2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
122 *al = TLS1_AD_INTERNAL_ERROR;
126 s->servername_done = 1;
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
140 #ifndef OPENSSL_NO_SRP
141 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = SSL_AD_INTERNAL_ERROR;
165 #ifndef OPENSSL_NO_EC
166 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
169 PACKET ec_point_format_list;
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
178 if (!PACKET_memdup(&ec_point_format_list,
179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
181 *al = SSL_AD_INTERNAL_ERROR;
188 #endif /* OPENSSL_NO_EC */
190 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
197 *al = SSL_AD_INTERNAL_ERROR;
204 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
207 PACKET supported_sig_algs;
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
216 *al = SSL_AD_DECODE_ERROR;
223 #ifndef OPENSSL_NO_OCSP
224 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
227 PACKET responder_id_list, exts;
229 /* Not defined if we get one of these in a client Certificate */
233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
234 *al = SSL_AD_DECODE_ERROR;
238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
240 * We don't know what to do with any other type so ignore it.
242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
256 if (PACKET_remaining(&responder_id_list) > 0) {
257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
259 *al = SSL_AD_INTERNAL_ERROR;
263 s->ext.ocsp.ids = NULL;
266 while (PACKET_remaining(&responder_id_list) > 0) {
269 const unsigned char *id_data;
271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
282 *al = SSL_AD_DECODE_ERROR;
286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
288 *al = SSL_AD_DECODE_ERROR;
292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
309 X509_EXTENSION_free);
311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
313 *al = SSL_AD_DECODE_ERROR;
322 #ifndef OPENSSL_NO_NEXTPROTONEG
323 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
327 * We shouldn't accept this extension on a
330 if (SSL_IS_FIRST_HANDSHAKE(s))
338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
342 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
345 PACKET protocol_list, save_protocol_list, protocol;
347 if (!SSL_IS_FIRST_HANDSHAKE(s))
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
356 save_protocol_list = protocol_list;
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
364 } while (PACKET_remaining(&protocol_list) != 0);
366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = SSL_AD_INTERNAL_ERROR;
378 #ifndef OPENSSL_NO_SRTP
379 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
391 /* Pull off the length of the cipher suite list and check it is even */
392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
414 * Only look for match in profiles of higher preference than
416 * If no profiles have been have been configured then this
419 for (i = 0; i < srtp_pref; i++) {
420 SRTP_PROTECTION_PROFILE *sprof =
421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
431 /* Now extract the MKI value as a sanity check, but discard it for now */
432 if (!PACKET_get_1(pkt, &mki_len)) {
433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
442 *al = SSL_AD_DECODE_ERROR;
450 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
464 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
467 #ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE
481 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
482 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
490 * Process a key_share extension received in the ClientHello. |pkt| contains
491 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
492 * If a failure occurs then |*al| is set to an appropriate alert value.
494 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
495 size_t chainidx, int *al)
497 #ifndef OPENSSL_NO_TLS1_3
498 unsigned int group_id;
499 PACKET key_share_list, encoded_pt;
500 const unsigned char *clntcurves, *srvrcurves;
501 size_t clnt_num_curves, srvr_num_curves;
502 int group_nid, found = 0;
503 unsigned int curve_flags;
505 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
509 if (s->s3->peer_tmp != NULL) {
510 *al = SSL_AD_INTERNAL_ERROR;
511 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
515 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
516 *al = SSL_AD_DECODE_ERROR;
517 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
521 /* Get our list of supported curves */
522 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
523 *al = SSL_AD_INTERNAL_ERROR;
524 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
528 /* Get the clients list of supported curves. */
529 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
530 *al = SSL_AD_INTERNAL_ERROR;
531 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
534 if (clnt_num_curves == 0) {
536 * This can only happen if the supported_groups extension was not sent,
537 * because we verify that the length is non-zero when we process that
540 *al = SSL_AD_MISSING_EXTENSION;
541 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
542 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
546 while (PACKET_remaining(&key_share_list) > 0) {
547 if (!PACKET_get_net_2(&key_share_list, &group_id)
548 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
549 || PACKET_remaining(&encoded_pt) == 0) {
550 *al = SSL_AD_DECODE_ERROR;
551 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
552 SSL_R_LENGTH_MISMATCH);
557 * If we already found a suitable key_share we loop through the
558 * rest to verify the structure, but don't process them.
563 /* Check if this share is in supported_groups sent from client */
564 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
565 *al = SSL_AD_ILLEGAL_PARAMETER;
566 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
570 /* Check if this share is for a group we can use */
571 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
572 /* Share not suitable */
576 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
578 if (group_nid == 0) {
579 *al = SSL_AD_INTERNAL_ERROR;
580 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
581 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
585 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
586 /* Can happen for some curves, e.g. X25519 */
587 EVP_PKEY *key = EVP_PKEY_new();
589 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
590 *al = SSL_AD_INTERNAL_ERROR;
591 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
595 s->s3->peer_tmp = key;
597 /* Set up EVP_PKEY with named curve as parameters */
598 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
601 || EVP_PKEY_paramgen_init(pctx) <= 0
602 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
604 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
605 *al = SSL_AD_INTERNAL_ERROR;
606 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
607 EVP_PKEY_CTX_free(pctx);
610 EVP_PKEY_CTX_free(pctx);
613 s->s3->group_id = group_id;
615 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
616 PACKET_data(&encoded_pt),
617 PACKET_remaining(&encoded_pt))) {
618 *al = SSL_AD_ILLEGAL_PARAMETER;
619 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
630 #ifndef OPENSSL_NO_EC
631 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
632 X509 *x, size_t chainidx, int *al)
634 PACKET supported_groups_list;
636 /* Each group is 2 bytes and we must have at least 1. */
637 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
638 || PACKET_remaining(&supported_groups_list) == 0
639 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
640 *al = SSL_AD_DECODE_ERROR;
644 OPENSSL_free(s->session->ext.supportedgroups);
645 s->session->ext.supportedgroups = NULL;
646 s->session->ext.supportedgroups_len = 0;
647 if (!PACKET_memdup(&supported_groups_list,
648 &s->session->ext.supportedgroups,
649 &s->session->ext.supportedgroups_len)) {
650 *al = SSL_AD_INTERNAL_ERROR;
658 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
659 size_t chainidx, int *al)
661 /* The extension must always be empty */
662 if (PACKET_remaining(pkt) != 0) {
663 *al = SSL_AD_DECODE_ERROR;
667 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
673 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
674 X509 *x, size_t chainidx, int *al)
676 if (PACKET_remaining(pkt) != 0) {
677 *al = SSL_AD_DECODE_ERROR;
681 if (s->hello_retry_request) {
682 *al = SSL_AD_ILLEGAL_PARAMETER;
689 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
690 size_t chainidx, int *al)
692 PACKET identities, binders, binder;
693 size_t binderoffset, hashsize;
694 SSL_SESSION *sess = NULL;
695 unsigned int id, i, ext = 0;
696 const EVP_MD *md = NULL;
699 * If we have no PSK kex mode that we recognise then we can't resume so
700 * ignore this extension
702 if ((s->ext.psk_kex_mode
703 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
706 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
707 *al = SSL_AD_DECODE_ERROR;
711 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
713 unsigned long ticket_agel;
715 if (!PACKET_get_length_prefixed_2(&identities, &identity)
716 || !PACKET_get_net_4(&identities, &ticket_agel)) {
717 *al = SSL_AD_DECODE_ERROR;
721 if (s->psk_find_session_cb != NULL
722 && !s->psk_find_session_cb(s, PACKET_data(&identity),
723 PACKET_remaining(&identity),
725 *al = SSL_AD_INTERNAL_ERROR;
731 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
733 if (sesstmp == NULL) {
734 *al = SSL_AD_INTERNAL_ERROR;
737 SSL_SESSION_free(sess);
741 * We've just been told to use this session for this context so
742 * make sure the sid_ctx matches up.
744 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
745 sess->sid_ctx_length = s->sid_ctx_length;
748 uint32_t ticket_age = 0, now, agesec, agems;
749 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
750 PACKET_remaining(&identity), NULL, 0,
753 if (ret == TICKET_FATAL_ERR_MALLOC
754 || ret == TICKET_FATAL_ERR_OTHER) {
755 *al = SSL_AD_INTERNAL_ERROR;
758 if (ret == TICKET_NO_DECRYPT)
761 ticket_age = (uint32_t)ticket_agel;
762 now = (uint32_t)time(NULL);
763 agesec = now - (uint32_t)sess->time;
764 agems = agesec * (uint32_t)1000;
765 ticket_age -= sess->ext.tick_age_add;
768 * For simplicity we do our age calculations in seconds. If the
769 * client does it in ms then it could appear that their ticket age
770 * is longer than ours (our ticket age calculation should always be
771 * slightly longer than the client's due to the network latency).
772 * Therefore we add 1000ms to our age calculation to adjust for
775 if (sess->timeout >= (long)agesec
776 && agems / (uint32_t)1000 == agesec
777 && ticket_age <= agems + 1000
778 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
780 * Ticket age is within tolerance and not expired. We allow it
783 s->ext.early_data_ok = 1;
787 md = ssl_md(sess->cipher->algorithm2);
788 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
789 /* The ciphersuite is not compatible with this session. */
790 SSL_SESSION_free(sess);
800 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
801 hashsize = EVP_MD_size(md);
803 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
804 *al = SSL_AD_DECODE_ERROR;
808 for (i = 0; i <= id; i++) {
809 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
810 *al = SSL_AD_DECODE_ERROR;
815 if (PACKET_remaining(&binder) != hashsize
816 || tls_psk_do_binder(s, md,
817 (const unsigned char *)s->init_buf->data,
818 binderoffset, PACKET_data(&binder), NULL,
819 sess, 0, ext) != 1) {
820 *al = SSL_AD_DECODE_ERROR;
821 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
825 sess->ext.tick_identity = id;
827 SSL_SESSION_free(s->session);
831 SSL_SESSION_free(sess);
836 * Add the server's renegotiation binding
838 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
839 unsigned int context, X509 *x,
840 size_t chainidx, int *al)
842 if (!s->s3->send_connection_binding)
843 return EXT_RETURN_NOT_SENT;
845 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
846 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
847 || !WPACKET_start_sub_packet_u16(pkt)
848 || !WPACKET_start_sub_packet_u8(pkt)
849 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
850 s->s3->previous_client_finished_len)
851 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
852 s->s3->previous_server_finished_len)
853 || !WPACKET_close(pkt)
854 || !WPACKET_close(pkt)) {
855 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
856 return EXT_RETURN_FAIL;
859 return EXT_RETURN_SENT;
862 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
863 unsigned int context, X509 *x,
864 size_t chainidx, int *al)
866 if (s->hit || s->servername_done != 1
867 || s->session->ext.hostname == NULL)
868 return EXT_RETURN_NOT_SENT;
870 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
871 || !WPACKET_put_bytes_u16(pkt, 0)) {
872 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
873 return EXT_RETURN_FAIL;
876 return EXT_RETURN_SENT;
879 #ifndef OPENSSL_NO_EC
880 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
881 unsigned int context, X509 *x,
882 size_t chainidx, int *al)
884 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
885 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
886 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
887 && (s->session->ext.ecpointformats != NULL);
888 const unsigned char *plist;
892 return EXT_RETURN_NOT_SENT;
894 tls1_get_formatlist(s, &plist, &plistlen);
895 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
896 || !WPACKET_start_sub_packet_u16(pkt)
897 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
898 || !WPACKET_close(pkt)) {
899 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
900 return EXT_RETURN_FAIL;
903 return EXT_RETURN_SENT;
907 #ifndef OPENSSL_NO_EC
908 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
909 unsigned int context, X509 *x,
910 size_t chainidx, int *al)
912 const unsigned char *groups;
913 size_t numgroups, i, first = 1;
915 /* s->s3->group_id is non zero if we accepted a key_share */
916 if (s->s3->group_id == 0)
917 return EXT_RETURN_NOT_SENT;
919 /* Get our list of supported groups */
920 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
921 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
922 return EXT_RETURN_FAIL;
925 /* Copy group ID if supported */
926 for (i = 0; i < numgroups; i++, groups += 2) {
927 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
930 * Check if the client is already using our preferred group. If
931 * so we don't need to add this extension
933 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
934 return EXT_RETURN_NOT_SENT;
936 /* Add extension header */
937 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
938 /* Sub-packet for supported_groups extension */
939 || !WPACKET_start_sub_packet_u16(pkt)
940 || !WPACKET_start_sub_packet_u16(pkt)) {
941 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
942 ERR_R_INTERNAL_ERROR);
943 return EXT_RETURN_FAIL;
948 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
949 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
950 ERR_R_INTERNAL_ERROR);
951 return EXT_RETURN_FAIL;
956 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
957 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
958 return EXT_RETURN_FAIL;
961 return EXT_RETURN_SENT;
965 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
966 unsigned int context, X509 *x,
967 size_t chainidx, int *al)
969 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
970 s->ext.ticket_expected = 0;
971 return EXT_RETURN_NOT_SENT;
974 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
975 || !WPACKET_put_bytes_u16(pkt, 0)) {
976 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
977 return EXT_RETURN_FAIL;
980 return EXT_RETURN_SENT;
983 #ifndef OPENSSL_NO_OCSP
984 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
985 unsigned int context, X509 *x,
986 size_t chainidx, int *al)
988 if (!s->ext.status_expected)
989 return EXT_RETURN_NOT_SENT;
991 if (SSL_IS_TLS13(s) && chainidx != 0)
992 return EXT_RETURN_NOT_SENT;
994 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
995 || !WPACKET_start_sub_packet_u16(pkt)) {
996 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
997 return EXT_RETURN_FAIL;
1001 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1002 * send back an empty extension, with the certificate status appearing as a
1005 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1006 || !WPACKET_close(pkt)) {
1007 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1008 return EXT_RETURN_FAIL;
1011 return EXT_RETURN_SENT;
1015 #ifndef OPENSSL_NO_NEXTPROTONEG
1016 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1017 unsigned int context, X509 *x,
1018 size_t chainidx, int *al)
1020 const unsigned char *npa;
1021 unsigned int npalen;
1023 int npn_seen = s->s3->npn_seen;
1025 s->s3->npn_seen = 0;
1026 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1027 return EXT_RETURN_NOT_SENT;
1029 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1030 s->ctx->ext.npn_advertised_cb_arg);
1031 if (ret == SSL_TLSEXT_ERR_OK) {
1032 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1033 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1034 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1035 ERR_R_INTERNAL_ERROR);
1036 return EXT_RETURN_FAIL;
1038 s->s3->npn_seen = 1;
1041 return EXT_RETURN_SENT;
1045 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1046 X509 *x, size_t chainidx, int *al)
1048 if (s->s3->alpn_selected == NULL)
1049 return EXT_RETURN_NOT_SENT;
1051 if (!WPACKET_put_bytes_u16(pkt,
1052 TLSEXT_TYPE_application_layer_protocol_negotiation)
1053 || !WPACKET_start_sub_packet_u16(pkt)
1054 || !WPACKET_start_sub_packet_u16(pkt)
1055 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1056 s->s3->alpn_selected_len)
1057 || !WPACKET_close(pkt)
1058 || !WPACKET_close(pkt)) {
1059 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1060 return EXT_RETURN_FAIL;
1063 return EXT_RETURN_SENT;
1066 #ifndef OPENSSL_NO_SRTP
1067 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1068 unsigned int context, X509 *x,
1069 size_t chainidx, int *al)
1071 if (s->srtp_profile == NULL)
1072 return EXT_RETURN_NOT_SENT;
1074 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1075 || !WPACKET_start_sub_packet_u16(pkt)
1076 || !WPACKET_put_bytes_u16(pkt, 2)
1077 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1078 || !WPACKET_put_bytes_u8(pkt, 0)
1079 || !WPACKET_close(pkt)) {
1080 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1081 return EXT_RETURN_FAIL;
1084 return EXT_RETURN_SENT;
1088 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1089 X509 *x, size_t chainidx, int *al)
1091 if (!s->ext.use_etm)
1092 return EXT_RETURN_NOT_SENT;
1095 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1096 * for other cases too.
1098 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1099 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1100 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1101 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1103 return EXT_RETURN_NOT_SENT;
1106 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1107 || !WPACKET_put_bytes_u16(pkt, 0)) {
1108 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1109 return EXT_RETURN_FAIL;
1112 return EXT_RETURN_SENT;
1115 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1116 X509 *x, size_t chainidx, int *al)
1118 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1119 return EXT_RETURN_NOT_SENT;
1121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1122 || !WPACKET_put_bytes_u16(pkt, 0)) {
1123 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1124 return EXT_RETURN_FAIL;
1127 return EXT_RETURN_SENT;
1130 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1131 unsigned int context, X509 *x,
1132 size_t chainidx, int *al)
1134 #ifndef OPENSSL_NO_TLS1_3
1135 unsigned char *encodedPoint;
1136 size_t encoded_pt_len = 0;
1137 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1140 /* No key_share received from client */
1141 if (s->hello_retry_request) {
1142 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1143 || !WPACKET_start_sub_packet_u16(pkt)
1144 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1145 || !WPACKET_close(pkt)) {
1146 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1147 ERR_R_INTERNAL_ERROR);
1148 return EXT_RETURN_FAIL;
1151 return EXT_RETURN_SENT;
1154 /* Must be resuming. */
1155 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1156 *al = SSL_AD_INTERNAL_ERROR;
1157 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1158 return EXT_RETURN_FAIL;
1160 return EXT_RETURN_NOT_SENT;
1163 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1164 || !WPACKET_start_sub_packet_u16(pkt)
1165 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1166 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1167 return EXT_RETURN_FAIL;
1170 skey = ssl_generate_pkey(ckey);
1172 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1173 return EXT_RETURN_FAIL;
1176 /* Generate encoding of server key */
1177 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1178 if (encoded_pt_len == 0) {
1179 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1180 EVP_PKEY_free(skey);
1181 return EXT_RETURN_FAIL;
1184 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1185 || !WPACKET_close(pkt)) {
1186 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1187 EVP_PKEY_free(skey);
1188 OPENSSL_free(encodedPoint);
1189 return EXT_RETURN_FAIL;
1191 OPENSSL_free(encodedPoint);
1193 /* This causes the crypto state to be updated based on the derived keys */
1194 s->s3->tmp.pkey = skey;
1195 if (ssl_derive(s, skey, ckey, 1) == 0) {
1196 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1197 return EXT_RETURN_FAIL;
1201 return EXT_RETURN_SENT;
1204 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1205 unsigned int context, X509 *x,
1206 size_t chainidx, int *al)
1208 const unsigned char cryptopro_ext[36] = {
1209 0xfd, 0xe8, /* 65000 */
1210 0x00, 0x20, /* 32 bytes length */
1211 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1212 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1213 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1214 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1217 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1218 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1219 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1220 return EXT_RETURN_NOT_SENT;
1222 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1223 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1224 return EXT_RETURN_FAIL;
1227 return EXT_RETURN_SENT;
1230 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1231 unsigned int context, X509 *x,
1232 size_t chainidx, int *al)
1234 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1235 if (s->max_early_data == 0)
1236 return EXT_RETURN_NOT_SENT;
1238 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1239 || !WPACKET_start_sub_packet_u16(pkt)
1240 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1241 || !WPACKET_close(pkt)) {
1242 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1243 return EXT_RETURN_FAIL;
1246 return EXT_RETURN_SENT;
1249 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1250 return EXT_RETURN_NOT_SENT;
1252 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1253 || !WPACKET_start_sub_packet_u16(pkt)
1254 || !WPACKET_close(pkt)) {
1255 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1256 return EXT_RETURN_FAIL;
1259 return EXT_RETURN_SENT;
1262 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1263 X509 *x, size_t chainidx, int *al)
1266 return EXT_RETURN_NOT_SENT;
1268 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1269 || !WPACKET_start_sub_packet_u16(pkt)
1270 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1271 || !WPACKET_close(pkt)) {
1272 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1273 return EXT_RETURN_FAIL;
1276 return EXT_RETURN_SENT;