type and
998 * 2 bytes for length bytes), but ensure that the extension is at least
999 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
1000 * 8.x are intolerant of that condition)
1001 */
1002 if (hlen > 4)
1003 hlen -= 4;
1004 else
1005 hlen = 1;
1006
1007 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
1008 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
1009 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1010 return EXT_RETURN_FAIL;
1011 }
1012 memset(padbytes, 0, hlen);
1013 }
1014
1015 return EXT_RETURN_SENT;
1016}
1017
1018/*
1019 * Construct the pre_shared_key extension
1020 */
1021EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
1022 unsigned int context,
1023 X509 *x, size_t chainidx)
1024{
1025#ifndef OPENSSL_NO_TLS1_3
1026 uint32_t agesec, agems = 0;
1027 size_t binderoffset, msglen;
1028 int reshashsize = 0, pskhashsize = 0;
1029 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
1030 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
1031 int dores = 0;
1032 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1033 OSSL_TIME t;
1034
1035 s->ext.tick_identity = 0;
1036
1037 /*
1038 * Note: At this stage of the code we only support adding a single
1039 * resumption PSK. If we add support for multiple PSKs then the length
1040 * calculations in the padding extension will need to be adjusted.
1041 */
1042
1043 /*
1044 * If this is an incompatible or new session then we have nothing to resume
1045 * so don't add this extension.
1046 */
1047 if (s->session->ssl_version != TLS1_3_VERSION
1048 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
1049 return EXT_RETURN_NOT_SENT;
1050
1051 if (s->hello_retry_request == SSL_HRR_PENDING)
1052 handmd = ssl_handshake_md(s);
1053
1054 if (s->session->ext.ticklen != 0) {
1055 /* Get the digest associated with the ciphersuite in the session */
1056 if (s->session->cipher == NULL) {
1057 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1058 return EXT_RETURN_FAIL;
1059 }
1060 mdres = ssl_md(sctx, s->session->cipher->algorithm2);
1061 if (mdres == NULL) {
1062 /*
1063 * Don't recognize this cipher so we can't use the session.
1064 * Ignore it
1065 */
1066 goto dopsksess;
1067 }
1068
1069 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
1070 /*
1071 * Selected ciphersuite hash does not match the hash for the session
1072 * so we can't use it.
1073 */
1074 goto dopsksess;
1075 }
1076
1077 /*
1078 * Technically the C standard just says time() returns a time_t and says
1079 * nothing about the encoding of that type. In practice most
1080 * implementations follow POSIX which holds it as an integral type in
1081 * seconds since epoch. We've already made the assumption that we can do
1082 * this in multiple places in the code, so portability shouldn't be an
1083 * issue.
1084 */
1085 t = ossl_time_subtract(ossl_time_now(), s->session->time);
1086 agesec = (uint32_t)ossl_time2seconds(t);
1087 /*
1088 * We calculate the age in seconds but the server may work in ms. Due to
1089 * rounding errors we could overestimate the age by up to 1s. It is
1090 * better to underestimate it. Otherwise, if the RTT is very short, when
1091 * the server calculates the age reported by the client it could be
1092 * bigger than the age calculated on the server - which should never
1093 * happen.
1094 */
1095 if (agesec > 0)
1096 agesec--;
1097
1098 if (s->session->ext.tick_lifetime_hint < agesec) {
1099 /* Ticket is too old. Ignore it. */
1100 goto dopsksess;
1101 }
1102
1103 /*
1104 * Calculate age in ms. We're just doing it to nearest second. Should be
1105 * good enough.
1106 */
1107 agems = agesec * (uint32_t)1000;
1108
1109 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1110 /*
1111 * Overflow. Shouldn't happen unless this is a *really* old session.
1112 * If so we just ignore it.
1113 */
1114 goto dopsksess;
1115 }
1116
1117 /*
1118 * Obfuscate the age. Overflow here is fine, this addition is supposed
1119 * to be mod 2^32.
