2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "internal/cryptlib.h"
13 #include "statem_local.h"
15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
16 unsigned int context, X509 *x,
19 /* Add RI if renegotiating */
21 return EXT_RETURN_NOT_SENT;
23 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
24 || !WPACKET_start_sub_packet_u16(pkt)
25 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
26 s->s3.previous_client_finished_len)
27 || !WPACKET_close(pkt)) {
28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
29 return EXT_RETURN_FAIL;
32 return EXT_RETURN_SENT;
35 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
36 unsigned int context, X509 *x,
39 if (s->ext.hostname == NULL)
40 return EXT_RETURN_NOT_SENT;
42 /* Add TLS extension servername to the Client Hello message */
43 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
44 /* Sub-packet for server_name extension */
45 || !WPACKET_start_sub_packet_u16(pkt)
46 /* Sub-packet for servername list (always 1 hostname)*/
47 || !WPACKET_start_sub_packet_u16(pkt)
48 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
49 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
50 strlen(s->ext.hostname))
51 || !WPACKET_close(pkt)
52 || !WPACKET_close(pkt)) {
53 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
54 return EXT_RETURN_FAIL;
57 return EXT_RETURN_SENT;
60 /* Push a Max Fragment Len extension into ClientHello */
61 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
62 unsigned int context, X509 *x,
65 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
66 return EXT_RETURN_NOT_SENT;
68 /* Add Max Fragment Length extension if client enabled it. */
70 * 4 bytes for this extension type and extension length
71 * 1 byte for the Max Fragment Length code value.
73 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
74 /* Sub-packet for Max Fragment Length extension (1 byte) */
75 || !WPACKET_start_sub_packet_u16(pkt)
76 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
77 || !WPACKET_close(pkt)) {
78 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
79 return EXT_RETURN_FAIL;
82 return EXT_RETURN_SENT;
85 #ifndef OPENSSL_NO_SRP
86 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
87 X509 *x, size_t chainidx)
89 /* Add SRP username if there is one */
90 if (s->srp_ctx.login == NULL)
91 return EXT_RETURN_NOT_SENT;
93 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
94 /* Sub-packet for SRP extension */
95 || !WPACKET_start_sub_packet_u16(pkt)
96 || !WPACKET_start_sub_packet_u8(pkt)
97 /* login must not be zero...internal error if so */
98 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
99 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
100 strlen(s->srp_ctx.login))
101 || !WPACKET_close(pkt)
102 || !WPACKET_close(pkt)) {
103 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
104 return EXT_RETURN_FAIL;
107 return EXT_RETURN_SENT;
111 static int use_ecc(SSL *s, int min_version, int max_version)
114 unsigned long alg_k, alg_a;
115 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
116 const uint16_t *pgroups = NULL;
117 size_t num_groups, j;
119 /* See if we support any ECC ciphersuites */
120 if (s->version == SSL3_VERSION)
123 cipher_stack = SSL_get1_supported_ciphers(s);
124 end = sk_SSL_CIPHER_num(cipher_stack);
125 for (i = 0; i < end; i++) {
126 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
128 alg_k = c->algorithm_mkey;
129 alg_a = c->algorithm_auth;
130 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
131 || (alg_a & SSL_aECDSA)
132 || c->min_tls >= TLS1_3_VERSION) {
137 sk_SSL_CIPHER_free(cipher_stack);
141 /* Check we have at least one EC supported group */
142 tls1_get_supported_groups(s, &pgroups, &num_groups);
143 for (j = 0; j < num_groups; j++) {
144 uint16_t ctmp = pgroups[j];
146 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
147 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
154 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
155 unsigned int context, X509 *x,
158 const unsigned char *pformats;
160 int reason, min_version, max_version;
162 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
165 return EXT_RETURN_FAIL;
167 if (!use_ecc(s, min_version, max_version))
168 return EXT_RETURN_NOT_SENT;
170 /* Add TLS extension ECPointFormats to the ClientHello message */
171 tls1_get_formatlist(s, &pformats, &num_formats);
173 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
174 /* Sub-packet for formats extension */
175 || !WPACKET_start_sub_packet_u16(pkt)
176 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
177 || !WPACKET_close(pkt)) {
178 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
179 return EXT_RETURN_FAIL;
182 return EXT_RETURN_SENT;
185 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
186 unsigned int context, X509 *x,
189 const uint16_t *pgroups = NULL;
190 size_t num_groups = 0, i, tls13added = 0, added = 0;
191 int min_version, max_version, reason;
193 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
196 return EXT_RETURN_FAIL;
200 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
201 * if we don't have EC support then we don't send this extension.
