2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/ocsp.h>
12 #include "../ssl_locl.h"
13 #include "statem_locl.h"
15 int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
16 X509 *x, size_t chainidx, int *al)
18 /* Add RI if renegotiating */
22 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
23 || !WPACKET_start_sub_packet_u16(pkt)
24 || !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
25 s->s3->previous_client_finished_len)
26 || !WPACKET_close(pkt)) {
27 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
34 int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context,
35 X509 *x, size_t chainidx, int *al)
37 if (s->ext.hostname == NULL)
40 /* Add TLS extension servername to the Client Hello message */
41 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
42 /* Sub-packet for server_name extension */
43 || !WPACKET_start_sub_packet_u16(pkt)
44 /* Sub-packet for servername list (always 1 hostname)*/
45 || !WPACKET_start_sub_packet_u16(pkt)
46 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
47 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
48 strlen(s->ext.hostname))
49 || !WPACKET_close(pkt)
50 || !WPACKET_close(pkt)) {
51 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
58 #ifndef OPENSSL_NO_SRP
59 int tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
60 size_t chainidx, int *al)
62 /* Add SRP username if there is one */
63 if (s->srp_ctx.login == NULL)
66 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
67 /* Sub-packet for SRP extension */
68 || !WPACKET_start_sub_packet_u16(pkt)
69 || !WPACKET_start_sub_packet_u8(pkt)
70 /* login must not be zero...internal error if so */
71 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
72 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
73 strlen(s->srp_ctx.login))
74 || !WPACKET_close(pkt)
75 || !WPACKET_close(pkt)) {
76 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SRP, ERR_R_INTERNAL_ERROR);
85 static int use_ecc(SSL *s)
88 unsigned long alg_k, alg_a;
89 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
91 /* See if we support any ECC ciphersuites */
92 if (s->version == SSL3_VERSION)
95 cipher_stack = SSL_get_ciphers(s);
96 end = sk_SSL_CIPHER_num(cipher_stack);
97 for (i = 0; i < end; i++) {
98 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
100 alg_k = c->algorithm_mkey;
101 alg_a = c->algorithm_auth;
102 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
103 || (alg_a & SSL_aECDSA)
104 || c->min_tls >= TLS1_3_VERSION)
111 int tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, unsigned int context,
112 X509 *x, size_t chainidx, int *al)
114 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
115 || s->session->ext.max_early_data == 0) {
116 s->max_early_data = 0;
119 s->max_early_data = s->session->ext.max_early_data;
121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
122 || !WPACKET_start_sub_packet_u16(pkt)
123 || !WPACKET_close(pkt)) {
124 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR);
131 int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
132 X509 *x, size_t chainidx, int *al)
134 const unsigned char *pformats;
140 /* Add TLS extension ECPointFormats to the ClientHello message */
141 tls1_get_formatlist(s, &pformats, &num_formats);
143 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
144 /* Sub-packet for formats extension */
145 || !WPACKET_start_sub_packet_u16(pkt)
146 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
147 || !WPACKET_close(pkt)) {
148 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
155 int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
156 unsigned int context, X509 *x,
157 size_t chainidx, int *al)
159 const unsigned char *pcurves = NULL, *pcurvestmp;
160 size_t num_curves = 0, i;
166 * Add TLS extension supported_groups to the ClientHello message
168 /* TODO(TLS1.3): Add support for DHE groups */
169 pcurves = s->ext.supportedgroups;
170 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
171 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
172 ERR_R_INTERNAL_ERROR);
175 pcurvestmp = pcurves;
177 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
178 /* Sub-packet for supported_groups extension */
179 || !WPACKET_start_sub_packet_u16(pkt)
180 || !WPACKET_start_sub_packet_u16(pkt)) {
181 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
182 ERR_R_INTERNAL_ERROR);
185 /* Copy curve ID if supported */
186 for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
187 if (tls_curve_allowed(s, pcurvestmp, SSL_SECOP_CURVE_SUPPORTED)) {
188 if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
189 || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
190 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
191 ERR_R_INTERNAL_ERROR);
