2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 2 bytes for the hashlen, EVP_MAX_MD_SIZE for
21 * transcript hash, 1 byte for app cookie length, app cookie length bytes,
22 * SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + number of bytes in legacy session id + 2 bytes for ciphersuite
30 * + 1 byte for legacy compression + 2 bytes for extension block length
31 * + 6 bytes for key_share extension + 4 bytes for cookie extension header
32 * + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3->send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
138 if (PACKET_contains_zero_byte(&hostname)) {
139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
153 s->servername_done = 1;
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
170 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
171 X509 *x, size_t chainidx)
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
205 s->session->ext.max_fragment_len_mode = value;
209 #ifndef OPENSSL_NO_SRP
210 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
237 #ifndef OPENSSL_NO_EC
238 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
239 X509 *x, size_t chainidx)
241 PACKET ec_point_format_list;
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
251 if (!PACKET_memdup(&ec_point_format_list,
252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
262 #endif /* OPENSSL_NO_EC */
264 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
265 X509 *x, size_t chainidx)
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
279 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
282 PACKET supported_sig_algs;
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
300 #ifndef OPENSSL_NO_OCSP
301 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302 X509 *x, size_t chainidx)
304 PACKET responder_id_list, exts;
306 /* Not defined if we get one of these in a client Certificate */
310 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
311 SSLfatal(s, SSL_AD_DECODE_ERROR,
312 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
316 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
318 * We don't know what to do with any other type so ignore it.
320 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
324 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
325 SSLfatal(s, SSL_AD_DECODE_ERROR,
326 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
331 * We remove any OCSP_RESPIDs from a previous handshake
332 * to prevent unbounded memory growth - CVE-2016-6304
334 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
335 if (PACKET_remaining(&responder_id_list) > 0) {
336 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
337 if (s->ext.ocsp.ids == NULL) {
338 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
339 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
343 s->ext.ocsp.ids = NULL;
346 while (PACKET_remaining(&responder_id_list) > 0) {
349 const unsigned char *id_data;
351 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
352 || PACKET_remaining(&responder_id) == 0) {
353 SSLfatal(s, SSL_AD_DECODE_ERROR,
354 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
358 id_data = PACKET_data(&responder_id);
359 /* TODO(size_t): Convert d2i_* to size_t */
360 id = d2i_OCSP_RESPID(NULL, &id_data,
361 (int)PACKET_remaining(&responder_id));
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 if (id_data != PACKET_end(&responder_id)) {
369 OCSP_RESPID_free(id);
370 SSLfatal(s, SSL_AD_DECODE_ERROR,
371 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
376 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
377 OCSP_RESPID_free(id);
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
379 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
385 /* Read in request_extensions */
386 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
387 SSLfatal(s, SSL_AD_DECODE_ERROR,
388 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396 X509_EXTENSION_free);
398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400 SSLfatal(s, SSL_AD_DECODE_ERROR,
401 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
410 #ifndef OPENSSL_NO_NEXTPROTONEG
411 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
415 * We shouldn't accept this extension on a
418 if (SSL_IS_FIRST_HANDSHAKE(s))
426 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
427 * extension, not including type and length. Returns: 1 on success, 0 on error.