203 if (!use_ecc(s, min_version, max_version)
204 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
205 return EXT_RETURN_NOT_SENT;
208 * Add TLS extension supported_groups to the ClientHello message
210 tls1_get_supported_groups(s, &pgroups, &num_groups);
212 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
213 /* Sub-packet for supported_groups extension */
214 || !WPACKET_start_sub_packet_u16(pkt)
215 || !WPACKET_start_sub_packet_u16(pkt)
216 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
218 return EXT_RETURN_FAIL;
220 /* Copy group ID if supported */
221 for (i = 0; i < num_groups; i++) {
222 uint16_t ctmp = pgroups[i];
225 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
226 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
227 #ifndef OPENSSL_NO_TLS1_3
228 int ctmp13 = ssl_group_id_internal_to_tls13(ctmp);
230 if (ctmp13 != 0 && ctmp13 != ctmp
231 && max_version == TLS1_3_VERSION) {
232 if (!WPACKET_put_bytes_u16(pkt, ctmp13)) {
233 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
234 return EXT_RETURN_FAIL;
238 if (min_version == TLS1_3_VERSION)
242 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
244 return EXT_RETURN_FAIL;
246 if (okfortls13 && max_version == TLS1_3_VERSION)
251 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
253 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
254 "No groups enabled for max supported SSL/TLS version");
256 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
257 return EXT_RETURN_FAIL;
260 if (tls13added == 0 && max_version == TLS1_3_VERSION) {
261 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
262 "No groups enabled for max supported SSL/TLS version");
263 return EXT_RETURN_FAIL;
266 return EXT_RETURN_SENT;
269 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
270 unsigned int context, X509 *x,
275 if (!tls_use_ticket(s))
276 return EXT_RETURN_NOT_SENT;
278 if (!s->new_session && s->session != NULL
279 && s->session->ext.tick != NULL
280 && s->session->ssl_version != TLS1_3_VERSION) {
281 ticklen = s->session->ext.ticklen;
282 } else if (s->session && s->ext.session_ticket != NULL
283 && s->ext.session_ticket->data != NULL) {
284 ticklen = s->ext.session_ticket->length;
285 s->session->ext.tick = OPENSSL_malloc(ticklen);
286 if (s->session->ext.tick == NULL) {
287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
288 return EXT_RETURN_FAIL;
290 memcpy(s->session->ext.tick,
291 s->ext.session_ticket->data, ticklen);
292 s->session->ext.ticklen = ticklen;
297 if (ticklen == 0 && s->ext.session_ticket != NULL &&
298 s->ext.session_ticket->data == NULL)
299 return EXT_RETURN_NOT_SENT;
301 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
302 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
304 return EXT_RETURN_FAIL;
307 return EXT_RETURN_SENT;
310 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
311 unsigned int context, X509 *x,
315 const uint16_t *salg;
317 if (!SSL_CLIENT_USE_SIGALGS(s))
318 return EXT_RETURN_NOT_SENT;
320 salglen = tls12_get_psigalgs(s, 1, &salg);
321 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
322 /* Sub-packet for sig-algs extension */
323 || !WPACKET_start_sub_packet_u16(pkt)
324 /* Sub-packet for the actual list */
325 || !WPACKET_start_sub_packet_u16(pkt)
326 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
327 || !WPACKET_close(pkt)
328 || !WPACKET_close(pkt)) {
329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
330 return EXT_RETURN_FAIL;
333 return EXT_RETURN_SENT;
336 #ifndef OPENSSL_NO_OCSP
337 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
338 unsigned int context, X509 *x,
343 /* This extension isn't defined for client Certificates */
345 return EXT_RETURN_NOT_SENT;
347 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
348 return EXT_RETURN_NOT_SENT;
350 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
351 /* Sub-packet for status request extension */
352 || !WPACKET_start_sub_packet_u16(pkt)
353 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
354 /* Sub-packet for the ids */
355 || !WPACKET_start_sub_packet_u16(pkt)) {
356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
357 return EXT_RETURN_FAIL;
359 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
360 unsigned char *idbytes;
361 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
362 int idlen = i2d_OCSP_RESPID(id, NULL);
365 /* Sub-packet for an individual id */
366 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
367 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
369 return EXT_RETURN_FAIL;
372 if (!WPACKET_close(pkt)
373 || !WPACKET_start_sub_packet_u16(pkt)) {
374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
375 return EXT_RETURN_FAIL;
377 if (s->ext.ocsp.exts) {
378 unsigned char *extbytes;
379 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
383 return EXT_RETURN_FAIL;
385 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
386 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
389 return EXT_RETURN_FAIL;
392 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
393 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
394 return EXT_RETURN_FAIL;
397 return EXT_RETURN_SENT;
401 #ifndef OPENSSL_NO_NEXTPROTONEG
402 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
403 X509 *x, size_t chainidx)
405 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
406 return EXT_RETURN_NOT_SENT;
409 * The client advertises an empty extension to indicate its support
410 * for Next Protocol Negotiation
412 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
413 || !WPACKET_put_bytes_u16(pkt, 0)) {
414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
415 return EXT_RETURN_FAIL;
418 return EXT_RETURN_SENT;
422 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
423 X509 *x, size_t chainidx)
427 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
428 return EXT_RETURN_NOT_SENT;
430 if (!WPACKET_put_bytes_u16(pkt,
431 TLSEXT_TYPE_application_layer_protocol_negotiation)
432 /* Sub-packet ALPN extension */
433 || !WPACKET_start_sub_packet_u16(pkt)
434 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
435 || !WPACKET_close(pkt)) {
436 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
437 return EXT_RETURN_FAIL;
441 return EXT_RETURN_SENT;
