2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 2 bytes for the hashlen, EVP_MAX_MD_SIZE for
21 * transcript hash, 1 byte for app cookie length, app cookie length bytes,
22 * SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + number of bytes in legacy session id + 2 bytes for ciphersuite
30 * + 1 byte for legacy compression + 2 bytes for extension block length
31 * + 6 bytes for key_share extension + 4 bytes for cookie extension header
32 * + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3->send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
138 if (PACKET_contains_zero_byte(&hostname)) {
139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
153 s->servername_done = 1;
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
170 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
171 X509 *x, size_t chainidx)
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
205 s->session->ext.max_fragment_len_mode = value;
209 #ifndef OPENSSL_NO_SRP
210 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
237 #ifndef OPENSSL_NO_EC
238 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
239 X509 *x, size_t chainidx)
241 PACKET ec_point_format_list;
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
251 if (!PACKET_memdup(&ec_point_format_list,
252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
262 #endif /* OPENSSL_NO_EC */
264 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
265 X509 *x, size_t chainidx)
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
279 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
282 PACKET supported_sig_algs;
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
300 #ifndef OPENSSL_NO_OCSP
301 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302 X509 *x, size_t chainidx)
304 PACKET responder_id_list, exts;
306 /* Not defined if we get one of these in a client Certificate */
310 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
311 SSLfatal(s, SSL_AD_DECODE_ERROR,
312 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
316 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
318 * We don't know what to do with any other type so ignore it.
320 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
324 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
325 SSLfatal(s, SSL_AD_DECODE_ERROR,
326 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
331 * We remove any OCSP_RESPIDs from a previous handshake
332 * to prevent unbounded memory growth - CVE-2016-6304
334 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
335 if (PACKET_remaining(&responder_id_list) > 0) {
336 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
337 if (s->ext.ocsp.ids == NULL) {
338 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
339 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
343 s->ext.ocsp.ids = NULL;
346 while (PACKET_remaining(&responder_id_list) > 0) {
349 const unsigned char *id_data;
351 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
352 || PACKET_remaining(&responder_id) == 0) {
353 SSLfatal(s, SSL_AD_DECODE_ERROR,
354 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
358 id_data = PACKET_data(&responder_id);
359 /* TODO(size_t): Convert d2i_* to size_t */
360 id = d2i_OCSP_RESPID(NULL, &id_data,
361 (int)PACKET_remaining(&responder_id));
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 if (id_data != PACKET_end(&responder_id)) {
369 OCSP_RESPID_free(id);
370 SSLfatal(s, SSL_AD_DECODE_ERROR,
371 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
376 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
377 OCSP_RESPID_free(id);
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
379 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
385 /* Read in request_extensions */
386 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
387 SSLfatal(s, SSL_AD_DECODE_ERROR,
388 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396 X509_EXTENSION_free);
398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400 SSLfatal(s, SSL_AD_DECODE_ERROR,
401 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
410 #ifndef OPENSSL_NO_NEXTPROTONEG
411 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
415 * We shouldn't accept this extension on a
418 if (SSL_IS_FIRST_HANDSHAKE(s))
426 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
427 * extension, not including type and length. Returns: 1 on success, 0 on error.