1120 */
1121 agems += s->session->ext.tick_age_add;
1122
1123 reshashsize = EVP_MD_get_size(mdres);
1124 if (reshashsize <= 0)
1125 goto dopsksess;
1126 s->ext.tick_identity++;
1127 dores = 1;
1128 }
1129
1130 dopsksess:
1131 if (!dores && s->psksession == NULL)
1132 return EXT_RETURN_NOT_SENT;
1133
1134 if (s->psksession != NULL) {
1135 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
1136 if (mdpsk == NULL) {
1137 /*
1138 * Don't recognize this cipher so we can't use the session.
1139 * If this happens it's an application bug.
1140 */
1141 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1142 return EXT_RETURN_FAIL;
1143 }
1144
1145 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
1146 /*
1147 * Selected ciphersuite hash does not match the hash for the PSK
1148 * session. This is an application bug.
1149 */
1150 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1151 return EXT_RETURN_FAIL;
1152 }
1153
1154 pskhashsize = EVP_MD_get_size(mdpsk);
1155 if (pskhashsize <= 0) {
1156 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1157 return EXT_RETURN_FAIL;
1158 }
1159 }
1160
1161 /* Create the extension, but skip over the binder for now */
1162 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1163 || !WPACKET_start_sub_packet_u16(pkt)
1164 || !WPACKET_start_sub_packet_u16(pkt)) {
1165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1166 return EXT_RETURN_FAIL;
1167 }
1168
1169 if (dores) {
1170 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1171 s->session->ext.ticklen)
1172 || !WPACKET_put_bytes_u32(pkt, agems)) {
1173 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1174 return EXT_RETURN_FAIL;
1175 }
1176 }
1177
1178 if (s->psksession != NULL) {
1179 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1180 s->psksession_id_len)
1181 || !WPACKET_put_bytes_u32(pkt, 0)) {
1182 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1183 return EXT_RETURN_FAIL;
1184 }
1185 s->ext.tick_identity++;
1186 }
1187
1188 if (!WPACKET_close(pkt)
1189 || !WPACKET_get_total_written(pkt, &binderoffset)
1190 || !WPACKET_start_sub_packet_u16(pkt)
1191 || (dores
1192 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
1193 || (s->psksession != NULL
1194 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
1195 || !WPACKET_close(pkt)
1196 || !WPACKET_close(pkt)
1197 || !WPACKET_get_total_written(pkt, &msglen)
1198 /*
1199 * We need to fill in all the sub-packet lengths now so we can
1200 * calculate the HMAC of the message up to the binders
1201 */
1202 || !WPACKET_fill_lengths(pkt)) {
1203 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1204 return EXT_RETURN_FAIL;
1205 }
1206
1207 msgstart = WPACKET_get_curr(pkt) - msglen;
1208
1209 if (dores
1210 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1211 resbinder, s->session, 1, 0) != 1) {
1212 /* SSLfatal() already called */
1213 return EXT_RETURN_FAIL;
1214 }
1215
1216 if (s->psksession != NULL
1217 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1218 pskbinder, s->psksession, 1, 1) != 1) {
1219 /* SSLfatal() already called */
1220 return EXT_RETURN_FAIL;
1221 }
1222
1223 return EXT_RETURN_SENT;
1224#else
1225 return EXT_RETURN_NOT_SENT;
1226#endif
1227}
1228
1229EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
1230 ossl_unused unsigned int context,
1231 ossl_unused X509 *x,
1232 ossl_unused size_t chainidx)
1233{
1234#ifndef OPENSSL_NO_TLS1_3
1235 if (!s->pha_enabled)
1236 return EXT_RETURN_NOT_SENT;
1237
1238 /* construct extension - 0 length, no contents */
1239 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1240 || !WPACKET_start_sub_packet_u16(pkt)
1241 || !WPACKET_close(pkt)) {
1242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1243 return EXT_RETURN_FAIL;
1244 }
1245
1246 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1247
1248 return EXT_RETURN_SENT;
1249#else
1250 return EXT_RETURN_NOT_SENT;
1251#endif
1252}
1253
1254
1255/*
1256 * Parse the server's renegotiation binding and abort if it's not right
1257 */
1258int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
1259 unsigned int context,
1260 X509 *x, size_t chainidx)
1261{
1262 size_t expected_len = s->s3.previous_client_finished_len
1263 + s->s3.previous_server_finished_len;
1264 size_t ilen;
1265 const unsigned char *data;
1266
1267 /* Check for logic errors */
1268 if (!ossl_assert(expected_len == 0
1269 || s->s3.previous_client_finished_len != 0)
1270 || !ossl_assert(expected_len == 0
1271 || s->s3.previous_server_finished_len != 0)) {
1272 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1273 return 0;
1274 }
1275
1276 /* Parse the length byte */
1277 if (!PACKET_get_1_len(pkt, &ilen)) {
1278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1279 return 0;
1280 }
1281
1282 /* Consistency check */
1283 if (PACKET_remaining(pkt) != ilen) {
1284 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1285 return 0;
1286 }
1287
1288 /* Check that the extension matches */
1289 if (ilen != expected_len) {
