2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
125 s->servername_done = 1;
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
139 #ifndef OPENSSL_NO_SRP
140 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
141 size_t chainidx, int *al)
145 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
146 || PACKET_contains_zero_byte(&srp_I)) {
147 *al = SSL_AD_DECODE_ERROR;
152 * TODO(openssl-team): currently, we re-authenticate the user
153 * upon resumption. Instead, we MUST ignore the login.
155 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
156 *al = SSL_AD_INTERNAL_ERROR;
164 #ifndef OPENSSL_NO_EC
165 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
166 X509 *x, size_t chainidx, int *al)
168 PACKET ec_point_format_list;
170 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
171 || PACKET_remaining(&ec_point_format_list) == 0) {
172 *al = SSL_AD_DECODE_ERROR;
177 if (!PACKET_memdup(&ec_point_format_list,
178 &s->session->ext.ecpointformats,
179 &s->session->ext.ecpointformats_len)) {
180 *al = SSL_AD_INTERNAL_ERROR;
187 #endif /* OPENSSL_NO_EC */
189 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
190 X509 *x, size_t chainidx, int *al)
192 if (s->ext.session_ticket_cb &&
193 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
194 PACKET_remaining(pkt),
195 s->ext.session_ticket_cb_arg)) {
196 *al = SSL_AD_INTERNAL_ERROR;
203 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
204 size_t chainidx, int *al)
206 PACKET supported_sig_algs;
208 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
209 || PACKET_remaining(&supported_sig_algs) == 0) {
210 *al = SSL_AD_DECODE_ERROR;
214 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
215 *al = SSL_AD_DECODE_ERROR;
222 #ifndef OPENSSL_NO_OCSP
223 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
224 X509 *x, size_t chainidx, int *al)
226 PACKET responder_id_list, exts;
228 /* Not defined if we get one of these in a client Certificate */
232 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
233 *al = SSL_AD_DECODE_ERROR;
237 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
239 * We don't know what to do with any other type so ignore it.
241 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
245 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
246 *al = SSL_AD_DECODE_ERROR;
251 * We remove any OCSP_RESPIDs from a previous handshake
252 * to prevent unbounded memory growth - CVE-2016-6304
254 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
255 if (PACKET_remaining(&responder_id_list) > 0) {
256 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
257 if (s->ext.ocsp.ids == NULL) {
258 *al = SSL_AD_INTERNAL_ERROR;
262 s->ext.ocsp.ids = NULL;
265 while (PACKET_remaining(&responder_id_list) > 0) {
268 const unsigned char *id_data;
270 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
271 || PACKET_remaining(&responder_id) == 0) {
272 *al = SSL_AD_DECODE_ERROR;
276 id_data = PACKET_data(&responder_id);
277 /* TODO(size_t): Convert d2i_* to size_t */
278 id = d2i_OCSP_RESPID(NULL, &id_data,
279 (int)PACKET_remaining(&responder_id));
281 *al = SSL_AD_DECODE_ERROR;
285 if (id_data != PACKET_end(&responder_id)) {
286 OCSP_RESPID_free(id);
287 *al = SSL_AD_DECODE_ERROR;
291 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
292 OCSP_RESPID_free(id);
293 *al = SSL_AD_INTERNAL_ERROR;
298 /* Read in request_extensions */
299 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
300 *al = SSL_AD_DECODE_ERROR;
304 if (PACKET_remaining(&exts) > 0) {
305 const unsigned char *ext_data = PACKET_data(&exts);
307 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
308 X509_EXTENSION_free);
310 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
311 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
312 *al = SSL_AD_DECODE_ERROR;
321 #ifndef OPENSSL_NO_NEXTPROTONEG
322 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
323 size_t chainidx, int *al)
326 * We shouldn't accept this extension on a
329 if (SSL_IS_FIRST_HANDSHAKE(s))
337 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
338 * extension, not including type and length. |al| is a pointer to the alert
339 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
341 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
342 size_t chainidx, int *al)
344 PACKET protocol_list, save_protocol_list, protocol;
346 if (!SSL_IS_FIRST_HANDSHAKE(s))
349 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