445 #ifndef OPENSSL_NO_SRTP
446 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
447 unsigned int context, X509 *x,
450 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
454 return EXT_RETURN_NOT_SENT;
456 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
457 /* Sub-packet for SRTP extension */
458 || !WPACKET_start_sub_packet_u16(pkt)
459 /* Sub-packet for the protection profile list */
460 || !WPACKET_start_sub_packet_u16(pkt)) {
461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
462 return EXT_RETURN_FAIL;
465 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
466 for (i = 0; i < end; i++) {
467 const SRTP_PROTECTION_PROFILE *prof =
468 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
470 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
471 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
472 return EXT_RETURN_FAIL;
475 if (!WPACKET_close(pkt)
476 /* Add an empty use_mki value */
477 || !WPACKET_put_bytes_u8(pkt, 0)
478 || !WPACKET_close(pkt)) {
479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return EXT_RETURN_FAIL;
483 return EXT_RETURN_SENT;
487 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
488 X509 *x, size_t chainidx)
490 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
491 return EXT_RETURN_NOT_SENT;
493 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
494 || !WPACKET_put_bytes_u16(pkt, 0)) {
495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
496 return EXT_RETURN_FAIL;
499 return EXT_RETURN_SENT;
502 #ifndef OPENSSL_NO_CT
503 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
504 X509 *x, size_t chainidx)
506 if (s->ct_validation_callback == NULL)
507 return EXT_RETURN_NOT_SENT;
509 /* Not defined for client Certificates */
511 return EXT_RETURN_NOT_SENT;
513 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
514 || !WPACKET_put_bytes_u16(pkt, 0)) {
515 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
516 return EXT_RETURN_FAIL;
519 return EXT_RETURN_SENT;
523 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
524 X509 *x, size_t chainidx)
526 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
527 return EXT_RETURN_NOT_SENT;
529 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
530 || !WPACKET_put_bytes_u16(pkt, 0)) {
531 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
532 return EXT_RETURN_FAIL;
535 return EXT_RETURN_SENT;
538 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
539 unsigned int context, X509 *x,
542 int currv, min_version, max_version, reason;
544 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
546 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
547 return EXT_RETURN_FAIL;
551 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
552 * comparison here because we will never be called in DTLS.
554 if (max_version < TLS1_3_VERSION)
555 return EXT_RETURN_NOT_SENT;
557 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
558 || !WPACKET_start_sub_packet_u16(pkt)
559 || !WPACKET_start_sub_packet_u8(pkt)) {
560 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
561 return EXT_RETURN_FAIL;
564 for (currv = max_version; currv >= min_version; currv--) {
565 if (!WPACKET_put_bytes_u16(pkt, currv)) {
566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
567 return EXT_RETURN_FAIL;
570 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
571 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
572 return EXT_RETURN_FAIL;
575 return EXT_RETURN_SENT;
579 * Construct a psk_kex_modes extension.
581 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
582 unsigned int context, X509 *x,
585 #ifndef OPENSSL_NO_TLS1_3
586 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
588 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
589 || !WPACKET_start_sub_packet_u16(pkt)
590 || !WPACKET_start_sub_packet_u8(pkt)
591 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
592 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
593 || !WPACKET_close(pkt)
594 || !WPACKET_close(pkt)) {
595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
596 return EXT_RETURN_FAIL;
599 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
601 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
604 return EXT_RETURN_SENT;
607 #ifndef OPENSSL_NO_TLS1_3
608 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
610 unsigned char *encoded_point = NULL;
611 EVP_PKEY *key_share_key = NULL;
614 if (s->s3.tmp.pkey != NULL) {
615 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
620 * Could happen if we got an HRR that wasn't requesting a new key_share
622 key_share_key = s->s3.tmp.pkey;
624 key_share_key = ssl_generate_pkey_group(s, curve_id);
625 if (key_share_key == NULL) {
626 /* SSLfatal() already called */
631 /* Encode the public key. */
632 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
634 if (encodedlen == 0) {
635 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
639 /* Create KeyShareEntry */
640 if (!WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(curve_id))
641 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
642 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
647 * When changing to send more than one key_share we're
648 * going to need to be able to save more than one EVP_PKEY. For now
649 * we reuse the existing tmp.pkey
651 s->s3.tmp.pkey = key_share_key;
652 s->s3.group_id = curve_id;
653 OPENSSL_free(encoded_point);
657 if (s->s3.tmp.pkey == NULL)
658 EVP_PKEY_free(key_share_key);
659 OPENSSL_free(encoded_point);
664 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
665 unsigned int context, X509 *x,
668 #ifndef OPENSSL_NO_TLS1_3
669 size_t i, num_groups = 0;
670 const uint16_t *pgroups = NULL;
671 uint16_t curve_id = 0;
673 /* key_share extension */
674 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
675 /* Extension data sub-packet */
676 || !WPACKET_start_sub_packet_u16(pkt)
677 /* KeyShare list sub-packet */
678 || !WPACKET_start_sub_packet_u16(pkt)) {
679 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
680 return EXT_RETURN_FAIL;
683 tls1_get_supported_groups(s, &pgroups, &num_groups);
686 * Make the number of key_shares sent configurable. For
687 * now, we just send one
689 if (s->s3.group_id != 0) {
690 curve_id = s->s3.group_id;
