2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
54 /* Check that the extension matches */
55 if (ilen != s->s3.previous_client_finished_len) {
56 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
60 if (memcmp(data, s->s3.previous_client_finished,
61 s->s3.previous_client_finished_len)) {
62 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
66 s->s3.send_connection_binding = 1;
72 * The servername extension is treated as follows:
74 * - Only the hostname type is supported with a maximum length of 255.
75 * - The servername is rejected if too long or if it contains zeros,
76 * in which case an fatal alert is generated.
77 * - The servername field is maintained together with the session cache.
78 * - When a session is resumed, the servername call back invoked in order
79 * to allow the application to position itself to the right context.
80 * - The servername is acknowledged if it is new for a session or when
81 * it is identical to a previously used for the same session.
82 * Applications can control the behaviour. They can at any time
83 * set a 'desirable' servername for a new SSL object. This can be the
84 * case for example with HTTPS when a Host: header field is received and
85 * a renegotiation is requested. In this case, a possible servername
86 * presented in the new client hello is only acknowledged if it matches
87 * the value of the Host: field.
88 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89 * if they provide for changing an explicit servername context for the
90 * session, i.e. when the session has been established with a servername
92 * - On session reconnect, the servername extension may be absent.
94 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
95 X509 *x, size_t chainidx)
97 unsigned int servname_type;
100 if (!PACKET_as_length_prefixed_2(pkt, &sni)
101 /* ServerNameList must be at least 1 byte long. */
102 || PACKET_remaining(&sni) == 0) {
103 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
108 * Although the intent was for server_name to be extensible, RFC 4366
109 * was not clear about it; and so OpenSSL among other implementations,
110 * always and only allows a 'host_name' name types.
111 * RFC 6066 corrected the mistake but adding new name types
112 * is nevertheless no longer feasible, so act as if no other
113 * SNI types can exist, to simplify parsing.
115 * Also note that the RFC permits only one SNI value per type,
116 * i.e., we can only have a single hostname.
118 if (!PACKET_get_1(&sni, &servname_type)
119 || servname_type != TLSEXT_NAMETYPE_host_name
120 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
126 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127 * we always use the SNI value from the handshake.
129 if (!s->hit || SSL_IS_TLS13(s)) {
130 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
131 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
135 if (PACKET_contains_zero_byte(&hostname)) {
136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
141 * Store the requested SNI in the SSL as temporary storage.
142 * If we accept it, it will get stored in the SSL_SESSION as well.
144 OPENSSL_free(s->ext.hostname);
145 s->ext.hostname = NULL;
146 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
151 s->servername_done = 1;
154 * In TLSv1.2 and below we should check if the SNI is consistent between
155 * the initial handshake and the resumption. In TLSv1.3 SNI is not
156 * associated with the session.
158 s->servername_done = (s->session->ext.hostname != NULL)
159 && PACKET_equal(&hostname, s->session->ext.hostname,
160 strlen(s->session->ext.hostname));
166 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx)
171 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
172 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
176 /* Received |value| should be a valid max-fragment-length code. */
177 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
178 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
179 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
184 * RFC 6066: The negotiated length applies for the duration of the session
185 * including session resumptions.
186 * We should receive the same code as in resumed session !
188 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
189 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
190 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
195 * Store it in session, so it'll become binding for us
196 * and we'll include it in a next Server Hello.
198 s->session->ext.max_fragment_len_mode = value;
202 #ifndef OPENSSL_NO_SRP
203 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
208 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
209 || PACKET_contains_zero_byte(&srp_I)) {
210 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
214 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
223 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
224 X509 *x, size_t chainidx)
226 PACKET ec_point_format_list;
228 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
229 || PACKET_remaining(&ec_point_format_list) == 0) {
230 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
235 if (!PACKET_memdup(&ec_point_format_list,
236 &s->ext.peer_ecpointformats,
237 &s->ext.peer_ecpointformats_len)) {
238 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
246 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
247 X509 *x, size_t chainidx)
249 if (s->ext.session_ticket_cb &&
250 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
251 PACKET_remaining(pkt),
252 s->ext.session_ticket_cb_arg)) {
253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
260 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
261 ossl_unused unsigned int context,
263 ossl_unused size_t chainidx)
265 PACKET supported_sig_algs;
267 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
268 || PACKET_remaining(&supported_sig_algs) == 0) {
269 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
273 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
274 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
281 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
284 PACKET supported_sig_algs;
286 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
287 || PACKET_remaining(&supported_sig_algs) == 0) {
288 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
292 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
293 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
300 #ifndef OPENSSL_NO_OCSP
301 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302 X509 *x, size_t chainidx)
304 PACKET responder_id_list, exts;
306 /* We ignore this in a resumption handshake */
310 /* Not defined if we get one of these in a client Certificate */
314 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
315 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
319 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
321 * We don't know what to do with any other type so ignore it.
323 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
327 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
328 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
333 * We remove any OCSP_RESPIDs from a previous handshake
334 * to prevent unbounded memory growth - CVE-2016-6304
336 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
337 if (PACKET_remaining(&responder_id_list) > 0) {
338 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
339 if (s->ext.ocsp.ids == NULL) {
340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
344 s->ext.ocsp.ids = NULL;
347 while (PACKET_remaining(&responder_id_list) > 0) {
350 const unsigned char *id_data;
352 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
353 || PACKET_remaining(&responder_id) == 0) {
354 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
358 id_data = PACKET_data(&responder_id);
359 id = d2i_OCSP_RESPID(NULL, &id_data,
360 (int)PACKET_remaining(&responder_id));
362 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
366 if (id_data != PACKET_end(&responder_id)) {
367 OCSP_RESPID_free(id);
368 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
373 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
374 OCSP_RESPID_free(id);
375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
381 /* Read in request_extensions */
382 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
387 if (PACKET_remaining(&exts) > 0) {
388 const unsigned char *ext_data = PACKET_data(&exts);
390 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
391 X509_EXTENSION_free);
393 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
394 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
395 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
404 #ifndef OPENSSL_NO_NEXTPROTONEG
405 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
409 * We shouldn't accept this extension on a
412 if (SSL_IS_FIRST_HANDSHAKE(s))
420 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
421 * extension, not including type and length. Returns: 1 on success, 0 on error.
423 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
426 PACKET protocol_list, save_protocol_list, protocol;
428 if (!SSL_IS_FIRST_HANDSHAKE(s))
431 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
432 || PACKET_remaining(&protocol_list) < 2) {
433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
437 save_protocol_list = protocol_list;
439 /* Protocol names can't be empty. */
440 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
441 || PACKET_remaining(&protocol) == 0) {
442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
445 } while (PACKET_remaining(&protocol_list) != 0);
447 OPENSSL_free(s->s3.alpn_proposed);
448 s->s3.alpn_proposed = NULL;
449 s->s3.alpn_proposed_len = 0;
450 if (!PACKET_memdup(&save_protocol_list,
451 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
459 #ifndef OPENSSL_NO_SRTP
460 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
463 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
464 unsigned int ct, mki_len, id;
468 /* Ignore this if we have no SRTP profiles */
469 if (SSL_get_srtp_profiles(s) == NULL)
472 /* Pull off the length of the cipher suite list and check it is even */
473 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
474 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
475 SSLfatal(s, SSL_AD_DECODE_ERROR,
476 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
480 srvr = SSL_get_srtp_profiles(s);
481 s->srtp_profile = NULL;
482 /* Search all profiles for a match initially */
483 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
485 while (PACKET_remaining(&subpkt)) {
486 if (!PACKET_get_net_2(&subpkt, &id)) {
487 SSLfatal(s, SSL_AD_DECODE_ERROR,
488 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
493 * Only look for match in profiles of higher preference than
495 * If no profiles have been have been configured then this
498 for (i = 0; i < srtp_pref; i++) {
499 SRTP_PROTECTION_PROFILE *sprof =
500 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
502 if (sprof->id == id) {
503 s->srtp_profile = sprof;
510 /* Now extract the MKI value as a sanity check, but discard it for now */
511 if (!PACKET_get_1(pkt, &mki_len)) {
512 SSLfatal(s, SSL_AD_DECODE_ERROR,
513 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
517 if (!PACKET_forward(pkt, mki_len)
518 || PACKET_remaining(pkt)) {
519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
527 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
530 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
537 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
538 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
540 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
541 X509 *x, size_t chainidx)
543 #ifndef OPENSSL_NO_TLS1_3
544 PACKET psk_kex_modes;
547 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
548 || PACKET_remaining(&psk_kex_modes) == 0) {
549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
553 while (PACKET_get_1(&psk_kex_modes, &mode)) {
554 if (mode == TLSEXT_KEX_MODE_KE_DHE)
555 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
556 else if (mode == TLSEXT_KEX_MODE_KE
557 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
558 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
566 * Process a key_share extension received in the ClientHello. |pkt| contains
567 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
569 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
572 #ifndef OPENSSL_NO_TLS1_3
573 unsigned int group_id;
574 PACKET key_share_list, encoded_pt;
575 const uint16_t *clntgroups, *srvrgroups;
576 size_t clnt_num_groups, srvr_num_groups;
579 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
583 if (s->s3.peer_tmp != NULL) {
584 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
588 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
593 /* Get our list of supported groups */
594 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
595 /* Get the clients list of supported groups. */
596 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
597 if (clnt_num_groups == 0) {
599 * This can only happen if the supported_groups extension was not sent,
600 * because we verify that the length is non-zero when we process that
603 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
604 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
608 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
610 * If we set a group_id already, then we must have sent an HRR
611 * requesting a new key_share. If we haven't got one then that is an
614 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
618 while (PACKET_remaining(&key_share_list) > 0) {
619 if (!PACKET_get_net_2(&key_share_list, &group_id)
620 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
621 || PACKET_remaining(&encoded_pt) == 0) {
622 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
627 * If we already found a suitable key_share we loop through the
628 * rest to verify the structure, but don't process them.
634 * If we sent an HRR then the key_share sent back MUST be for the group
635 * we requested, and must be the only key_share sent.
637 if (s->s3.group_id != 0
638 && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
639 || PACKET_remaining(&key_share_list) != 0)) {
640 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
644 /* Check if this share is in supported_groups sent from client */
645 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
646 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
650 /* Check if this share is for a group we can use */
651 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
652 /* Share not suitable */
656 s->s3.group_id = group_id;
657 /* Cache the selected group ID in the SSL_SESSION */
658 s->session->kex_group = group_id;
660 group_id = ssl_group_id_tls13_to_internal(group_id);
662 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
663 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
664 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
668 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
669 PACKET_data(&encoded_pt),
670 PACKET_remaining(&encoded_pt)) <= 0) {
671 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
682 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
685 #ifndef OPENSSL_NO_TLS1_3
686 unsigned int format, version, key_share, group_id;
689 PACKET cookie, raw, chhash, appcookie;
691 const unsigned char *data, *mdin, *ciphdata;
692 unsigned char hmac[SHA256_DIGEST_LENGTH];
693 unsigned char hrr[MAX_HRR_SIZE];
694 size_t rawlen, hmaclen, hrrlen, ciphlen;
695 unsigned long tm, now;
697 /* Ignore any cookie if we're not set up to verify it */
698 if (s->ctx->verify_stateless_cookie_cb == NULL
699 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
702 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
703 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
708 data = PACKET_data(&raw);
709 rawlen = PACKET_remaining(&raw);
710 if (rawlen < SHA256_DIGEST_LENGTH
711 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
712 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
715 mdin = PACKET_data(&raw);
717 /* Verify the HMAC of the cookie */
718 hctx = EVP_MD_CTX_create();
719 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
721 s->session_ctx->ext.cookie_hmac_key,
722 sizeof(s->session_ctx->ext.cookie_hmac_key));
723 if (hctx == NULL || pkey == NULL) {
724 EVP_MD_CTX_free(hctx);
726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
730 hmaclen = SHA256_DIGEST_LENGTH;
731 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
732 s->ctx->propq, pkey, NULL) <= 0
733 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
734 rawlen - SHA256_DIGEST_LENGTH) <= 0
735 || hmaclen != SHA256_DIGEST_LENGTH) {
736 EVP_MD_CTX_free(hctx);
738 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
742 EVP_MD_CTX_free(hctx);
745 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
746 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
750 if (!PACKET_get_net_2(&cookie, &format)) {
751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
754 /* Check the cookie format is something we recognise. Ignore it if not */
755 if (format != COOKIE_STATE_FORMAT_VERSION)
759 * The rest of these checks really shouldn't fail since we have verified the
763 /* Check the version number is sane */
764 if (!PACKET_get_net_2(&cookie, &version)) {
765 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
768 if (version != TLS1_3_VERSION) {
769 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
770 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
774 if (!PACKET_get_net_2(&cookie, &group_id)) {
775 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
779 ciphdata = PACKET_data(&cookie);
780 if (!PACKET_forward(&cookie, 2)) {
781 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
784 if (group_id != s->s3.group_id
785 || s->s3.tmp.new_cipher
786 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
788 * We chose a different cipher or group id this time around to what is
789 * in the cookie. Something must have changed.
791 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
795 if (!PACKET_get_1(&cookie, &key_share)
796 || !PACKET_get_net_4(&cookie, &tm)
797 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
798 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
799 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
800 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
804 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
805 now = (unsigned long)time(NULL);
806 if (tm > now || (now - tm) > 600) {
807 /* Cookie is stale. Ignore it */
811 /* Verify the app cookie */
812 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
813 PACKET_remaining(&appcookie)) == 0) {
814 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
819 * Reconstruct the HRR that we would have sent in response to the original
820 * ClientHello so we can add it to the transcript hash.
821 * Note: This won't work with custom HRR extensions
823 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
824 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
827 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
828 || !WPACKET_start_sub_packet_u24(&hrrpkt)
829 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
830 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
831 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
832 s->tmp_session_id_len)
833 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
835 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
836 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
837 WPACKET_cleanup(&hrrpkt);
838 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
841 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
842 || !WPACKET_start_sub_packet_u16(&hrrpkt)
843 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
844 || !WPACKET_close(&hrrpkt)) {
845 WPACKET_cleanup(&hrrpkt);
846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
850 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
851 || !WPACKET_start_sub_packet_u16(&hrrpkt)
852 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
853 || !WPACKET_close(&hrrpkt)) {
854 WPACKET_cleanup(&hrrpkt);
855 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
859 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
860 || !WPACKET_start_sub_packet_u16(&hrrpkt)
861 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
862 || !WPACKET_close(&hrrpkt) /* cookie extension */
863 || !WPACKET_close(&hrrpkt) /* extension block */
864 || !WPACKET_close(&hrrpkt) /* message */
865 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
866 || !WPACKET_finish(&hrrpkt)) {
867 WPACKET_cleanup(&hrrpkt);
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
872 /* Reconstruct the transcript hash */
873 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
874 PACKET_remaining(&chhash), hrr,
876 /* SSLfatal() already called */
880 /* Act as if this ClientHello came after a HelloRetryRequest */
881 s->hello_retry_request = 1;
889 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
890 X509 *x, size_t chainidx)
892 PACKET supported_groups_list;
894 /* Each group is 2 bytes and we must have at least 1. */
895 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
896 || PACKET_remaining(&supported_groups_list) == 0
897 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
898 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
902 if (!s->hit || SSL_IS_TLS13(s)) {
903 OPENSSL_free(s->ext.peer_supportedgroups);
904 s->ext.peer_supportedgroups = NULL;
905 s->ext.peer_supportedgroups_len = 0;
906 if (!tls1_save_u16(&supported_groups_list,
907 &s->ext.peer_supportedgroups,
908 &s->ext.peer_supportedgroups_len)) {
909 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
917 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
920 /* The extension must always be empty */
921 if (PACKET_remaining(pkt) != 0) {
922 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
926 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
929 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
935 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
936 X509 *x, size_t chainidx)
938 if (PACKET_remaining(pkt) != 0) {
939 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
943 if (s->hello_retry_request != SSL_HRR_NONE) {
944 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
951 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
954 SSL_SESSION *tmpsess = NULL;
956 s->ext.ticket_expected = 1;
958 switch (PACKET_remaining(tick)) {
960 return SSL_TICKET_EMPTY;
962 case SSL_MAX_SSL_SESSION_ID_LENGTH:
966 return SSL_TICKET_NO_DECRYPT;
969 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
970 SSL_MAX_SSL_SESSION_ID_LENGTH);
973 return SSL_TICKET_NO_DECRYPT;
976 return SSL_TICKET_SUCCESS;
979 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
982 PACKET identities, binders, binder;
983 size_t binderoffset, hashsize;
984 SSL_SESSION *sess = NULL;
985 unsigned int id, i, ext = 0;
986 const EVP_MD *md = NULL;
989 * If we have no PSK kex mode that we recognise then we can't resume so
990 * ignore this extension
992 if ((s->ext.psk_kex_mode
993 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
996 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
997 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1001 s->ext.ticket_expected = 0;
1002 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1004 unsigned long ticket_agel;
1007 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1008 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1009 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1013 idlen = PACKET_remaining(&identity);
1014 if (s->psk_find_session_cb != NULL
1015 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1017 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1021 #ifndef OPENSSL_NO_PSK
1023 && s->psk_server_callback != NULL
1024 && idlen <= PSK_MAX_IDENTITY_LEN) {
1026 unsigned char pskdata[PSK_MAX_PSK_LEN];
1027 unsigned int pskdatalen;
1029 if (!PACKET_strndup(&identity, &pskid)) {
1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1033 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1035 OPENSSL_free(pskid);
1036 if (pskdatalen > PSK_MAX_PSK_LEN) {
1037 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1039 } else if (pskdatalen > 0) {
1040 const SSL_CIPHER *cipher;
1041 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1044 * We found a PSK using an old style callback. We don't know
1045 * the digest so we default to SHA256 as per the TLSv1.3 spec
1047 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1048 if (cipher == NULL) {
1049 OPENSSL_cleanse(pskdata, pskdatalen);
1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1054 sess = SSL_SESSION_new();
1056 || !SSL_SESSION_set1_master_key(sess, pskdata,
1058 || !SSL_SESSION_set_cipher(sess, cipher)
1059 || !SSL_SESSION_set_protocol_version(sess,
1061 OPENSSL_cleanse(pskdata, pskdatalen);
1062 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1065 OPENSSL_cleanse(pskdata, pskdatalen);
1068 #endif /* OPENSSL_NO_PSK */
1071 /* We found a PSK */
1072 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1074 if (sesstmp == NULL) {
1075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1078 SSL_SESSION_free(sess);
1082 * We've just been told to use this session for this context so
1083 * make sure the sid_ctx matches up.
1085 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1086 sess->sid_ctx_length = s->sid_ctx_length;
1089 s->ext.early_data_ok = 1;
1090 s->ext.ticket_expected = 1;
1092 uint32_t ticket_age = 0, now, agesec, agems;
1096 * If we are using anti-replay protection then we behave as if
1097 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1098 * is no point in using full stateless tickets.
1100 if ((s->options & SSL_OP_NO_TICKET) != 0
1101 || (s->max_early_data > 0
1102 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1103 ret = tls_get_stateful_ticket(s, &identity, &sess);
1105 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1106 PACKET_remaining(&identity), NULL, 0,
1109 if (ret == SSL_TICKET_EMPTY) {
1110 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1114 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1115 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1119 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1122 /* Check for replay */
1123 if (s->max_early_data > 0
1124 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1125 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1126 SSL_SESSION_free(sess);
1131 ticket_age = (uint32_t)ticket_agel;
1132 now = (uint32_t)time(NULL);
1133 agesec = now - (uint32_t)sess->time;
1134 agems = agesec * (uint32_t)1000;
1135 ticket_age -= sess->ext.tick_age_add;
1138 * For simplicity we do our age calculations in seconds. If the
1139 * client does it in ms then it could appear that their ticket age
1140 * is longer than ours (our ticket age calculation should always be
1141 * slightly longer than the client's due to the network latency).
1142 * Therefore we add 1000ms to our age calculation to adjust for
1146 && sess->timeout >= (long)agesec
1147 && agems / (uint32_t)1000 == agesec
1148 && ticket_age <= agems + 1000
1149 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1151 * Ticket age is within tolerance and not expired. We allow it
1154 s->ext.early_data_ok = 1;
1158 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1159 if (!EVP_MD_is_a(md,
1160 EVP_MD_get0_name(ssl_md(s->ctx,
1161 s->s3.tmp.new_cipher->algorithm2)))) {
1162 /* The ciphersuite is not compatible with this session. */
1163 SSL_SESSION_free(sess);
1165 s->ext.early_data_ok = 0;
1166 s->ext.ticket_expected = 0;
1175 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1176 hashsize = EVP_MD_get_size(md);
1178 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1179 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1183 for (i = 0; i <= id; i++) {
1184 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1185 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1190 if (PACKET_remaining(&binder) != hashsize) {
1191 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1194 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1195 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1197 /* SSLfatal() already called */
1201 s->ext.tick_identity = id;
1203 SSL_SESSION_free(s->session);
1207 SSL_SESSION_free(sess);
1211 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1212 ossl_unused unsigned int context,
1213 ossl_unused X509 *x,
1214 ossl_unused size_t chainidx)
1216 if (PACKET_remaining(pkt) != 0) {
1217 SSLfatal(s, SSL_AD_DECODE_ERROR,
1218 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1222 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1228 * Add the server's renegotiation binding
1230 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1231 unsigned int context, X509 *x,
1234 if (!s->s3.send_connection_binding)
1235 return EXT_RETURN_NOT_SENT;
1237 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1238 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1239 || !WPACKET_start_sub_packet_u16(pkt)
1240 || !WPACKET_start_sub_packet_u8(pkt)
1241 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1242 s->s3.previous_client_finished_len)
1243 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1244 s->s3.previous_server_finished_len)
1245 || !WPACKET_close(pkt)
1246 || !WPACKET_close(pkt)) {
1247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1248 return EXT_RETURN_FAIL;
1251 return EXT_RETURN_SENT;
1254 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1255 unsigned int context, X509 *x,
1258 if (s->servername_done != 1)
1259 return EXT_RETURN_NOT_SENT;
1262 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1263 * We just use the servername from the initial handshake.
1265 if (s->hit && !SSL_IS_TLS13(s))
1266 return EXT_RETURN_NOT_SENT;
1268 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1269 || !WPACKET_put_bytes_u16(pkt, 0)) {
1270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1271 return EXT_RETURN_FAIL;
1274 return EXT_RETURN_SENT;
1277 /* Add/include the server's max fragment len extension into ServerHello */
1278 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1279 unsigned int context, X509 *x,
1282 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1283 return EXT_RETURN_NOT_SENT;
1286 * 4 bytes for this extension type and extension length
1287 * 1 byte for the Max Fragment Length code value.
1289 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1290 || !WPACKET_start_sub_packet_u16(pkt)
1291 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1292 || !WPACKET_close(pkt)) {
1293 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1294 return EXT_RETURN_FAIL;
1297 return EXT_RETURN_SENT;
1300 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1301 unsigned int context, X509 *x,
1304 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1305 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1306 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1307 && (s->ext.peer_ecpointformats != NULL);
1308 const unsigned char *plist;
1312 return EXT_RETURN_NOT_SENT;
1314 tls1_get_formatlist(s, &plist, &plistlen);
1315 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1316 || !WPACKET_start_sub_packet_u16(pkt)
1317 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1318 || !WPACKET_close(pkt)) {
1319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1320 return EXT_RETURN_FAIL;
1323 return EXT_RETURN_SENT;
1326 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1327 unsigned int context, X509 *x,
1330 const uint16_t *groups;
1331 size_t numgroups, i, first = 1;
1334 /* s->s3.group_id is non zero if we accepted a key_share */
1335 if (s->s3.group_id == 0)
1336 return EXT_RETURN_NOT_SENT;
1338 /* Get our list of supported groups */
1339 tls1_get_supported_groups(s, &groups, &numgroups);
1340 if (numgroups == 0) {
1341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1342 return EXT_RETURN_FAIL;
1345 /* Copy group ID if supported */
1346 version = SSL_version(s);
1347 for (i = 0; i < numgroups; i++) {
1348 uint16_t group = groups[i];
1350 if (tls_valid_group(s, group, version, version, 0, NULL)
1351 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1354 * Check if the client is already using our preferred group. If
1355 * so we don't need to add this extension
1357 if (s->s3.group_id == group)
1358 return EXT_RETURN_NOT_SENT;
1360 /* Add extension header */
1361 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1362 /* Sub-packet for supported_groups extension */
1363 || !WPACKET_start_sub_packet_u16(pkt)
1364 || !WPACKET_start_sub_packet_u16(pkt)) {
1365 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1366 return EXT_RETURN_FAIL;
1371 if (!WPACKET_put_bytes_u16(pkt, group)) {
1372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1373 return EXT_RETURN_FAIL;
1378 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1380 return EXT_RETURN_FAIL;
1383 return EXT_RETURN_SENT;
1386 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1387 unsigned int context, X509 *x,
1390 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1391 s->ext.ticket_expected = 0;
1392 return EXT_RETURN_NOT_SENT;
1395 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1396 || !WPACKET_put_bytes_u16(pkt, 0)) {
1397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1398 return EXT_RETURN_FAIL;
1401 return EXT_RETURN_SENT;
1404 #ifndef OPENSSL_NO_OCSP
1405 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1406 unsigned int context, X509 *x,
1409 /* We don't currently support this extension inside a CertificateRequest */
1410 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1411 return EXT_RETURN_NOT_SENT;
1413 if (!s->ext.status_expected)
1414 return EXT_RETURN_NOT_SENT;
1416 if (SSL_IS_TLS13(s) && chainidx != 0)
1417 return EXT_RETURN_NOT_SENT;
1419 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1420 || !WPACKET_start_sub_packet_u16(pkt)) {
1421 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1422 return EXT_RETURN_FAIL;
1426 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1427 * send back an empty extension, with the certificate status appearing as a
1430 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1431 /* SSLfatal() already called */
1432 return EXT_RETURN_FAIL;
1434 if (!WPACKET_close(pkt)) {
1435 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1436 return EXT_RETURN_FAIL;
1439 return EXT_RETURN_SENT;
1443 #ifndef OPENSSL_NO_NEXTPROTONEG
1444 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1445 unsigned int context, X509 *x,
1448 const unsigned char *npa;
1449 unsigned int npalen;
1451 int npn_seen = s->s3.npn_seen;
1454 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1455 return EXT_RETURN_NOT_SENT;
1457 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1458 s->ctx->ext.npn_advertised_cb_arg);
1459 if (ret == SSL_TLSEXT_ERR_OK) {
1460 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1461 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1462 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1463 return EXT_RETURN_FAIL;
1468 return EXT_RETURN_SENT;
1472 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1473 X509 *x, size_t chainidx)
1475 if (s->s3.alpn_selected == NULL)
1476 return EXT_RETURN_NOT_SENT;
1478 if (!WPACKET_put_bytes_u16(pkt,
1479 TLSEXT_TYPE_application_layer_protocol_negotiation)
1480 || !WPACKET_start_sub_packet_u16(pkt)
1481 || !WPACKET_start_sub_packet_u16(pkt)
1482 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1483 s->s3.alpn_selected_len)
1484 || !WPACKET_close(pkt)
1485 || !WPACKET_close(pkt)) {
1486 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1487 return EXT_RETURN_FAIL;
1490 return EXT_RETURN_SENT;
1493 #ifndef OPENSSL_NO_SRTP
1494 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1495 unsigned int context, X509 *x,
1498 if (s->srtp_profile == NULL)
1499 return EXT_RETURN_NOT_SENT;
1501 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1502 || !WPACKET_start_sub_packet_u16(pkt)
1503 || !WPACKET_put_bytes_u16(pkt, 2)
1504 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1505 || !WPACKET_put_bytes_u8(pkt, 0)
1506 || !WPACKET_close(pkt)) {
1507 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1508 return EXT_RETURN_FAIL;
1511 return EXT_RETURN_SENT;
1515 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1516 X509 *x, size_t chainidx)
1518 if (!s->ext.use_etm)
1519 return EXT_RETURN_NOT_SENT;
1522 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1523 * for other cases too.
1525 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1526 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1527 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1528 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1529 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1530 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1532 return EXT_RETURN_NOT_SENT;
1535 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1536 || !WPACKET_put_bytes_u16(pkt, 0)) {
1537 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1538 return EXT_RETURN_FAIL;
1541 return EXT_RETURN_SENT;
1544 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1545 X509 *x, size_t chainidx)
1547 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1548 return EXT_RETURN_NOT_SENT;
1550 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1551 || !WPACKET_put_bytes_u16(pkt, 0)) {
1552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1553 return EXT_RETURN_FAIL;
1556 return EXT_RETURN_SENT;
1559 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1560 unsigned int context, X509 *x,
1563 if (!ossl_assert(SSL_IS_TLS13(s))) {
1564 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1565 return EXT_RETURN_FAIL;
1568 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1569 || !WPACKET_start_sub_packet_u16(pkt)
1570 || !WPACKET_put_bytes_u16(pkt, s->version)
1571 || !WPACKET_close(pkt)) {
1572 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1573 return EXT_RETURN_FAIL;
1576 return EXT_RETURN_SENT;
1579 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1580 unsigned int context, X509 *x,
1583 #ifndef OPENSSL_NO_TLS1_3
1584 unsigned char *encodedPoint;
1585 size_t encoded_pt_len = 0;
1586 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1587 const TLS_GROUP_INFO *ginf = NULL;
1589 if (s->hello_retry_request == SSL_HRR_PENDING) {
1591 /* Original key_share was acceptable so don't ask for another one */
1592 return EXT_RETURN_NOT_SENT;
1594 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1595 || !WPACKET_start_sub_packet_u16(pkt)
1596 || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
1598 || !WPACKET_close(pkt)) {
1599 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1600 return EXT_RETURN_FAIL;
1603 return EXT_RETURN_SENT;
1607 /* No key_share received from client - must be resuming */
1608 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1609 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1610 return EXT_RETURN_FAIL;
1612 return EXT_RETURN_NOT_SENT;
1614 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1616 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1617 * DHE option we always take it); don't send key share.
1619 return EXT_RETURN_NOT_SENT;
1622 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1623 || !WPACKET_start_sub_packet_u16(pkt)
1624 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1625 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1626 return EXT_RETURN_FAIL;
1629 if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
1630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1631 return EXT_RETURN_FAIL;
1634 if (!ginf->is_kem) {
1636 skey = ssl_generate_pkey(s, ckey);
1638 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1639 return EXT_RETURN_FAIL;
1642 /* Generate encoding of server key */
1643 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1644 if (encoded_pt_len == 0) {
1645 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1646 EVP_PKEY_free(skey);
1647 return EXT_RETURN_FAIL;
1650 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1651 || !WPACKET_close(pkt)) {
1652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1653 EVP_PKEY_free(skey);
1654 OPENSSL_free(encodedPoint);
1655 return EXT_RETURN_FAIL;
1657 OPENSSL_free(encodedPoint);
1660 * This causes the crypto state to be updated based on the derived keys
1662 s->s3.tmp.pkey = skey;
1663 if (ssl_derive(s, skey, ckey, 1) == 0) {
1664 /* SSLfatal() already called */
1665 return EXT_RETURN_FAIL;
1669 unsigned char *ct = NULL;
1673 * This does not update the crypto state.
1675 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1678 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1679 /* SSLfatal() already called */
1680 return EXT_RETURN_FAIL;
1684 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1686 return EXT_RETURN_FAIL;
1689 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1690 || !WPACKET_close(pkt)) {
1691 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1693 return EXT_RETURN_FAIL;
1698 * This causes the crypto state to be updated based on the generated pms
1700 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1701 /* SSLfatal() already called */
1702 return EXT_RETURN_FAIL;
1706 return EXT_RETURN_SENT;
1708 return EXT_RETURN_FAIL;
1712 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1713 X509 *x, size_t chainidx)
1715 #ifndef OPENSSL_NO_TLS1_3
1716 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1717 unsigned char *hmac, *hmac2;
1718 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1721 int ret = EXT_RETURN_FAIL;
1723 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1724 return EXT_RETURN_NOT_SENT;
1726 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1727 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1728 return EXT_RETURN_FAIL;
1731 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1732 || !WPACKET_start_sub_packet_u16(pkt)
1733 || !WPACKET_start_sub_packet_u16(pkt)
1734 || !WPACKET_get_total_written(pkt, &startlen)
1735 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1736 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1737 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1738 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1739 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1741 /* Is there a key_share extension present in this HRR? */
1742 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1743 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1744 || !WPACKET_start_sub_packet_u16(pkt)
1745 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1746 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1747 return EXT_RETURN_FAIL;
1751 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1752 * on raw buffers, so we first reserve sufficient bytes (above) and then
1753 * subsequently allocate them (below)
1755 if (!ssl3_digest_cached_records(s, 0)
1756 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1757 /* SSLfatal() already called */
1758 return EXT_RETURN_FAIL;
1761 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1762 || !ossl_assert(hashval1 == hashval2)
1763 || !WPACKET_close(pkt)
1764 || !WPACKET_start_sub_packet_u8(pkt)
1765 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1766 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1767 return EXT_RETURN_FAIL;
1770 /* Generate the application cookie */
1771 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1772 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1773 return EXT_RETURN_FAIL;
1776 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1777 || !ossl_assert(appcookie1 == appcookie2)
1778 || !WPACKET_close(pkt)
1779 || !WPACKET_get_total_written(pkt, &totcookielen)
1780 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1782 return EXT_RETURN_FAIL;
1784 hmaclen = SHA256_DIGEST_LENGTH;
1786 totcookielen -= startlen;
1787 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1788 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1789 return EXT_RETURN_FAIL;
1792 /* HMAC the cookie */
1793 hctx = EVP_MD_CTX_create();
1794 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1796 s->session_ctx->ext.cookie_hmac_key,
1797 sizeof(s->session_ctx->ext.cookie_hmac_key));
1798 if (hctx == NULL || pkey == NULL) {
1799 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1803 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
1804 s->ctx->propq, pkey, NULL) <= 0
1805 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1806 totcookielen) <= 0) {
1807 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1811 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1816 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1817 || !ossl_assert(hmac == hmac2)
1818 || !ossl_assert(cookie == hmac - totcookielen)
1819 || !WPACKET_close(pkt)
1820 || !WPACKET_close(pkt)) {
1821 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1825 ret = EXT_RETURN_SENT;
1828 EVP_MD_CTX_free(hctx);
1829 EVP_PKEY_free(pkey);
1832 return EXT_RETURN_FAIL;
1836 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1837 unsigned int context, X509 *x,
1840 const unsigned char cryptopro_ext[36] = {
1841 0xfd, 0xe8, /* 65000 */
1842 0x00, 0x20, /* 32 bytes length */
1843 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1844 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1845 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1846 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1849 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1850 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1851 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1852 return EXT_RETURN_NOT_SENT;
1854 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1855 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1856 return EXT_RETURN_FAIL;
1859 return EXT_RETURN_SENT;
1862 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1863 unsigned int context, X509 *x,
1866 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1867 if (s->max_early_data == 0)
1868 return EXT_RETURN_NOT_SENT;
1870 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1871 || !WPACKET_start_sub_packet_u16(pkt)
1872 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1873 || !WPACKET_close(pkt)) {
1874 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1875 return EXT_RETURN_FAIL;
1878 return EXT_RETURN_SENT;
1881 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1882 return EXT_RETURN_NOT_SENT;
1884 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1885 || !WPACKET_start_sub_packet_u16(pkt)
1886 || !WPACKET_close(pkt)) {
1887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1888 return EXT_RETURN_FAIL;
1891 return EXT_RETURN_SENT;
1894 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1895 X509 *x, size_t chainidx)
1898 return EXT_RETURN_NOT_SENT;
1900 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1901 || !WPACKET_start_sub_packet_u16(pkt)
1902 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1903 || !WPACKET_close(pkt)) {
1904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1905 return EXT_RETURN_FAIL;
1908 return EXT_RETURN_SENT;