196 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
197 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
198 ERR_R_INTERNAL_ERROR);
206 int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
207 unsigned int context, X509 *x,
208 size_t chainidx, int *al)
212 if (!tls_use_ticket(s))
215 if (!s->new_session && s->session != NULL
216 && s->session->ext.tick != NULL
217 && s->session->ssl_version != TLS1_3_VERSION) {
218 ticklen = s->session->ext.ticklen;
219 } else if (s->session && s->ext.session_ticket != NULL
220 && s->ext.session_ticket->data != NULL) {
221 ticklen = s->ext.session_ticket->length;
222 s->session->ext.tick = OPENSSL_malloc(ticklen);
223 if (s->session->ext.tick == NULL) {
224 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
225 ERR_R_INTERNAL_ERROR);
228 memcpy(s->session->ext.tick,
229 s->ext.session_ticket->data, ticklen);
230 s->session->ext.ticklen = ticklen;
235 if (ticklen == 0 && s->ext.session_ticket != NULL &&
236 s->ext.session_ticket->data == NULL)
239 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
240 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
241 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
248 int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, unsigned int context,
249 X509 *x, size_t chainidx, int *al)
252 const uint16_t *salg;
254 if (!SSL_CLIENT_USE_SIGALGS(s))
257 salglen = tls12_get_psigalgs(s, 1, &salg);
258 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
259 /* Sub-packet for sig-algs extension */
260 || !WPACKET_start_sub_packet_u16(pkt)
261 /* Sub-packet for the actual list */
262 || !WPACKET_start_sub_packet_u16(pkt)
263 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
264 || !WPACKET_close(pkt)
265 || !WPACKET_close(pkt)) {
266 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, ERR_R_INTERNAL_ERROR);
273 #ifndef OPENSSL_NO_OCSP
274 int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
275 unsigned int context, X509 *x,
276 size_t chainidx, int *al)
280 /* This extension isn't defined for client Certificates */
284 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
287 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
288 /* Sub-packet for status request extension */
289 || !WPACKET_start_sub_packet_u16(pkt)
290 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
291 /* Sub-packet for the ids */
292 || !WPACKET_start_sub_packet_u16(pkt)) {
293 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
296 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
297 unsigned char *idbytes;
298 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
299 int idlen = i2d_OCSP_RESPID(id, NULL);
302 /* Sub-packet for an individual id */
303 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
304 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
305 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
306 ERR_R_INTERNAL_ERROR);
310 if (!WPACKET_close(pkt)
311 || !WPACKET_start_sub_packet_u16(pkt)) {
312 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
315 if (s->ext.ocsp.exts) {
316 unsigned char *extbytes;
317 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
320 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
321 ERR_R_INTERNAL_ERROR);
324 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
325 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
327 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
328 ERR_R_INTERNAL_ERROR);
332 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
333 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
341 #ifndef OPENSSL_NO_NEXTPROTONEG
342 int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
345 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
349 * The client advertises an empty extension to indicate its support
350 * for Next Protocol Negotiation
352 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
353 || !WPACKET_put_bytes_u16(pkt, 0)) {
354 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_NPN, ERR_R_INTERNAL_ERROR);
362 int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
363 size_t chainidx, int *al)
365 s->s3->alpn_sent = 0;
367 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
370 if (!WPACKET_put_bytes_u16(pkt,
371 TLSEXT_TYPE_application_layer_protocol_negotiation)
372 /* Sub-packet ALPN extension */
373 || !WPACKET_start_sub_packet_u16(pkt)
374 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
375 || !WPACKET_close(pkt)) {
376 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
379 s->s3->alpn_sent = 1;
385 #ifndef OPENSSL_NO_SRTP
386 int tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
387 X509 *x, size_t chainidx, int *al)
389 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
395 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
