2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
122 *al = TLS1_AD_INTERNAL_ERROR;
126 s->servername_done = 1;
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
140 #ifndef OPENSSL_NO_SRP
141 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = SSL_AD_INTERNAL_ERROR;
165 #ifndef OPENSSL_NO_EC
166 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
169 PACKET ec_point_format_list;
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
178 if (!PACKET_memdup(&ec_point_format_list,
179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
181 *al = SSL_AD_INTERNAL_ERROR;
188 #endif /* OPENSSL_NO_EC */
190 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
197 *al = SSL_AD_INTERNAL_ERROR;
204 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
207 PACKET supported_sig_algs;
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
216 *al = SSL_AD_DECODE_ERROR;
223 #ifndef OPENSSL_NO_OCSP
224 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
227 PACKET responder_id_list, exts;
229 /* Not defined if we get one of these in a client Certificate */
233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
234 *al = SSL_AD_DECODE_ERROR;
238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
240 * We don't know what to do with any other type so ignore it.
242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
256 if (PACKET_remaining(&responder_id_list) > 0) {
257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
259 *al = SSL_AD_INTERNAL_ERROR;
263 s->ext.ocsp.ids = NULL;
266 while (PACKET_remaining(&responder_id_list) > 0) {
269 const unsigned char *id_data;
271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
282 *al = SSL_AD_DECODE_ERROR;
286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
288 *al = SSL_AD_DECODE_ERROR;
292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
309 X509_EXTENSION_free);
311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
313 *al = SSL_AD_DECODE_ERROR;
322 #ifndef OPENSSL_NO_NEXTPROTONEG
323 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
327 * We shouldn't accept this extension on a
330 if (SSL_IS_FIRST_HANDSHAKE(s))
338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
342 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
345 PACKET protocol_list, save_protocol_list, protocol;
347 if (!SSL_IS_FIRST_HANDSHAKE(s))
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
356 save_protocol_list = protocol_list;
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
364 } while (PACKET_remaining(&protocol_list) != 0);
366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = SSL_AD_INTERNAL_ERROR;
378 #ifndef OPENSSL_NO_SRTP
379 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
391 /* Pull off the length of the cipher suite list and check it is even */
392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
414 * Only look for match in profiles of higher preference than
416 * If no profiles have been have been configured then this
419 for (i = 0; i < srtp_pref; i++) {
420 SRTP_PROTECTION_PROFILE *sprof =
421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
431 /* Now extract the MKI value as a sanity check, but discard it for now */
432 if (!PACKET_get_1(pkt, &mki_len)) {
433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
442 *al = SSL_AD_DECODE_ERROR;
450 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
464 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
467 #ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
493 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
496 #ifndef OPENSSL_NO_TLS1_3
497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
515 *al = SSL_AD_DECODE_ERROR;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
527 /* Get the clients list of supported curves. */
528 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
529 *al = SSL_AD_INTERNAL_ERROR;
530 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
533 if (clnt_num_curves == 0) {
535 * This can only happen if the supported_groups extension was not sent,
536 * because we verify that the length is non-zero when we process that
539 *al = SSL_AD_MISSING_EXTENSION;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
541 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
545 while (PACKET_remaining(&key_share_list) > 0) {
546 if (!PACKET_get_net_2(&key_share_list, &group_id)
547 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
548 || PACKET_remaining(&encoded_pt) == 0) {
549 *al = SSL_AD_DECODE_ERROR;
550 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
551 SSL_R_LENGTH_MISMATCH);
556 * If we already found a suitable key_share we loop through the
557 * rest to verify the structure, but don't process them.