429 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
432 PACKET protocol_list, save_protocol_list, protocol;
434 if (!SSL_IS_FIRST_HANDSHAKE(s))
437 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
438 || PACKET_remaining(&protocol_list) < 2) {
439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
440 SSL_R_BAD_EXTENSION);
444 save_protocol_list = protocol_list;
446 /* Protocol names can't be empty. */
447 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
448 || PACKET_remaining(&protocol) == 0) {
449 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
450 SSL_R_BAD_EXTENSION);
453 } while (PACKET_remaining(&protocol_list) != 0);
455 OPENSSL_free(s->s3->alpn_proposed);
456 s->s3->alpn_proposed = NULL;
457 s->s3->alpn_proposed_len = 0;
458 if (!PACKET_memdup(&save_protocol_list,
459 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 ERR_R_INTERNAL_ERROR);
468 #ifndef OPENSSL_NO_SRTP
469 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
472 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
473 unsigned int ct, mki_len, id;
477 /* Ignore this if we have no SRTP profiles */
478 if (SSL_get_srtp_profiles(s) == NULL)
481 /* Pull off the length of the cipher suite list and check it is even */
482 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
483 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
485 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489 srvr = SSL_get_srtp_profiles(s);
490 s->srtp_profile = NULL;
491 /* Search all profiles for a match initially */
492 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
494 while (PACKET_remaining(&subpkt)) {
495 if (!PACKET_get_net_2(&subpkt, &id)) {
496 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
497 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
502 * Only look for match in profiles of higher preference than
504 * If no profiles have been have been configured then this
507 for (i = 0; i < srtp_pref; i++) {
508 SRTP_PROTECTION_PROFILE *sprof =
509 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
511 if (sprof->id == id) {
512 s->srtp_profile = sprof;
519 /* Now extract the MKI value as a sanity check, but discard it for now */
520 if (!PACKET_get_1(pkt, &mki_len)) {
521 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
522 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
526 if (!PACKET_forward(pkt, mki_len)
527 || PACKET_remaining(pkt)) {
528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
529 SSL_R_BAD_SRTP_MKI_VALUE);
537 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
540 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
547 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
548 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
550 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
551 X509 *x, size_t chainidx)
553 #ifndef OPENSSL_NO_TLS1_3
554 PACKET psk_kex_modes;
557 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
558 || PACKET_remaining(&psk_kex_modes) == 0) {
559 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
560 SSL_R_BAD_EXTENSION);
564 while (PACKET_get_1(&psk_kex_modes, &mode)) {
565 if (mode == TLSEXT_KEX_MODE_KE_DHE)
566 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
567 else if (mode == TLSEXT_KEX_MODE_KE
568 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
569 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
577 * Process a key_share extension received in the ClientHello. |pkt| contains
578 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
580 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
583 #ifndef OPENSSL_NO_TLS1_3
584 unsigned int group_id;
585 PACKET key_share_list, encoded_pt;
586 const uint16_t *clntgroups, *srvrgroups;
587 size_t clnt_num_groups, srvr_num_groups;
590 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
594 if (s->s3->peer_tmp != NULL) {
595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 ERR_R_INTERNAL_ERROR);
600 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
601 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
602 SSL_R_LENGTH_MISMATCH);
606 /* Get our list of supported groups */
607 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
608 /* Get the clients list of supported groups. */
609 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
610 if (clnt_num_groups == 0) {
612 * This can only happen if the supported_groups extension was not sent,
613 * because we verify that the length is non-zero when we process that
616 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
621 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
623 * If we set a group_id already, then we must have sent an HRR
624 * requesting a new key_share. If we haven't got one then that is an
627 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
628 SSL_R_BAD_KEY_SHARE);
632 while (PACKET_remaining(&key_share_list) > 0) {
633 if (!PACKET_get_net_2(&key_share_list, &group_id)
634 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
635 || PACKET_remaining(&encoded_pt) == 0) {
636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637 SSL_R_LENGTH_MISMATCH);
642 * If we already found a suitable key_share we loop through the
643 * rest to verify the structure, but don't process them.
649 * If we sent an HRR then the key_share sent back MUST be for the group
650 * we requested, and must be the only key_share sent.