692 for (i = 0; i < num_groups; i++) {
693 if (ssl_group_id_internal_to_tls13(pgroups[i]) == 0)
696 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
699 curve_id = pgroups[i];
705 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
706 return EXT_RETURN_FAIL;
709 if (!add_key_share(s, pkt, curve_id)) {
710 /* SSLfatal() already called */
711 return EXT_RETURN_FAIL;
714 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
715 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
716 return EXT_RETURN_FAIL;
718 return EXT_RETURN_SENT;
720 return EXT_RETURN_NOT_SENT;
724 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
725 X509 *x, size_t chainidx)
727 EXT_RETURN ret = EXT_RETURN_FAIL;
729 /* Should only be set if we've had an HRR */
730 if (s->ext.tls13_cookie_len == 0)
731 return EXT_RETURN_NOT_SENT;
733 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
734 /* Extension data sub-packet */
735 || !WPACKET_start_sub_packet_u16(pkt)
736 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
737 s->ext.tls13_cookie_len)
738 || !WPACKET_close(pkt)) {
739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
743 ret = EXT_RETURN_SENT;
745 OPENSSL_free(s->ext.tls13_cookie);
746 s->ext.tls13_cookie = NULL;
747 s->ext.tls13_cookie_len = 0;
752 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
753 unsigned int context, X509 *x,
756 #ifndef OPENSSL_NO_PSK
757 char identity[PSK_MAX_IDENTITY_LEN + 1];
758 #endif /* OPENSSL_NO_PSK */
759 const unsigned char *id = NULL;
761 SSL_SESSION *psksess = NULL;
762 SSL_SESSION *edsess = NULL;
763 const EVP_MD *handmd = NULL;
765 if (s->hello_retry_request == SSL_HRR_PENDING)
766 handmd = ssl_handshake_md(s);
768 if (s->psk_use_session_cb != NULL
769 && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
771 && psksess->ssl_version != TLS1_3_VERSION))) {
772 SSL_SESSION_free(psksess);
773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
774 return EXT_RETURN_FAIL;
777 #ifndef OPENSSL_NO_PSK
778 if (psksess == NULL && s->psk_client_callback != NULL) {
779 unsigned char psk[PSK_MAX_PSK_LEN];
782 memset(identity, 0, sizeof(identity));
783 psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
786 if (psklen > PSK_MAX_PSK_LEN) {
787 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
788 return EXT_RETURN_FAIL;
789 } else if (psklen > 0) {
790 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
791 const SSL_CIPHER *cipher;
793 idlen = strlen(identity);
794 if (idlen > PSK_MAX_IDENTITY_LEN) {
795 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
796 return EXT_RETURN_FAIL;
798 id = (unsigned char *)identity;
801 * We found a PSK using an old style callback. We don't know
802 * the digest so we default to SHA256 as per the TLSv1.3 spec
804 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
805 if (cipher == NULL) {
806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
807 return EXT_RETURN_FAIL;
810 psksess = SSL_SESSION_new();
812 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
813 || !SSL_SESSION_set_cipher(psksess, cipher)
814 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
815 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
816 OPENSSL_cleanse(psk, psklen);
817 return EXT_RETURN_FAIL;
819 OPENSSL_cleanse(psk, psklen);
822 #endif /* OPENSSL_NO_PSK */
824 SSL_SESSION_free(s->psksession);
825 s->psksession = psksess;
826 if (psksess != NULL) {
827 OPENSSL_free(s->psksession_id);
828 s->psksession_id = OPENSSL_memdup(id, idlen);
829 if (s->psksession_id == NULL) {
830 s->psksession_id_len = 0;
831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
832 return EXT_RETURN_FAIL;
834 s->psksession_id_len = idlen;
837 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
838 || (s->session->ext.max_early_data == 0
839 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
840 s->max_early_data = 0;
841 return EXT_RETURN_NOT_SENT;
843 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
844 s->max_early_data = edsess->ext.max_early_data;
846 if (edsess->ext.hostname != NULL) {
847 if (s->ext.hostname == NULL
848 || (s->ext.hostname != NULL
849 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
850 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
851 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
852 return EXT_RETURN_FAIL;
856 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
857 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
858 return EXT_RETURN_FAIL;
862 * Verify that we are offering an ALPN protocol consistent with the early
865 if (edsess->ext.alpn_selected != NULL) {
866 PACKET prots, alpnpkt;
869 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
871 return EXT_RETURN_FAIL;
873 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
874 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
875 edsess->ext.alpn_selected_len)) {
881 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
882 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
883 return EXT_RETURN_FAIL;
887 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
888 || !WPACKET_start_sub_packet_u16(pkt)
889 || !WPACKET_close(pkt)) {
890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
891 return EXT_RETURN_FAIL;
895 * We set this to rejected here. Later, if the server acknowledges the
896 * extension, we set it to accepted.
898 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
899 s->ext.early_data_ok = 1;
901 return EXT_RETURN_SENT;
904 #define F5_WORKAROUND_MIN_MSG_LEN 0xff
905 #define F5_WORKAROUND_MAX_MSG_LEN 0x200
908 * PSK pre binder overhead =
909 * 2 bytes for TLSEXT_TYPE_psk
910 * 2 bytes for extension length
911 * 2 bytes for identities list length
912 * 2 bytes for identity length
913 * 4 bytes for obfuscated_ticket_age
914 * 2 bytes for binder list length
915 * 1 byte for binder length
916 * The above excludes the number of bytes for the identity itself and the
917 * subsequent binder bytes
919 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
921 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
922 unsigned int context, X509 *x,
925 unsigned char *padbytes;
928 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
929 return EXT_RETURN_NOT_SENT;
932 * Add padding to workaround bugs in F5 terminators. See RFC7685.
