2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 2 bytes for the hashlen, EVP_MAX_MD_SIZE for
21 * transcript hash, 1 byte for app cookie length, app cookie length bytes,
22 * SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + number of bytes in legacy session id + 2 bytes for ciphersuite
30 * + 1 byte for legacy compression + 2 bytes for extension block length
31 * + 6 bytes for key_share extension + 4 bytes for cookie extension header
32 * + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3->send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
138 if (PACKET_contains_zero_byte(&hostname)) {
139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
153 s->servername_done = 1;
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
170 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
171 X509 *x, size_t chainidx)
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
205 s->session->ext.max_fragment_len_mode = value;
209 #ifndef OPENSSL_NO_SRP
210 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
237 #ifndef OPENSSL_NO_EC
238 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
239 X509 *x, size_t chainidx)
241 PACKET ec_point_format_list;
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
251 if (!PACKET_memdup(&ec_point_format_list,
252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
262 #endif /* OPENSSL_NO_EC */
264 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
265 X509 *x, size_t chainidx)
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
279 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
282 PACKET supported_sig_algs;
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
300 #ifndef OPENSSL_NO_OCSP
301 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302 X509 *x, size_t chainidx)
304 PACKET responder_id_list, exts;
306 /* Not defined if we get one of these in a client Certificate */
310 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
311 SSLfatal(s, SSL_AD_DECODE_ERROR,
312 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
316 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
318 * We don't know what to do with any other type so ignore it.
320 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
324 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
325 SSLfatal(s, SSL_AD_DECODE_ERROR,
326 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
331 * We remove any OCSP_RESPIDs from a previous handshake
332 * to prevent unbounded memory growth - CVE-2016-6304
334 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
335 if (PACKET_remaining(&responder_id_list) > 0) {
336 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
337 if (s->ext.ocsp.ids == NULL) {
338 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
339 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
343 s->ext.ocsp.ids = NULL;
346 while (PACKET_remaining(&responder_id_list) > 0) {
349 const unsigned char *id_data;
351 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
352 || PACKET_remaining(&responder_id) == 0) {
353 SSLfatal(s, SSL_AD_DECODE_ERROR,
354 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
358 id_data = PACKET_data(&responder_id);
359 /* TODO(size_t): Convert d2i_* to size_t */
360 id = d2i_OCSP_RESPID(NULL, &id_data,
361 (int)PACKET_remaining(&responder_id));
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 if (id_data != PACKET_end(&responder_id)) {
369 OCSP_RESPID_free(id);
370 SSLfatal(s, SSL_AD_DECODE_ERROR,
371 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
376 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
377 OCSP_RESPID_free(id);
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
379 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
385 /* Read in request_extensions */
386 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
387 SSLfatal(s, SSL_AD_DECODE_ERROR,
388 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396 X509_EXTENSION_free);
398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400 SSLfatal(s, SSL_AD_DECODE_ERROR,
401 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
410 #ifndef OPENSSL_NO_NEXTPROTONEG
411 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
415 * We shouldn't accept this extension on a
418 if (SSL_IS_FIRST_HANDSHAKE(s))
426 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
427 * extension, not including type and length. Returns: 1 on success, 0 on error.
