2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
125 s->servername_done = 1;
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
135 if (!s->servername_done && s->session->ext.hostname != NULL)
136 s->ext.early_data_ok = 0;
142 #ifndef OPENSSL_NO_SRP
143 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
144 size_t chainidx, int *al)
148 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
149 || PACKET_contains_zero_byte(&srp_I)) {
150 *al = SSL_AD_DECODE_ERROR;
155 * TODO(openssl-team): currently, we re-authenticate the user
156 * upon resumption. Instead, we MUST ignore the login.
158 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
159 *al = SSL_AD_INTERNAL_ERROR;
167 #ifndef OPENSSL_NO_EC
168 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
169 X509 *x, size_t chainidx, int *al)
171 PACKET ec_point_format_list;
173 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
174 || PACKET_remaining(&ec_point_format_list) == 0) {
175 *al = SSL_AD_DECODE_ERROR;
180 if (!PACKET_memdup(&ec_point_format_list,
181 &s->session->ext.ecpointformats,
182 &s->session->ext.ecpointformats_len)) {
183 *al = SSL_AD_INTERNAL_ERROR;
190 #endif /* OPENSSL_NO_EC */
192 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
193 X509 *x, size_t chainidx, int *al)
195 if (s->ext.session_ticket_cb &&
196 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
197 PACKET_remaining(pkt),
198 s->ext.session_ticket_cb_arg)) {
199 *al = SSL_AD_INTERNAL_ERROR;
206 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
207 size_t chainidx, int *al)
209 PACKET supported_sig_algs;
211 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
212 || PACKET_remaining(&supported_sig_algs) == 0) {
213 *al = SSL_AD_DECODE_ERROR;
217 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
218 *al = SSL_AD_DECODE_ERROR;
225 #ifndef OPENSSL_NO_OCSP
226 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
227 X509 *x, size_t chainidx, int *al)
229 PACKET responder_id_list, exts;
231 /* Not defined if we get one of these in a client Certificate */
235 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
236 *al = SSL_AD_DECODE_ERROR;
240 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
242 * We don't know what to do with any other type so ignore it.
244 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
248 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
249 *al = SSL_AD_DECODE_ERROR;
254 * We remove any OCSP_RESPIDs from a previous handshake
255 * to prevent unbounded memory growth - CVE-2016-6304
257 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
258 if (PACKET_remaining(&responder_id_list) > 0) {
259 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
260 if (s->ext.ocsp.ids == NULL) {
261 *al = SSL_AD_INTERNAL_ERROR;
265 s->ext.ocsp.ids = NULL;
268 while (PACKET_remaining(&responder_id_list) > 0) {
271 const unsigned char *id_data;
273 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
274 || PACKET_remaining(&responder_id) == 0) {
275 *al = SSL_AD_DECODE_ERROR;
279 id_data = PACKET_data(&responder_id);
280 /* TODO(size_t): Convert d2i_* to size_t */
281 id = d2i_OCSP_RESPID(NULL, &id_data,
282 (int)PACKET_remaining(&responder_id));
284 *al = SSL_AD_DECODE_ERROR;
288 if (id_data != PACKET_end(&responder_id)) {
289 OCSP_RESPID_free(id);
290 *al = SSL_AD_DECODE_ERROR;
294 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
295 OCSP_RESPID_free(id);
296 *al = SSL_AD_INTERNAL_ERROR;
301 /* Read in request_extensions */
302 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
303 *al = SSL_AD_DECODE_ERROR;
307 if (PACKET_remaining(&exts) > 0) {
308 const unsigned char *ext_data = PACKET_data(&exts);
310 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
311 X509_EXTENSION_free);
313 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
314 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
315 *al = SSL_AD_DECODE_ERROR;
324 #ifndef OPENSSL_NO_NEXTPROTONEG
325 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
326 size_t chainidx, int *al)
329 * We shouldn't accept this extension on a
332 if (SSL_IS_FIRST_HANDSHAKE(s))
340 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
341 * extension, not including type and length. |al| is a pointer to the alert
342 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
344 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
345 size_t chainidx, int *al)
347 PACKET protocol_list, save_protocol_list, protocol;
349 if (!SSL_IS_FIRST_HANDSHAKE(s))
352 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
353 || PACKET_remaining(&protocol_list) < 2) {
354 *al = SSL_AD_DECODE_ERROR;
358 save_protocol_list = protocol_list;
360 /* Protocol names can't be empty. */
361 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
362 || PACKET_remaining(&protocol) == 0) {
363 *al = SSL_AD_DECODE_ERROR;
366 } while (PACKET_remaining(&protocol_list) != 0);