652 if (s->s3->group_id != 0
653 && (group_id != s->s3->group_id
654 || PACKET_remaining(&key_share_list) != 0)) {
655 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
656 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
660 /* Check if this share is in supported_groups sent from client */
661 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
663 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
667 /* Check if this share is for a group we can use */
668 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
669 /* Share not suitable */
673 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
674 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
675 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
679 s->s3->group_id = group_id;
681 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
682 PACKET_data(&encoded_pt),
683 PACKET_remaining(&encoded_pt))) {
684 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
685 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
696 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
699 unsigned int format, version, key_share;
702 PACKET cookie, raw, chhash, appcookie;
704 const unsigned char *data, *mdin, *ciphdata;
705 unsigned char hmac[SHA256_DIGEST_LENGTH];
706 unsigned char hrr[MAX_HRR_SIZE];
707 size_t rawlen, hmaclen, hrrlen, ciphlen;
709 /* Ignore any cookie if we're not set up to verify it */
710 if (s->ctx->app_verify_cookie_cb == NULL
711 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
714 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
715 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
716 SSL_R_LENGTH_MISMATCH);
721 data = PACKET_data(&raw);
722 rawlen = PACKET_remaining(&raw);
723 if (rawlen < SHA256_DIGEST_LENGTH
724 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
725 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
726 SSL_R_LENGTH_MISMATCH);
729 mdin = PACKET_data(&raw);
731 /* Verify the HMAC of the cookie */
732 hctx = EVP_MD_CTX_create();
733 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
734 s->session_ctx->ext.cookie_hmac_key,
735 sizeof(s->session_ctx->ext.cookie_hmac_key));
736 if (hctx == NULL || pkey == NULL) {
737 EVP_MD_CTX_free(hctx);
739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
740 ERR_R_MALLOC_FAILURE);
744 hmaclen = sizeof(s->session_ctx->ext.cookie_hmac_key);
745 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
746 || EVP_DigestSignUpdate(hctx, data,
747 rawlen - SHA256_DIGEST_LENGTH) <= 0
748 || EVP_DigestSignFinal(hctx, hmac, &hmaclen) <= 0
749 || hmaclen != SHA256_DIGEST_LENGTH) {
750 EVP_MD_CTX_free(hctx);
752 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
753 ERR_R_INTERNAL_ERROR);
757 EVP_MD_CTX_free(hctx);
760 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
761 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
762 SSL_R_COOKIE_MISMATCH);
766 if (!PACKET_get_net_2(&cookie, &format)) {
767 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
768 SSL_R_LENGTH_MISMATCH);
771 /* Check the cookie format is something we recognise. Ignore it if not */
772 if (format != COOKIE_STATE_FORMAT_VERSION)
776 * The rest of these checks really shouldn't fail since we have verified the
780 /* Check the version number is sane */
781 if (!PACKET_get_net_2(&cookie, &version)) {
782 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
783 SSL_R_LENGTH_MISMATCH);
786 if (version != TLS1_3_VERSION) {
787 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
788 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
792 if (!PACKET_get_net_2(&cookie, &s->s3->group_id)) {
793 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
794 SSL_R_LENGTH_MISMATCH);
797 ciphdata = PACKET_data(&cookie);
798 if (!PACKET_forward(&cookie, 2)) {
799 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
800 SSL_R_LENGTH_MISMATCH);
803 s->s3->tmp.new_cipher = ssl_get_cipher_by_char(s, ciphdata, 0);
804 if (s->s3->tmp.new_cipher == NULL) {
805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
806 ERR_R_INTERNAL_ERROR);
810 if (!PACKET_get_1(&cookie, &key_share)
811 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
812 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
813 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
814 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
815 SSL_R_LENGTH_MISMATCH);
819 /* Verify the app cookie */
820 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
821 PACKET_remaining(&appcookie)) == 0) {
822 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
823 SSL_R_COOKIE_MISMATCH);
828 * Reconstruct the HRR that we would have sent in response to the original
829 * ClientHello so we can add it to the transcript hash.
