2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
122 *al = TLS1_AD_INTERNAL_ERROR;
126 s->servername_done = 1;
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
140 #ifndef OPENSSL_NO_SRP
141 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = TLS1_AD_INTERNAL_ERROR;
165 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
166 X509 *x, size_t chainidx, int *al)
168 if (PACKET_remaining(pkt) != 0) {
169 *al = SSL_AD_DECODE_ERROR;
173 if (s->max_early_data == 0 || !s->hit || s->session->ext.tick_identity != 0
174 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING) {
175 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
177 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
179 if (!tls13_change_cipher_state(s,
180 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
181 *al = SSL_AD_INTERNAL_ERROR;
189 #ifndef OPENSSL_NO_EC
190 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
193 PACKET ec_point_format_list;
195 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
196 || PACKET_remaining(&ec_point_format_list) == 0) {
197 *al = SSL_AD_DECODE_ERROR;
202 if (!PACKET_memdup(&ec_point_format_list,
203 &s->session->ext.ecpointformats,
204 &s->session->ext.ecpointformats_len)) {
205 *al = TLS1_AD_INTERNAL_ERROR;
212 #endif /* OPENSSL_NO_EC */
214 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx, int *al)
217 if (s->ext.session_ticket_cb &&
218 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
219 PACKET_remaining(pkt),
220 s->ext.session_ticket_cb_arg)) {
221 *al = TLS1_AD_INTERNAL_ERROR;
228 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
229 size_t chainidx, int *al)
231 PACKET supported_sig_algs;
233 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
234 || PACKET_remaining(&supported_sig_algs) == 0) {
235 *al = SSL_AD_DECODE_ERROR;
239 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
240 *al = TLS1_AD_DECODE_ERROR;
247 #ifndef OPENSSL_NO_OCSP
248 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
249 X509 *x, size_t chainidx, int *al)
251 PACKET responder_id_list, exts;
253 /* Not defined if we get one of these in a client Certificate */
257 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
258 *al = SSL_AD_DECODE_ERROR;
262 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
264 * We don't know what to do with any other type so ignore it.
266 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
270 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
271 *al = SSL_AD_DECODE_ERROR;
276 * We remove any OCSP_RESPIDs from a previous handshake
277 * to prevent unbounded memory growth - CVE-2016-6304
279 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
280 if (PACKET_remaining(&responder_id_list) > 0) {
281 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
282 if (s->ext.ocsp.ids == NULL) {
283 *al = SSL_AD_INTERNAL_ERROR;
287 s->ext.ocsp.ids = NULL;
290 while (PACKET_remaining(&responder_id_list) > 0) {
293 const unsigned char *id_data;
295 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
296 || PACKET_remaining(&responder_id) == 0) {
297 *al = SSL_AD_DECODE_ERROR;
301 id_data = PACKET_data(&responder_id);
302 /* TODO(size_t): Convert d2i_* to size_t */
303 id = d2i_OCSP_RESPID(NULL, &id_data,
304 (int)PACKET_remaining(&responder_id));
306 *al = SSL_AD_DECODE_ERROR;
310 if (id_data != PACKET_end(&responder_id)) {
311 OCSP_RESPID_free(id);
312 *al = SSL_AD_DECODE_ERROR;
316 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
317 OCSP_RESPID_free(id);
318 *al = SSL_AD_INTERNAL_ERROR;
323 /* Read in request_extensions */
324 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
325 *al = SSL_AD_DECODE_ERROR;
329 if (PACKET_remaining(&exts) > 0) {
330 const unsigned char *ext_data = PACKET_data(&exts);
332 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
333 X509_EXTENSION_free);
335 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
336 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
337 *al = SSL_AD_DECODE_ERROR;
346 #ifndef OPENSSL_NO_NEXTPROTONEG
347 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
348 size_t chainidx, int *al)
351 * We shouldn't accept this extension on a
354 if (SSL_IS_FIRST_HANDSHAKE(s))
362 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
363 * extension, not including type and length. |al| is a pointer to the alert
364 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
366 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
367 size_t chainidx, int *al)
369 PACKET protocol_list, save_protocol_list, protocol;
371 if (!SSL_IS_FIRST_HANDSHAKE(s))
374 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
375 || PACKET_remaining(&protocol_list) < 2) {
376 *al = SSL_AD_DECODE_ERROR;
380 save_protocol_list = protocol_list;
382 /* Protocol names can't be empty. */
383 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
384 || PACKET_remaining(&protocol) == 0) {
385 *al = SSL_AD_DECODE_ERROR;
388 } while (PACKET_remaining(&protocol_list) != 0);
390 OPENSSL_free(s->s3->alpn_proposed);
391 s->s3->alpn_proposed = NULL;
392 s->s3->alpn_proposed_len = 0;
393 if (!PACKET_memdup(&save_protocol_list,
394 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
395 *al = TLS1_AD_INTERNAL_ERROR;
402 #ifndef OPENSSL_NO_SRTP
403 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
404 size_t chainidx, int *al)
406 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
407 unsigned int ct, mki_len, id;
411 /* Ignore this if we have no SRTP profiles */
412 if (SSL_get_srtp_profiles(s) == NULL)
415 /* Pull off the length of the cipher suite list and check it is even */
416 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
417 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
418 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
419 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
420 *al = SSL_AD_DECODE_ERROR;
424 srvr = SSL_get_srtp_profiles(s);
425 s->srtp_profile = NULL;
426 /* Search all profiles for a match initially */
427 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
429 while (PACKET_remaining(&subpkt)) {
430 if (!PACKET_get_net_2(&subpkt, &id)) {
431 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
432 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
433 *al = SSL_AD_DECODE_ERROR;
438 * Only look for match in profiles of higher preference than
440 * If no profiles have been have been configured then this
443 for (i = 0; i < srtp_pref; i++) {
444 SRTP_PROTECTION_PROFILE *sprof =
445 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
447 if (sprof->id == id) {
448 s->srtp_profile = sprof;
455 /* Now extract the MKI value as a sanity check, but discard it for now */
456 if (!PACKET_get_1(pkt, &mki_len)) {
457 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
458 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
459 *al = SSL_AD_DECODE_ERROR;
463 if (!PACKET_forward(pkt, mki_len)
464 || PACKET_remaining(pkt)) {
465 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
466 *al = SSL_AD_DECODE_ERROR;
474 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
475 size_t chainidx, int *al)
477 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
484 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
485 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
486 * If a failure occurs then |*al| is set to an appropriate alert value.
488 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
489 X509 *x, size_t chainidx, int *al)
491 #ifndef OPENSSL_NO_TLS1_3
492 PACKET psk_kex_modes;
495 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
496 || PACKET_remaining(&psk_kex_modes) == 0) {
497 *al = SSL_AD_DECODE_ERROR;
501 while (PACKET_get_1(&psk_kex_modes, &mode)) {
502 if (mode == TLSEXT_KEX_MODE_KE_DHE)
503 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
504 else if (mode == TLSEXT_KEX_MODE_KE)
505 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
513 * Process a key_share extension received in the ClientHello. |pkt| contains
514 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
515 * If a failure occurs then |*al| is set to an appropriate alert value.
517 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
518 size_t chainidx, int *al)
520 #ifndef OPENSSL_NO_TLS1_3
521 unsigned int group_id;
522 PACKET key_share_list, encoded_pt;
523 const unsigned char *clntcurves, *srvrcurves;
524 size_t clnt_num_curves, srvr_num_curves;
525 int group_nid, found = 0;
526 unsigned int curve_flags;
528 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
532 if (s->s3->peer_tmp != NULL) {
533 *al = SSL_AD_INTERNAL_ERROR;
534 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
538 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
539 *al = SSL_AD_HANDSHAKE_FAILURE;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
544 /* Get our list of supported curves */
545 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
546 *al = SSL_AD_INTERNAL_ERROR;
547 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
552 * Get the clients list of supported curves.
553 * TODO(TLS1.3): We should validate that we actually received
556 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
557 *al = SSL_AD_INTERNAL_ERROR;
558 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
562 while (PACKET_remaining(&key_share_list) > 0) {
563 if (!PACKET_get_net_2(&key_share_list, &group_id)
564 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
565 || PACKET_remaining(&encoded_pt) == 0) {
566 *al = SSL_AD_HANDSHAKE_FAILURE;
567 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
568 SSL_R_LENGTH_MISMATCH);
573 * If we already found a suitable key_share we loop through the
574 * rest to verify the structure, but don't process them.
579 /* Check if this share is in supported_groups sent from client */
580 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
581 *al = SSL_AD_HANDSHAKE_FAILURE;
582 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
586 /* Check if this share is for a group we can use */
587 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
588 /* Share not suitable */
592 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
594 if (group_nid == 0) {
595 *al = SSL_AD_INTERNAL_ERROR;
596 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
597 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
601 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
602 /* Can happen for some curves, e.g. X25519 */
603 EVP_PKEY *key = EVP_PKEY_new();
605 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
606 *al = SSL_AD_INTERNAL_ERROR;
607 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
611 s->s3->peer_tmp = key;
613 /* Set up EVP_PKEY with named curve as parameters */
614 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
617 || EVP_PKEY_paramgen_init(pctx) <= 0
618 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
620 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
621 *al = SSL_AD_INTERNAL_ERROR;
622 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
623 EVP_PKEY_CTX_free(pctx);
626 EVP_PKEY_CTX_free(pctx);
629 s->s3->group_id = group_id;
631 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
632 PACKET_data(&encoded_pt),
633 PACKET_remaining(&encoded_pt))) {
634 *al = SSL_AD_DECODE_ERROR;
635 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
646 #ifndef OPENSSL_NO_EC
647 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
648 X509 *x, size_t chainidx, int *al)
650 PACKET supported_groups_list;
652 /* Each group is 2 bytes and we must have at least 1. */
653 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
654 || PACKET_remaining(&supported_groups_list) == 0
655 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
656 *al = SSL_AD_DECODE_ERROR;
660 OPENSSL_free(s->session->ext.supportedgroups);
661 s->session->ext.supportedgroups = NULL;
662 s->session->ext.supportedgroups_len = 0;
663 if (!PACKET_memdup(&supported_groups_list,
664 &s->session->ext.supportedgroups,
665 &s->session->ext.supportedgroups_len)) {
666 *al = SSL_AD_DECODE_ERROR;
674 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
675 size_t chainidx, int *al)
677 /* The extension must always be empty */
678 if (PACKET_remaining(pkt) != 0) {
679 *al = SSL_AD_DECODE_ERROR;
683 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
688 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
689 size_t chainidx, int *al)
691 PACKET identities, binders, binder;
692 size_t binderoffset, hashsize;
693 SSL_SESSION *sess = NULL;
695 const EVP_MD *md = NULL;
698 * If we have no PSK kex mode that we recognise then we can't resume so
699 * ignore this extension
701 if ((s->ext.psk_kex_mode
702 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
705 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
706 *al = SSL_AD_DECODE_ERROR;
710 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
712 unsigned long ticket_age;
715 if (!PACKET_get_length_prefixed_2(&identities, &identity)
716 || !PACKET_get_net_4(&identities, &ticket_age)) {
717 *al = SSL_AD_DECODE_ERROR;
721 /* TODO(TLS1.3): Should we validate the ticket age? */
723 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
724 PACKET_remaining(&identity), NULL, 0, &sess);
725 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
726 *al = SSL_AD_INTERNAL_ERROR;
729 if (ret == TICKET_NO_DECRYPT)
732 md = ssl_md(sess->cipher->algorithm2);
735 * Don't recognise this cipher so we can't use the session.
738 SSL_SESSION_free(sess);
744 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
754 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
755 hashsize = EVP_MD_size(md);
757 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
758 *al = SSL_AD_DECODE_ERROR;
762 for (i = 0; i <= id; i++) {
763 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
764 *al = SSL_AD_DECODE_ERROR;
769 if (PACKET_remaining(&binder) != hashsize
770 || tls_psk_do_binder(s, md,
771 (const unsigned char *)s->init_buf->data,
772 binderoffset, PACKET_data(&binder), NULL,
774 *al = SSL_AD_DECODE_ERROR;
775 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
779 sess->ext.tick_identity = id;
780 SSL_SESSION_free(s->session);
788 * Add the server's renegotiation binding
790 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
791 X509 *x, size_t chainidx, int *al)
793 if (!s->s3->send_connection_binding)
796 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
797 || !WPACKET_start_sub_packet_u16(pkt)
798 || !WPACKET_start_sub_packet_u8(pkt)
799 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
800 s->s3->previous_client_finished_len)
801 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
802 s->s3->previous_server_finished_len)
803 || !WPACKET_close(pkt)
804 || !WPACKET_close(pkt)) {
805 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
812 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
813 X509 *x, size_t chainidx, int *al)
815 if (s->hit || s->servername_done != 1
816 || s->session->ext.hostname == NULL)
819 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
820 || !WPACKET_put_bytes_u16(pkt, 0)) {
821 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
828 int tls_construct_stoc_early_data_info(SSL *s, WPACKET *pkt,
829 unsigned int context, X509 *x,
830 size_t chainidx, int *al)
832 if (s->max_early_data == 0)
835 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data_info)
836 || !WPACKET_start_sub_packet_u16(pkt)
837 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
838 || !WPACKET_close(pkt)) {
839 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO, ERR_R_INTERNAL_ERROR);
846 int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
847 X509 *x, size_t chainidx, int *al)
849 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
852 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
853 || !WPACKET_start_sub_packet_u16(pkt)
854 || !WPACKET_close(pkt)) {
855 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
862 #ifndef OPENSSL_NO_EC
863 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
864 X509 *x, size_t chainidx, int *al)
866 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
867 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
868 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
869 && (s->session->ext.ecpointformats != NULL);
870 const unsigned char *plist;
876 tls1_get_formatlist(s, &plist, &plistlen);
877 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
878 || !WPACKET_start_sub_packet_u16(pkt)
879 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
880 || !WPACKET_close(pkt)) {
881 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
889 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
890 unsigned int context, X509 *x,
891 size_t chainidx, int *al)
893 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
894 s->ext.ticket_expected = 0;
898 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
899 || !WPACKET_put_bytes_u16(pkt, 0)) {
900 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
907 #ifndef OPENSSL_NO_OCSP
908 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
909 unsigned int context, X509 *x,
910 size_t chainidx, int *al)
912 if (!s->ext.status_expected)
915 if (SSL_IS_TLS13(s) && chainidx != 0)
918 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
919 || !WPACKET_start_sub_packet_u16(pkt)) {
920 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
925 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
926 * send back an empty extension, with the certificate status appearing as a
929 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
930 || !WPACKET_close(pkt)) {
931 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
939 #ifndef OPENSSL_NO_NEXTPROTONEG
940 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
941 unsigned int context, X509 *x,
942 size_t chainidx, int *al)
944 const unsigned char *npa;
947 int npn_seen = s->s3->npn_seen;
950 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
953 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
954 s->ctx->ext.npn_advertised_cb_arg);
955 if (ret == SSL_TLSEXT_ERR_OK) {
956 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
957 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
958 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
959 ERR_R_INTERNAL_ERROR);
969 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
970 size_t chainidx, int *al)
972 if (s->s3->alpn_selected == NULL)
975 if (!WPACKET_put_bytes_u16(pkt,
976 TLSEXT_TYPE_application_layer_protocol_negotiation)
977 || !WPACKET_start_sub_packet_u16(pkt)
978 || !WPACKET_start_sub_packet_u16(pkt)
979 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
980 s->s3->alpn_selected_len)
981 || !WPACKET_close(pkt)
982 || !WPACKET_close(pkt)) {
983 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
990 #ifndef OPENSSL_NO_SRTP
991 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
992 X509 *x, size_t chainidx, int *al)
994 if (s->srtp_profile == NULL)
997 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
998 || !WPACKET_start_sub_packet_u16(pkt)
999 || !WPACKET_put_bytes_u16(pkt, 2)
1000 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1001 || !WPACKET_put_bytes_u8(pkt, 0)
1002 || !WPACKET_close(pkt)) {
1003 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1011 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1012 size_t chainidx, int *al)
1014 if (!s->ext.use_etm)
1018 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1019 * for other cases too.
1021 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1022 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1023 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1024 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1029 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1030 || !WPACKET_put_bytes_u16(pkt, 0)) {
1031 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1038 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1039 size_t chainidx, int *al)
1041 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1044 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1045 || !WPACKET_put_bytes_u16(pkt, 0)) {
1046 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1053 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
1054 X509 *x, size_t chainidx, int *al)
1056 #ifndef OPENSSL_NO_TLS1_3
1057 unsigned char *encodedPoint;
1058 size_t encoded_pt_len = 0;
1059 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1062 /* No key_share received from client */
1063 if (s->hello_retry_request) {
1064 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1065 || !WPACKET_start_sub_packet_u16(pkt)
1066 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1067 || !WPACKET_close(pkt)) {
1068 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1069 ERR_R_INTERNAL_ERROR);
1076 /* Must be resuming. */
1077 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1078 *al = SSL_AD_INTERNAL_ERROR;
1079 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1085 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1086 || !WPACKET_start_sub_packet_u16(pkt)
1087 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1088 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1092 skey = ssl_generate_pkey(ckey);
1094 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1098 /* Generate encoding of server key */
1099 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1100 if (encoded_pt_len == 0) {
1101 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1102 EVP_PKEY_free(skey);
1106 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1107 || !WPACKET_close(pkt)) {
1108 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1109 EVP_PKEY_free(skey);
1110 OPENSSL_free(encodedPoint);
1113 OPENSSL_free(encodedPoint);
1115 /* This causes the crypto state to be updated based on the derived keys */
1116 s->s3->tmp.pkey = skey;
1117 if (ssl_derive(s, skey, ckey, 1) == 0) {
1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1126 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
1127 X509 *x, size_t chainidx, int *al)
1129 const unsigned char cryptopro_ext[36] = {
1130 0xfd, 0xe8, /* 65000 */
1131 0x00, 0x20, /* 32 bytes length */
1132 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1133 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1134 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1135 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1138 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1139 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1140 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1143 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1144 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1151 int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1152 size_t chainidx, int *al)
1157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1158 || !WPACKET_start_sub_packet_u16(pkt)
1159 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1160 || !WPACKET_close(pkt)) {
1161 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);