429 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
432 PACKET protocol_list, save_protocol_list, protocol;
434 if (!SSL_IS_FIRST_HANDSHAKE(s))
437 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
438 || PACKET_remaining(&protocol_list) < 2) {
439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
440 SSL_R_BAD_EXTENSION);
444 save_protocol_list = protocol_list;
446 /* Protocol names can't be empty. */
447 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
448 || PACKET_remaining(&protocol) == 0) {
449 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
450 SSL_R_BAD_EXTENSION);
453 } while (PACKET_remaining(&protocol_list) != 0);
455 OPENSSL_free(s->s3->alpn_proposed);
456 s->s3->alpn_proposed = NULL;
457 s->s3->alpn_proposed_len = 0;
458 if (!PACKET_memdup(&save_protocol_list,
459 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 ERR_R_INTERNAL_ERROR);
468 #ifndef OPENSSL_NO_SRTP
469 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
472 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
473 unsigned int ct, mki_len, id;
477 /* Ignore this if we have no SRTP profiles */
478 if (SSL_get_srtp_profiles(s) == NULL)
481 /* Pull off the length of the cipher suite list and check it is even */
482 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
483 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
485 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489 srvr = SSL_get_srtp_profiles(s);
490 s->srtp_profile = NULL;
491 /* Search all profiles for a match initially */
492 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
494 while (PACKET_remaining(&subpkt)) {
495 if (!PACKET_get_net_2(&subpkt, &id)) {
496 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
497 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
502 * Only look for match in profiles of higher preference than
504 * If no profiles have been have been configured then this
507 for (i = 0; i < srtp_pref; i++) {
508 SRTP_PROTECTION_PROFILE *sprof =
509 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
511 if (sprof->id == id) {
512 s->srtp_profile = sprof;
519 /* Now extract the MKI value as a sanity check, but discard it for now */
520 if (!PACKET_get_1(pkt, &mki_len)) {
521 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
522 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
526 if (!PACKET_forward(pkt, mki_len)
527 || PACKET_remaining(pkt)) {
528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
529 SSL_R_BAD_SRTP_MKI_VALUE);
537 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
540 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
547 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
548 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
550 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
551 X509 *x, size_t chainidx)
553 #ifndef OPENSSL_NO_TLS1_3
554 PACKET psk_kex_modes;
557 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
558 || PACKET_remaining(&psk_kex_modes) == 0) {
559 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
560 SSL_R_BAD_EXTENSION);
564 while (PACKET_get_1(&psk_kex_modes, &mode)) {
565 if (mode == TLSEXT_KEX_MODE_KE_DHE)
566 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
567 else if (mode == TLSEXT_KEX_MODE_KE
568 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
569 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
577 * Process a key_share extension received in the ClientHello. |pkt| contains
578 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
580 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
583 #ifndef OPENSSL_NO_TLS1_3
584 unsigned int group_id;
585 PACKET key_share_list, encoded_pt;
586 const uint16_t *clntgroups, *srvrgroups;
587 size_t clnt_num_groups, srvr_num_groups;
590 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
594 if (s->s3->peer_tmp != NULL) {
595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 ERR_R_INTERNAL_ERROR);
600 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
601 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
602 SSL_R_LENGTH_MISMATCH);
606 /* Get our list of supported groups */
607 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
608 /* Get the clients list of supported groups. */
609 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
610 if (clnt_num_groups == 0) {
612 * This can only happen if the supported_groups extension was not sent,
613 * because we verify that the length is non-zero when we process that
616 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
621 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
623 * If we set a group_id already, then we must have sent an HRR
624 * requesting a new key_share. If we haven't got one then that is an
627 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
628 SSL_R_BAD_KEY_SHARE);
632 while (PACKET_remaining(&key_share_list) > 0) {
633 if (!PACKET_get_net_2(&key_share_list, &group_id)
634 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
635 || PACKET_remaining(&encoded_pt) == 0) {
636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637 SSL_R_LENGTH_MISMATCH);
642 * If we already found a suitable key_share we loop through the
643 * rest to verify the structure, but don't process them.
649 * If we sent an HRR then the key_share sent back MUST be for the group
650 * we requested, and must be the only key_share sent.