396 /* Sub-packet for SRTP extension */
397 || !WPACKET_start_sub_packet_u16(pkt)
398 /* Sub-packet for the protection profile list */
399 || !WPACKET_start_sub_packet_u16(pkt)) {
400 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
404 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
405 for (i = 0; i < end; i++) {
406 const SRTP_PROTECTION_PROFILE *prof =
407 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
409 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
410 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
414 if (!WPACKET_close(pkt)
415 /* Add an empty use_mki value */
416 || !WPACKET_put_bytes_u8(pkt, 0)
417 || !WPACKET_close(pkt)) {
418 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR);
426 int tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
427 size_t chainidx, int *al)
429 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
432 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
433 || !WPACKET_put_bytes_u16(pkt, 0)) {
434 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ETM, ERR_R_INTERNAL_ERROR);
441 #ifndef OPENSSL_NO_CT
442 int tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
443 size_t chainidx, int *al)
445 if (s->ct_validation_callback == NULL)
448 /* Not defined for client Certificates */
452 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
453 || !WPACKET_put_bytes_u16(pkt, 0)) {
454 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SCT, ERR_R_INTERNAL_ERROR);
462 int tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
463 size_t chainidx, int *al)
465 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
466 || !WPACKET_put_bytes_u16(pkt, 0)) {
467 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_EMS, ERR_R_INTERNAL_ERROR);
474 int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
475 unsigned int context, X509 *x,
476 size_t chainidx, int *al)
478 int currv, min_version, max_version, reason;
480 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
481 || !WPACKET_start_sub_packet_u16(pkt)
482 || !WPACKET_start_sub_packet_u8(pkt)) {
483 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
484 ERR_R_INTERNAL_ERROR);
488 reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
490 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
495 * TODO(TLS1.3): There is some discussion on the TLS list as to wheter
496 * we should include versions <TLS1.2. For the moment we do. To be
499 for (currv = max_version; currv >= min_version; currv--) {
500 /* TODO(TLS1.3): Remove this first if clause prior to release!! */
501 if (currv == TLS1_3_VERSION) {
502 if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)) {
503 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
504 ERR_R_INTERNAL_ERROR);
507 } else if (!WPACKET_put_bytes_u16(pkt, currv)) {
508 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
509 ERR_R_INTERNAL_ERROR);
513 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
514 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS,
515 ERR_R_INTERNAL_ERROR);
523 * Construct a psk_kex_modes extension. We only have two modes we know about
524 * at this stage, so we send both.
526 int tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, unsigned int context,
527 X509 *x, size_t chainidx, int *al)
529 #ifndef OPENSSL_NO_TLS1_3
531 * TODO(TLS1.3): Do we want this list to be configurable? For now we always
532 * just send both supported modes
534 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
535 || !WPACKET_start_sub_packet_u16(pkt)
536 || !WPACKET_start_sub_packet_u8(pkt)
537 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
538 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)
539 || !WPACKET_close(pkt)
540 || !WPACKET_close(pkt)) {
541 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR);
545 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE;
551 #ifndef OPENSSL_NO_TLS1_3
552 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
554 unsigned char *encoded_point;
555 EVP_PKEY *key_share_key;
558 key_share_key = ssl_generate_pkey_curve(curve_id);
559 if (key_share_key == NULL) {
560 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EVP_LIB);
564 /* Encode the public key. */
565 encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
567 if (encodedlen == 0) {
568 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB);
569 EVP_PKEY_free(key_share_key);
573 /* Create KeyShareEntry */
574 if (!WPACKET_put_bytes_u16(pkt, curve_id)
575 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
576 SSLerr(SSL_F_ADD_KEY_SHARE, ERR_R_INTERNAL_ERROR);
577 EVP_PKEY_free(key_share_key);
578 OPENSSL_free(encoded_point);
583 * TODO(TLS1.3): When changing to send more than one key_share we're