1290 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1291 return 0;
1292 }
1293
1294 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1295 || memcmp(data, s->s3.previous_client_finished,
1296 s->s3.previous_client_finished_len) != 0) {
1297 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1298 return 0;
1299 }
1300
1301 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1302 || memcmp(data, s->s3.previous_server_finished,
1303 s->s3.previous_server_finished_len) != 0) {
1304 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1305 return 0;
1306 }
1307 s->s3.send_connection_binding = 1;
1308
1309 return 1;
1310}
1311
1312/* Parse the server's max fragment len extension packet */
1313int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
1314 unsigned int context,
1315 X509 *x, size_t chainidx)
1316{
1317 unsigned int value;
1318
1319 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
1320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1321 return 0;
1322 }
1323
1324 /* |value| should contains a valid max-fragment-length code. */
1325 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
1326 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1327 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1328 return 0;
1329 }
1330
1331 /* Must be the same value as client-configured one who was sent to server */
1332 /*-
1333 * RFC 6066: if a client receives a maximum fragment length negotiation
1334 * response that differs from the length it requested, ...
1335 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1336 */
1337 if (value != s->ext.max_fragment_len_mode) {
1338 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1339 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1340 return 0;
1341 }
1342
1343 /*
1344 * Maximum Fragment Length Negotiation succeeded.
1345 * The negotiated Maximum Fragment Length is binding now.
1346 */
1347 s->session->ext.max_fragment_len_mode = value;
1348
1349 return 1;
1350}
1351
1352int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
1353 unsigned int context,
1354 X509 *x, size_t chainidx)
1355{
1356 if (s->ext.hostname == NULL) {
1357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1358 return 0;
1359 }
1360
1361 if (PACKET_remaining(pkt) > 0) {
1362 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1363 return 0;
1364 }
1365
1366 if (!s->hit) {
1367 if (s->session->ext.hostname != NULL) {
1368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1369 return 0;
1370 }
1371 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1372 if (s->session->ext.hostname == NULL) {
1373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1374 return 0;
1375 }
1376 }
1377
1378 return 1;
1379}
1380
1381int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
1382 unsigned int context,
1383 X509 *x, size_t chainidx)
1384{
1385 size_t ecpointformats_len;
1386 PACKET ecptformatlist;
1387
1388 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
1389 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1390 return 0;
1391 }
1392 if (!s->hit) {
1393 ecpointformats_len = PACKET_remaining(&ecptformatlist);
1394 if (ecpointformats_len == 0) {
1395 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1396 return 0;
1397 }
1398
1399 s->ext.peer_ecpointformats_len = 0;
1400 OPENSSL_free(s->ext.peer_ecpointformats);
1401 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1402 if (s->ext.peer_ecpointformats == NULL) {
1403 s->ext.peer_ecpointformats_len = 0;
1404 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1405 return 0;
1406 }
1407
1408 s->ext.peer_ecpointformats_len = ecpointformats_len;
1409
1410 if (!PACKET_copy_bytes(&ecptformatlist,
1411 s->ext.peer_ecpointformats,
1412 ecpointformats_len)) {
1413 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1414 return 0;
1415 }
1416 }
1417
1418 return 1;
1419}
1420
1421int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
1422 unsigned int context,
1423 X509 *x, size_t chainidx)
1424{
1425 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);
1426
1427 if (s->ext.session_ticket_cb != NULL &&
1428 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
1429 PACKET_remaining(pkt),
1430 s->ext.session_ticket_cb_arg)) {
1431 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1432 return 0;
1433 }
1434
1435 if (!tls_use_ticket(s)) {
1436 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1437 return 0;
1438 }
1439 if (PACKET_remaining(pkt) > 0) {
1440 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1441 return 0;
1442 }
1443
1444 s->ext.ticket_expected = 1;
1445
1446 return 1;
1447}
1448
1449#ifndef OPENSSL_NO_OCSP
1450int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
1451 unsigned int context,
1452 X509 *x, size_t chainidx)
1453{
1454 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1455 /* We ignore this if the server sends a CertificateRequest */
1456 return 1;
1457 }
1458
1459 /*
1460 * MUST only be sent if we've requested a status
1461 * request message. In TLS <= 1.2 it must also be empty.