652 if (s->s3->group_id != 0
653 && (group_id != s->s3->group_id
654 || PACKET_remaining(&key_share_list) != 0)) {
655 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
656 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
660 /* Check if this share is in supported_groups sent from client */
661 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
663 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
667 /* Check if this share is for a group we can use */
668 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
669 /* Share not suitable */
673 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
674 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
675 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
679 s->s3->group_id = group_id;
681 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
682 PACKET_data(&encoded_pt),
683 PACKET_remaining(&encoded_pt))) {
684 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
685 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
696 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
699 unsigned int format, version, key_share;
702 PACKET cookie, raw, chhash, appcookie;
704 const unsigned char *data, *mdin, *ciphdata;
705 unsigned char hmac[SHA256_DIGEST_LENGTH];
706 unsigned char hrr[MAX_HRR_SIZE];
707 size_t rawlen, hmaclen, hrrlen, ciphlen;
709 /* Ignore any cookie if we're not set up to verify it */
710 if (s->ctx->app_verify_cookie_cb == NULL
711 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
714 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
715 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
716 SSL_R_LENGTH_MISMATCH);
721 data = PACKET_data(&raw);
722 rawlen = PACKET_remaining(&raw);
723 if (rawlen < SHA256_DIGEST_LENGTH
724 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
725 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
726 SSL_R_LENGTH_MISMATCH);
729 mdin = PACKET_data(&raw);
731 /* Verify the HMAC of the cookie */
732 hctx = EVP_MD_CTX_create();
733 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
734 s->session_ctx->ext.cookie_hmac_key,
735 sizeof(s->session_ctx->ext.cookie_hmac_key));
736 if (hctx == NULL || pkey == NULL) {
737 EVP_MD_CTX_free(hctx);
739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
740 ERR_R_MALLOC_FAILURE);
744 hmaclen = sizeof(s->session_ctx->ext.cookie_hmac_key);
745 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
746 || EVP_DigestSignUpdate(hctx, data,
747 rawlen - SHA256_DIGEST_LENGTH) <= 0
748 || EVP_DigestSignFinal(hctx, hmac, &hmaclen) <= 0
749 || hmaclen != SHA256_DIGEST_LENGTH) {
750 EVP_MD_CTX_free(hctx);
752 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
753 ERR_R_INTERNAL_ERROR);
757 EVP_MD_CTX_free(hctx);
760 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
761 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
762 SSL_R_COOKIE_MISMATCH);
766 if (!PACKET_get_net_2(&cookie, &format)) {
767 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
768 SSL_R_LENGTH_MISMATCH);
771 /* Check the cookie format is something we recognise. Ignore it if not */
772 if (format != COOKIE_STATE_FORMAT_VERSION)
776 * The rest of these checks really shouldn't fail since we have verified the
780 /* Check the version number is sane */
781 if (!PACKET_get_net_2(&cookie, &version)) {
782 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
783 SSL_R_LENGTH_MISMATCH);
786 if (version != TLS1_3_VERSION) {
787 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
788 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
792 if (!PACKET_get_net_2(&cookie, &s->s3->group_id)) {
793 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
794 SSL_R_LENGTH_MISMATCH);
797 ciphdata = PACKET_data(&cookie);
798 if (!PACKET_forward(&cookie, 2)) {
799 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
800 SSL_R_LENGTH_MISMATCH);
803 s->s3->tmp.new_cipher = ssl_get_cipher_by_char(s, ciphdata, 0);
804 if (s->s3->tmp.new_cipher == NULL) {
805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
806 ERR_R_INTERNAL_ERROR);
810 if (!PACKET_get_1(&cookie, &key_share)
811 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
812 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
813 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
814 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
815 SSL_R_LENGTH_MISMATCH);
819 /* Verify the app cookie */
820 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
821 PACKET_remaining(&appcookie)) == 0) {
822 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
823 SSL_R_COOKIE_MISMATCH);
828 * Reconstruct the HRR that we would have sent in response to the original
829 * ClientHello so we can add it to the transcript hash.