933 * This code calculates the length of all extensions added so far but
934 * excludes the PSK extension (because that MUST be written last). Therefore
935 * this extension MUST always appear second to last.
937 if (!WPACKET_get_total_written(pkt, &hlen)) {
938 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
939 return EXT_RETURN_FAIL;
943 * If we're going to send a PSK then that will be written out after this
944 * extension, so we need to calculate how long it is going to be.
946 if (s->session->ssl_version == TLS1_3_VERSION
947 && s->session->ext.ticklen != 0
948 && s->session->cipher != NULL) {
949 const EVP_MD *md = ssl_md(s->ctx, s->session->cipher->algorithm2);
953 * Add the fixed PSK overhead, the identity length and the binder
956 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
957 + EVP_MD_get_size(md);
961 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
962 /* Calculate the amount of padding we need to add */
963 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
966 * Take off the size of extension header itself (2 bytes for type and
967 * 2 bytes for length bytes), but ensure that the extension is at least
968 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
969 * 8.x are intolerant of that condition)
976 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
977 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
978 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
979 return EXT_RETURN_FAIL;
981 memset(padbytes, 0, hlen);
984 return EXT_RETURN_SENT;
988 * Construct the pre_shared_key extension
990 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
991 X509 *x, size_t chainidx)
993 #ifndef OPENSSL_NO_TLS1_3
994 uint32_t now, agesec, agems = 0;
995 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
996 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
997 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
1000 s->ext.tick_identity = 0;
1003 * Note: At this stage of the code we only support adding a single
1004 * resumption PSK. If we add support for multiple PSKs then the length
1005 * calculations in the padding extension will need to be adjusted.
1009 * If this is an incompatible or new session then we have nothing to resume
1010 * so don't add this extension.
1012 if (s->session->ssl_version != TLS1_3_VERSION
1013 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
1014 return EXT_RETURN_NOT_SENT;
1016 if (s->hello_retry_request == SSL_HRR_PENDING)
1017 handmd = ssl_handshake_md(s);
1019 if (s->session->ext.ticklen != 0) {
1020 /* Get the digest associated with the ciphersuite in the session */
1021 if (s->session->cipher == NULL) {
1022 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1023 return EXT_RETURN_FAIL;
1025 mdres = ssl_md(s->ctx, s->session->cipher->algorithm2);
1026 if (mdres == NULL) {
1028 * Don't recognize this cipher so we can't use the session.
1034 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
1036 * Selected ciphersuite hash does not match the hash for the session
1037 * so we can't use it.
1043 * Technically the C standard just says time() returns a time_t and says
1044 * nothing about the encoding of that type. In practice most
1045 * implementations follow POSIX which holds it as an integral type in
1046 * seconds since epoch. We've already made the assumption that we can do
1047 * this in multiple places in the code, so portability shouldn't be an
1050 now = (uint32_t)time(NULL);
1051 agesec = now - (uint32_t)s->session->time;
1053 * We calculate the age in seconds but the server may work in ms. Due to
1054 * rounding errors we could overestimate the age by up to 1s. It is
1055 * better to underestimate it. Otherwise, if the RTT is very short, when
1056 * the server calculates the age reported by the client it could be
1057 * bigger than the age calculated on the server - which should never
1063 if (s->session->ext.tick_lifetime_hint < agesec) {
1064 /* Ticket is too old. Ignore it. */
1069 * Calculate age in ms. We're just doing it to nearest second. Should be
1072 agems = agesec * (uint32_t)1000;
1074 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1076 * Overflow. Shouldn't happen unless this is a *really* old session.
1077 * If so we just ignore it.
1083 * Obfuscate the age. Overflow here is fine, this addition is supposed
1086 agems += s->session->ext.tick_age_add;
1088 reshashsize = EVP_MD_get_size(mdres);
1089 s->ext.tick_identity++;
1094 if (!dores && s->psksession == NULL)
1095 return EXT_RETURN_NOT_SENT;
1097 if (s->psksession != NULL) {
1098 mdpsk = ssl_md(s->ctx, s->psksession->cipher->algorithm2);
1099 if (mdpsk == NULL) {
1101 * Don't recognize this cipher so we can't use the session.
1102 * If this happens it's an application bug.
1104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1105 return EXT_RETURN_FAIL;
1108 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
1110 * Selected ciphersuite hash does not match the hash for the PSK
1111 * session. This is an application bug.