1462 */
1463 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1464 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1465 return 0;
1466 }
1467 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
1468 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1469 return 0;
1470 }
1471
1472 if (SSL_CONNECTION_IS_TLS13(s)) {
1473 /* We only know how to handle this if it's for the first Certificate in
1474 * the chain. We ignore any other responses.
1475 */
1476 if (chainidx != 0)
1477 return 1;
1478
1479 /* SSLfatal() already called */
1480 return tls_process_cert_status_body(s, pkt);
1481 }
1482
1483 /* Set flag to expect CertificateStatus message */
1484 s->ext.status_expected = 1;
1485
1486 return 1;
1487}
1488#endif
1489
1490
1491#ifndef OPENSSL_NO_CT
1492int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1493 X509 *x, size_t chainidx)
1494{
1495 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1496 /* We ignore this if the server sends it in a CertificateRequest */
1497 return 1;
1498 }
1499
1500 /*
1501 * Only take it if we asked for it - i.e if there is no CT validation
1502 * callback set, then a custom extension MAY be processing it, so we
1503 * need to let control continue to flow to that.
1504 */
1505 if (s->ct_validation_callback != NULL) {
1506 size_t size = PACKET_remaining(pkt);
1507
1508 /* Simply copy it off for later processing */
1509 OPENSSL_free(s->ext.scts);
1510 s->ext.scts = NULL;
1511
1512 s->ext.scts_len = (uint16_t)size;
1513 if (size > 0) {
1514 s->ext.scts = OPENSSL_malloc(size);
1515 if (s->ext.scts == NULL) {
1516 s->ext.scts_len = 0;
1517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1518 return 0;
1519 }
1520 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1521 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1522 return 0;
1523 }
1524 }
1525 } else {
1526 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1527 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1528
1529 /*
1530 * If we didn't ask for it then there must be a custom extension,
1531 * otherwise this is unsolicited.
1532 */
1533 if (custom_ext_find(&s->cert->custext, role,
1534 TLSEXT_TYPE_signed_certificate_timestamp,
1535 NULL) == NULL) {
1536 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1537 return 0;
1538 }
1539
1540 if (!custom_ext_parse(s, context,
1541 TLSEXT_TYPE_signed_certificate_timestamp,
1542 PACKET_data(pkt), PACKET_remaining(pkt),
1543 x, chainidx)) {
1544 /* SSLfatal already called */
1545 return 0;
1546 }
1547 }
1548
1549 return 1;
1550}
1551#endif
1552
1553
1554#ifndef OPENSSL_NO_NEXTPROTONEG
1555/*
1556 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1557 * elements of zero length are allowed and the set of elements must exactly
1558 * fill the length of the block. Returns 1 on success or 0 on failure.