429 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
432 PACKET protocol_list, save_protocol_list, protocol;
434 if (!SSL_IS_FIRST_HANDSHAKE(s))
437 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
438 || PACKET_remaining(&protocol_list) < 2) {
439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
440 SSL_R_BAD_EXTENSION);
444 save_protocol_list = protocol_list;
446 /* Protocol names can't be empty. */
447 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
448 || PACKET_remaining(&protocol) == 0) {
449 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
450 SSL_R_BAD_EXTENSION);
453 } while (PACKET_remaining(&protocol_list) != 0);
455 OPENSSL_free(s->s3->alpn_proposed);
456 s->s3->alpn_proposed = NULL;
457 s->s3->alpn_proposed_len = 0;
458 if (!PACKET_memdup(&save_protocol_list,
459 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 ERR_R_INTERNAL_ERROR);
468 #ifndef OPENSSL_NO_SRTP
469 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
472 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
473 unsigned int ct, mki_len, id;
477 /* Ignore this if we have no SRTP profiles */
478 if (SSL_get_srtp_profiles(s) == NULL)
481 /* Pull off the length of the cipher suite list and check it is even */
482 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
483 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
485 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489 srvr = SSL_get_srtp_profiles(s);
490 s->srtp_profile = NULL;
491 /* Search all profiles for a match initially */
492 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
494 while (PACKET_remaining(&subpkt)) {
495 if (!PACKET_get_net_2(&subpkt, &id)) {
496 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
497 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
502 * Only look for match in profiles of higher preference than
504 * If no profiles have been have been configured then this
507 for (i = 0; i < srtp_pref; i++) {
508 SRTP_PROTECTION_PROFILE *sprof =
509 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
511 if (sprof->id == id) {
512 s->srtp_profile = sprof;
519 /* Now extract the MKI value as a sanity check, but discard it for now */
520 if (!PACKET_get_1(pkt, &mki_len)) {
521 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
522 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
526 if (!PACKET_forward(pkt, mki_len)
527 || PACKET_remaining(pkt)) {
528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
529 SSL_R_BAD_SRTP_MKI_VALUE);
537 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
540 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
547 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
548 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
550 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
551 X509 *x, size_t chainidx)
553 #ifndef OPENSSL_NO_TLS1_3
554 PACKET psk_kex_modes;
557 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
558 || PACKET_remaining(&psk_kex_modes) == 0) {
559 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
560 SSL_R_BAD_EXTENSION);
564 while (PACKET_get_1(&psk_kex_modes, &mode)) {
565 if (mode == TLSEXT_KEX_MODE_KE_DHE)
566 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
567 else if (mode == TLSEXT_KEX_MODE_KE
568 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
569 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
577 * Process a key_share extension received in the ClientHello. |pkt| contains
578 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
580 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
583 #ifndef OPENSSL_NO_TLS1_3
584 unsigned int group_id;
585 PACKET key_share_list, encoded_pt;
586 const uint16_t *clntgroups, *srvrgroups;
587 size_t clnt_num_groups, srvr_num_groups;
590 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
594 if (s->s3->peer_tmp != NULL) {
595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 ERR_R_INTERNAL_ERROR);
600 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
601 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
602 SSL_R_LENGTH_MISMATCH);
606 /* Get our list of supported groups */
607 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
608 /* Get the clients list of supported groups. */
609 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
610 if (clnt_num_groups == 0) {
612 * This can only happen if the supported_groups extension was not sent,
613 * because we verify that the length is non-zero when we process that
616 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
621 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
623 * If we set a group_id already, then we must have sent an HRR
624 * requesting a new key_share. If we haven't got one then that is an
627 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
628 SSL_R_BAD_KEY_SHARE);
632 while (PACKET_remaining(&key_share_list) > 0) {
633 if (!PACKET_get_net_2(&key_share_list, &group_id)
634 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
635 || PACKET_remaining(&encoded_pt) == 0) {
636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637 SSL_R_LENGTH_MISMATCH);
642 * If we already found a suitable key_share we loop through the
643 * rest to verify the structure, but don't process them.
649 * If we sent an HRR then the key_share sent back MUST be for the group
650 * we requested, and must be the only key_share sent.