830 * Note: This won't work with custom HRR extensions
832 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
833 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
834 ERR_R_INTERNAL_ERROR);
837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838 || !WPACKET_start_sub_packet_u24(&hrrpkt)
839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842 s->tmp_session_id_len)
843 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
845 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847 WPACKET_cleanup(&hrrpkt);
848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
849 ERR_R_INTERNAL_ERROR);
852 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
853 || !WPACKET_start_sub_packet_u16(&hrrpkt)
854 /* TODO(TLS1.3): Fix this before release */
855 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
856 || !WPACKET_close(&hrrpkt)) {
857 WPACKET_cleanup(&hrrpkt);
858 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
859 ERR_R_INTERNAL_ERROR);
863 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
864 || !WPACKET_start_sub_packet_u16(&hrrpkt)
865 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
866 || !WPACKET_close(&hrrpkt)) {
867 WPACKET_cleanup(&hrrpkt);
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 ERR_R_INTERNAL_ERROR);
873 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
874 || !WPACKET_start_sub_packet_u16(&hrrpkt)
875 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
876 || !WPACKET_close(&hrrpkt) /* cookie extension */
877 || !WPACKET_close(&hrrpkt) /* extension block */
878 || !WPACKET_close(&hrrpkt) /* message */
879 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
880 || !WPACKET_finish(&hrrpkt)) {
881 WPACKET_cleanup(&hrrpkt);
882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
883 ERR_R_INTERNAL_ERROR);
887 /* Reconstruct the transcript hash */
888 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
889 PACKET_remaining(&chhash), hrr,
891 /* SSLfatal() already called */
895 /* Act as if this ClientHello came after a HelloRetryRequest */
896 s->hello_retry_request = 1;
901 #ifndef OPENSSL_NO_EC
902 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
903 X509 *x, size_t chainidx)
905 PACKET supported_groups_list;
907 /* Each group is 2 bytes and we must have at least 1. */
908 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
909 || PACKET_remaining(&supported_groups_list) == 0
910 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
911 SSLfatal(s, SSL_AD_DECODE_ERROR,
912 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
916 if (!s->hit || SSL_IS_TLS13(s)) {
917 OPENSSL_free(s->session->ext.supportedgroups);
918 s->session->ext.supportedgroups = NULL;
919 s->session->ext.supportedgroups_len = 0;
920 if (!tls1_save_u16(&supported_groups_list,
921 &s->session->ext.supportedgroups,
922 &s->session->ext.supportedgroups_len)) {
923 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
924 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
925 ERR_R_INTERNAL_ERROR);
934 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
937 /* The extension must always be empty */
938 if (PACKET_remaining(pkt) != 0) {
939 SSLfatal(s, SSL_AD_DECODE_ERROR,
940 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
944 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
950 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
951 X509 *x, size_t chainidx)
953 if (PACKET_remaining(pkt) != 0) {
954 SSLfatal(s, SSL_AD_DECODE_ERROR,
955 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
959 if (s->hello_retry_request != SSL_HRR_NONE) {
960 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
961 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
968 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
971 PACKET identities, binders, binder;
972 size_t binderoffset, hashsize;
973 SSL_SESSION *sess = NULL;
974 unsigned int id, i, ext = 0;
975 const EVP_MD *md = NULL;
978 * If we have no PSK kex mode that we recognise then we can't resume so
979 * ignore this extension
981 if ((s->ext.psk_kex_mode
982 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
985 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
986 SSLfatal(s, SSL_AD_DECODE_ERROR,
987 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
991 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
993 unsigned long ticket_agel;
995 if (!PACKET_get_length_prefixed_2(&identities, &identity)
996 || !PACKET_get_net_4(&identities, &ticket_agel)) {
997 SSLfatal(s, SSL_AD_DECODE_ERROR,
998 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1002 if (s->psk_find_session_cb != NULL
1003 && !s->psk_find_session_cb(s, PACKET_data(&identity),
1004 PACKET_remaining(&identity),
1006 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1007 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1012 /* We found a PSK */
1013 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1015 if (sesstmp == NULL) {
1016 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1017 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1020 SSL_SESSION_free(sess);
1024 * We've just been told to use this session for this context so
1025 * make sure the sid_ctx matches up.
1027 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1028 sess->sid_ctx_length = s->sid_ctx_length;
1031 s->ext.early_data_ok = 1;
1033 uint32_t ticket_age = 0, now, agesec, agems;
1034 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1035 PACKET_remaining(&identity), NULL, 0,
1038 if (ret == TICKET_FATAL_ERR_MALLOC
1039 || ret == TICKET_FATAL_ERR_OTHER) {
1040 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1041 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1044 if (ret == TICKET_NO_DECRYPT)
1047 ticket_age = (uint32_t)ticket_agel;
1048 now = (uint32_t)time(NULL);
1049 agesec = now - (uint32_t)sess->time;
1050 agems = agesec * (uint32_t)1000;
1051 ticket_age -= sess->ext.tick_age_add;
1054 * For simplicity we do our age calculations in seconds. If the
1055 * client does it in ms then it could appear that their ticket age
1056 * is longer than ours (our ticket age calculation should always be
1057 * slightly longer than the client's due to the network latency).