830 * Note: This won't work with custom HRR extensions
832 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
833 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
834 ERR_R_INTERNAL_ERROR);
837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838 || !WPACKET_start_sub_packet_u24(&hrrpkt)
839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842 s->tmp_session_id_len)
843 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
845 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847 WPACKET_cleanup(&hrrpkt);
848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
849 ERR_R_INTERNAL_ERROR);
852 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
853 || !WPACKET_start_sub_packet_u16(&hrrpkt)
854 /* TODO(TLS1.3): Fix this before release */
855 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
856 || !WPACKET_close(&hrrpkt)) {
857 WPACKET_cleanup(&hrrpkt);
858 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
859 ERR_R_INTERNAL_ERROR);
863 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
864 || !WPACKET_start_sub_packet_u16(&hrrpkt)
865 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
866 || !WPACKET_close(&hrrpkt)) {
867 WPACKET_cleanup(&hrrpkt);
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 ERR_R_INTERNAL_ERROR);
873 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
874 || !WPACKET_start_sub_packet_u16(&hrrpkt)
875 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
876 || !WPACKET_close(&hrrpkt) /* cookie extension */
877 || !WPACKET_close(&hrrpkt) /* extension block */
878 || !WPACKET_close(&hrrpkt) /* message */
879 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
880 || !WPACKET_finish(&hrrpkt)) {
881 WPACKET_cleanup(&hrrpkt);
882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
883 ERR_R_INTERNAL_ERROR);
887 /* Reconstruct the transcript hash */
888 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
889 PACKET_remaining(&chhash), hrr,
891 /* SSLfatal() already called */
895 /* Act as if this ClientHello came after a HelloRetryRequest */
896 s->hello_retry_request = 1;
903 #ifndef OPENSSL_NO_EC
904 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
905 X509 *x, size_t chainidx)
907 PACKET supported_groups_list;
909 /* Each group is 2 bytes and we must have at least 1. */
910 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
911 || PACKET_remaining(&supported_groups_list) == 0
912 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
913 SSLfatal(s, SSL_AD_DECODE_ERROR,
914 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
918 if (!s->hit || SSL_IS_TLS13(s)) {
919 OPENSSL_free(s->session->ext.supportedgroups);
920 s->session->ext.supportedgroups = NULL;
921 s->session->ext.supportedgroups_len = 0;
922 if (!tls1_save_u16(&supported_groups_list,
923 &s->session->ext.supportedgroups,
924 &s->session->ext.supportedgroups_len)) {
925 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
926 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
927 ERR_R_INTERNAL_ERROR);
936 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
939 /* The extension must always be empty */
940 if (PACKET_remaining(pkt) != 0) {
941 SSLfatal(s, SSL_AD_DECODE_ERROR,
942 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
946 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
952 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
953 X509 *x, size_t chainidx)
955 if (PACKET_remaining(pkt) != 0) {
956 SSLfatal(s, SSL_AD_DECODE_ERROR,
957 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
961 if (s->hello_retry_request != SSL_HRR_NONE) {
962 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
963 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
970 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
973 PACKET identities, binders, binder;
974 size_t binderoffset, hashsize;
975 SSL_SESSION *sess = NULL;
976 unsigned int id, i, ext = 0;
977 const EVP_MD *md = NULL;
980 * If we have no PSK kex mode that we recognise then we can't resume so
981 * ignore this extension
983 if ((s->ext.psk_kex_mode
984 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
987 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
988 SSLfatal(s, SSL_AD_DECODE_ERROR,
989 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
993 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
995 unsigned long ticket_agel;
997 if (!PACKET_get_length_prefixed_2(&identities, &identity)
998 || !PACKET_get_net_4(&identities, &ticket_agel)) {
999 SSLfatal(s, SSL_AD_DECODE_ERROR,
1000 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1004 if (s->psk_find_session_cb != NULL
1005 && !s->psk_find_session_cb(s, PACKET_data(&identity),
1006 PACKET_remaining(&identity),
1008 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1009 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1014 /* We found a PSK */
1015 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1017 if (sesstmp == NULL) {
1018 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1019 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1022 SSL_SESSION_free(sess);
1026 * We've just been told to use this session for this context so
1027 * make sure the sid_ctx matches up.
1029 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1030 sess->sid_ctx_length = s->sid_ctx_length;
1033 s->ext.early_data_ok = 1;
1035 uint32_t ticket_age = 0, now, agesec, agems;
1036 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1037 PACKET_remaining(&identity), NULL, 0,
1040 if (ret == TICKET_FATAL_ERR_MALLOC
1041 || ret == TICKET_FATAL_ERR_OTHER) {
1042 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1043 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1046 if (ret == TICKET_NO_DECRYPT)
1049 ticket_age = (uint32_t)ticket_agel;
1050 now = (uint32_t)time(NULL);
1051 agesec = now - (uint32_t)sess->time;
1052 agems = agesec * (uint32_t)1000;
1053 ticket_age -= sess->ext.tick_age_add;
1056 * For simplicity we do our age calculations in seconds. If the
1057 * client does it in ms then it could appear that their ticket age
1058 * is longer than ours (our ticket age calculation should always be
1059 * slightly longer than the client's due to the network latency).