652 if (s->s3->group_id != 0
653 && (group_id != s->s3->group_id
654 || PACKET_remaining(&key_share_list) != 0)) {
655 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
656 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
660 /* Check if this share is in supported_groups sent from client */
661 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
663 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
667 /* Check if this share is for a group we can use */
668 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
669 /* Share not suitable */
673 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
674 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
675 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
679 s->s3->group_id = group_id;
681 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
682 PACKET_data(&encoded_pt),
683 PACKET_remaining(&encoded_pt))) {
684 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
685 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
696 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
699 unsigned int format, version, key_share, group_id;
702 PACKET cookie, raw, chhash, appcookie;
704 const unsigned char *data, *mdin, *ciphdata;
705 unsigned char hmac[SHA256_DIGEST_LENGTH];
706 unsigned char hrr[MAX_HRR_SIZE];
707 size_t rawlen, hmaclen, hrrlen, ciphlen;
709 /* Ignore any cookie if we're not set up to verify it */
710 if (s->ctx->app_verify_cookie_cb == NULL
711 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
714 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
715 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
716 SSL_R_LENGTH_MISMATCH);
721 data = PACKET_data(&raw);
722 rawlen = PACKET_remaining(&raw);
723 if (rawlen < SHA256_DIGEST_LENGTH
724 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
725 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
726 SSL_R_LENGTH_MISMATCH);
729 mdin = PACKET_data(&raw);
731 /* Verify the HMAC of the cookie */
732 hctx = EVP_MD_CTX_create();
733 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
734 s->session_ctx->ext.cookie_hmac_key,
735 sizeof(s->session_ctx->ext.cookie_hmac_key));
736 if (hctx == NULL || pkey == NULL) {
737 EVP_MD_CTX_free(hctx);
739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
740 ERR_R_MALLOC_FAILURE);
744 hmaclen = sizeof(s->session_ctx->ext.cookie_hmac_key);
745 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
746 || EVP_DigestSignUpdate(hctx, data,
747 rawlen - SHA256_DIGEST_LENGTH) <= 0
748 || EVP_DigestSignFinal(hctx, hmac, &hmaclen) <= 0
749 || hmaclen != SHA256_DIGEST_LENGTH) {
750 EVP_MD_CTX_free(hctx);
752 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
753 ERR_R_INTERNAL_ERROR);
757 EVP_MD_CTX_free(hctx);
760 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
761 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
762 SSL_R_COOKIE_MISMATCH);
766 if (!PACKET_get_net_2(&cookie, &format)) {
767 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
768 SSL_R_LENGTH_MISMATCH);
771 /* Check the cookie format is something we recognise. Ignore it if not */
772 if (format != COOKIE_STATE_FORMAT_VERSION)
776 * The rest of these checks really shouldn't fail since we have verified the
780 /* Check the version number is sane */
781 if (!PACKET_get_net_2(&cookie, &version)) {
782 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
783 SSL_R_LENGTH_MISMATCH);
786 if (version != TLS1_3_VERSION) {
787 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
788 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
792 if (!PACKET_get_net_2(&cookie, &group_id)) {
793 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
794 SSL_R_LENGTH_MISMATCH);
798 ciphdata = PACKET_data(&cookie);
799 if (!PACKET_forward(&cookie, 2)) {
800 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
801 SSL_R_LENGTH_MISMATCH);
804 if (group_id != s->s3->group_id
805 || s->s3->tmp.new_cipher
806 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
808 * We chose a different cipher or group id this time around to what is
809 * in the cookie. Something must have changed.
811 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
816 if (!PACKET_get_1(&cookie, &key_share)
817 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
818 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
819 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
820 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
821 SSL_R_LENGTH_MISMATCH);
825 /* Verify the app cookie */
826 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
827 PACKET_remaining(&appcookie)) == 0) {
828 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
829 SSL_R_COOKIE_MISMATCH);
834 * Reconstruct the HRR that we would have sent in response to the original
835 * ClientHello so we can add it to the transcript hash.