584 * going to need to be able to save more than one EVP_PKEY. For now
585 * we reuse the existing tmp.pkey
587 s->s3->tmp.pkey = key_share_key;
588 s->s3->group_id = curve_id;
589 OPENSSL_free(encoded_point);
595 int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, unsigned int context,
596 X509 *x, size_t chainidx, int *al)
598 #ifndef OPENSSL_NO_TLS1_3
599 size_t i, num_curves = 0;
600 const unsigned char *pcurves = NULL;
601 unsigned int curve_id = 0;
603 /* key_share extension */
604 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
605 /* Extension data sub-packet */
606 || !WPACKET_start_sub_packet_u16(pkt)
607 /* KeyShare list sub-packet */
608 || !WPACKET_start_sub_packet_u16(pkt)) {
609 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
613 pcurves = s->ext.supportedgroups;
614 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
615 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
619 if (s->s3->tmp.pkey != NULL) {
620 /* Shouldn't happen! */
621 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
626 * TODO(TLS1.3): Make the number of key_shares sent configurable. For
629 if (s->s3->group_id != 0) {
630 curve_id = s->s3->group_id;
632 for (i = 0; i < num_curves; i++, pcurves += 2) {
634 if (!tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED))
637 curve_id = bytestogroup(pcurves);
643 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
647 if (!add_key_share(s, pkt, curve_id))
650 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
651 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
659 #define F5_WORKAROUND_MIN_MSG_LEN 0xff
660 #define F5_WORKAROUND_MAX_MSG_LEN 0x200
662 int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, unsigned int context,
663 X509 *x, size_t chainidx, int *al)
665 unsigned char *padbytes;
668 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
672 * Add padding to workaround bugs in F5 terminators. See
673 * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
674 * code calculates the length of all existing extensions it MUST always
677 if (!WPACKET_get_total_written(pkt, &hlen)) {
678 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
682 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
683 /* Calculate the amond of padding we need to add */
684 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
687 * Take off the size of extension header itself (2 bytes for type and
688 * 2 bytes for length bytes)
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
696 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
697 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PADDING, ERR_R_INTERNAL_ERROR);
700 memset(padbytes, 0, hlen);
707 * Construct the pre_shared_key extension
709 int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
710 size_t chainidx, int *al)
712 #ifndef OPENSSL_NO_TLS1_3
713 uint32_t now, agesec, agems;
714 size_t hashsize, binderoffset, msglen;
715 unsigned char *binder = NULL, *msgstart = NULL;
719 s->session->ext.tick_identity = TLSEXT_PSK_BAD_IDENTITY;
722 * If this is an incompatible or new session then we have nothing to resume
723 * so don't add this extension.
725 if (s->session->ssl_version != TLS1_3_VERSION
726 || s->session->ext.ticklen == 0)
729 if (s->session->cipher == NULL) {
730 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
734 md = ssl_md(s->session->cipher->algorithm2);
736 /* Don't recognise this cipher so we can't use the session. Ignore it */
741 * Technically the C standard just says time() returns a time_t and says
742 * nothing about the encoding of that type. In practice most implementations
743 * follow POSIX which holds it as an integral type in seconds since epoch.
744 * We've already made the assumption that we can do this in multiple places
745 * in the code, so portability shouldn't be an issue.
747 now = (uint32_t)time(NULL);
748 agesec = now - (uint32_t)s->session->time;
750 if (s->session->ext.tick_lifetime_hint < agesec) {
751 /* Ticket is too old. Ignore it. */
756 * Calculate age in ms. We're just doing it to nearest second. Should be
759 agems = agesec * (uint32_t)1000;
761 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
763 * Overflow. Shouldn't happen unless this is a *really* old session. If
764 * so we just ignore it.
770 * Obfuscate the age. Overflow here is fine, this addition is supposed to
773 agems += s->session->ext.tick_age_add;
775 hashsize = EVP_MD_size(md);
777 /* Create the extension, but skip over the binder for now */
778 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
779 || !WPACKET_start_sub_packet_u16(pkt)
780 || !WPACKET_start_sub_packet_u16(pkt)
781 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
782 s->session->ext.ticklen)
783 || !WPACKET_put_bytes_u32(pkt, agems)
784 || !WPACKET_close(pkt)