1113 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1114 return EXT_RETURN_FAIL;
1117 pskhashsize = EVP_MD_get_size(mdpsk);
1120 /* Create the extension, but skip over the binder for now */
1121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1122 || !WPACKET_start_sub_packet_u16(pkt)
1123 || !WPACKET_start_sub_packet_u16(pkt)) {
1124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1125 return EXT_RETURN_FAIL;
1129 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1130 s->session->ext.ticklen)
1131 || !WPACKET_put_bytes_u32(pkt, agems)) {
1132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1133 return EXT_RETURN_FAIL;
1137 if (s->psksession != NULL) {
1138 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1139 s->psksession_id_len)
1140 || !WPACKET_put_bytes_u32(pkt, 0)) {
1141 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1142 return EXT_RETURN_FAIL;
1144 s->ext.tick_identity++;
1147 if (!WPACKET_close(pkt)
1148 || !WPACKET_get_total_written(pkt, &binderoffset)
1149 || !WPACKET_start_sub_packet_u16(pkt)
1151 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
1152 || (s->psksession != NULL
1153 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
1154 || !WPACKET_close(pkt)
1155 || !WPACKET_close(pkt)
1156 || !WPACKET_get_total_written(pkt, &msglen)
1158 * We need to fill in all the sub-packet lengths now so we can
1159 * calculate the HMAC of the message up to the binders
1161 || !WPACKET_fill_lengths(pkt)) {
1162 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1163 return EXT_RETURN_FAIL;
1166 msgstart = WPACKET_get_curr(pkt) - msglen;
1169 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1170 resbinder, s->session, 1, 0) != 1) {
1171 /* SSLfatal() already called */
1172 return EXT_RETURN_FAIL;
1175 if (s->psksession != NULL
1176 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1177 pskbinder, s->psksession, 1, 1) != 1) {
1178 /* SSLfatal() already called */
1179 return EXT_RETURN_FAIL;
1182 return EXT_RETURN_SENT;
1184 return EXT_RETURN_NOT_SENT;
1188 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
1189 ossl_unused unsigned int context,
1190 ossl_unused X509 *x,
1191 ossl_unused size_t chainidx)
1193 #ifndef OPENSSL_NO_TLS1_3
1194 if (!s->pha_enabled)
1195 return EXT_RETURN_NOT_SENT;
1197 /* construct extension - 0 length, no contents */
1198 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1199 || !WPACKET_start_sub_packet_u16(pkt)
1200 || !WPACKET_close(pkt)) {
1201 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1202 return EXT_RETURN_FAIL;
1205 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1207 return EXT_RETURN_SENT;
1209 return EXT_RETURN_NOT_SENT;
1215 * Parse the server's renegotiation binding and abort if it's not right
1217 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
1218 X509 *x, size_t chainidx)
1220 size_t expected_len = s->s3.previous_client_finished_len
1221 + s->s3.previous_server_finished_len;
1223 const unsigned char *data;
1225 /* Check for logic errors */
1226 if (!ossl_assert(expected_len == 0
1227 || s->s3.previous_client_finished_len != 0)
1228 || !ossl_assert(expected_len == 0
1229 || s->s3.previous_server_finished_len != 0)) {
1230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1234 /* Parse the length byte */
1235 if (!PACKET_get_1_len(pkt, &ilen)) {
1236 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1240 /* Consistency check */
1241 if (PACKET_remaining(pkt) != ilen) {
1242 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1246 /* Check that the extension matches */
1247 if (ilen != expected_len) {
1248 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1252 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1253 || memcmp(data, s->s3.previous_client_finished,
1254 s->s3.previous_client_finished_len) != 0) {
1255 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1259 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1260 || memcmp(data, s->s3.previous_server_finished,
1261 s->s3.previous_server_finished_len) != 0) {
1262 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1265 s->s3.send_connection_binding = 1;
1270 /* Parse the server's max fragment len extension packet */
1271 int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
1272 X509 *x, size_t chainidx)
1276 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
1277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1281 /* |value| should contains a valid max-fragment-length code. */
1282 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
1283 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1284 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1288 /* Must be the same value as client-configured one who was sent to server */
1290 * RFC 6066: if a client receives a maximum fragment length negotiation
1291 * response that differs from the length it requested, ...
1292 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1294 if (value != s->ext.max_fragment_len_mode) {
1295 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1296 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1301 * Maximum Fragment Length Negotiation succeeded.
1302 * The negotiated Maximum Fragment Length is binding now.
1304 s->session->ext.max_fragment_len_mode = value;
1309 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
1310 X509 *x, size_t chainidx)
1312 if (s->ext.hostname == NULL) {
1313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1317 if (PACKET_remaining(pkt) > 0) {
1318 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1323 if (s->session->ext.hostname != NULL) {
1324 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1327 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1328 if (s->session->ext.hostname == NULL) {
1329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1337 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
1338 X509 *x, size_t chainidx)
1340 size_t ecpointformats_len;
1341 PACKET ecptformatlist;
1343 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
1344 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1348 ecpointformats_len = PACKET_remaining(&ecptformatlist);
1349 if (ecpointformats_len == 0) {
1350 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1354 s->ext.peer_ecpointformats_len = 0;
1355 OPENSSL_free(s->ext.peer_ecpointformats);
1356 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1357 if (s->ext.peer_ecpointformats == NULL) {
1358 s->ext.peer_ecpointformats_len = 0;
1359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1363 s->ext.peer_ecpointformats_len = ecpointformats_len;
1365 if (!PACKET_copy_bytes(&ecptformatlist,
1366 s->ext.peer_ecpointformats,
1367 ecpointformats_len)) {
1368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1376 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
1377 X509 *x, size_t chainidx)
1379 if (s->ext.session_ticket_cb != NULL &&
1380 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
1381 PACKET_remaining(pkt),
1382 s->ext.session_ticket_cb_arg)) {
1383 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1387 if (!tls_use_ticket(s)) {
1388 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1391 if (PACKET_remaining(pkt) > 0) {
1392 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1396 s->ext.ticket_expected = 1;
1401 #ifndef OPENSSL_NO_OCSP
1402 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
1403 X509 *x, size_t chainidx)
1405 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1406 /* We ignore this if the server sends a CertificateRequest */
1411 * MUST only be sent if we've requested a status
1412 * request message. In TLS <= 1.2 it must also be empty.