836 * Note: This won't work with custom HRR extensions
838 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
839 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
840 ERR_R_INTERNAL_ERROR);
843 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
844 || !WPACKET_start_sub_packet_u24(&hrrpkt)
845 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
846 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
847 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
848 s->tmp_session_id_len)
849 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
851 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
852 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
853 WPACKET_cleanup(&hrrpkt);
854 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
855 ERR_R_INTERNAL_ERROR);
858 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
859 || !WPACKET_start_sub_packet_u16(&hrrpkt)
860 /* TODO(TLS1.3): Fix this before release */
861 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
862 || !WPACKET_close(&hrrpkt)) {
863 WPACKET_cleanup(&hrrpkt);
864 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
865 ERR_R_INTERNAL_ERROR);
869 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
870 || !WPACKET_start_sub_packet_u16(&hrrpkt)
871 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
872 || !WPACKET_close(&hrrpkt)) {
873 WPACKET_cleanup(&hrrpkt);
874 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
875 ERR_R_INTERNAL_ERROR);
879 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
880 || !WPACKET_start_sub_packet_u16(&hrrpkt)
881 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
882 || !WPACKET_close(&hrrpkt) /* cookie extension */
883 || !WPACKET_close(&hrrpkt) /* extension block */
884 || !WPACKET_close(&hrrpkt) /* message */
885 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
886 || !WPACKET_finish(&hrrpkt)) {
887 WPACKET_cleanup(&hrrpkt);
888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
889 ERR_R_INTERNAL_ERROR);
893 /* Reconstruct the transcript hash */
894 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
895 PACKET_remaining(&chhash), hrr,
897 /* SSLfatal() already called */
901 /* Act as if this ClientHello came after a HelloRetryRequest */
902 s->hello_retry_request = 1;
909 #ifndef OPENSSL_NO_EC
910 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
911 X509 *x, size_t chainidx)
913 PACKET supported_groups_list;
915 /* Each group is 2 bytes and we must have at least 1. */
916 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
917 || PACKET_remaining(&supported_groups_list) == 0
918 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
919 SSLfatal(s, SSL_AD_DECODE_ERROR,
920 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
924 if (!s->hit || SSL_IS_TLS13(s)) {
925 OPENSSL_free(s->session->ext.supportedgroups);
926 s->session->ext.supportedgroups = NULL;
927 s->session->ext.supportedgroups_len = 0;
928 if (!tls1_save_u16(&supported_groups_list,
929 &s->session->ext.supportedgroups,
930 &s->session->ext.supportedgroups_len)) {
931 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
932 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
933 ERR_R_INTERNAL_ERROR);
942 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
945 /* The extension must always be empty */
946 if (PACKET_remaining(pkt) != 0) {
947 SSLfatal(s, SSL_AD_DECODE_ERROR,
948 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
952 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
958 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
959 X509 *x, size_t chainidx)
961 if (PACKET_remaining(pkt) != 0) {
962 SSLfatal(s, SSL_AD_DECODE_ERROR,
963 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
967 if (s->hello_retry_request != SSL_HRR_NONE) {
968 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
969 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
976 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
979 PACKET identities, binders, binder;
980 size_t binderoffset, hashsize;
981 SSL_SESSION *sess = NULL;
982 unsigned int id, i, ext = 0;
983 const EVP_MD *md = NULL;
986 * If we have no PSK kex mode that we recognise then we can't resume so
987 * ignore this extension
989 if ((s->ext.psk_kex_mode
990 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
993 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
994 SSLfatal(s, SSL_AD_DECODE_ERROR,
995 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
999 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1001 unsigned long ticket_agel;
1003 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1004 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1005 SSLfatal(s, SSL_AD_DECODE_ERROR,
1006 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1010 if (s->psk_find_session_cb != NULL
1011 && !s->psk_find_session_cb(s, PACKET_data(&identity),
1012 PACKET_remaining(&identity),
1014 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1015 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1020 /* We found a PSK */
1021 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1023 if (sesstmp == NULL) {
1024 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1025 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1028 SSL_SESSION_free(sess);
1032 * We've just been told to use this session for this context so
1033 * make sure the sid_ctx matches up.
1035 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1036 sess->sid_ctx_length = s->sid_ctx_length;
1039 s->ext.early_data_ok = 1;
1041 uint32_t ticket_age = 0, now, agesec, agems;
1042 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1043 PACKET_remaining(&identity), NULL, 0,
1046 if (ret == TICKET_FATAL_ERR_MALLOC
1047 || ret == TICKET_FATAL_ERR_OTHER) {
1048 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1049 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1052 if (ret == TICKET_NO_DECRYPT)
1055 ticket_age = (uint32_t)ticket_agel;
1056 now = (uint32_t)time(NULL);
1057 agesec = now - (uint32_t)sess->time;
1058 agems = agesec * (uint32_t)1000;
1059 ticket_age -= sess->ext.tick_age_add;
1062 * For simplicity we do our age calculations in seconds. If the
1063 * client does it in ms then it could appear that their ticket age
1064 * is longer than ours (our ticket age calculation should always be
1065 * slightly longer than the client's due to the network latency).