350 || PACKET_remaining(&protocol_list) < 2) {
351 *al = SSL_AD_DECODE_ERROR;
355 save_protocol_list = protocol_list;
357 /* Protocol names can't be empty. */
358 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
359 || PACKET_remaining(&protocol) == 0) {
360 *al = SSL_AD_DECODE_ERROR;
363 } while (PACKET_remaining(&protocol_list) != 0);
365 OPENSSL_free(s->s3->alpn_proposed);
366 s->s3->alpn_proposed = NULL;
367 s->s3->alpn_proposed_len = 0;
368 if (!PACKET_memdup(&save_protocol_list,
369 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
370 *al = SSL_AD_INTERNAL_ERROR;
377 #ifndef OPENSSL_NO_SRTP
378 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
379 size_t chainidx, int *al)
381 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
382 unsigned int ct, mki_len, id;
386 /* Ignore this if we have no SRTP profiles */
387 if (SSL_get_srtp_profiles(s) == NULL)
390 /* Pull off the length of the cipher suite list and check it is even */
391 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
392 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
393 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
394 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
395 *al = SSL_AD_DECODE_ERROR;
399 srvr = SSL_get_srtp_profiles(s);
400 s->srtp_profile = NULL;
401 /* Search all profiles for a match initially */
402 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404 while (PACKET_remaining(&subpkt)) {
405 if (!PACKET_get_net_2(&subpkt, &id)) {
406 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
407 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
408 *al = SSL_AD_DECODE_ERROR;
413 * Only look for match in profiles of higher preference than
415 * If no profiles have been have been configured then this
418 for (i = 0; i < srtp_pref; i++) {
419 SRTP_PROTECTION_PROFILE *sprof =
420 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422 if (sprof->id == id) {
423 s->srtp_profile = sprof;
430 /* Now extract the MKI value as a sanity check, but discard it for now */
431 if (!PACKET_get_1(pkt, &mki_len)) {
432 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
433 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
434 *al = SSL_AD_DECODE_ERROR;
438 if (!PACKET_forward(pkt, mki_len)
439 || PACKET_remaining(pkt)) {
440 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
441 *al = SSL_AD_DECODE_ERROR;
449 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
450 size_t chainidx, int *al)
452 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
459 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
460 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
461 * If a failure occurs then |*al| is set to an appropriate alert value.
463 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
464 X509 *x, size_t chainidx, int *al)
466 #ifndef OPENSSL_NO_TLS1_3
467 PACKET psk_kex_modes;
470 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
471 || PACKET_remaining(&psk_kex_modes) == 0) {
472 *al = SSL_AD_DECODE_ERROR;
476 while (PACKET_get_1(&psk_kex_modes, &mode)) {
477 if (mode == TLSEXT_KEX_MODE_KE_DHE)
478 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
479 else if (mode == TLSEXT_KEX_MODE_KE
480 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
493 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
496 #ifndef OPENSSL_NO_TLS1_3
497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
515 *al = SSL_AD_DECODE_ERROR;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
527 /* Get the clients list of supported curves. */
528 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
529 *al = SSL_AD_INTERNAL_ERROR;
530 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
533 if (clnt_num_curves == 0) {
535 * This can only happen if the supported_groups extension was not sent,
536 * because we verify that the length is non-zero when we process that
539 *al = SSL_AD_MISSING_EXTENSION;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
541 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
545 while (PACKET_remaining(&key_share_list) > 0) {
546 if (!PACKET_get_net_2(&key_share_list, &group_id)
547 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
548 || PACKET_remaining(&encoded_pt) == 0) {
549 *al = SSL_AD_DECODE_ERROR;
550 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
551 SSL_R_LENGTH_MISMATCH);
556 * If we already found a suitable key_share we loop through the
557 * rest to verify the structure, but don't process them.
