Parse the early_data extension

[openssl.git] / ssl / statem / extensions_srvr.c
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c

index df1e6c252ee59ee9442cb11afc98121f4b026244..8994ab9cc1b65cbb8037789da5285ec009d5d12d 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -14,8 +14,8 @@
  /*
   * Parse the client's renegotiation binding and abort if it's not right
   */
-int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                               int *al)
+int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
+                               X509 *x, size_t chainidx, int *al)
  {
      unsigned int ilen;
      const unsigned char *data;
@@ -73,8 +73,8 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
   *   extension.
   * - On session reconnect, the servername extension may be absent.
   */
-int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                               int *al)
+int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
+                               X509 *x, size_t chainidx, int *al)
  {
      unsigned int servname_type;
      PACKET sni, hostname;
@@ -116,6 +116,8 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
              return 0;
          }
  
+        OPENSSL_free(s->session->ext.hostname);
+        s->session->ext.hostname = NULL;
          if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
              *al = TLS1_AD_INTERNAL_ERROR;
              return 0;
@@ -136,7 +138,8 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
  }
  
  #ifndef OPENSSL_NO_SRP
-int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
+int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx, int *al)
  {
      PACKET srp_I;
  
@@ -159,9 +162,22 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
  }
  #endif
  
+int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
+                              X509 *x, size_t chainidx, int *al)
+{
+    if (PACKET_remaining(pkt) != 0) {
+        *al = SSL_AD_DECODE_ERROR;
+        return 0;
+    }
+
+    s->ext.expect_early_data = 1;
+
+    return 1;
+}
+
  #ifndef OPENSSL_NO_EC
-int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                                 int *al)
+int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
+                                 X509 *x, size_t chainidx, int *al)
  {
      PACKET ec_point_format_list;
  
@@ -184,8 +200,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
  }
  #endif                          /* OPENSSL_NO_EC */
  
-int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                                  int *al)
+int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx, int *al)
  {
      if (s->ext.session_ticket_cb &&
              !s->ext.session_ticket_cb(s, PACKET_data(pkt),
@@ -198,8 +214,8 @@ int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
      return 1;
  }
  
-int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                            int *al)
+int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                            size_t chainidx, int *al)
  {
      PACKET supported_sig_algs;
  
@@ -218,8 +234,8 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
  }
  
  #ifndef OPENSSL_NO_OCSP
-int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                                  int *al)
+int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx, int *al)
  {
      PACKET responder_id_list, exts;
  
@@ -317,7 +333,8 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
  #endif
  
  #ifndef OPENSSL_NO_NEXTPROTONEG
-int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
+int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx, int *al)
  {
      /*
       * We shouldn't accept this extension on a
@@ -335,7 +352,8 @@ int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
   * extension, not including type and length. |al| is a pointer to the alert
   * value to send in the event of a failure. Returns: 1 on success, 0 on error.
   */
-int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
+int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                        size_t chainidx, int *al)
  {
      PACKET protocol_list, save_protocol_list, protocol;
  
@@ -358,6 +376,9 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
          }
      } while (PACKET_remaining(&protocol_list) != 0);
  
+    OPENSSL_free(s->s3->alpn_proposed);
+    s->s3->alpn_proposed = NULL;
+    s->s3->alpn_proposed_len = 0;
      if (!PACKET_memdup(&save_protocol_list,
                         &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
          *al = TLS1_AD_INTERNAL_ERROR;
@@ -368,8 +389,8 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
  }
  
  #ifndef OPENSSL_NO_SRTP
-int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                            int *al)
+int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                            size_t chainidx, int *al)
  {
      STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
      unsigned int ct, mki_len, id;
@@ -439,52 +460,22 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
  }
  #endif
  
-int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
+int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx, int *al)
  {
      if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
-        s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+        s->ext.use_etm = 1;
  
      return 1;
  }
  
-/*
- * Checks a list of |groups| to determine if the |group_id| is in it. If it is
- * and |checkallow| is 1 then additionally check if the group is allowed to be
- * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
- * 1) or 0 otherwise.
- */
-#ifndef OPENSSL_NO_TLS1_3
-static int check_in_list(SSL *s, unsigned int group_id,
-                         const unsigned char *groups, size_t num_groups,
-                         int checkallow)
-{
-    size_t i;
-
-    if (groups == NULL || num_groups == 0)
-        return 0;
-
-    for (i = 0; i < num_groups; i++, groups += 2) {
-        unsigned int share_id = (groups[0] << 8) | (groups[1]);
-
-        if (group_id == share_id
-                && (!checkallow
-                    || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
-            break;
-        }
-    }
-
-    /* If i == num_groups then not in the list */
-    return i < num_groups;
-}
-#endif
-
  /*
   * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
   * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
   * If a failure occurs then |*al| is set to an appropriate alert value.
   */
-int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                                 int *al)
+int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
+                                 X509 *x, size_t chainidx, int *al)
  {
  #ifndef OPENSSL_NO_TLS1_3
      PACKET psk_kex_modes;
@@ -512,8 +503,8 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
   * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
   * If a failure occurs then |*al| is set to an appropriate alert value.
   */
-int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
-                             int *al)
+int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                             size_t chainidx, int *al)
  {
  #ifndef OPENSSL_NO_TLS1_3
      unsigned int group_id;
@@ -642,8 +633,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
  }
  