785 || !WPACKET_get_total_written(pkt, &binderoffset)
786 || !WPACKET_start_sub_packet_u16(pkt)
787 || !WPACKET_sub_allocate_bytes_u8(pkt, hashsize, &binder)
788 || !WPACKET_close(pkt)
789 || !WPACKET_close(pkt)
790 || !WPACKET_get_total_written(pkt, &msglen)
792 * We need to fill in all the sub-packet lengths now so we can
793 * calculate the HMAC of the message up to the binders
795 || !WPACKET_fill_lengths(pkt)) {
796 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
800 msgstart = WPACKET_get_curr(pkt) - msglen;
802 if (tls_psk_do_binder(s, md, msgstart, binderoffset, NULL, binder,
803 s->session, 1) != 1) {
804 SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_PSK, ERR_R_INTERNAL_ERROR);
808 s->session->ext.tick_identity = 0;
819 * Parse the server's renegotiation binding and abort if it's not right
821 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
822 X509 *x, size_t chainidx, int *al)
824 size_t expected_len = s->s3->previous_client_finished_len
825 + s->s3->previous_server_finished_len;
827 const unsigned char *data;
829 /* Check for logic errors */
830 assert(expected_len == 0 || s->s3->previous_client_finished_len != 0);
831 assert(expected_len == 0 || s->s3->previous_server_finished_len != 0);
833 /* Parse the length byte */
834 if (!PACKET_get_1_len(pkt, &ilen)) {
835 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
836 SSL_R_RENEGOTIATION_ENCODING_ERR);
837 *al = SSL_AD_ILLEGAL_PARAMETER;
841 /* Consistency check */
842 if (PACKET_remaining(pkt) != ilen) {
843 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
844 SSL_R_RENEGOTIATION_ENCODING_ERR);
845 *al = SSL_AD_ILLEGAL_PARAMETER;
849 /* Check that the extension matches */
850 if (ilen != expected_len) {
851 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
852 SSL_R_RENEGOTIATION_MISMATCH);
853 *al = SSL_AD_HANDSHAKE_FAILURE;
857 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len)
858 || memcmp(data, s->s3->previous_client_finished,
859 s->s3->previous_client_finished_len) != 0) {
860 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
861 SSL_R_RENEGOTIATION_MISMATCH);
862 *al = SSL_AD_HANDSHAKE_FAILURE;
866 if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len)
867 || memcmp(data, s->s3->previous_server_finished,
868 s->s3->previous_server_finished_len) != 0) {
869 SSLerr(SSL_F_TLS_PARSE_STOC_RENEGOTIATE,
870 SSL_R_RENEGOTIATION_MISMATCH);
871 *al = SSL_AD_ILLEGAL_PARAMETER;
874 s->s3->send_connection_binding = 1;
879 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
880 X509 *x, size_t chainidx, int *al)
882 if (s->ext.hostname == NULL || PACKET_remaining(pkt) > 0) {
883 *al = SSL_AD_UNRECOGNIZED_NAME;
888 if (s->session->ext.hostname != NULL) {
889 *al = SSL_AD_INTERNAL_ERROR;
892 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
893 if (s->session->ext.hostname == NULL) {
894 *al = SSL_AD_INTERNAL_ERROR;
902 int tls_parse_stoc_early_data_info(SSL *s, PACKET *pkt, unsigned int context,
903 X509 *x, size_t chainidx, int *al)
905 unsigned long max_early_data;
907 if (!PACKET_get_net_4(pkt, &max_early_data)
908 || PACKET_remaining(pkt) != 0) {
909 SSLerr(SSL_F_TLS_PARSE_STOC_EARLY_DATA_INFO,
910 SSL_R_INVALID_MAX_EARLY_DATA);
911 *al = SSL_AD_DECODE_ERROR;
915 s->session->ext.max_early_data = max_early_data;
920 #ifndef OPENSSL_NO_EC
921 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
922 X509 *x, size_t chainidx, int *al)
924 unsigned int ecpointformats_len;
925 PACKET ecptformatlist;
927 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
928 *al = SSL_AD_DECODE_ERROR;
932 ecpointformats_len = PACKET_remaining(&ecptformatlist);
933 s->session->ext.ecpointformats_len = 0;
935 OPENSSL_free(s->session->ext.ecpointformats);
936 s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
937 if (s->session->ext.ecpointformats == NULL) {
938 *al = SSL_AD_INTERNAL_ERROR;
942 s->session->ext.ecpointformats_len = ecpointformats_len;
944 if (!PACKET_copy_bytes(&ecptformatlist,
945 s->session->ext.ecpointformats,
946 ecpointformats_len)) {
947 *al = SSL_AD_INTERNAL_ERROR;
956 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
957 X509 *x, size_t chainidx, int *al)
959 if (s->ext.session_ticket_cb != NULL &&
960 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
961 PACKET_remaining(pkt),
962 s->ext.session_ticket_cb_arg)) {
963 *al = SSL_AD_INTERNAL_ERROR;
967 if (!tls_use_ticket(s) || PACKET_remaining(pkt) > 0) {
968 *al = SSL_AD_UNSUPPORTED_EXTENSION;
972 s->ext.ticket_expected = 1;
977 #ifndef OPENSSL_NO_OCSP
978 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
979 X509 *x, size_t chainidx, int *al)
982 * MUST only be sent if we've requested a status
983 * request message. In TLS <= 1.2 it must also be empty.