1058 * Therefore we add 1000ms to our age calculation to adjust for
1062 && sess->timeout >= (long)agesec
1063 && agems / (uint32_t)1000 == agesec
1064 && ticket_age <= agems + 1000
1065 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1067 * Ticket age is within tolerance and not expired. We allow it
1070 s->ext.early_data_ok = 1;
1074 md = ssl_md(sess->cipher->algorithm2);
1075 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1076 /* The ciphersuite is not compatible with this session. */
1077 SSL_SESSION_free(sess);
1079 s->ext.early_data_ok = 0;
1088 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1089 hashsize = EVP_MD_size(md);
1091 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1092 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1093 SSL_R_BAD_EXTENSION);
1097 for (i = 0; i <= id; i++) {
1098 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1099 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1100 SSL_R_BAD_EXTENSION);
1105 if (PACKET_remaining(&binder) != hashsize) {
1106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1107 SSL_R_BAD_EXTENSION);
1110 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1111 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1113 /* SSLfatal() already called */
1117 sess->ext.tick_identity = id;
1119 SSL_SESSION_free(s->session);
1123 SSL_SESSION_free(sess);
1128 * Add the server's renegotiation binding
1130 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1131 unsigned int context, X509 *x,
1134 if (!s->s3->send_connection_binding)
1135 return EXT_RETURN_NOT_SENT;
1137 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1138 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1139 || !WPACKET_start_sub_packet_u16(pkt)
1140 || !WPACKET_start_sub_packet_u8(pkt)
1141 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1142 s->s3->previous_client_finished_len)
1143 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1144 s->s3->previous_server_finished_len)
1145 || !WPACKET_close(pkt)
1146 || !WPACKET_close(pkt)) {
1147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1148 ERR_R_INTERNAL_ERROR);
1149 return EXT_RETURN_FAIL;
1152 return EXT_RETURN_SENT;
1155 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1156 unsigned int context, X509 *x,
1159 if (s->hit || s->servername_done != 1
1160 || s->session->ext.hostname == NULL)
1161 return EXT_RETURN_NOT_SENT;
1163 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1164 || !WPACKET_put_bytes_u16(pkt, 0)) {
1165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1166 ERR_R_INTERNAL_ERROR);
1167 return EXT_RETURN_FAIL;
1170 return EXT_RETURN_SENT;
1173 /* Add/include the server's max fragment len extension into ServerHello */
1174 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1175 unsigned int context, X509 *x,
1178 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1179 return EXT_RETURN_NOT_SENT;
1182 * 4 bytes for this extension type and extension length
1183 * 1 byte for the Max Fragment Length code value.
1185 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1186 || !WPACKET_start_sub_packet_u16(pkt)
1187 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1188 || !WPACKET_close(pkt)) {
1189 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1190 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1191 return EXT_RETURN_FAIL;
1194 return EXT_RETURN_SENT;
1197 #ifndef OPENSSL_NO_EC
1198 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1199 unsigned int context, X509 *x,
1202 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1203 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1204 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1205 && (s->session->ext.ecpointformats != NULL);
1206 const unsigned char *plist;
1210 return EXT_RETURN_NOT_SENT;
1212 tls1_get_formatlist(s, &plist, &plistlen);
1213 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1214 || !WPACKET_start_sub_packet_u16(pkt)
1215 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1216 || !WPACKET_close(pkt)) {
1217 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1218 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1219 return EXT_RETURN_FAIL;
1222 return EXT_RETURN_SENT;
1226 #ifndef OPENSSL_NO_EC
1227 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1228 unsigned int context, X509 *x,
1231 const uint16_t *groups;
1232 size_t numgroups, i, first = 1;
1234 /* s->s3->group_id is non zero if we accepted a key_share */
1235 if (s->s3->group_id == 0)
1236 return EXT_RETURN_NOT_SENT;
1238 /* Get our list of supported groups */
1239 tls1_get_supported_groups(s, &groups, &numgroups);
1240 if (numgroups == 0) {
1241 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1242 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1243 return EXT_RETURN_FAIL;
1246 /* Copy group ID if supported */
1247 for (i = 0; i < numgroups; i++) {
1248 uint16_t group = groups[i];