1559 */
1560static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
1561{
1562 PACKET tmp_protocol;
1563
1564 while (PACKET_remaining(pkt)) {
1565 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1566 || PACKET_remaining(&tmp_protocol) == 0) {
1567 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1568 return 0;
1569 }
1570 }
1571
1572 return 1;
1573}
1574
1575int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1576 X509 *x, size_t chainidx)
1577{
1578 unsigned char *selected;
1579 unsigned char selected_len;
1580 PACKET tmppkt;
1581 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1582
1583 /* Check if we are in a renegotiation. If so ignore this extension */
1584 if (!SSL_IS_FIRST_HANDSHAKE(s))
1585 return 1;
1586
1587 /* We must have requested it. */
1588 if (sctx->ext.npn_select_cb == NULL) {
1589 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1590 return 0;
1591 }
1592
1593 /* The data must be valid */
1594 tmppkt = *pkt;
1595 if (!ssl_next_proto_validate(s, &tmppkt)) {
1596 /* SSLfatal() already called */
1597 return 0;
1598 }
1599 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s),
1600 &selected, &selected_len,
1601 PACKET_data(pkt), PACKET_remaining(pkt),
1602 sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
1603 || selected_len == 0) {
1604 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1605 return 0;
1606 }
1607
1608 /*
1609 * Could be non-NULL if server has sent multiple NPN extensions in
1610 * a single Serverhello
1611 */
1612 OPENSSL_free(s->ext.npn);
1613 s->ext.npn = OPENSSL_malloc(selected_len);
1614 if (s->ext.npn == NULL) {
1615 s->ext.npn_len = 0;
1616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1617 return 0;
1618 }
1619
1620 memcpy(s->ext.npn, selected, selected_len);
1621 s->ext.npn_len = selected_len;
1622 s->s3.npn_seen = 1;
1623
1624 return 1;
1625}
1626#endif
1627
1628int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1629 X509 *x, size_t chainidx)
1630{
1631 size_t len;
1632 PACKET confpkt, protpkt;
1633 int valid = 0;
1634
1635 /* We must have requested it. */
1636 if (!s->s3.alpn_sent) {
1637 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1638 return 0;
1639 }
1640 /*-
1641 * The extension data consists of:
1642 * uint16 list_length
1643 * uint8 proto_length;
1644 * uint8 proto[proto_length];
1645 */
1646 if (!PACKET_get_net_2_len(pkt, &len)
1647 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1648 || PACKET_remaining(pkt) != len) {
1649 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1650 return 0;
1651 }
1652
1653 /* It must be a protocol that we sent */
1654 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
1655 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1656 return 0;
1657 }
1658 while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
1659 if (PACKET_remaining(&protpkt) != len)
1660 continue;
1661 if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
1662 /* Valid protocol found */
1663 valid = 1;
1664 break;
1665 }
1666 }
1667
1668 if (!valid) {
1669 /* The protocol sent from the server does not match one we advertised */
1670 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1671 return 0;
1672 }
1673
1674 OPENSSL_free(s->s3.alpn_selected);
1675 s->s3.alpn_selected = OPENSSL_malloc(len);
1676 if (s->s3.alpn_selected == NULL) {
1677 s->s3.alpn_selected_len = 0;
1678 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1679 return 0;
1680 }
1681 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
1682 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1683 return 0;
1684 }
1685 s->s3.alpn_selected_len = len;
1686
1687 if (s->session->ext.alpn_selected == NULL
1688 || s->session->ext.alpn_selected_len != len
1689 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
1690 != 0) {
1691 /* ALPN not consistent with the old session so cannot use early_data */
1692 s->ext.early_data_ok = 0;
1693 }
1694 if (!s->hit) {
1695 /*
1696 * This is a new session and so alpn_selected should have been
1697 * initialised to NULL. We should update it with the selected ALPN.