1060 * Therefore we add 1000ms to our age calculation to adjust for
1064 && sess->timeout >= (long)agesec
1065 && agems / (uint32_t)1000 == agesec
1066 && ticket_age <= agems + 1000
1067 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1069 * Ticket age is within tolerance and not expired. We allow it
1072 s->ext.early_data_ok = 1;
1076 md = ssl_md(sess->cipher->algorithm2);
1077 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1078 /* The ciphersuite is not compatible with this session. */
1079 SSL_SESSION_free(sess);
1081 s->ext.early_data_ok = 0;
1090 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1091 hashsize = EVP_MD_size(md);
1093 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1094 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1095 SSL_R_BAD_EXTENSION);
1099 for (i = 0; i <= id; i++) {
1100 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1101 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1102 SSL_R_BAD_EXTENSION);
1107 if (PACKET_remaining(&binder) != hashsize) {
1108 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1109 SSL_R_BAD_EXTENSION);
1112 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1113 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1115 /* SSLfatal() already called */
1119 sess->ext.tick_identity = id;
1121 SSL_SESSION_free(s->session);
1125 SSL_SESSION_free(sess);
1130 * Add the server's renegotiation binding
1132 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1133 unsigned int context, X509 *x,
1136 if (!s->s3->send_connection_binding)
1137 return EXT_RETURN_NOT_SENT;
1139 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1140 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1141 || !WPACKET_start_sub_packet_u16(pkt)
1142 || !WPACKET_start_sub_packet_u8(pkt)
1143 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1144 s->s3->previous_client_finished_len)
1145 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1146 s->s3->previous_server_finished_len)
1147 || !WPACKET_close(pkt)
1148 || !WPACKET_close(pkt)) {
1149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1150 ERR_R_INTERNAL_ERROR);
1151 return EXT_RETURN_FAIL;
1154 return EXT_RETURN_SENT;
1157 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1158 unsigned int context, X509 *x,
1161 if (s->hit || s->servername_done != 1
1162 || s->session->ext.hostname == NULL)
1163 return EXT_RETURN_NOT_SENT;
1165 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1166 || !WPACKET_put_bytes_u16(pkt, 0)) {
1167 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1168 ERR_R_INTERNAL_ERROR);
1169 return EXT_RETURN_FAIL;
1172 return EXT_RETURN_SENT;
1175 /* Add/include the server's max fragment len extension into ServerHello */
1176 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1177 unsigned int context, X509 *x,
1180 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1181 return EXT_RETURN_NOT_SENT;
1184 * 4 bytes for this extension type and extension length
1185 * 1 byte for the Max Fragment Length code value.
1187 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1188 || !WPACKET_start_sub_packet_u16(pkt)
1189 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1190 || !WPACKET_close(pkt)) {
1191 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1192 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1193 return EXT_RETURN_FAIL;
1196 return EXT_RETURN_SENT;
1199 #ifndef OPENSSL_NO_EC
1200 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1201 unsigned int context, X509 *x,
1204 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1205 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1206 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1207 && (s->session->ext.ecpointformats != NULL);
1208 const unsigned char *plist;
1212 return EXT_RETURN_NOT_SENT;
1214 tls1_get_formatlist(s, &plist, &plistlen);
1215 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1216 || !WPACKET_start_sub_packet_u16(pkt)
1217 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1218 || !WPACKET_close(pkt)) {
1219 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1220 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1221 return EXT_RETURN_FAIL;
1224 return EXT_RETURN_SENT;
1228 #ifndef OPENSSL_NO_EC
1229 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1230 unsigned int context, X509 *x,
1233 const uint16_t *groups;
1234 size_t numgroups, i, first = 1;
1236 /* s->s3->group_id is non zero if we accepted a key_share */
1237 if (s->s3->group_id == 0)
1238 return EXT_RETURN_NOT_SENT;
1240 /* Get our list of supported groups */
1241 tls1_get_supported_groups(s, &groups, &numgroups);
1242 if (numgroups == 0) {
1243 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1244 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1245 return EXT_RETURN_FAIL;
1248 /* Copy group ID if supported */
1249 for (i = 0; i < numgroups; i++) {
1250 uint16_t group = groups[i];