1250 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1253 * Check if the client is already using our preferred group. If
1254 * so we don't need to add this extension
1256 if (s->s3->group_id == group)
1257 return EXT_RETURN_NOT_SENT;
1259 /* Add extension header */
1260 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1261 /* Sub-packet for supported_groups extension */
1262 || !WPACKET_start_sub_packet_u16(pkt)
1263 || !WPACKET_start_sub_packet_u16(pkt)) {
1264 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1265 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1266 ERR_R_INTERNAL_ERROR);
1267 return EXT_RETURN_FAIL;
1272 if (!WPACKET_put_bytes_u16(pkt, group)) {
1273 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1274 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1275 ERR_R_INTERNAL_ERROR);
1276 return EXT_RETURN_FAIL;
1281 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1282 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1283 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1284 ERR_R_INTERNAL_ERROR);
1285 return EXT_RETURN_FAIL;
1288 return EXT_RETURN_SENT;
1292 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1293 unsigned int context, X509 *x,
1296 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1297 s->ext.ticket_expected = 0;
1298 return EXT_RETURN_NOT_SENT;
1301 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1302 || !WPACKET_put_bytes_u16(pkt, 0)) {
1303 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1304 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1305 return EXT_RETURN_FAIL;
1308 return EXT_RETURN_SENT;
1311 #ifndef OPENSSL_NO_OCSP
1312 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1313 unsigned int context, X509 *x,
1316 if (!s->ext.status_expected)
1317 return EXT_RETURN_NOT_SENT;
1319 if (SSL_IS_TLS13(s) && chainidx != 0)
1320 return EXT_RETURN_NOT_SENT;
1322 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1323 || !WPACKET_start_sub_packet_u16(pkt)) {
1324 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1325 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1326 return EXT_RETURN_FAIL;
1330 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1331 * send back an empty extension, with the certificate status appearing as a
1334 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1335 /* SSLfatal() already called */
1336 return EXT_RETURN_FAIL;
1338 if (!WPACKET_close(pkt)) {
1339 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1340 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1341 return EXT_RETURN_FAIL;
1344 return EXT_RETURN_SENT;
1348 #ifndef OPENSSL_NO_NEXTPROTONEG
1349 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1350 unsigned int context, X509 *x,
1353 const unsigned char *npa;
1354 unsigned int npalen;
1356 int npn_seen = s->s3->npn_seen;
1358 s->s3->npn_seen = 0;
1359 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1360 return EXT_RETURN_NOT_SENT;
1362 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1363 s->ctx->ext.npn_advertised_cb_arg);
1364 if (ret == SSL_TLSEXT_ERR_OK) {
1365 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1366 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1367 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1368 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1369 ERR_R_INTERNAL_ERROR);
1370 return EXT_RETURN_FAIL;
1372 s->s3->npn_seen = 1;
1375 return EXT_RETURN_SENT;
1379 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1380 X509 *x, size_t chainidx)
1382 if (s->s3->alpn_selected == NULL)
1383 return EXT_RETURN_NOT_SENT;
1385 if (!WPACKET_put_bytes_u16(pkt,
1386 TLSEXT_TYPE_application_layer_protocol_negotiation)
1387 || !WPACKET_start_sub_packet_u16(pkt)
1388 || !WPACKET_start_sub_packet_u16(pkt)
1389 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1390 s->s3->alpn_selected_len)
1391 || !WPACKET_close(pkt)
1392 || !WPACKET_close(pkt)) {
1393 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1394 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1395 return EXT_RETURN_FAIL;
1398 return EXT_RETURN_SENT;
1401 #ifndef OPENSSL_NO_SRTP
1402 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1403 unsigned int context, X509 *x,
1406 if (s->srtp_profile == NULL)
1407 return EXT_RETURN_NOT_SENT;
1409 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1410 || !WPACKET_start_sub_packet_u16(pkt)
1411 || !WPACKET_put_bytes_u16(pkt, 2)
1412 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1413 || !WPACKET_put_bytes_u8(pkt, 0)
1414 || !WPACKET_close(pkt)) {
1415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1416 ERR_R_INTERNAL_ERROR);
1417 return EXT_RETURN_FAIL;
1420 return EXT_RETURN_SENT;
1424 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1425 X509 *x, size_t chainidx)
1427 if (!s->ext.use_etm)
1428 return EXT_RETURN_NOT_SENT;
1431 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1432 * for other cases too.