985 if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
986 || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
987 *al = SSL_AD_UNSUPPORTED_EXTENSION;
991 if (SSL_IS_TLS13(s)) {
992 /* We only know how to handle this if it's for the first Certificate in
993 * the chain. We ignore any other repsonses.
997 return tls_process_cert_status_body(s, pkt, al);
1000 /* Set flag to expect CertificateStatus message */
1001 s->ext.status_expected = 1;
1008 #ifndef OPENSSL_NO_CT
1009 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1010 size_t chainidx, int *al)
1013 * Only take it if we asked for it - i.e if there is no CT validation
1014 * callback set, then a custom extension MAY be processing it, so we
1015 * need to let control continue to flow to that.
1017 if (s->ct_validation_callback != NULL) {
1018 size_t size = PACKET_remaining(pkt);
1020 /* Simply copy it off for later processing */
1021 OPENSSL_free(s->ext.scts);
1024 s->ext.scts_len = size;
1026 s->ext.scts = OPENSSL_malloc(size);
1027 if (s->ext.scts == NULL
1028 || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1029 *al = SSL_AD_INTERNAL_ERROR;
1034 if (custom_ext_parse(s, 0, TLSEXT_TYPE_signed_certificate_timestamp,
1035 PACKET_data(pkt), PACKET_remaining(pkt), al) <= 0)
1044 #ifndef OPENSSL_NO_NEXTPROTONEG
1046 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1047 * elements of zero length are allowed and the set of elements must exactly
1048 * fill the length of the block. Returns 1 on success or 0 on failure.
1050 static int ssl_next_proto_validate(PACKET *pkt)
1052 PACKET tmp_protocol;
1054 while (PACKET_remaining(pkt)) {
1055 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1056 || PACKET_remaining(&tmp_protocol) == 0)
1063 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1064 size_t chainidx, int *al)
1066 unsigned char *selected;
1067 unsigned char selected_len;
1070 /* Check if we are in a renegotiation. If so ignore this extension */
1071 if (!SSL_IS_FIRST_HANDSHAKE(s))
1074 /* We must have requested it. */
1075 if (s->ctx->ext.npn_select_cb == NULL) {
1076 *al = SSL_AD_UNSUPPORTED_EXTENSION;
1080 /* The data must be valid */
1082 if (!ssl_next_proto_validate(&tmppkt)) {
1083 *al = SSL_AD_DECODE_ERROR;
1086 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
1088 PACKET_remaining(pkt),
1089 s->ctx->ext.npn_select_cb_arg) !=
1090 SSL_TLSEXT_ERR_OK) {
1091 *al = SSL_AD_INTERNAL_ERROR;
1096 * Could be non-NULL if server has sent multiple NPN extensions in
1097 * a single Serverhello
1099 OPENSSL_free(s->ext.npn);
1100 s->ext.npn = OPENSSL_malloc(selected_len);
1101 if (s->ext.npn == NULL) {
1102 *al = SSL_AD_INTERNAL_ERROR;
1106 memcpy(s->ext.npn, selected, selected_len);
1107 s->ext.npn_len = selected_len;
1108 s->s3->npn_seen = 1;
1114 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1115 size_t chainidx, int *al)
1119 /* We must have requested it. */
1120 if (!s->s3->alpn_sent) {
1121 *al = SSL_AD_UNSUPPORTED_EXTENSION;
1125 * The extension data consists of:
1126 * uint16 list_length
1127 * uint8 proto_length;
1128 * uint8 proto[proto_length];
1130 if (!PACKET_get_net_2_len(pkt, &len)
1131 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1132 || PACKET_remaining(pkt) != len) {
1133 *al = SSL_AD_DECODE_ERROR;
1136 OPENSSL_free(s->s3->alpn_selected);
1137 s->s3->alpn_selected = OPENSSL_malloc(len);
1138 if (s->s3->alpn_selected == NULL) {
1139 *al = SSL_AD_INTERNAL_ERROR;
1142 if (!PACKET_copy_bytes(pkt, s->s3->alpn_selected, len)) {
1143 *al = SSL_AD_DECODE_ERROR;
1146 s->s3->alpn_selected_len = len;
1151 #ifndef OPENSSL_NO_SRTP
1152 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1153 size_t chainidx, int *al)
1155 unsigned int id, ct, mki;
1157 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1158 SRTP_PROTECTION_PROFILE *prof;
1160 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1161 || !PACKET_get_net_2(pkt, &id)
1162 || !PACKET_get_1(pkt, &mki)
1163 || PACKET_remaining(pkt) != 0) {
1164 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
1165 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1166 *al = SSL_AD_DECODE_ERROR;
1171 /* Must be no MKI, since we never offer one */