368 OPENSSL_free(s->s3->alpn_proposed);
369 s->s3->alpn_proposed = NULL;
370 s->s3->alpn_proposed_len = 0;
371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
373 *al = SSL_AD_INTERNAL_ERROR;
380 #ifndef OPENSSL_NO_SRTP
381 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
382 size_t chainidx, int *al)
384 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
385 unsigned int ct, mki_len, id;
389 /* Ignore this if we have no SRTP profiles */
390 if (SSL_get_srtp_profiles(s) == NULL)
393 /* Pull off the length of the cipher suite list and check it is even */
394 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
395 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
396 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
397 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
398 *al = SSL_AD_DECODE_ERROR;
402 srvr = SSL_get_srtp_profiles(s);
403 s->srtp_profile = NULL;
404 /* Search all profiles for a match initially */
405 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
407 while (PACKET_remaining(&subpkt)) {
408 if (!PACKET_get_net_2(&subpkt, &id)) {
409 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
410 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
411 *al = SSL_AD_DECODE_ERROR;
416 * Only look for match in profiles of higher preference than
418 * If no profiles have been have been configured then this
421 for (i = 0; i < srtp_pref; i++) {
422 SRTP_PROTECTION_PROFILE *sprof =
423 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
425 if (sprof->id == id) {
426 s->srtp_profile = sprof;
433 /* Now extract the MKI value as a sanity check, but discard it for now */
434 if (!PACKET_get_1(pkt, &mki_len)) {
435 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
436 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
437 *al = SSL_AD_DECODE_ERROR;
441 if (!PACKET_forward(pkt, mki_len)
442 || PACKET_remaining(pkt)) {
443 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
444 *al = SSL_AD_DECODE_ERROR;
452 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 size_t chainidx, int *al)
455 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
462 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
463 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
464 * If a failure occurs then |*al| is set to an appropriate alert value.
466 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
467 X509 *x, size_t chainidx, int *al)
469 #ifndef OPENSSL_NO_TLS1_3
470 PACKET psk_kex_modes;
473 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
474 || PACKET_remaining(&psk_kex_modes) == 0) {
475 *al = SSL_AD_DECODE_ERROR;
479 while (PACKET_get_1(&psk_kex_modes, &mode)) {
480 if (mode == TLSEXT_KEX_MODE_KE_DHE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
482 else if (mode == TLSEXT_KEX_MODE_KE
483 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
484 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
492 * Process a key_share extension received in the ClientHello. |pkt| contains
493 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
494 * If a failure occurs then |*al| is set to an appropriate alert value.
496 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
497 size_t chainidx, int *al)
499 #ifndef OPENSSL_NO_TLS1_3
500 unsigned int group_id;
501 PACKET key_share_list, encoded_pt;
502 const uint16_t *clntcurves, *srvrcurves;
503 size_t clnt_num_curves, srvr_num_curves;
506 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
510 if (s->s3->peer_tmp != NULL) {
511 *al = SSL_AD_INTERNAL_ERROR;
512 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
516 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
517 *al = SSL_AD_DECODE_ERROR;
518 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
522 /* Get our list of supported curves */
523 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
524 *al = SSL_AD_INTERNAL_ERROR;
525 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
529 /* Get the clients list of supported curves. */
530 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
531 *al = SSL_AD_INTERNAL_ERROR;
532 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
535 if (clnt_num_curves == 0) {
537 * This can only happen if the supported_groups extension was not sent,
538 * because we verify that the length is non-zero when we process that
541 *al = SSL_AD_MISSING_EXTENSION;
542 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
543 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
547 while (PACKET_remaining(&key_share_list) > 0) {
548 if (!PACKET_get_net_2(&key_share_list, &group_id)
549 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
550 || PACKET_remaining(&encoded_pt) == 0) {
551 *al = SSL_AD_DECODE_ERROR;
552 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
553 SSL_R_LENGTH_MISMATCH);
558 * If we already found a suitable key_share we loop through the
559 * rest to verify the structure, but don't process them.