1434 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1435 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1436 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1437 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1439 return EXT_RETURN_NOT_SENT;
1442 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1443 || !WPACKET_put_bytes_u16(pkt, 0)) {
1444 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1445 ERR_R_INTERNAL_ERROR);
1446 return EXT_RETURN_FAIL;
1449 return EXT_RETURN_SENT;
1452 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1453 X509 *x, size_t chainidx)
1455 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1456 return EXT_RETURN_NOT_SENT;
1458 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1459 || !WPACKET_put_bytes_u16(pkt, 0)) {
1460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1461 ERR_R_INTERNAL_ERROR);
1462 return EXT_RETURN_FAIL;
1465 return EXT_RETURN_SENT;
1468 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1469 unsigned int context, X509 *x,
1472 if (!SSL_IS_TLS13(s))
1473 return EXT_RETURN_NOT_SENT;
1475 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1476 || !WPACKET_start_sub_packet_u16(pkt)
1477 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1478 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1479 || !WPACKET_close(pkt)) {
1480 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1481 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1482 ERR_R_INTERNAL_ERROR);
1483 return EXT_RETURN_FAIL;
1486 return EXT_RETURN_SENT;
1489 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1490 unsigned int context, X509 *x,
1493 #ifndef OPENSSL_NO_TLS1_3
1494 unsigned char *encodedPoint;
1495 size_t encoded_pt_len = 0;
1496 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1499 /* No key_share received from client */
1500 if (s->hello_retry_request == SSL_HRR_PENDING) {
1501 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1502 || !WPACKET_start_sub_packet_u16(pkt)
1503 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1504 || !WPACKET_close(pkt)) {
1505 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1506 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1507 ERR_R_INTERNAL_ERROR);
1508 return EXT_RETURN_FAIL;
1511 return EXT_RETURN_SENT;
1514 /* Must be resuming. */
1515 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1516 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1517 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1518 return EXT_RETURN_FAIL;
1520 return EXT_RETURN_NOT_SENT;
1523 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1524 || !WPACKET_start_sub_packet_u16(pkt)
1525 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1526 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1527 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1528 return EXT_RETURN_FAIL;
1531 skey = ssl_generate_pkey(ckey);
1533 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1534 ERR_R_MALLOC_FAILURE);
1535 return EXT_RETURN_FAIL;
1538 /* Generate encoding of server key */
1539 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1540 if (encoded_pt_len == 0) {
1541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1543 EVP_PKEY_free(skey);
1544 return EXT_RETURN_FAIL;
1547 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1548 || !WPACKET_close(pkt)) {
1549 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1550 ERR_R_INTERNAL_ERROR);
1551 EVP_PKEY_free(skey);
1552 OPENSSL_free(encodedPoint);
1553 return EXT_RETURN_FAIL;
1555 OPENSSL_free(encodedPoint);
1557 /* This causes the crypto state to be updated based on the derived keys */
1558 s->s3->tmp.pkey = skey;
1559 if (ssl_derive(s, skey, ckey, 1) == 0) {
1560 /* SSLfatal() already called */
1561 return EXT_RETURN_FAIL;
1565 return EXT_RETURN_SENT;
1568 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1569 X509 *x, size_t chainidx)
1571 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1572 unsigned char *hmac, *hmac2;
1573 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
1574 unsigned int appcookielen;
1577 int ret = EXT_RETURN_FAIL;
1579 if (s->ctx->app_gen_cookie_cb == NULL
1580 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1581 return EXT_RETURN_NOT_SENT;
1583 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1584 || !WPACKET_start_sub_packet_u16(pkt)
1585 || !WPACKET_start_sub_packet_u16(pkt)
1586 || !WPACKET_get_total_written(pkt, &startlen)
1587 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1588 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1589 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1590 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1591 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1593 /* Is there a key_share extension present in this HRR? */
1594 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1595 || !WPACKET_start_sub_packet_u16(pkt)
1596 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1597 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1598 ERR_R_INTERNAL_ERROR);