1252 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1255 * Check if the client is already using our preferred group. If
1256 * so we don't need to add this extension
1258 if (s->s3->group_id == group)
1259 return EXT_RETURN_NOT_SENT;
1261 /* Add extension header */
1262 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1263 /* Sub-packet for supported_groups extension */
1264 || !WPACKET_start_sub_packet_u16(pkt)
1265 || !WPACKET_start_sub_packet_u16(pkt)) {
1266 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1267 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1268 ERR_R_INTERNAL_ERROR);
1269 return EXT_RETURN_FAIL;
1274 if (!WPACKET_put_bytes_u16(pkt, group)) {
1275 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1276 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1277 ERR_R_INTERNAL_ERROR);
1278 return EXT_RETURN_FAIL;
1283 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1284 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1285 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1286 ERR_R_INTERNAL_ERROR);
1287 return EXT_RETURN_FAIL;
1290 return EXT_RETURN_SENT;
1294 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1295 unsigned int context, X509 *x,
1298 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1299 s->ext.ticket_expected = 0;
1300 return EXT_RETURN_NOT_SENT;
1303 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1304 || !WPACKET_put_bytes_u16(pkt, 0)) {
1305 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1306 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1307 return EXT_RETURN_FAIL;
1310 return EXT_RETURN_SENT;
1313 #ifndef OPENSSL_NO_OCSP
1314 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1315 unsigned int context, X509 *x,
1318 if (!s->ext.status_expected)
1319 return EXT_RETURN_NOT_SENT;
1321 if (SSL_IS_TLS13(s) && chainidx != 0)
1322 return EXT_RETURN_NOT_SENT;
1324 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1325 || !WPACKET_start_sub_packet_u16(pkt)) {
1326 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1327 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1328 return EXT_RETURN_FAIL;
1332 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1333 * send back an empty extension, with the certificate status appearing as a
1336 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1337 /* SSLfatal() already called */
1338 return EXT_RETURN_FAIL;
1340 if (!WPACKET_close(pkt)) {
1341 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1342 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1343 return EXT_RETURN_FAIL;
1346 return EXT_RETURN_SENT;
1350 #ifndef OPENSSL_NO_NEXTPROTONEG
1351 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1352 unsigned int context, X509 *x,
1355 const unsigned char *npa;
1356 unsigned int npalen;
1358 int npn_seen = s->s3->npn_seen;
1360 s->s3->npn_seen = 0;
1361 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1362 return EXT_RETURN_NOT_SENT;
1364 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1365 s->ctx->ext.npn_advertised_cb_arg);
1366 if (ret == SSL_TLSEXT_ERR_OK) {
1367 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1368 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1369 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1370 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1371 ERR_R_INTERNAL_ERROR);
1372 return EXT_RETURN_FAIL;
1374 s->s3->npn_seen = 1;
1377 return EXT_RETURN_SENT;
1381 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1382 X509 *x, size_t chainidx)
1384 if (s->s3->alpn_selected == NULL)
1385 return EXT_RETURN_NOT_SENT;
1387 if (!WPACKET_put_bytes_u16(pkt,
1388 TLSEXT_TYPE_application_layer_protocol_negotiation)
1389 || !WPACKET_start_sub_packet_u16(pkt)
1390 || !WPACKET_start_sub_packet_u16(pkt)
1391 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1392 s->s3->alpn_selected_len)
1393 || !WPACKET_close(pkt)
1394 || !WPACKET_close(pkt)) {
1395 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1396 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1397 return EXT_RETURN_FAIL;
1400 return EXT_RETURN_SENT;
1403 #ifndef OPENSSL_NO_SRTP
1404 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1405 unsigned int context, X509 *x,
1408 if (s->srtp_profile == NULL)
1409 return EXT_RETURN_NOT_SENT;
1411 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1412 || !WPACKET_start_sub_packet_u16(pkt)
1413 || !WPACKET_put_bytes_u16(pkt, 2)
1414 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1415 || !WPACKET_put_bytes_u8(pkt, 0)
1416 || !WPACKET_close(pkt)) {
1417 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1418 ERR_R_INTERNAL_ERROR);
1419 return EXT_RETURN_FAIL;
1422 return EXT_RETURN_SENT;
1426 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1427 X509 *x, size_t chainidx)
1429 if (!s->ext.use_etm)
1430 return EXT_RETURN_NOT_SENT;
1433 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1434 * for other cases too.