562 /* Check if this share is in supported_groups sent from client */
563 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
564 *al = SSL_AD_ILLEGAL_PARAMETER;
565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
569 /* Check if this share is for a group we can use */
570 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
571 /* Share not suitable */
575 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
577 if (group_nid == 0) {
578 *al = SSL_AD_INTERNAL_ERROR;
579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
580 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
584 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
585 /* Can happen for some curves, e.g. X25519 */
586 EVP_PKEY *key = EVP_PKEY_new();
588 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
589 *al = SSL_AD_INTERNAL_ERROR;
590 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
594 s->s3->peer_tmp = key;
596 /* Set up EVP_PKEY with named curve as parameters */
597 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
600 || EVP_PKEY_paramgen_init(pctx) <= 0
601 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
603 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
604 *al = SSL_AD_INTERNAL_ERROR;
605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
606 EVP_PKEY_CTX_free(pctx);
609 EVP_PKEY_CTX_free(pctx);
612 s->s3->group_id = group_id;
614 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
615 PACKET_data(&encoded_pt),
616 PACKET_remaining(&encoded_pt))) {
617 *al = SSL_AD_ILLEGAL_PARAMETER;
618 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
629 #ifndef OPENSSL_NO_EC
630 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
631 X509 *x, size_t chainidx, int *al)
633 PACKET supported_groups_list;
635 /* Each group is 2 bytes and we must have at least 1. */
636 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
637 || PACKET_remaining(&supported_groups_list) == 0
638 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
639 *al = SSL_AD_DECODE_ERROR;
643 OPENSSL_free(s->session->ext.supportedgroups);
644 s->session->ext.supportedgroups = NULL;
645 s->session->ext.supportedgroups_len = 0;
646 if (!PACKET_memdup(&supported_groups_list,
647 &s->session->ext.supportedgroups,
648 &s->session->ext.supportedgroups_len)) {
649 *al = SSL_AD_INTERNAL_ERROR;
657 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
658 size_t chainidx, int *al)
660 /* The extension must always be empty */
661 if (PACKET_remaining(pkt) != 0) {
662 *al = SSL_AD_DECODE_ERROR;
666 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
672 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
673 X509 *x, size_t chainidx, int *al)
675 if (PACKET_remaining(pkt) != 0) {
676 *al = SSL_AD_DECODE_ERROR;
683 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
684 size_t chainidx, int *al)
686 PACKET identities, binders, binder;
687 size_t binderoffset, hashsize;
688 SSL_SESSION *sess = NULL;
689 unsigned int id, i, ext = 0;
690 const EVP_MD *md = NULL;
693 * If we have no PSK kex mode that we recognise then we can't resume so
694 * ignore this extension
696 if ((s->ext.psk_kex_mode
697 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
700 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
701 *al = SSL_AD_DECODE_ERROR;
705 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
707 unsigned long ticket_agel;
709 if (!PACKET_get_length_prefixed_2(&identities, &identity)
710 || !PACKET_get_net_4(&identities, &ticket_agel)) {
711 *al = SSL_AD_DECODE_ERROR;
715 if (s->psk_find_session_cb != NULL
716 && !s->psk_find_session_cb(s, PACKET_data(&identity),
717 PACKET_remaining(&identity),
719 *al = SSL_AD_INTERNAL_ERROR;
725 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
727 if (sesstmp == NULL) {
728 *al = SSL_AD_INTERNAL_ERROR;
731 SSL_SESSION_free(sess);
735 * We've just been told to use this session for this context so
736 * make sure the sid_ctx matches up.
738 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
739 sess->sid_ctx_length = s->sid_ctx_length;
742 uint32_t ticket_age = 0, now, agesec, agems;
743 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
744 PACKET_remaining(&identity), NULL, 0,
747 if (ret == TICKET_FATAL_ERR_MALLOC
748 || ret == TICKET_FATAL_ERR_OTHER) {
749 *al = SSL_AD_INTERNAL_ERROR;
752 if (ret == TICKET_NO_DECRYPT)
755 ticket_age = (uint32_t)ticket_agel;
756 now = (uint32_t)time(NULL);
757 agesec = now - (uint32_t)sess->time;
758 agems = agesec * (uint32_t)1000;
759 ticket_age -= sess->ext.tick_age_add;
762 * For simplicity we do our age calculations in seconds. If the
763 * client does it in ms then it could appear that their ticket age
764 * is longer than ours (our ticket age calculation should always be
765 * slightly longer than the client's due to the network latency).
766 * Therefore we add 1000ms to our age calculation to adjust for
769 if (sess->timeout >= (long)agesec
770 && agems / (uint32_t)1000 == agesec
771 && ticket_age <= agems + 1000
772 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
774 * Ticket age is within tolerance and not expired. We allow it
777 s->ext.early_data_ok = 1;
781 md = ssl_md(sess->cipher->algorithm2);
782 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
783 /* The ciphersuite is not compatible with this session. */
784 SSL_SESSION_free(sess);
794 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
795 hashsize = EVP_MD_size(md);
797 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
798 *al = SSL_AD_DECODE_ERROR;
802 for (i = 0; i <= id; i++) {
803 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
804 *al = SSL_AD_DECODE_ERROR;
809 if (PACKET_remaining(&binder) != hashsize
810 || tls_psk_do_binder(s, md,
811 (const unsigned char *)s->init_buf->data,
812 binderoffset, PACKET_data(&binder), NULL,
813 sess, 0, ext) != 1) {
814 *al = SSL_AD_DECODE_ERROR;
815 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
819 sess->ext.tick_identity = id;
821 SSL_SESSION_free(s->session);
825 SSL_SESSION_free(sess);
830 * Add the server's renegotiation binding
832 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
833 unsigned int context, X509 *x,
834 size_t chainidx, int *al)
836 if (!s->s3->send_connection_binding)
837 return EXT_RETURN_NOT_SENT;
839 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
840 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
841 || !WPACKET_start_sub_packet_u16(pkt)
842 || !WPACKET_start_sub_packet_u8(pkt)
843 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
844 s->s3->previous_client_finished_len)
845 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
846 s->s3->previous_server_finished_len)
847 || !WPACKET_close(pkt)
848 || !WPACKET_close(pkt)) {
849 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
850 return EXT_RETURN_FAIL;
853 return EXT_RETURN_SENT;
856 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
857 unsigned int context, X509 *x,
858 size_t chainidx, int *al)
860 if (s->hit || s->servername_done != 1
861 || s->session->ext.hostname == NULL)
862 return EXT_RETURN_NOT_SENT;
864 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
865 || !WPACKET_put_bytes_u16(pkt, 0)) {
866 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
867 return EXT_RETURN_FAIL;
870 return EXT_RETURN_SENT;
873 #ifndef OPENSSL_NO_EC
874 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
875 unsigned int context, X509 *x,
876 size_t chainidx, int *al)
878 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
879 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
880 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
881 && (s->session->ext.ecpointformats != NULL);
882 const unsigned char *plist;
886 return EXT_RETURN_NOT_SENT;
888 tls1_get_formatlist(s, &plist, &plistlen);
889 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
890 || !WPACKET_start_sub_packet_u16(pkt)
891 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
892 || !WPACKET_close(pkt)) {
893 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
894 return EXT_RETURN_FAIL;
897 return EXT_RETURN_SENT;
901 #ifndef OPENSSL_NO_EC
902 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
903 unsigned int context, X509 *x,
904 size_t chainidx, int *al)
906 const unsigned char *groups;
907 size_t numgroups, i, first = 1;
909 /* s->s3->group_id is non zero if we accepted a key_share */
910 if (s->s3->group_id == 0)
911 return EXT_RETURN_NOT_SENT;
913 /* Get our list of supported groups */
914 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
915 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
916 return EXT_RETURN_FAIL;
919 /* Copy group ID if supported */
920 for (i = 0; i < numgroups; i++, groups += 2) {
921 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
924 * Check if the client is already using our preferred group. If
925 * so we don't need to add this extension
927 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
928 return EXT_RETURN_NOT_SENT;
930 /* Add extension header */
931 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
932 /* Sub-packet for supported_groups extension */
933 || !WPACKET_start_sub_packet_u16(pkt)
934 || !WPACKET_start_sub_packet_u16(pkt)) {
935 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
936 ERR_R_INTERNAL_ERROR);
937 return EXT_RETURN_FAIL;
942 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
943 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
944 ERR_R_INTERNAL_ERROR);
945 return EXT_RETURN_FAIL;
950 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
952 return EXT_RETURN_FAIL;
955 return EXT_RETURN_SENT;
959 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
960 unsigned int context, X509 *x,
961 size_t chainidx, int *al)
963 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
964 s->ext.ticket_expected = 0;
965 return EXT_RETURN_NOT_SENT;
968 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
969 || !WPACKET_put_bytes_u16(pkt, 0)) {
970 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
971 return EXT_RETURN_FAIL;
974 return EXT_RETURN_SENT;
977 #ifndef OPENSSL_NO_OCSP
978 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
979 unsigned int context, X509 *x,
980 size_t chainidx, int *al)
982 if (!s->ext.status_expected)
983 return EXT_RETURN_NOT_SENT;
985 if (SSL_IS_TLS13(s) && chainidx != 0)
986 return EXT_RETURN_NOT_SENT;
988 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
989 || !WPACKET_start_sub_packet_u16(pkt)) {
990 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
991 return EXT_RETURN_FAIL;
995 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
996 * send back an empty extension, with the certificate status appearing as a
999 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1000 || !WPACKET_close(pkt)) {
1001 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1002 return EXT_RETURN_FAIL;
1005 return EXT_RETURN_SENT;
1009 #ifndef OPENSSL_NO_NEXTPROTONEG
1010 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1011 unsigned int context, X509 *x,
1012 size_t chainidx, int *al)
1014 const unsigned char *npa;
1015 unsigned int npalen;
1017 int npn_seen = s->s3->npn_seen;
1019 s->s3->npn_seen = 0;
1020 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1021 return EXT_RETURN_NOT_SENT;
1023 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1024 s->ctx->ext.npn_advertised_cb_arg);
1025 if (ret == SSL_TLSEXT_ERR_OK) {
1026 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1027 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1028 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1029 ERR_R_INTERNAL_ERROR);
1030 return EXT_RETURN_FAIL;
1032 s->s3->npn_seen = 1;
1035 return EXT_RETURN_SENT;
1039 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1040 X509 *x, size_t chainidx, int *al)
1042 if (s->s3->alpn_selected == NULL)
1043 return EXT_RETURN_NOT_SENT;
1045 if (!WPACKET_put_bytes_u16(pkt,
1046 TLSEXT_TYPE_application_layer_protocol_negotiation)
1047 || !WPACKET_start_sub_packet_u16(pkt)
1048 || !WPACKET_start_sub_packet_u16(pkt)
1049 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1050 s->s3->alpn_selected_len)
1051 || !WPACKET_close(pkt)
1052 || !WPACKET_close(pkt)) {
1053 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1054 return EXT_RETURN_FAIL;
1057 return EXT_RETURN_SENT;
1060 #ifndef OPENSSL_NO_SRTP
1061 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1062 unsigned int context, X509 *x,
1063 size_t chainidx, int *al)
1065 if (s->srtp_profile == NULL)
1066 return EXT_RETURN_NOT_SENT;
1068 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1069 || !WPACKET_start_sub_packet_u16(pkt)
1070 || !WPACKET_put_bytes_u16(pkt, 2)
1071 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1072 || !WPACKET_put_bytes_u8(pkt, 0)
1073 || !WPACKET_close(pkt)) {
1074 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1075 return EXT_RETURN_FAIL;
1078 return EXT_RETURN_SENT;
1082 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1083 X509 *x, size_t chainidx, int *al)
1085 if (!s->ext.use_etm)
1086 return EXT_RETURN_NOT_SENT;
1089 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1090 * for other cases too.
1092 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1093 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1094 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1095 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1097 return EXT_RETURN_NOT_SENT;
1100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1101 || !WPACKET_put_bytes_u16(pkt, 0)) {
1102 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1103 return EXT_RETURN_FAIL;
1106 return EXT_RETURN_SENT;
1109 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1110 X509 *x, size_t chainidx, int *al)
1112 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1113 return EXT_RETURN_NOT_SENT;
1115 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1116 || !WPACKET_put_bytes_u16(pkt, 0)) {
1117 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1118 return EXT_RETURN_FAIL;
1121 return EXT_RETURN_SENT;
1124 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1125 unsigned int context, X509 *x,
1126 size_t chainidx, int *al)
1128 #ifndef OPENSSL_NO_TLS1_3
1129 unsigned char *encodedPoint;
1130 size_t encoded_pt_len = 0;
1131 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1134 /* No key_share received from client */
1135 if (s->hello_retry_request) {
1136 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1137 || !WPACKET_start_sub_packet_u16(pkt)
1138 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1139 || !WPACKET_close(pkt)) {
1140 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1141 ERR_R_INTERNAL_ERROR);
1142 return EXT_RETURN_FAIL;
1145 return EXT_RETURN_SENT;
1148 /* Must be resuming. */
1149 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1150 *al = SSL_AD_INTERNAL_ERROR;
1151 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1152 return EXT_RETURN_FAIL;
1154 return EXT_RETURN_NOT_SENT;
1157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1158 || !WPACKET_start_sub_packet_u16(pkt)
1159 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1160 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1161 return EXT_RETURN_FAIL;
1164 skey = ssl_generate_pkey(ckey);
1166 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1167 return EXT_RETURN_FAIL;
1170 /* Generate encoding of server key */
1171 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1172 if (encoded_pt_len == 0) {
1173 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1174 EVP_PKEY_free(skey);
1175 return EXT_RETURN_FAIL;
1178 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1179 || !WPACKET_close(pkt)) {
1180 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1181 EVP_PKEY_free(skey);
1182 OPENSSL_free(encodedPoint);
1183 return EXT_RETURN_FAIL;
1185 OPENSSL_free(encodedPoint);
1187 /* This causes the crypto state to be updated based on the derived keys */
1188 s->s3->tmp.pkey = skey;
1189 if (ssl_derive(s, skey, ckey, 1) == 0) {
1190 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1191 return EXT_RETURN_FAIL;
1195 return EXT_RETURN_SENT;
1198 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1199 unsigned int context, X509 *x,
1200 size_t chainidx, int *al)
1202 const unsigned char cryptopro_ext[36] = {
1203 0xfd, 0xe8, /* 65000 */
1204 0x00, 0x20, /* 32 bytes length */
1205 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1206 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1207 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1208 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1211 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1212 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1213 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1214 return EXT_RETURN_NOT_SENT;
1216 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1217 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1218 return EXT_RETURN_FAIL;
1221 return EXT_RETURN_SENT;
1224 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1225 unsigned int context, X509 *x,
1226 size_t chainidx, int *al)
1228 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1229 if (s->max_early_data == 0)
1230 return EXT_RETURN_NOT_SENT;
1232 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1233 || !WPACKET_start_sub_packet_u16(pkt)
1234 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1235 || !WPACKET_close(pkt)) {
1236 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1237 return EXT_RETURN_FAIL;
1240 return EXT_RETURN_SENT;
1243 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1244 return EXT_RETURN_NOT_SENT;
1246 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1247 || !WPACKET_start_sub_packet_u16(pkt)
1248 || !WPACKET_close(pkt)) {
1249 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1250 return EXT_RETURN_FAIL;
1253 return EXT_RETURN_SENT;
1256 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1257 X509 *x, size_t chainidx, int *al)
1260 return EXT_RETURN_NOT_SENT;
1262 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1263 || !WPACKET_start_sub_packet_u16(pkt)
1264 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1265 || !WPACKET_close(pkt)) {
1266 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1267 return EXT_RETURN_FAIL;
1270 return EXT_RETURN_SENT;