1599 return EXT_RETURN_FAIL;
1603 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1604 * on raw buffers, so we first reserve sufficient bytes (above) and then
1605 * subsequently allocate them (below)
1607 if (!ssl3_digest_cached_records(s, 0)
1608 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1609 /* SSLfatal() already called */
1610 return EXT_RETURN_FAIL;
1613 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1614 || !ossl_assert(hashval1 == hashval2)
1615 || !WPACKET_close(pkt)
1616 || !WPACKET_start_sub_packet_u8(pkt)
1617 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1618 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1619 ERR_R_INTERNAL_ERROR);
1620 return EXT_RETURN_FAIL;
1623 /* Generate the application cookie */
1624 if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1625 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1626 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1627 return EXT_RETURN_FAIL;
1630 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1631 || !ossl_assert(appcookie1 == appcookie2)
1632 || !WPACKET_close(pkt)
1633 || !WPACKET_get_total_written(pkt, &totcookielen)
1634 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1635 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1636 ERR_R_INTERNAL_ERROR);
1637 return EXT_RETURN_FAIL;
1639 hmaclen = SHA256_DIGEST_LENGTH;
1641 totcookielen -= startlen;
1642 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1644 ERR_R_INTERNAL_ERROR);
1645 return EXT_RETURN_FAIL;
1648 /* HMAC the cookie */
1649 hctx = EVP_MD_CTX_create();
1650 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
1651 s->session_ctx->ext.cookie_hmac_key,
1652 sizeof(s->session_ctx->ext.cookie_hmac_key));
1653 if (hctx == NULL || pkey == NULL) {
1654 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1655 ERR_R_MALLOC_FAILURE);
1659 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1660 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1661 totcookielen) <= 0) {
1662 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1663 ERR_R_INTERNAL_ERROR);
1667 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1668 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1669 ERR_R_INTERNAL_ERROR);
1673 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1674 || !ossl_assert(hmac == hmac2)
1675 || !ossl_assert(cookie == hmac - totcookielen)
1676 || !WPACKET_close(pkt)
1677 || !WPACKET_close(pkt)) {
1678 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1679 ERR_R_INTERNAL_ERROR);
1683 ret = EXT_RETURN_SENT;
1686 EVP_MD_CTX_free(hctx);
1687 EVP_PKEY_free(pkey);
1691 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1692 unsigned int context, X509 *x,
1695 const unsigned char cryptopro_ext[36] = {
1696 0xfd, 0xe8, /* 65000 */
1697 0x00, 0x20, /* 32 bytes length */
1698 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1699 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1700 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1701 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1704 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1705 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1706 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1707 return EXT_RETURN_NOT_SENT;
1709 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1710 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1711 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1712 return EXT_RETURN_FAIL;
1715 return EXT_RETURN_SENT;
1718 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1719 unsigned int context, X509 *x,
1722 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1723 if (s->max_early_data == 0)
1724 return EXT_RETURN_NOT_SENT;
1726 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1727 || !WPACKET_start_sub_packet_u16(pkt)
1728 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1729 || !WPACKET_close(pkt)) {
1730 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1731 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1732 return EXT_RETURN_FAIL;
1735 return EXT_RETURN_SENT;
1738 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1739 return EXT_RETURN_NOT_SENT;
1741 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1742 || !WPACKET_start_sub_packet_u16(pkt)
1743 || !WPACKET_close(pkt)) {
1744 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1745 ERR_R_INTERNAL_ERROR);
1746 return EXT_RETURN_FAIL;
1749 return EXT_RETURN_SENT;
1752 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1753 X509 *x, size_t chainidx)
1756 return EXT_RETURN_NOT_SENT;
1758 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1759 || !WPACKET_start_sub_packet_u16(pkt)
1760 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1761 || !WPACKET_close(pkt)) {
1762 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1763 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1764 return EXT_RETURN_FAIL;
1767 return EXT_RETURN_SENT;