1698 */
1699 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1700 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1701 return 0;
1702 }
1703 s->session->ext.alpn_selected =
1704 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
1705 if (s->session->ext.alpn_selected == NULL) {
1706 s->session->ext.alpn_selected_len = 0;
1707 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1708 return 0;
1709 }
1710 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
1711 }
1712
1713 return 1;
1714}
1715
1716#ifndef OPENSSL_NO_SRTP
1717int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
1718 unsigned int context, X509 *x, size_t chainidx)
1719{
1720 unsigned int id, ct, mki;
1721 int i;
1722 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1723 SRTP_PROTECTION_PROFILE *prof;
1724
1725 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1726 || !PACKET_get_net_2(pkt, &id)
1727 || !PACKET_get_1(pkt, &mki)
1728 || PACKET_remaining(pkt) != 0) {
1729 SSLfatal(s, SSL_AD_DECODE_ERROR,
1730 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1731 return 0;
1732 }
1733
1734 if (mki != 0) {
1735 /* Must be no MKI, since we never offer one */
1736 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
1737 return 0;
1738 }
1739
1740 /* Throw an error if the server gave us an unsolicited extension */
1741 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
1742 if (clnt == NULL) {
1743 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
1744 return 0;
1745 }
1746
1747 /*
1748 * Check to see if the server gave us something we support (and
1749 * presumably offered)
1750 */
1751 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1752 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1753
1754 if (prof->id == id) {
1755 s->srtp_profile = prof;
1756 return 1;
1757 }
1758 }
1759
1760 SSLfatal(s, SSL_AD_DECODE_ERROR,
1761 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1762 return 0;
1763}
1764#endif
1765
1766int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1767 X509 *x, size_t chainidx)
1768{
1769 /* Ignore if inappropriate ciphersuite */
1770 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1771 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
1772 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1773 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1774 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1775 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1776 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
1777 s->ext.use_etm = 1;
1778
1779 return 1;
1780}
1781
1782int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1783 X509 *x, size_t chainidx)
1784{
1785 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1786 return 1;
1787 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1788 if (!s->hit)
1789 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1790
1791 return 1;
1792}
1793
1794int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
1795 unsigned int context,
1796 X509 *x, size_t chainidx)
1797{
1798 unsigned int version;
1799
1800 if (!PACKET_get_net_2(pkt, &version)
1801 || PACKET_remaining(pkt) != 0) {
1802 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1803 return 0;
1804 }
1805
1806 /*
1807 * The only protocol version we support which is valid in this extension in
1808 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1809 */
1810 if (version != TLS1_3_VERSION) {
1811 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1812 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1813 return 0;
1814 }
1815
1816 /* We ignore this extension for HRRs except to sanity check it */
1817 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
1818 return 1;
1819
1820 /* We just set it here. We validate it in ssl_choose_client_version */
1821 s->version = version;
1822 if (!ssl_set_record_protocol_version(s, version)) {
1823 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1824 return 0;
1825 }
1826
1827 return 1;
1828}
1829
1830int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
1831 unsigned int context, X509 *x,
1832 size_t chainidx)
1833{
1834#ifndef OPENSSL_NO_TLS1_3
1835 unsigned int group_id;
1836 PACKET encoded_pt;
1837 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
1838 const TLS_GROUP_INFO *ginf = NULL;
1839
1840 /* Sanity check */
1841 if (ckey == NULL || s->s3.peer_tmp != NULL) {
1842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1843 return 0;
1844 }
1845
1846 if (!PACKET_get_net_2(pkt, &group_id)) {
1847 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1848 return 0;
1849 }
1850
1851 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1852 const uint16_t *pgroups = NULL;
1853 size_t i, num_groups;
1854
1855 if (PACKET_remaining(pkt) != 0) {
1856 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1857 return 0;
1858 }
1859
1860 /*
1861 * It is an error if the HelloRetryRequest wants a key_share that we
1862 * already sent in the first ClientHello
1863 */
1864 if (group_id == s->s3.group_id) {
1865 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1866 return 0;
1867 }
1868
1869 /* Validate the selected group is one we support */
1870 tls1_get_supported_groups(s, &pgroups, &num_groups);
1871 for (i = 0; i < num_groups; i++) {
1872 if (group_id == pgroups[i])
1873 break;
1874 }
1875 if (i >= num_groups
1876 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
1877 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
1878 0, NULL)) {
1879 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1880 return 0;
1881 }
1882
1883 s->s3.group_id = group_id;
1884 EVP_PKEY_free(s->s3.tmp.pkey);
1885 s->s3.tmp.pkey = NULL;
1886 return 1;
1887 }
1888
1889 if (group_id != s->s3.group_id) {
1890 /*
1891 * This isn't for the group that we sent in the original
1892 * key_share!