564 /* Check if this share is in supported_groups sent from client */
565 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
566 *al = SSL_AD_ILLEGAL_PARAMETER;
567 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
571 /* Check if this share is for a group we can use */
572 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
573 /* Share not suitable */
577 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
578 *al = SSL_AD_INTERNAL_ERROR;
579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
580 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
584 s->s3->group_id = group_id;
586 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
587 PACKET_data(&encoded_pt),
588 PACKET_remaining(&encoded_pt))) {
589 *al = SSL_AD_ILLEGAL_PARAMETER;
590 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
601 #ifndef OPENSSL_NO_EC
602 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
603 X509 *x, size_t chainidx, int *al)
605 PACKET supported_groups_list;
607 /* Each group is 2 bytes and we must have at least 1. */
608 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
609 || PACKET_remaining(&supported_groups_list) == 0
610 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
611 *al = SSL_AD_DECODE_ERROR;
615 if (!s->hit || SSL_IS_TLS13(s)) {
616 OPENSSL_free(s->session->ext.supportedgroups);
617 s->session->ext.supportedgroups = NULL;
618 s->session->ext.supportedgroups_len = 0;
619 if (!tls1_save_u16(&supported_groups_list,
620 &s->session->ext.supportedgroups,
621 &s->session->ext.supportedgroups_len)) {
622 *al = SSL_AD_INTERNAL_ERROR;
631 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
632 size_t chainidx, int *al)
634 /* The extension must always be empty */
635 if (PACKET_remaining(pkt) != 0) {
636 *al = SSL_AD_DECODE_ERROR;
640 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
646 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
647 X509 *x, size_t chainidx, int *al)
649 if (PACKET_remaining(pkt) != 0) {
650 *al = SSL_AD_DECODE_ERROR;
654 if (s->hello_retry_request) {
655 *al = SSL_AD_ILLEGAL_PARAMETER;
662 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
663 size_t chainidx, int *al)
665 PACKET identities, binders, binder;
666 size_t binderoffset, hashsize;
667 SSL_SESSION *sess = NULL;
668 unsigned int id, i, ext = 0;
669 const EVP_MD *md = NULL;
672 * If we have no PSK kex mode that we recognise then we can't resume so
673 * ignore this extension
675 if ((s->ext.psk_kex_mode
676 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
679 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
680 *al = SSL_AD_DECODE_ERROR;
684 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
686 unsigned long ticket_agel;
688 if (!PACKET_get_length_prefixed_2(&identities, &identity)
689 || !PACKET_get_net_4(&identities, &ticket_agel)) {
690 *al = SSL_AD_DECODE_ERROR;
694 if (s->psk_find_session_cb != NULL
695 && !s->psk_find_session_cb(s, PACKET_data(&identity),
696 PACKET_remaining(&identity),
698 *al = SSL_AD_INTERNAL_ERROR;
704 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
706 if (sesstmp == NULL) {
707 *al = SSL_AD_INTERNAL_ERROR;
710 SSL_SESSION_free(sess);
714 * We've just been told to use this session for this context so
715 * make sure the sid_ctx matches up.
717 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
718 sess->sid_ctx_length = s->sid_ctx_length;
721 s->ext.early_data_ok = 1;
723 uint32_t ticket_age = 0, now, agesec, agems;
724 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
725 PACKET_remaining(&identity), NULL, 0,
728 if (ret == TICKET_FATAL_ERR_MALLOC
729 || ret == TICKET_FATAL_ERR_OTHER) {
730 *al = SSL_AD_INTERNAL_ERROR;
733 if (ret == TICKET_NO_DECRYPT)
736 ticket_age = (uint32_t)ticket_agel;
737 now = (uint32_t)time(NULL);
738 agesec = now - (uint32_t)sess->time;
739 agems = agesec * (uint32_t)1000;
740 ticket_age -= sess->ext.tick_age_add;
743 * For simplicity we do our age calculations in seconds. If the
744 * client does it in ms then it could appear that their ticket age
745 * is longer than ours (our ticket age calculation should always be
746 * slightly longer than the client's due to the network latency).