1066 * Therefore we add 1000ms to our age calculation to adjust for
1070 && sess->timeout >= (long)agesec
1071 && agems / (uint32_t)1000 == agesec
1072 && ticket_age <= agems + 1000
1073 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1075 * Ticket age is within tolerance and not expired. We allow it
1078 s->ext.early_data_ok = 1;
1082 md = ssl_md(sess->cipher->algorithm2);
1083 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1084 /* The ciphersuite is not compatible with this session. */
1085 SSL_SESSION_free(sess);
1087 s->ext.early_data_ok = 0;
1096 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1097 hashsize = EVP_MD_size(md);
1099 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1100 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1101 SSL_R_BAD_EXTENSION);
1105 for (i = 0; i <= id; i++) {
1106 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1107 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1108 SSL_R_BAD_EXTENSION);
1113 if (PACKET_remaining(&binder) != hashsize) {
1114 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1115 SSL_R_BAD_EXTENSION);
1118 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1119 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1121 /* SSLfatal() already called */
1125 sess->ext.tick_identity = id;
1127 SSL_SESSION_free(s->session);
1131 SSL_SESSION_free(sess);
1136 * Add the server's renegotiation binding
1138 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1139 unsigned int context, X509 *x,
1142 if (!s->s3->send_connection_binding)
1143 return EXT_RETURN_NOT_SENT;
1145 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1146 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1147 || !WPACKET_start_sub_packet_u16(pkt)
1148 || !WPACKET_start_sub_packet_u8(pkt)
1149 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1150 s->s3->previous_client_finished_len)
1151 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1152 s->s3->previous_server_finished_len)
1153 || !WPACKET_close(pkt)
1154 || !WPACKET_close(pkt)) {
1155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1156 ERR_R_INTERNAL_ERROR);
1157 return EXT_RETURN_FAIL;
1160 return EXT_RETURN_SENT;
1163 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1164 unsigned int context, X509 *x,
1167 if (s->hit || s->servername_done != 1
1168 || s->session->ext.hostname == NULL)
1169 return EXT_RETURN_NOT_SENT;
1171 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1172 || !WPACKET_put_bytes_u16(pkt, 0)) {
1173 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1174 ERR_R_INTERNAL_ERROR);
1175 return EXT_RETURN_FAIL;
1178 return EXT_RETURN_SENT;
1181 /* Add/include the server's max fragment len extension into ServerHello */
1182 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1183 unsigned int context, X509 *x,
1186 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1187 return EXT_RETURN_NOT_SENT;
1190 * 4 bytes for this extension type and extension length
1191 * 1 byte for the Max Fragment Length code value.
1193 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1194 || !WPACKET_start_sub_packet_u16(pkt)
1195 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1196 || !WPACKET_close(pkt)) {
1197 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1198 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1199 return EXT_RETURN_FAIL;
1202 return EXT_RETURN_SENT;
1205 #ifndef OPENSSL_NO_EC
1206 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1207 unsigned int context, X509 *x,
1210 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1211 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1212 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1213 && (s->session->ext.ecpointformats != NULL);
1214 const unsigned char *plist;
1218 return EXT_RETURN_NOT_SENT;
1220 tls1_get_formatlist(s, &plist, &plistlen);
1221 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1222 || !WPACKET_start_sub_packet_u16(pkt)
1223 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1224 || !WPACKET_close(pkt)) {
1225 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1226 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1227 return EXT_RETURN_FAIL;
1230 return EXT_RETURN_SENT;
1234 #ifndef OPENSSL_NO_EC
1235 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1236 unsigned int context, X509 *x,
1239 const uint16_t *groups;
1240 size_t numgroups, i, first = 1;
1242 /* s->s3->group_id is non zero if we accepted a key_share */
1243 if (s->s3->group_id == 0)
1244 return EXT_RETURN_NOT_SENT;
1246 /* Get our list of supported groups */
1247 tls1_get_supported_groups(s, &groups, &numgroups);
1248 if (numgroups == 0) {
1249 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1250 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1251 return EXT_RETURN_FAIL;
1254 /* Copy group ID if supported */
1255 for (i = 0; i < numgroups; i++) {
1256 uint16_t group = groups[i];