  #ifndef OPENSSL_NO_EC
-int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
-                                    size_t chainidx, int *al)
+int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
+                                    X509 *x, size_t chainidx, int *al)
  {
      PACKET supported_groups_list;
  
@@ -655,6 +646,9 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
          return 0;
      }
  
+    OPENSSL_free(s->session->ext.supportedgroups);
+    s->session->ext.supportedgroups = NULL;
+    s->session->ext.supportedgroups_len = 0;
      if (!PACKET_memdup(&supported_groups_list,
                         &s->session->ext.supportedgroups,
                         &s->session->ext.supportedgroups_len)) {
@@ -666,7 +660,8 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
  }
  #endif
  
-int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
+int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx, int *al)
  {
      /* The extension must always be empty */
      if (PACKET_remaining(pkt) != 0) {
@@ -679,7 +674,8 @@ int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
      return 1;
  }
  
-int tls_parse_ctos_psk(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
+int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
+                       size_t chainidx, int *al)
  {
      PACKET identities, binders, binder;
      size_t binderoffset, hashsize;
@@ -780,8 +776,8 @@ err:
  /*
   * Add the server's renegotiation binding
   */
-int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
-                                   chainidx, int *al)
+int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
+                                   X509 *x, size_t chainidx, int *al)
  {
      if (!s->s3->send_connection_binding)
          return 1;
@@ -802,8 +798,8 @@ int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
      return 1;
  }
  
-int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
-                                   size_t chainidx, int *al)
+int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
+                                   X509 *x, size_t chainidx, int *al)
  {
      if (s->hit || s->servername_done != 1
              || s->session->ext.hostname == NULL)
@@ -818,9 +814,27 @@ int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
      return 1;
  }
  
+int tls_construct_stoc_early_data_info(SSL *s, WPACKET *pkt,
+                                       unsigned int context, X509 *x,
+                                       size_t chainidx, int *al)
+{
+    if (s->max_early_data == 0)
+        return 1;
+
+    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data_info)
+            || !WPACKET_start_sub_packet_u16(pkt)
+            || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
+            || !WPACKET_close(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+
+    return 1;
+}
+
  #ifndef OPENSSL_NO_EC
-int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
-                                     size_t chainidx, int *al)
+int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
+                                     X509 *x, size_t chainidx, int *al)
  {
      unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
      unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -845,7 +859,8 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
  }
  #endif
  
-int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
+int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
+                                      unsigned int context, X509 *x,
                                        size_t chainidx, int *al)
  {
      if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
@@ -863,8 +878,9 @@ int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
  }
  
  #ifndef OPENSSL_NO_OCSP
-int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
-                                     size_t chainidx, int *al)
+int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+                                      unsigned int context, X509 *x,
+                                      size_t chainidx, int *al)
  {
      if (!s->ext.status_expected)
          return 1;
@@ -894,7 +910,8 @@ int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
  #endif
  
  #ifndef OPENSSL_NO_NEXTPROTONEG
-int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
+int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+                                      unsigned int context, X509 *x,
                                        size_t chainidx, int *al)
  {
      const unsigned char *npa;
@@ -922,8 +939,8 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
  }
  #endif
  
-int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
-                            int *al)
+int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+                            size_t chainidx, int *al)
  {
      if (s->s3->alpn_selected == NULL)
          return 1;
@@ -944,8 +961,8 @@ int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
  }
  
  #ifndef OPENSSL_NO_SRTP
-int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
-                                int *al)
+int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
+                                X509 *x, size_t chainidx, int *al)
  {
      if (s->srtp_profile == NULL)
          return 1;
@@ -964,10 +981,10 @@ int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
  }
  #endif
  
-int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
-                           int *al)
+int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+                           size_t chainidx, int *al)
  {
-    if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
+    if (!s->ext.use_etm)
          return 1;
  
      /*
@@ -978,7 +995,7 @@ int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
          || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
          || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
          || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
-        s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+        s->ext.use_etm = 0;
          return 1;
      }
  
@@ -991,8 +1008,8 @@ int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
      return 1;
  }
  
-int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
-                           int *al)
+int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+                           size_t chainidx, int *al)
  {
      if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
          return 1;
@@ -1006,8 +1023,8 @@ int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
      return 1;
  }
  
-int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
-                                 int *al)
+int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
+                                 X509 *x, size_t chainidx, int *al)
  {
  #ifndef OPENSSL_NO_TLS1_3
      unsigned char *encodedPoint;
@@ -1015,7 +1032,21 @@ int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
      EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
  
      if (ckey == NULL) {
-        /* No key_share received from client; must be resuming. */
+        /* No key_share received from client */
+        if (s->hello_retry_request) {
+            if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
+                    || !WPACKET_start_sub_packet_u16(pkt)
+                    || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
+                    || !WPACKET_close(pkt)) {
+                SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
+                       ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
+
+            return 1;
+        }
+
+        /* Must be resuming. */
          if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
              *al = SSL_AD_INTERNAL_ERROR;
              SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
@@ -1065,8 +1096,8 @@ int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
      return 1;
  }
  
-int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
-                                     size_t chainidx, int *al)
+int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
+                                     X509 *x, size_t chainidx, int *al)
  {
      const unsigned char cryptopro_ext[36] = {
          0xfd, 0xe8,         /* 65000 */
@@ -1090,8 +1121,8 @@ int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
      return 1;
  }
  
-int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
-                           int *al)
+int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+                           size_t chainidx, int *al)
  {
      if (!s->hit)
          return 1;