747 * Therefore we add 1000ms to our age calculation to adjust for
751 && sess->timeout >= (long)agesec
752 && agems / (uint32_t)1000 == agesec
753 && ticket_age <= agems + 1000
754 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
756 * Ticket age is within tolerance and not expired. We allow it
759 s->ext.early_data_ok = 1;
763 md = ssl_md(sess->cipher->algorithm2);
764 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
765 /* The ciphersuite is not compatible with this session. */
766 SSL_SESSION_free(sess);
768 s->ext.early_data_ok = 0;
777 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
778 hashsize = EVP_MD_size(md);
780 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
781 *al = SSL_AD_DECODE_ERROR;
785 for (i = 0; i <= id; i++) {
786 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
787 *al = SSL_AD_DECODE_ERROR;
792 if (PACKET_remaining(&binder) != hashsize
793 || tls_psk_do_binder(s, md,
794 (const unsigned char *)s->init_buf->data,
795 binderoffset, PACKET_data(&binder), NULL,
796 sess, 0, ext) != 1) {
797 *al = SSL_AD_DECODE_ERROR;
798 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
802 sess->ext.tick_identity = id;
804 SSL_SESSION_free(s->session);
808 SSL_SESSION_free(sess);
813 * Add the server's renegotiation binding
815 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
816 unsigned int context, X509 *x,
817 size_t chainidx, int *al)
819 if (!s->s3->send_connection_binding)
820 return EXT_RETURN_NOT_SENT;
822 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
823 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
824 || !WPACKET_start_sub_packet_u16(pkt)
825 || !WPACKET_start_sub_packet_u8(pkt)
826 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
827 s->s3->previous_client_finished_len)
828 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
829 s->s3->previous_server_finished_len)
830 || !WPACKET_close(pkt)
831 || !WPACKET_close(pkt)) {
832 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
833 return EXT_RETURN_FAIL;
836 return EXT_RETURN_SENT;
839 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
840 unsigned int context, X509 *x,
841 size_t chainidx, int *al)
843 if (s->hit || s->servername_done != 1
844 || s->session->ext.hostname == NULL)
845 return EXT_RETURN_NOT_SENT;
847 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
848 || !WPACKET_put_bytes_u16(pkt, 0)) {
849 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
850 return EXT_RETURN_FAIL;
853 return EXT_RETURN_SENT;
856 #ifndef OPENSSL_NO_EC
857 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
858 unsigned int context, X509 *x,
859 size_t chainidx, int *al)
861 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
862 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
863 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
864 && (s->session->ext.ecpointformats != NULL);
865 const unsigned char *plist;
869 return EXT_RETURN_NOT_SENT;
871 tls1_get_formatlist(s, &plist, &plistlen);
872 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
873 || !WPACKET_start_sub_packet_u16(pkt)
874 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
875 || !WPACKET_close(pkt)) {
876 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
877 return EXT_RETURN_FAIL;
880 return EXT_RETURN_SENT;
884 #ifndef OPENSSL_NO_EC
885 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
886 unsigned int context, X509 *x,
887 size_t chainidx, int *al)
889 const uint16_t *groups;
890 size_t numgroups, i, first = 1;
892 /* s->s3->group_id is non zero if we accepted a key_share */
893 if (s->s3->group_id == 0)
894 return EXT_RETURN_NOT_SENT;
896 /* Get our list of supported groups */
897 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
898 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
899 return EXT_RETURN_FAIL;
902 /* Copy group ID if supported */
903 for (i = 0; i < numgroups; i++) {
904 uint16_t group = groups[i];
906 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
909 * Check if the client is already using our preferred group. If
910 * so we don't need to add this extension
912 if (s->s3->group_id == group)
913 return EXT_RETURN_NOT_SENT;
915 /* Add extension header */