1258 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1261 * Check if the client is already using our preferred group. If
1262 * so we don't need to add this extension
1264 if (s->s3->group_id == group)
1265 return EXT_RETURN_NOT_SENT;
1267 /* Add extension header */
1268 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1269 /* Sub-packet for supported_groups extension */
1270 || !WPACKET_start_sub_packet_u16(pkt)
1271 || !WPACKET_start_sub_packet_u16(pkt)) {
1272 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1273 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1274 ERR_R_INTERNAL_ERROR);
1275 return EXT_RETURN_FAIL;
1280 if (!WPACKET_put_bytes_u16(pkt, group)) {
1281 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1282 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1283 ERR_R_INTERNAL_ERROR);
1284 return EXT_RETURN_FAIL;
1289 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1290 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1291 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1292 ERR_R_INTERNAL_ERROR);
1293 return EXT_RETURN_FAIL;
1296 return EXT_RETURN_SENT;
1300 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1301 unsigned int context, X509 *x,
1304 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1305 s->ext.ticket_expected = 0;
1306 return EXT_RETURN_NOT_SENT;
1309 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1310 || !WPACKET_put_bytes_u16(pkt, 0)) {
1311 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1312 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1313 return EXT_RETURN_FAIL;
1316 return EXT_RETURN_SENT;
1319 #ifndef OPENSSL_NO_OCSP
1320 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1321 unsigned int context, X509 *x,
1324 if (!s->ext.status_expected)
1325 return EXT_RETURN_NOT_SENT;
1327 if (SSL_IS_TLS13(s) && chainidx != 0)
1328 return EXT_RETURN_NOT_SENT;
1330 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1331 || !WPACKET_start_sub_packet_u16(pkt)) {
1332 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1333 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1334 return EXT_RETURN_FAIL;
1338 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1339 * send back an empty extension, with the certificate status appearing as a
1342 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1343 /* SSLfatal() already called */
1344 return EXT_RETURN_FAIL;
1346 if (!WPACKET_close(pkt)) {
1347 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1348 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1349 return EXT_RETURN_FAIL;
1352 return EXT_RETURN_SENT;
1356 #ifndef OPENSSL_NO_NEXTPROTONEG
1357 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1358 unsigned int context, X509 *x,
1361 const unsigned char *npa;
1362 unsigned int npalen;
1364 int npn_seen = s->s3->npn_seen;
1366 s->s3->npn_seen = 0;
1367 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1368 return EXT_RETURN_NOT_SENT;
1370 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1371 s->ctx->ext.npn_advertised_cb_arg);
1372 if (ret == SSL_TLSEXT_ERR_OK) {
1373 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1374 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1375 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1376 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1377 ERR_R_INTERNAL_ERROR);
1378 return EXT_RETURN_FAIL;
1380 s->s3->npn_seen = 1;
1383 return EXT_RETURN_SENT;
1387 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1388 X509 *x, size_t chainidx)
1390 if (s->s3->alpn_selected == NULL)
1391 return EXT_RETURN_NOT_SENT;
1393 if (!WPACKET_put_bytes_u16(pkt,
1394 TLSEXT_TYPE_application_layer_protocol_negotiation)
1395 || !WPACKET_start_sub_packet_u16(pkt)
1396 || !WPACKET_start_sub_packet_u16(pkt)
1397 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1398 s->s3->alpn_selected_len)
1399 || !WPACKET_close(pkt)
1400 || !WPACKET_close(pkt)) {
1401 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1402 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1403 return EXT_RETURN_FAIL;
1406 return EXT_RETURN_SENT;
1409 #ifndef OPENSSL_NO_SRTP
1410 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1411 unsigned int context, X509 *x,
1414 if (s->srtp_profile == NULL)
1415 return EXT_RETURN_NOT_SENT;
1417 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1418 || !WPACKET_start_sub_packet_u16(pkt)
1419 || !WPACKET_put_bytes_u16(pkt, 2)
1420 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1421 || !WPACKET_put_bytes_u8(pkt, 0)
1422 || !WPACKET_close(pkt)) {
1423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1424 ERR_R_INTERNAL_ERROR);
1425 return EXT_RETURN_FAIL;
1428 return EXT_RETURN_SENT;
1432 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1433 X509 *x, size_t chainidx)
1435 if (!s->ext.use_etm)
1436 return EXT_RETURN_NOT_SENT;
1439 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1440 * for other cases too.