1436 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1437 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1438 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1439 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1441 return EXT_RETURN_NOT_SENT;
1444 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1445 || !WPACKET_put_bytes_u16(pkt, 0)) {
1446 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1447 ERR_R_INTERNAL_ERROR);
1448 return EXT_RETURN_FAIL;
1451 return EXT_RETURN_SENT;
1454 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1455 X509 *x, size_t chainidx)
1457 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1458 return EXT_RETURN_NOT_SENT;
1460 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1461 || !WPACKET_put_bytes_u16(pkt, 0)) {
1462 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1463 ERR_R_INTERNAL_ERROR);
1464 return EXT_RETURN_FAIL;
1467 return EXT_RETURN_SENT;
1470 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1471 unsigned int context, X509 *x,
1474 if (!SSL_IS_TLS13(s))
1475 return EXT_RETURN_NOT_SENT;
1477 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1478 || !WPACKET_start_sub_packet_u16(pkt)
1479 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1480 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1481 || !WPACKET_close(pkt)) {
1482 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1483 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1484 ERR_R_INTERNAL_ERROR);
1485 return EXT_RETURN_FAIL;
1488 return EXT_RETURN_SENT;
1491 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1492 unsigned int context, X509 *x,
1495 #ifndef OPENSSL_NO_TLS1_3
1496 unsigned char *encodedPoint;
1497 size_t encoded_pt_len = 0;
1498 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1501 /* No key_share received from client */
1502 if (s->hello_retry_request == SSL_HRR_PENDING) {
1503 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1504 || !WPACKET_start_sub_packet_u16(pkt)
1505 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1506 || !WPACKET_close(pkt)) {
1507 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1508 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1509 ERR_R_INTERNAL_ERROR);
1510 return EXT_RETURN_FAIL;
1513 return EXT_RETURN_SENT;
1516 /* Must be resuming. */
1517 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1518 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1519 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1520 return EXT_RETURN_FAIL;
1522 return EXT_RETURN_NOT_SENT;
1525 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1526 || !WPACKET_start_sub_packet_u16(pkt)
1527 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1528 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1529 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1530 return EXT_RETURN_FAIL;
1533 skey = ssl_generate_pkey(ckey);
1535 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1536 ERR_R_MALLOC_FAILURE);
1537 return EXT_RETURN_FAIL;
1540 /* Generate encoding of server key */
1541 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1542 if (encoded_pt_len == 0) {
1543 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1545 EVP_PKEY_free(skey);
1546 return EXT_RETURN_FAIL;
1549 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1550 || !WPACKET_close(pkt)) {
1551 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1552 ERR_R_INTERNAL_ERROR);
1553 EVP_PKEY_free(skey);
1554 OPENSSL_free(encodedPoint);
1555 return EXT_RETURN_FAIL;
1557 OPENSSL_free(encodedPoint);
1559 /* This causes the crypto state to be updated based on the derived keys */
1560 s->s3->tmp.pkey = skey;
1561 if (ssl_derive(s, skey, ckey, 1) == 0) {
1562 /* SSLfatal() already called */
1563 return EXT_RETURN_FAIL;
1567 return EXT_RETURN_SENT;
1570 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1571 X509 *x, size_t chainidx)
1573 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1574 unsigned char *hmac, *hmac2;
1575 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
1576 unsigned int appcookielen;
1579 int ret = EXT_RETURN_FAIL;
1581 if (s->ctx->app_gen_cookie_cb == NULL
1582 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1583 return EXT_RETURN_NOT_SENT;
1585 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1586 || !WPACKET_start_sub_packet_u16(pkt)
1587 || !WPACKET_start_sub_packet_u16(pkt)
1588 || !WPACKET_get_total_written(pkt, &startlen)
1589 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1590 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1591 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1592 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1593 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1595 /* Is there a key_share extension present in this HRR? */
1596 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1597 || !WPACKET_start_sub_packet_u16(pkt)
1598 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1599 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1600 ERR_R_INTERNAL_ERROR);
1601 return EXT_RETURN_FAIL;
1605 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1606 * on raw buffers, so we first reserve sufficient bytes (above) and then
1607 * subsequently allocate them (below)
1609 if (!ssl3_digest_cached_records(s, 0)
1610 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1611 /* SSLfatal() already called */
1612 return EXT_RETURN_FAIL;
1615 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1616 || !ossl_assert(hashval1 == hashval2)
1617 || !WPACKET_close(pkt)
1618 || !WPACKET_start_sub_packet_u8(pkt)
1619 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1621 ERR_R_INTERNAL_ERROR);
1622 return EXT_RETURN_FAIL;
1625 /* Generate the application cookie */
1626 if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1628 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1629 return EXT_RETURN_FAIL;
1632 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1633 || !ossl_assert(appcookie1 == appcookie2)
1634 || !WPACKET_close(pkt)
1635 || !WPACKET_get_total_written(pkt, &totcookielen)
1636 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1638 ERR_R_INTERNAL_ERROR);
1639 return EXT_RETURN_FAIL;
1641 hmaclen = SHA256_DIGEST_LENGTH;
1643 totcookielen -= startlen;
1644 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1645 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1646 ERR_R_INTERNAL_ERROR);
1647 return EXT_RETURN_FAIL;
1650 /* HMAC the cookie */
1651 hctx = EVP_MD_CTX_create();
1652 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
1653 s->session_ctx->ext.cookie_hmac_key,
1654 sizeof(s->session_ctx->ext.cookie_hmac_key));
1655 if (hctx == NULL || pkey == NULL) {
1656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1657 ERR_R_MALLOC_FAILURE);
1661 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1662 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1663 totcookielen) <= 0) {
1664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1665 ERR_R_INTERNAL_ERROR);
1669 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1670 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1671 ERR_R_INTERNAL_ERROR);
1675 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1676 || !ossl_assert(hmac == hmac2)
1677 || !ossl_assert(cookie == hmac - totcookielen)
1678 || !WPACKET_close(pkt)
1679 || !WPACKET_close(pkt)) {
1680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1681 ERR_R_INTERNAL_ERROR);
1685 ret = EXT_RETURN_SENT;
1688 EVP_MD_CTX_free(hctx);
1689 EVP_PKEY_free(pkey);
1693 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1694 unsigned int context, X509 *x,
1697 const unsigned char cryptopro_ext[36] = {
1698 0xfd, 0xe8, /* 65000 */
1699 0x00, 0x20, /* 32 bytes length */
1700 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1701 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1702 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1703 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1706 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1707 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1708 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1709 return EXT_RETURN_NOT_SENT;
1711 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1712 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1713 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1714 return EXT_RETURN_FAIL;
1717 return EXT_RETURN_SENT;
1720 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1721 unsigned int context, X509 *x,
1724 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1725 if (s->max_early_data == 0)
1726 return EXT_RETURN_NOT_SENT;
1728 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1729 || !WPACKET_start_sub_packet_u16(pkt)
1730 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1731 || !WPACKET_close(pkt)) {
1732 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1733 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1734 return EXT_RETURN_FAIL;
1737 return EXT_RETURN_SENT;
1740 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1741 return EXT_RETURN_NOT_SENT;
1743 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1744 || !WPACKET_start_sub_packet_u16(pkt)
1745 || !WPACKET_close(pkt)) {
1746 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1747 ERR_R_INTERNAL_ERROR);
1748 return EXT_RETURN_FAIL;
1751 return EXT_RETURN_SENT;
1754 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1755 X509 *x, size_t chainidx)
1758 return EXT_RETURN_NOT_SENT;
1760 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1761 || !WPACKET_start_sub_packet_u16(pkt)
1762 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1763 || !WPACKET_close(pkt)) {
1764 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1765 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1766 return EXT_RETURN_FAIL;
1769 return EXT_RETURN_SENT;