562 /* Check if this share is in supported_groups sent from client */
563 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
564 *al = SSL_AD_ILLEGAL_PARAMETER;
565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
569 /* Check if this share is for a group we can use */
570 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
571 /* Share not suitable */
575 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
577 if (group_nid == 0) {
578 *al = SSL_AD_INTERNAL_ERROR;
579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
580 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
584 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
585 /* Can happen for some curves, e.g. X25519 */
586 EVP_PKEY *key = EVP_PKEY_new();
588 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
589 *al = SSL_AD_INTERNAL_ERROR;
590 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
594 s->s3->peer_tmp = key;
596 /* Set up EVP_PKEY with named curve as parameters */
597 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
600 || EVP_PKEY_paramgen_init(pctx) <= 0
601 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
603 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
604 *al = SSL_AD_INTERNAL_ERROR;
605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
606 EVP_PKEY_CTX_free(pctx);
609 EVP_PKEY_CTX_free(pctx);
612 s->s3->group_id = group_id;
614 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
615 PACKET_data(&encoded_pt),
616 PACKET_remaining(&encoded_pt))) {
617 *al = SSL_AD_ILLEGAL_PARAMETER;
618 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
629 #ifndef OPENSSL_NO_EC
630 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
631 X509 *x, size_t chainidx, int *al)
633 PACKET supported_groups_list;
635 /* Each group is 2 bytes and we must have at least 1. */
636 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
637 || PACKET_remaining(&supported_groups_list) == 0
638 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
639 *al = SSL_AD_DECODE_ERROR;
643 if (!s->hit || SSL_IS_TLS13(s)) {
644 OPENSSL_free(s->session->ext.supportedgroups);
645 s->session->ext.supportedgroups = NULL;
646 s->session->ext.supportedgroups_len = 0;
647 if (!PACKET_memdup(&supported_groups_list,
648 &s->session->ext.supportedgroups,
649 &s->session->ext.supportedgroups_len)) {
650 *al = SSL_AD_INTERNAL_ERROR;
659 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
660 size_t chainidx, int *al)
662 /* The extension must always be empty */
663 if (PACKET_remaining(pkt) != 0) {
664 *al = SSL_AD_DECODE_ERROR;
668 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
674 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
675 X509 *x, size_t chainidx, int *al)
677 if (PACKET_remaining(pkt) != 0) {
678 *al = SSL_AD_DECODE_ERROR;
682 if (s->hello_retry_request) {
683 *al = SSL_AD_ILLEGAL_PARAMETER;
690 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
691 size_t chainidx, int *al)
693 PACKET identities, binders, binder;
694 size_t binderoffset, hashsize;
695 SSL_SESSION *sess = NULL;
696 unsigned int id, i, ext = 0;
697 const EVP_MD *md = NULL;
700 * If we have no PSK kex mode that we recognise then we can't resume so
701 * ignore this extension
703 if ((s->ext.psk_kex_mode
704 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
707 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
708 *al = SSL_AD_DECODE_ERROR;
712 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
714 unsigned long ticket_agel;
716 if (!PACKET_get_length_prefixed_2(&identities, &identity)
717 || !PACKET_get_net_4(&identities, &ticket_agel)) {
718 *al = SSL_AD_DECODE_ERROR;
722 if (s->psk_find_session_cb != NULL
723 && !s->psk_find_session_cb(s, PACKET_data(&identity),
724 PACKET_remaining(&identity),
726 *al = SSL_AD_INTERNAL_ERROR;
732 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
734 if (sesstmp == NULL) {
735 *al = SSL_AD_INTERNAL_ERROR;
738 SSL_SESSION_free(sess);
742 * We've just been told to use this session for this context so
743 * make sure the sid_ctx matches up.
745 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
746 sess->sid_ctx_length = s->sid_ctx_length;
748 s->ext.early_data_ok = 1;
750 uint32_t ticket_age = 0, now, agesec, agems;
751 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
752 PACKET_remaining(&identity), NULL, 0,
755 if (ret == TICKET_FATAL_ERR_MALLOC
756 || ret == TICKET_FATAL_ERR_OTHER) {
757 *al = SSL_AD_INTERNAL_ERROR;
760 if (ret == TICKET_NO_DECRYPT)
763 ticket_age = (uint32_t)ticket_agel;
764 now = (uint32_t)time(NULL);
765 agesec = now - (uint32_t)sess->time;
766 agems = agesec * (uint32_t)1000;
767 ticket_age -= sess->ext.tick_age_add;
770 * For simplicity we do our age calculations in seconds. If the
771 * client does it in ms then it could appear that their ticket age
772 * is longer than ours (our ticket age calculation should always be
773 * slightly longer than the client's due to the network latency).