916 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
917 /* Sub-packet for supported_groups extension */
918 || !WPACKET_start_sub_packet_u16(pkt)
919 || !WPACKET_start_sub_packet_u16(pkt)) {
920 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
921 ERR_R_INTERNAL_ERROR);
922 return EXT_RETURN_FAIL;
927 if (!WPACKET_put_bytes_u16(pkt, group)) {
928 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
929 ERR_R_INTERNAL_ERROR);
930 return EXT_RETURN_FAIL;
935 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
936 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
937 return EXT_RETURN_FAIL;
940 return EXT_RETURN_SENT;
944 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
945 unsigned int context, X509 *x,
946 size_t chainidx, int *al)
948 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
949 s->ext.ticket_expected = 0;
950 return EXT_RETURN_NOT_SENT;
953 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
954 || !WPACKET_put_bytes_u16(pkt, 0)) {
955 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
956 return EXT_RETURN_FAIL;
959 return EXT_RETURN_SENT;
962 #ifndef OPENSSL_NO_OCSP
963 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
964 unsigned int context, X509 *x,
965 size_t chainidx, int *al)
967 if (!s->ext.status_expected)
968 return EXT_RETURN_NOT_SENT;
970 if (SSL_IS_TLS13(s) && chainidx != 0)
971 return EXT_RETURN_NOT_SENT;
973 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
974 || !WPACKET_start_sub_packet_u16(pkt)) {
975 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
976 return EXT_RETURN_FAIL;
980 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
981 * send back an empty extension, with the certificate status appearing as a
984 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
985 || !WPACKET_close(pkt)) {
986 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
987 return EXT_RETURN_FAIL;
990 return EXT_RETURN_SENT;
994 #ifndef OPENSSL_NO_NEXTPROTONEG
995 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
996 unsigned int context, X509 *x,
997 size_t chainidx, int *al)
999 const unsigned char *npa;
1000 unsigned int npalen;
1002 int npn_seen = s->s3->npn_seen;
1004 s->s3->npn_seen = 0;
1005 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1006 return EXT_RETURN_NOT_SENT;
1008 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1009 s->ctx->ext.npn_advertised_cb_arg);
1010 if (ret == SSL_TLSEXT_ERR_OK) {
1011 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1012 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1013 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1014 ERR_R_INTERNAL_ERROR);
1015 return EXT_RETURN_FAIL;
1017 s->s3->npn_seen = 1;
1020 return EXT_RETURN_SENT;
1024 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1025 X509 *x, size_t chainidx, int *al)
1027 if (s->s3->alpn_selected == NULL)
1028 return EXT_RETURN_NOT_SENT;
1030 if (!WPACKET_put_bytes_u16(pkt,
1031 TLSEXT_TYPE_application_layer_protocol_negotiation)
1032 || !WPACKET_start_sub_packet_u16(pkt)
1033 || !WPACKET_start_sub_packet_u16(pkt)
1034 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1035 s->s3->alpn_selected_len)
1036 || !WPACKET_close(pkt)
1037 || !WPACKET_close(pkt)) {
1038 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1039 return EXT_RETURN_FAIL;
1042 return EXT_RETURN_SENT;
1045 #ifndef OPENSSL_NO_SRTP
1046 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1047 unsigned int context, X509 *x,
1048 size_t chainidx, int *al)
1050 if (s->srtp_profile == NULL)
1051 return EXT_RETURN_NOT_SENT;
1053 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1054 || !WPACKET_start_sub_packet_u16(pkt)
1055 || !WPACKET_put_bytes_u16(pkt, 2)
1056 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1057 || !WPACKET_put_bytes_u8(pkt, 0)
1058 || !WPACKET_close(pkt)) {
1059 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1060 return EXT_RETURN_FAIL;
1063 return EXT_RETURN_SENT;
1067 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1068 X509 *x, size_t chainidx, int *al)
1070 if (!s->ext.use_etm)
1071 return EXT_RETURN_NOT_SENT;
1074 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1075 * for other cases too.
1077 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1078 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1079 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1080 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1082 return EXT_RETURN_NOT_SENT;
1085 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1086 || !WPACKET_put_bytes_u16(pkt, 0)) {
1087 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1088 return EXT_RETURN_FAIL;
1091 return EXT_RETURN_SENT;
1094 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1095 X509 *x, size_t chainidx, int *al)
1097 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1098 return EXT_RETURN_NOT_SENT;
1100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1101 || !WPACKET_put_bytes_u16(pkt, 0)) {
1102 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1103 return EXT_RETURN_FAIL;
1106 return EXT_RETURN_SENT;
1109 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1110 unsigned int context, X509 *x,
1111 size_t chainidx, int *al)
1113 #ifndef OPENSSL_NO_TLS1_3
1114 unsigned char *encodedPoint;
1115 size_t encoded_pt_len = 0;
1116 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1119 /* No key_share received from client */
1120 if (s->hello_retry_request) {
1121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1122 || !WPACKET_start_sub_packet_u16(pkt)
1123 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1124 || !WPACKET_close(pkt)) {
1125 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1126 ERR_R_INTERNAL_ERROR);
1127 return EXT_RETURN_FAIL;
1130 return EXT_RETURN_SENT;
1133 /* Must be resuming. */
1134 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1135 *al = SSL_AD_INTERNAL_ERROR;
1136 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1137 return EXT_RETURN_FAIL;
1139 return EXT_RETURN_NOT_SENT;
1142 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1143 || !WPACKET_start_sub_packet_u16(pkt)
1144 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1145 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1146 return EXT_RETURN_FAIL;
1149 skey = ssl_generate_pkey(ckey);
1151 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1152 return EXT_RETURN_FAIL;
1155 /* Generate encoding of server key */
1156 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1157 if (encoded_pt_len == 0) {
1158 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1159 EVP_PKEY_free(skey);
1160 return EXT_RETURN_FAIL;
1163 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1164 || !WPACKET_close(pkt)) {
1165 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1166 EVP_PKEY_free(skey);
1167 OPENSSL_free(encodedPoint);
1168 return EXT_RETURN_FAIL;
1170 OPENSSL_free(encodedPoint);
1172 /* This causes the crypto state to be updated based on the derived keys */
1173 s->s3->tmp.pkey = skey;
1174 if (ssl_derive(s, skey, ckey, 1) == 0) {
1175 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1176 return EXT_RETURN_FAIL;
1180 return EXT_RETURN_SENT;
1183 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1184 unsigned int context, X509 *x,
1185 size_t chainidx, int *al)
1187 const unsigned char cryptopro_ext[36] = {
1188 0xfd, 0xe8, /* 65000 */
1189 0x00, 0x20, /* 32 bytes length */
1190 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1191 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1192 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1193 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1196 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1197 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1198 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1199 return EXT_RETURN_NOT_SENT;
1201 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1202 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1203 return EXT_RETURN_FAIL;
1206 return EXT_RETURN_SENT;
1209 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1210 unsigned int context, X509 *x,
1211 size_t chainidx, int *al)
1213 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1214 if (s->max_early_data == 0)
1215 return EXT_RETURN_NOT_SENT;
1217 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1218 || !WPACKET_start_sub_packet_u16(pkt)
1219 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1220 || !WPACKET_close(pkt)) {
1221 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1222 return EXT_RETURN_FAIL;
1225 return EXT_RETURN_SENT;
1228 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1229 return EXT_RETURN_NOT_SENT;
1231 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1232 || !WPACKET_start_sub_packet_u16(pkt)
1233 || !WPACKET_close(pkt)) {
1234 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1235 return EXT_RETURN_FAIL;
1238 return EXT_RETURN_SENT;
1241 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1242 X509 *x, size_t chainidx, int *al)
1245 return EXT_RETURN_NOT_SENT;
1247 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1248 || !WPACKET_start_sub_packet_u16(pkt)
1249 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1250 || !WPACKET_close(pkt)) {
1251 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1252 return EXT_RETURN_FAIL;
1255 return EXT_RETURN_SENT;