1442 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1443 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1444 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1445 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1447 return EXT_RETURN_NOT_SENT;
1450 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1451 || !WPACKET_put_bytes_u16(pkt, 0)) {
1452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1453 ERR_R_INTERNAL_ERROR);
1454 return EXT_RETURN_FAIL;
1457 return EXT_RETURN_SENT;
1460 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1461 X509 *x, size_t chainidx)
1463 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1464 return EXT_RETURN_NOT_SENT;
1466 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1467 || !WPACKET_put_bytes_u16(pkt, 0)) {
1468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1469 ERR_R_INTERNAL_ERROR);
1470 return EXT_RETURN_FAIL;
1473 return EXT_RETURN_SENT;
1476 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1477 unsigned int context, X509 *x,
1480 if (!SSL_IS_TLS13(s))
1481 return EXT_RETURN_NOT_SENT;
1483 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1484 || !WPACKET_start_sub_packet_u16(pkt)
1485 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1486 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1487 || !WPACKET_close(pkt)) {
1488 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1489 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1490 ERR_R_INTERNAL_ERROR);
1491 return EXT_RETURN_FAIL;
1494 return EXT_RETURN_SENT;
1497 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1498 unsigned int context, X509 *x,
1501 #ifndef OPENSSL_NO_TLS1_3
1502 unsigned char *encodedPoint;
1503 size_t encoded_pt_len = 0;
1504 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1506 if (s->hello_retry_request == SSL_HRR_PENDING) {
1508 /* Original key_share was acceptable so don't ask for another one */
1509 return EXT_RETURN_NOT_SENT;
1511 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1512 || !WPACKET_start_sub_packet_u16(pkt)
1513 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1514 || !WPACKET_close(pkt)) {
1515 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1516 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1517 ERR_R_INTERNAL_ERROR);
1518 return EXT_RETURN_FAIL;
1521 return EXT_RETURN_SENT;
1525 /* No key_share received from client - must be resuming */
1526 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1527 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1528 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1529 return EXT_RETURN_FAIL;
1531 return EXT_RETURN_NOT_SENT;
1534 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1535 || !WPACKET_start_sub_packet_u16(pkt)
1536 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1537 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1538 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1539 return EXT_RETURN_FAIL;
1542 skey = ssl_generate_pkey(ckey);
1544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1545 ERR_R_MALLOC_FAILURE);
1546 return EXT_RETURN_FAIL;
1549 /* Generate encoding of server key */
1550 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1551 if (encoded_pt_len == 0) {
1552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1554 EVP_PKEY_free(skey);
1555 return EXT_RETURN_FAIL;
1558 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1559 || !WPACKET_close(pkt)) {
1560 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1561 ERR_R_INTERNAL_ERROR);
1562 EVP_PKEY_free(skey);
1563 OPENSSL_free(encodedPoint);
1564 return EXT_RETURN_FAIL;
1566 OPENSSL_free(encodedPoint);
1568 /* This causes the crypto state to be updated based on the derived keys */
1569 s->s3->tmp.pkey = skey;
1570 if (ssl_derive(s, skey, ckey, 1) == 0) {
1571 /* SSLfatal() already called */
1572 return EXT_RETURN_FAIL;
1576 return EXT_RETURN_SENT;
1579 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1580 X509 *x, size_t chainidx)
1582 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1583 unsigned char *hmac, *hmac2;
1584 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
1585 unsigned int appcookielen;
1588 int ret = EXT_RETURN_FAIL;
1590 if (s->ctx->app_gen_cookie_cb == NULL
1591 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1592 return EXT_RETURN_NOT_SENT;
1594 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1595 || !WPACKET_start_sub_packet_u16(pkt)
1596 || !WPACKET_start_sub_packet_u16(pkt)
1597 || !WPACKET_get_total_written(pkt, &startlen)
1598 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1599 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1600 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1601 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1602 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1604 /* Is there a key_share extension present in this HRR? */
1605 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1606 || !WPACKET_start_sub_packet_u16(pkt)