1893 */
1894 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1895 return 0;
1896 }
1897 /* Retain this group in the SSL_SESSION */
1898 if (!s->hit) {
1899 s->session->kex_group = group_id;
1900 } else if (group_id != s->session->kex_group) {
1901 /*
1902 * If this is a resumption but changed what group was used, we need
1903 * to record the new group in the session, but the session is not
1904 * a new session and could be in use by other threads. So, make
1905 * a copy of the session to record the new information so that it's
1906 * useful for any sessions resumed from tickets issued on this
1907 * connection.
1908 */
1909 SSL_SESSION *new_sess;
1910
1911 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
1912 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1913 return 0;
1914 }
1915 SSL_SESSION_free(s->session);
1916 s->session = new_sess;
1917 s->session->kex_group = group_id;
1918 }
1919
1920 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1921 group_id)) == NULL) {
1922 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1923 return 0;
1924 }
1925
1926 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1927 || PACKET_remaining(&encoded_pt) == 0) {
1928 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1929 return 0;
1930 }
1931
1932 if (!ginf->is_kem) {
1933 /* Regular KEX */
1934 skey = EVP_PKEY_new();
1935 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
1936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
1937 EVP_PKEY_free(skey);
1938 return 0;
1939 }
1940
1941 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
1942 PACKET_remaining(&encoded_pt)) <= 0) {
1943 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
1944 EVP_PKEY_free(skey);
1945 return 0;
1946 }
1947
1948 if (ssl_derive(s, ckey, skey, 1) == 0) {
1949 /* SSLfatal() already called */
1950 EVP_PKEY_free(skey);
1951 return 0;
1952 }
1953 s->s3.peer_tmp = skey;
1954 } else {
1955 /* KEM Mode */
1956 const unsigned char *ct = PACKET_data(&encoded_pt);
1957 size_t ctlen = PACKET_remaining(&encoded_pt);
1958
1959 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1960 /* SSLfatal() already called */
1961 return 0;
1962 }
1963 }
1964 s->s3.did_kex = 1;
1965#endif
1966
1967 return 1;
1968}
1969
1970int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1971 X509 *x, size_t chainidx)
1972{
1973 PACKET cookie;
1974
1975 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1976 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1977 &s->ext.tls13_cookie_len)) {
1978 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1979 return 0;
1980 }
1981
1982 return 1;
1983}
1984
1985int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
1986 unsigned int context,
1987 X509 *x, size_t chainidx)
1988{
1989 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1990 unsigned long max_early_data;
1991
1992 if (!PACKET_get_net_4(pkt, &max_early_data)
1993 || PACKET_remaining(pkt) != 0) {
1994 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
1995 return 0;
1996 }
1997
1998 s->session->ext.max_early_data = max_early_data;
1999
2000 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {
2001 /*
2002 * QUIC allows missing max_early_data, or a max_early_data value
2003 * of 0xffffffff. Missing max_early_data is stored in the session
2004 * as 0. This is indistinguishable in OpenSSL from a present
2005 * max_early_data value that was 0. In order that later checks for
2006 * invalid max_early_data correctly treat as an error the case where
2007 * max_early_data is present and it is 0, we store any invalid
2008 * value in the same (non-zero) way. Otherwise we would have to
2009 * introduce a new flag just for this.
2010 */
2011 s->session->ext.max_early_data = 1;
2012 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
2013 return 0;
2014 }
2015
2016 return 1;
2017 }
2018
2019 if (PACKET_remaining(pkt) != 0) {
2020 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2021 return 0;
2022 }
2023
2024 if (!s->ext.early_data_ok
2025 || !s->hit) {
2026 /*
2027 * If we get here then we didn't send early data, or we didn't resume
2028 * using the first identity, or the SNI/ALPN is not consistent so the
2029 * server should not be accepting it.