1414 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1415 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1418 if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
1419 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1423 if (SSL_IS_TLS13(s)) {
1424 /* We only know how to handle this if it's for the first Certificate in
1425 * the chain. We ignore any other responses.
1430 /* SSLfatal() already called */
1431 return tls_process_cert_status_body(s, pkt);
1434 /* Set flag to expect CertificateStatus message */
1435 s->ext.status_expected = 1;
1442 #ifndef OPENSSL_NO_CT
1443 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1446 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1447 /* We ignore this if the server sends it in a CertificateRequest */
1452 * Only take it if we asked for it - i.e if there is no CT validation
1453 * callback set, then a custom extension MAY be processing it, so we
1454 * need to let control continue to flow to that.
1456 if (s->ct_validation_callback != NULL) {
1457 size_t size = PACKET_remaining(pkt);
1459 /* Simply copy it off for later processing */
1460 OPENSSL_free(s->ext.scts);
1463 s->ext.scts_len = (uint16_t)size;
1465 s->ext.scts = OPENSSL_malloc(size);
1466 if (s->ext.scts == NULL) {
1467 s->ext.scts_len = 0;
1468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1471 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1472 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1477 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1478 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1481 * If we didn't ask for it then there must be a custom extension,
1482 * otherwise this is unsolicited.
1484 if (custom_ext_find(&s->cert->custext, role,
1485 TLSEXT_TYPE_signed_certificate_timestamp,
1487 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1491 if (!custom_ext_parse(s, context,
1492 TLSEXT_TYPE_signed_certificate_timestamp,
1493 PACKET_data(pkt), PACKET_remaining(pkt),
1495 /* SSLfatal already called */
1505 #ifndef OPENSSL_NO_NEXTPROTONEG
1507 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1508 * elements of zero length are allowed and the set of elements must exactly
1509 * fill the length of the block. Returns 1 on success or 0 on failure.
1511 static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
1513 PACKET tmp_protocol;
1515 while (PACKET_remaining(pkt)) {
1516 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1517 || PACKET_remaining(&tmp_protocol) == 0) {
1518 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1526 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1529 unsigned char *selected;
1530 unsigned char selected_len;
1533 /* Check if we are in a renegotiation. If so ignore this extension */
1534 if (!SSL_IS_FIRST_HANDSHAKE(s))
1537 /* We must have requested it. */
1538 if (s->ctx->ext.npn_select_cb == NULL) {
1539 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1543 /* The data must be valid */
1545 if (!ssl_next_proto_validate(s, &tmppkt)) {
1546 /* SSLfatal() already called */
1549 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
1551 PACKET_remaining(pkt),
1552 s->ctx->ext.npn_select_cb_arg) !=
1553 SSL_TLSEXT_ERR_OK) {
1554 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1559 * Could be non-NULL if server has sent multiple NPN extensions in
1560 * a single Serverhello
1562 OPENSSL_free(s->ext.npn);
1563 s->ext.npn = OPENSSL_malloc(selected_len);
1564 if (s->ext.npn == NULL) {
1566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1570 memcpy(s->ext.npn, selected, selected_len);
1571 s->ext.npn_len = selected_len;
1578 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1583 /* We must have requested it. */
1584 if (!s->s3.alpn_sent) {
1585 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1589 * The extension data consists of:
1590 * uint16 list_length
1591 * uint8 proto_length;
1592 * uint8 proto[proto_length];
1594 if (!PACKET_get_net_2_len(pkt, &len)
1595 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1596 || PACKET_remaining(pkt) != len) {
1597 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1600 OPENSSL_free(s->s3.alpn_selected);
1601 s->s3.alpn_selected = OPENSSL_malloc(len);
1602 if (s->s3.alpn_selected == NULL) {
1603 s->s3.alpn_selected_len = 0;
1604 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1607 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
1608 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1611 s->s3.alpn_selected_len = len;
1613 if (s->session->ext.alpn_selected == NULL
1614 || s->session->ext.alpn_selected_len != len
1615 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
1617 /* ALPN not consistent with the old session so cannot use early_data */
1618 s->ext.early_data_ok = 0;
1622 * This is a new session and so alpn_selected should have been
1623 * initialised to NULL. We should update it with the selected ALPN.