774 * Therefore we add 1000ms to our age calculation to adjust for
777 if (sess->timeout >= (long)agesec
778 && agems / (uint32_t)1000 == agesec
779 && ticket_age <= agems + 1000
780 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
782 * Ticket age is within tolerance and not expired. We allow it
785 s->ext.early_data_ok = 1;
789 md = ssl_md(sess->cipher->algorithm2);
790 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
791 /* The ciphersuite is not compatible with this session. */
792 SSL_SESSION_free(sess);
802 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
803 hashsize = EVP_MD_size(md);
805 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
806 *al = SSL_AD_DECODE_ERROR;
810 for (i = 0; i <= id; i++) {
811 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
812 *al = SSL_AD_DECODE_ERROR;
817 if (PACKET_remaining(&binder) != hashsize
818 || tls_psk_do_binder(s, md,
819 (const unsigned char *)s->init_buf->data,
820 binderoffset, PACKET_data(&binder), NULL,
821 sess, 0, ext) != 1) {
822 *al = SSL_AD_DECODE_ERROR;
823 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
827 sess->ext.tick_identity = id;
829 SSL_SESSION_free(s->session);
833 SSL_SESSION_free(sess);
838 * Add the server's renegotiation binding
840 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
841 unsigned int context, X509 *x,
842 size_t chainidx, int *al)
844 if (!s->s3->send_connection_binding)
845 return EXT_RETURN_NOT_SENT;
847 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
848 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
849 || !WPACKET_start_sub_packet_u16(pkt)
850 || !WPACKET_start_sub_packet_u8(pkt)
851 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
852 s->s3->previous_client_finished_len)
853 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
854 s->s3->previous_server_finished_len)
855 || !WPACKET_close(pkt)
856 || !WPACKET_close(pkt)) {
857 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
858 return EXT_RETURN_FAIL;
861 return EXT_RETURN_SENT;
864 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
865 unsigned int context, X509 *x,
866 size_t chainidx, int *al)
868 if (s->hit || s->servername_done != 1
869 || s->session->ext.hostname == NULL)
870 return EXT_RETURN_NOT_SENT;
872 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
873 || !WPACKET_put_bytes_u16(pkt, 0)) {
874 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
875 return EXT_RETURN_FAIL;
878 return EXT_RETURN_SENT;
881 #ifndef OPENSSL_NO_EC
882 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
883 unsigned int context, X509 *x,
884 size_t chainidx, int *al)
886 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
887 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
888 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
889 && (s->session->ext.ecpointformats != NULL);
890 const unsigned char *plist;
894 return EXT_RETURN_NOT_SENT;
896 tls1_get_formatlist(s, &plist, &plistlen);
897 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
898 || !WPACKET_start_sub_packet_u16(pkt)
899 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
900 || !WPACKET_close(pkt)) {
901 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
902 return EXT_RETURN_FAIL;
905 return EXT_RETURN_SENT;
909 #ifndef OPENSSL_NO_EC
910 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
911 unsigned int context, X509 *x,
912 size_t chainidx, int *al)
914 const unsigned char *groups;
915 size_t numgroups, i, first = 1;
917 /* s->s3->group_id is non zero if we accepted a key_share */
918 if (s->s3->group_id == 0)
919 return EXT_RETURN_NOT_SENT;
921 /* Get our list of supported groups */
922 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
923 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
924 return EXT_RETURN_FAIL;
927 /* Copy group ID if supported */
928 for (i = 0; i < numgroups; i++, groups += 2) {
929 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
932 * Check if the client is already using our preferred group. If
933 * so we don't need to add this extension
935 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
936 return EXT_RETURN_NOT_SENT;
938 /* Add extension header */
939 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
940 /* Sub-packet for supported_groups extension */
941 || !WPACKET_start_sub_packet_u16(pkt)
942 || !WPACKET_start_sub_packet_u16(pkt)) {
943 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
944 ERR_R_INTERNAL_ERROR);
945 return EXT_RETURN_FAIL;
950 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
952 ERR_R_INTERNAL_ERROR);
953 return EXT_RETURN_FAIL;
958 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
959 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
960 return EXT_RETURN_FAIL;
963 return EXT_RETURN_SENT;
967 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
968 unsigned int context, X509 *x,
969 size_t chainidx, int *al)
971 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
972 s->ext.ticket_expected = 0;
973 return EXT_RETURN_NOT_SENT;
976 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
977 || !WPACKET_put_bytes_u16(pkt, 0)) {
978 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
979 return EXT_RETURN_FAIL;
982 return EXT_RETURN_SENT;
985 #ifndef OPENSSL_NO_OCSP
986 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
987 unsigned int context, X509 *x,
988 size_t chainidx, int *al)
990 if (!s->ext.status_expected)
991 return EXT_RETURN_NOT_SENT;
993 if (SSL_IS_TLS13(s) && chainidx != 0)
994 return EXT_RETURN_NOT_SENT;
996 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
997 || !WPACKET_start_sub_packet_u16(pkt)) {
998 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
999 return EXT_RETURN_FAIL;
1003 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1004 * send back an empty extension, with the certificate status appearing as a
1007 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1008 || !WPACKET_close(pkt)) {
1009 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1010 return EXT_RETURN_FAIL;
1013 return EXT_RETURN_SENT;
1017 #ifndef OPENSSL_NO_NEXTPROTONEG
1018 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1019 unsigned int context, X509 *x,
1020 size_t chainidx, int *al)
1022 const unsigned char *npa;
1023 unsigned int npalen;
1025 int npn_seen = s->s3->npn_seen;
1027 s->s3->npn_seen = 0;
1028 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1029 return EXT_RETURN_NOT_SENT;
1031 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1032 s->ctx->ext.npn_advertised_cb_arg);
1033 if (ret == SSL_TLSEXT_ERR_OK) {
1034 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1035 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1036 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1037 ERR_R_INTERNAL_ERROR);
1038 return EXT_RETURN_FAIL;
1040 s->s3->npn_seen = 1;
1043 return EXT_RETURN_SENT;
1047 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1048 X509 *x, size_t chainidx, int *al)
1050 if (s->s3->alpn_selected == NULL)
1051 return EXT_RETURN_NOT_SENT;
1053 if (!WPACKET_put_bytes_u16(pkt,
1054 TLSEXT_TYPE_application_layer_protocol_negotiation)
1055 || !WPACKET_start_sub_packet_u16(pkt)
1056 || !WPACKET_start_sub_packet_u16(pkt)
1057 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1058 s->s3->alpn_selected_len)
1059 || !WPACKET_close(pkt)
1060 || !WPACKET_close(pkt)) {
1061 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1062 return EXT_RETURN_FAIL;
1065 return EXT_RETURN_SENT;
1068 #ifndef OPENSSL_NO_SRTP
1069 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1070 unsigned int context, X509 *x,
1071 size_t chainidx, int *al)
1073 if (s->srtp_profile == NULL)
1074 return EXT_RETURN_NOT_SENT;
1076 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1077 || !WPACKET_start_sub_packet_u16(pkt)
1078 || !WPACKET_put_bytes_u16(pkt, 2)
1079 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1080 || !WPACKET_put_bytes_u8(pkt, 0)
1081 || !WPACKET_close(pkt)) {
1082 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1083 return EXT_RETURN_FAIL;
1086 return EXT_RETURN_SENT;
1090 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1091 X509 *x, size_t chainidx, int *al)
1093 if (!s->ext.use_etm)
1094 return EXT_RETURN_NOT_SENT;
1097 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1098 * for other cases too.
1100 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1101 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1102 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1103 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1105 return EXT_RETURN_NOT_SENT;
1108 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1109 || !WPACKET_put_bytes_u16(pkt, 0)) {
1110 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1111 return EXT_RETURN_FAIL;
1114 return EXT_RETURN_SENT;
1117 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1118 X509 *x, size_t chainidx, int *al)
1120 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1121 return EXT_RETURN_NOT_SENT;
1123 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1124 || !WPACKET_put_bytes_u16(pkt, 0)) {
1125 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1126 return EXT_RETURN_FAIL;
1129 return EXT_RETURN_SENT;
1132 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1133 unsigned int context, X509 *x,
1134 size_t chainidx, int *al)
1136 #ifndef OPENSSL_NO_TLS1_3
1137 unsigned char *encodedPoint;
1138 size_t encoded_pt_len = 0;
1139 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1142 /* No key_share received from client */
1143 if (s->hello_retry_request) {
1144 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1145 || !WPACKET_start_sub_packet_u16(pkt)
1146 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1147 || !WPACKET_close(pkt)) {
1148 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1149 ERR_R_INTERNAL_ERROR);
1150 return EXT_RETURN_FAIL;
1153 return EXT_RETURN_SENT;
1156 /* Must be resuming. */
1157 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1158 *al = SSL_AD_INTERNAL_ERROR;
1159 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1160 return EXT_RETURN_FAIL;
1162 return EXT_RETURN_NOT_SENT;
1165 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1166 || !WPACKET_start_sub_packet_u16(pkt)
1167 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1168 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1169 return EXT_RETURN_FAIL;
1172 skey = ssl_generate_pkey(ckey);
1174 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1175 return EXT_RETURN_FAIL;
1178 /* Generate encoding of server key */
1179 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1180 if (encoded_pt_len == 0) {
1181 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1182 EVP_PKEY_free(skey);
1183 return EXT_RETURN_FAIL;
1186 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1187 || !WPACKET_close(pkt)) {
1188 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1189 EVP_PKEY_free(skey);
1190 OPENSSL_free(encodedPoint);
1191 return EXT_RETURN_FAIL;
1193 OPENSSL_free(encodedPoint);
1195 /* This causes the crypto state to be updated based on the derived keys */
1196 s->s3->tmp.pkey = skey;
1197 if (ssl_derive(s, skey, ckey, 1) == 0) {
1198 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1199 return EXT_RETURN_FAIL;
1203 return EXT_RETURN_SENT;
1206 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1207 unsigned int context, X509 *x,
1208 size_t chainidx, int *al)
1210 const unsigned char cryptopro_ext[36] = {
1211 0xfd, 0xe8, /* 65000 */
1212 0x00, 0x20, /* 32 bytes length */
1213 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1214 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1215 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1216 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1219 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1220 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1221 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1222 return EXT_RETURN_NOT_SENT;
1224 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1225 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1226 return EXT_RETURN_FAIL;
1229 return EXT_RETURN_SENT;
1232 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1233 unsigned int context, X509 *x,
1234 size_t chainidx, int *al)
1236 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1237 if (s->max_early_data == 0)
1238 return EXT_RETURN_NOT_SENT;
1240 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1241 || !WPACKET_start_sub_packet_u16(pkt)
1242 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1243 || !WPACKET_close(pkt)) {
1244 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1245 return EXT_RETURN_FAIL;
1248 return EXT_RETURN_SENT;
1251 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1252 return EXT_RETURN_NOT_SENT;
1254 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1255 || !WPACKET_start_sub_packet_u16(pkt)
1256 || !WPACKET_close(pkt)) {
1257 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1258 return EXT_RETURN_FAIL;
1261 return EXT_RETURN_SENT;
1264 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1265 X509 *x, size_t chainidx, int *al)
1268 return EXT_RETURN_NOT_SENT;
1270 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1271 || !WPACKET_start_sub_packet_u16(pkt)
1272 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1273 || !WPACKET_close(pkt)) {
1274 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1275 return EXT_RETURN_FAIL;
1278 return EXT_RETURN_SENT;