1607 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1608 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1609 ERR_R_INTERNAL_ERROR);
1610 return EXT_RETURN_FAIL;
1614 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1615 * on raw buffers, so we first reserve sufficient bytes (above) and then
1616 * subsequently allocate them (below)
1618 if (!ssl3_digest_cached_records(s, 0)
1619 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1620 /* SSLfatal() already called */
1621 return EXT_RETURN_FAIL;
1624 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1625 || !ossl_assert(hashval1 == hashval2)
1626 || !WPACKET_close(pkt)
1627 || !WPACKET_start_sub_packet_u8(pkt)
1628 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1630 ERR_R_INTERNAL_ERROR);
1631 return EXT_RETURN_FAIL;
1634 /* Generate the application cookie */
1635 if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1636 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1637 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1638 return EXT_RETURN_FAIL;
1641 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1642 || !ossl_assert(appcookie1 == appcookie2)
1643 || !WPACKET_close(pkt)
1644 || !WPACKET_get_total_written(pkt, &totcookielen)
1645 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1646 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1647 ERR_R_INTERNAL_ERROR);
1648 return EXT_RETURN_FAIL;
1650 hmaclen = SHA256_DIGEST_LENGTH;
1652 totcookielen -= startlen;
1653 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1654 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1655 ERR_R_INTERNAL_ERROR);
1656 return EXT_RETURN_FAIL;
1659 /* HMAC the cookie */
1660 hctx = EVP_MD_CTX_create();
1661 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
1662 s->session_ctx->ext.cookie_hmac_key,
1663 sizeof(s->session_ctx->ext.cookie_hmac_key));
1664 if (hctx == NULL || pkey == NULL) {
1665 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1666 ERR_R_MALLOC_FAILURE);
1670 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1671 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1672 totcookielen) <= 0) {
1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1674 ERR_R_INTERNAL_ERROR);
1678 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1679 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1680 ERR_R_INTERNAL_ERROR);
1684 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1685 || !ossl_assert(hmac == hmac2)
1686 || !ossl_assert(cookie == hmac - totcookielen)
1687 || !WPACKET_close(pkt)
1688 || !WPACKET_close(pkt)) {
1689 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1690 ERR_R_INTERNAL_ERROR);
1694 ret = EXT_RETURN_SENT;
1697 EVP_MD_CTX_free(hctx);
1698 EVP_PKEY_free(pkey);
1702 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1703 unsigned int context, X509 *x,
1706 const unsigned char cryptopro_ext[36] = {
1707 0xfd, 0xe8, /* 65000 */
1708 0x00, 0x20, /* 32 bytes length */
1709 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1710 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1711 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1712 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1715 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1716 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1717 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1718 return EXT_RETURN_NOT_SENT;
1720 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1721 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1722 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1723 return EXT_RETURN_FAIL;
1726 return EXT_RETURN_SENT;
1729 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1730 unsigned int context, X509 *x,
1733 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1734 if (s->max_early_data == 0)
1735 return EXT_RETURN_NOT_SENT;
1737 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1738 || !WPACKET_start_sub_packet_u16(pkt)
1739 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1740 || !WPACKET_close(pkt)) {
1741 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1742 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1743 return EXT_RETURN_FAIL;
1746 return EXT_RETURN_SENT;
1749 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1750 return EXT_RETURN_NOT_SENT;
1752 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1753 || !WPACKET_start_sub_packet_u16(pkt)
1754 || !WPACKET_close(pkt)) {
1755 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1756 ERR_R_INTERNAL_ERROR);
1757 return EXT_RETURN_FAIL;
1760 return EXT_RETURN_SENT;
1763 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1764 X509 *x, size_t chainidx)
1767 return EXT_RETURN_NOT_SENT;
1769 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1770 || !WPACKET_start_sub_packet_u16(pkt)
1771 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1772 || !WPACKET_close(pkt)) {
1773 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1774 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1775 return EXT_RETURN_FAIL;
1778 return EXT_RETURN_SENT;