1172 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
1173 *al = SSL_AD_ILLEGAL_PARAMETER;
1177 /* Throw an error if the server gave us an unsolicited extension */
1178 clnt = SSL_get_srtp_profiles(s);
1180 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP, SSL_R_NO_SRTP_PROFILES);
1181 *al = SSL_AD_DECODE_ERROR;
1186 * Check to see if the server gave us something we support (and
1187 * presumably offered)
1189 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1190 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1192 if (prof->id == id) {
1193 s->srtp_profile = prof;
1199 SSLerr(SSL_F_TLS_PARSE_STOC_USE_SRTP,
1200 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1201 *al = SSL_AD_DECODE_ERROR;
1206 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1207 size_t chainidx, int *al)
1209 /* Ignore if inappropriate ciphersuite */
1210 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1211 && s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
1212 && s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
1218 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1219 size_t chainidx, int *al)
1221 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1223 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1228 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1229 size_t chainidx, int *al)
1231 #ifndef OPENSSL_NO_TLS1_3
1232 unsigned int group_id;
1234 EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
1238 *al = SSL_AD_INTERNAL_ERROR;
1239 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1243 if (!PACKET_get_net_2(pkt, &group_id)) {
1244 *al = SSL_AD_HANDSHAKE_FAILURE;
1245 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1249 if ((context & EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1250 unsigned const char *pcurves = NULL;
1251 size_t i, num_curves;
1253 if (PACKET_remaining(pkt) != 0) {
1254 *al = SSL_AD_HANDSHAKE_FAILURE;
1255 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1260 * It is an error if the HelloRetryRequest wants a key_share that we
1261 * already sent in the first ClientHello
1263 if (group_id == s->s3->group_id) {
1264 *al = SSL_AD_ILLEGAL_PARAMETER;
1265 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1269 /* Validate the selected group is one we support */
1270 pcurves = s->ext.supportedgroups;
1271 if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
1272 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1275 for (i = 0; i < num_curves; i++, pcurves += 2) {
1276 if (group_id == bytestogroup(pcurves))
1280 || !tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
1281 *al = SSL_AD_ILLEGAL_PARAMETER;
1282 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1286 s->s3->group_id = group_id;
1287 EVP_PKEY_free(s->s3->tmp.pkey);
1288 s->s3->tmp.pkey = NULL;
1292 if (group_id != s->s3->group_id) {
1294 * This isn't for the group that we sent in the original
1297 *al = SSL_AD_HANDSHAKE_FAILURE;
1298 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
1302 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1303 || PACKET_remaining(&encoded_pt) == 0) {
1304 *al = SSL_AD_DECODE_ERROR;
1305 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
1309 skey = ssl_generate_pkey(ckey);
1311 *al = SSL_AD_INTERNAL_ERROR;
1312 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1315 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
1316 PACKET_remaining(&encoded_pt))) {
1317 *al = SSL_AD_DECODE_ERROR;
1318 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_ECPOINT);
1319 EVP_PKEY_free(skey);
1323 if (ssl_derive(s, ckey, skey, 1) == 0) {
1324 *al = SSL_AD_INTERNAL_ERROR;
1325 SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1326 EVP_PKEY_free(skey);
1329 EVP_PKEY_free(skey);
1335 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1336 size_t chainidx, int *al)
1338 #ifndef OPENSSL_NO_TLS1_3
1339 unsigned int identity;
1341 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
1342 *al = SSL_AD_HANDSHAKE_FAILURE;
1343 SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_LENGTH_MISMATCH);
1347 if (s->session->ext.tick_identity != (int)identity) {
1348 *al = SSL_AD_HANDSHAKE_FAILURE;
1349 SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_BAD_PSK_IDENTITY);