1625 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1626 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1629 s->session->ext.alpn_selected =
1630 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
1631 if (s->session->ext.alpn_selected == NULL) {
1632 s->session->ext.alpn_selected_len = 0;
1633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1636 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
1642 #ifndef OPENSSL_NO_SRTP
1643 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1646 unsigned int id, ct, mki;
1648 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1649 SRTP_PROTECTION_PROFILE *prof;
1651 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1652 || !PACKET_get_net_2(pkt, &id)
1653 || !PACKET_get_1(pkt, &mki)
1654 || PACKET_remaining(pkt) != 0) {
1655 SSLfatal(s, SSL_AD_DECODE_ERROR,
1656 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1661 /* Must be no MKI, since we never offer one */
1662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
1666 /* Throw an error if the server gave us an unsolicited extension */
1667 clnt = SSL_get_srtp_profiles(s);
1669 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
1674 * Check to see if the server gave us something we support (and
1675 * presumably offered)
1677 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1678 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1680 if (prof->id == id) {
1681 s->srtp_profile = prof;
1686 SSLfatal(s, SSL_AD_DECODE_ERROR,
1687 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1692 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1695 /* Ignore if inappropriate ciphersuite */
1696 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1697 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
1698 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1699 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1700 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1701 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1702 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
1708 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1711 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1713 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1715 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1720 int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1721 X509 *x, size_t chainidx)
1723 unsigned int version;
1725 if (!PACKET_get_net_2(pkt, &version)
1726 || PACKET_remaining(pkt) != 0) {
1727 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1732 * The only protocol version we support which is valid in this extension in
1733 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1735 if (version != TLS1_3_VERSION) {
1736 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1737 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1741 /* We ignore this extension for HRRs except to sanity check it */
1742 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
1745 /* We just set it here. We validate it in ssl_choose_client_version */
1746 s->version = version;
1751 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1754 #ifndef OPENSSL_NO_TLS1_3
1755 unsigned int group_id;
1757 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
1758 const TLS_GROUP_INFO *ginf = NULL;
1761 if (ckey == NULL || s->s3.peer_tmp != NULL) {
1762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1766 if (!PACKET_get_net_2(pkt, &group_id)) {
1767 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1771 group_id = ssl_group_id_tls13_to_internal(group_id);
1772 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1773 const uint16_t *pgroups = NULL;
1774 size_t i, num_groups;
1776 if (PACKET_remaining(pkt) != 0) {
1777 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1782 * It is an error if the HelloRetryRequest wants a key_share that we
1783 * already sent in the first ClientHello
1785 if (group_id == s->s3.group_id) {
1786 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1790 /* Validate the selected group is one we support */
1791 tls1_get_supported_groups(s, &pgroups, &num_groups);
1792 for (i = 0; i < num_groups; i++) {
1793 if (group_id == pgroups[i])
1797 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
1798 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1802 s->s3.group_id = group_id;
1803 EVP_PKEY_free(s->s3.tmp.pkey);
1804 s->s3.tmp.pkey = NULL;
1808 if (group_id != s->s3.group_id) {
1810 * This isn't for the group that we sent in the original
1813 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1816 /* Retain this group in the SSL_SESSION */
1818 s->session->kex_group = group_id;
1819 } else if (group_id != s->session->kex_group) {
1821 * If this is a resumption but changed what group was used, we need
1822 * to record the new group in the session, but the session is not
1823 * a new session and could be in use by other threads. So, make
1824 * a copy of the session to record the new information so that it's
1825 * useful for any sessions resumed from tickets issued on this
1828 SSL_SESSION *new_sess;
1830 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
1831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1834 SSL_SESSION_free(s->session);
1835 s->session = new_sess;
1836 s->session->kex_group = group_id;
1839 if ((ginf = tls1_group_id_lookup(s->ctx, group_id)) == NULL) {
1840 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1844 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1845 || PACKET_remaining(&encoded_pt) == 0) {
1846 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1850 if (!ginf->is_kem) {
1852 skey = EVP_PKEY_new();
1853 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
1854 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
1855 EVP_PKEY_free(skey);
1859 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
1860 PACKET_remaining(&encoded_pt)) <= 0) {
1861 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
1862 EVP_PKEY_free(skey);
1866 if (ssl_derive(s, ckey, skey, 1) == 0) {
1867 /* SSLfatal() already called */
1868 EVP_PKEY_free(skey);
1871 s->s3.peer_tmp = skey;
1874 const unsigned char *ct = PACKET_data(&encoded_pt);
1875 size_t ctlen = PACKET_remaining(&encoded_pt);
1877 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1878 /* SSLfatal() already called */
1888 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1893 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1894 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1895 &s->ext.tls13_cookie_len)) {
1896 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1903 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
1904 X509 *x, size_t chainidx)
1906 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1907 unsigned long max_early_data;
1909 if (!PACKET_get_net_4(pkt, &max_early_data)
1910 || PACKET_remaining(pkt) != 0) {
1911 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
1915 s->session->ext.max_early_data = max_early_data;
1920 if (PACKET_remaining(pkt) != 0) {
1921 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1925 if (!s->ext.early_data_ok
1928 * If we get here then we didn't send early data, or we didn't resume
1929 * using the first identity, or the SNI/ALPN is not consistent so the
1930 * server should not be accepting it.
1932 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
1936 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1941 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1944 #ifndef OPENSSL_NO_TLS1_3
1945 unsigned int identity;
1947 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
1948 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1952 if (identity >= (unsigned int)s->ext.tick_identity) {
1953 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
1958 * Session resumption tickets are always sent before PSK tickets. If the
1959 * ticket index is 0 then it must be for a session resumption ticket if we
1960 * sent two tickets, or if we didn't send a PSK ticket.
1962 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
1964 SSL_SESSION_free(s->psksession);
1965 s->psksession = NULL;
1969 if (s->psksession == NULL) {
1970 /* Should never happen */
1971 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1976 * If we used the external PSK for sending early_data then s->early_secret
1977 * is already set up, so don't overwrite it. Otherwise we copy the
1978 * early_secret across that we generated earlier.
1980 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
1981 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
1982 || s->session->ext.max_early_data > 0
1983 || s->psksession->ext.max_early_data == 0)
1984 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
1986 SSL_SESSION_free(s->session);
1987 s->session = s->psksession;
1988 s->psksession = NULL;
1990 /* Early data is only allowed if we used the first ticket */
1992 s->ext.early_data_ok = 0;