2030 */
2031 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
2032 return 0;
2033 }
2034
2035 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
2036
2037 return 1;
2038}
2039
2040int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
2041 unsigned int context, X509 *x,
2042 size_t chainidx)
2043{
2044#ifndef OPENSSL_NO_TLS1_3
2045 unsigned int identity;
2046
2047 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
2048 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2049 return 0;
2050 }
2051
2052 if (identity >= (unsigned int)s->ext.tick_identity) {
2053 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
2054 return 0;
2055 }
2056
2057 /*
2058 * Session resumption tickets are always sent before PSK tickets. If the
2059 * ticket index is 0 then it must be for a session resumption ticket if we
2060 * sent two tickets, or if we didn't send a PSK ticket.
2061 */
2062 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
2063 s->hit = 1;
2064 SSL_SESSION_free(s->psksession);
2065 s->psksession = NULL;
2066 return 1;
2067 }
2068
2069 if (s->psksession == NULL) {
2070 /* Should never happen */
2071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2072 return 0;
2073 }
2074
2075 /*
2076 * If we used the external PSK for sending early_data then s->early_secret
2077 * is already set up, so don't overwrite it. Otherwise we copy the
2078 * early_secret across that we generated earlier.
2079 */
2080 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
2081 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
2082 || s->session->ext.max_early_data > 0
2083 || s->psksession->ext.max_early_data == 0)
2084 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
2085
2086 SSL_SESSION_free(s->session);
2087 s->session = s->psksession;
2088 s->psksession = NULL;
2089 s->hit = 1;
2090 /* Early data is only allowed if we used the first ticket */
2091 if (identity != 0)
2092 s->ext.early_data_ok = 0;
2093#endif
2094
2095 return 1;
2096}
2097
2098EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2099 unsigned int context,
2100 X509 *x, size_t chainidx)
2101{
2102 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2103 if (sc->client_cert_type == NULL)
2104 return EXT_RETURN_NOT_SENT;
2105
2106 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2107 || !WPACKET_start_sub_packet_u16(pkt)
2108 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)
2109 || !WPACKET_close(pkt)) {
2110 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2111 return EXT_RETURN_FAIL;
2112 }
2113 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2114 return EXT_RETURN_SENT;
2115}
2116
2117int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2118 unsigned int context,
2119 X509 *x, size_t chainidx)
2120{
2121 unsigned int type;
2122
2123 if (PACKET_remaining(pkt) != 1) {
2124 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2125 return 0;
2126 }
2127 if (!PACKET_get_1(pkt, &type)) {
2128 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2129 return 0;
2130 }
2131 /* We did not send/ask for this */
2132 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2133 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2134 return 0;
2135 }
2136 /* We don't have this enabled */
2137 if (sc->client_cert_type == NULL) {
2138 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2139 return 0;
2140 }
2141 /* Given back a value we didn't configure */
2142 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {
2143 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2144 return 0;
2145 }
2146 sc->ext.client_cert_type = type;
2147 return 1;
2148}
2149
2150EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2151 unsigned int context,
2152 X509 *x, size_t chainidx)
2153{
2154 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2155 if (sc->server_cert_type == NULL)
2156 return EXT_RETURN_NOT_SENT;
2157
2158 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2159 || !WPACKET_start_sub_packet_u16(pkt)
2160 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)
2161 || !WPACKET_close(pkt)) {
2162 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2163 return EXT_RETURN_FAIL;
2164 }
2165 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2166 return EXT_RETURN_SENT;
2167}
2168
2169int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2170 unsigned int context,
2171 X509 *x, size_t chainidx)
2172{
2173 unsigned int type;
2174
2175 if (PACKET_remaining(pkt) != 1) {
2176 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2177 return 0;
2178 }
2179 if (!PACKET_get_1(pkt, &type)) {
2180 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2181 return 0;
2182 }
2183 /* We did not send/ask for this */
2184 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2185 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2186 return 0;
2187 }
2188 /* We don't have this enabled */
2189 if (sc->server_cert_type == NULL) {
2190 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2191 return 0;
2192 }
2193 /* Given back a value we didn't configure */
2194 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {
2195 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2196 return 0;
2197 }
2198 sc->ext.server_cert_type = type;
2199 return 1;
2200}
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette