2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
125 s->servername_done = 1;
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
139 #ifndef OPENSSL_NO_SRP
140 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
141 size_t chainidx, int *al)
145 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
146 || PACKET_contains_zero_byte(&srp_I)) {
147 *al = SSL_AD_DECODE_ERROR;
152 * TODO(openssl-team): currently, we re-authenticate the user
153 * upon resumption. Instead, we MUST ignore the login.
155 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
156 *al = SSL_AD_INTERNAL_ERROR;
164 #ifndef OPENSSL_NO_EC
165 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
166 X509 *x, size_t chainidx, int *al)
168 PACKET ec_point_format_list;
170 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
171 || PACKET_remaining(&ec_point_format_list) == 0) {
172 *al = SSL_AD_DECODE_ERROR;
177 if (!PACKET_memdup(&ec_point_format_list,
178 &s->session->ext.ecpointformats,
179 &s->session->ext.ecpointformats_len)) {
180 *al = SSL_AD_INTERNAL_ERROR;
187 #endif /* OPENSSL_NO_EC */
189 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
190 X509 *x, size_t chainidx, int *al)
192 if (s->ext.session_ticket_cb &&
193 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
194 PACKET_remaining(pkt),
195 s->ext.session_ticket_cb_arg)) {
196 *al = SSL_AD_INTERNAL_ERROR;
203 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
204 size_t chainidx, int *al)
206 PACKET supported_sig_algs;
208 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
209 || PACKET_remaining(&supported_sig_algs) == 0) {
210 *al = SSL_AD_DECODE_ERROR;
214 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
215 *al = SSL_AD_DECODE_ERROR;
222 #ifndef OPENSSL_NO_OCSP
223 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
224 X509 *x, size_t chainidx, int *al)
226 PACKET responder_id_list, exts;
228 /* Not defined if we get one of these in a client Certificate */
232 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
233 *al = SSL_AD_DECODE_ERROR;
237 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
239 * We don't know what to do with any other type so ignore it.
241 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
245 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
246 *al = SSL_AD_DECODE_ERROR;
251 * We remove any OCSP_RESPIDs from a previous handshake
252 * to prevent unbounded memory growth - CVE-2016-6304
254 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
255 if (PACKET_remaining(&responder_id_list) > 0) {
256 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
257 if (s->ext.ocsp.ids == NULL) {
258 *al = SSL_AD_INTERNAL_ERROR;
262 s->ext.ocsp.ids = NULL;
265 while (PACKET_remaining(&responder_id_list) > 0) {
268 const unsigned char *id_data;
270 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
271 || PACKET_remaining(&responder_id) == 0) {
272 *al = SSL_AD_DECODE_ERROR;
276 id_data = PACKET_data(&responder_id);
277 /* TODO(size_t): Convert d2i_* to size_t */
278 id = d2i_OCSP_RESPID(NULL, &id_data,
279 (int)PACKET_remaining(&responder_id));
281 *al = SSL_AD_DECODE_ERROR;
285 if (id_data != PACKET_end(&responder_id)) {
286 OCSP_RESPID_free(id);
287 *al = SSL_AD_DECODE_ERROR;
291 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
292 OCSP_RESPID_free(id);
293 *al = SSL_AD_INTERNAL_ERROR;
298 /* Read in request_extensions */
299 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
300 *al = SSL_AD_DECODE_ERROR;
304 if (PACKET_remaining(&exts) > 0) {
305 const unsigned char *ext_data = PACKET_data(&exts);
307 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
308 X509_EXTENSION_free);
310 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
311 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
312 *al = SSL_AD_DECODE_ERROR;
321 #ifndef OPENSSL_NO_NEXTPROTONEG
322 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
323 size_t chainidx, int *al)
326 * We shouldn't accept this extension on a
329 if (SSL_IS_FIRST_HANDSHAKE(s))
337 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
338 * extension, not including type and length. |al| is a pointer to the alert
339 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
341 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
342 size_t chainidx, int *al)
344 PACKET protocol_list, save_protocol_list, protocol;
346 if (!SSL_IS_FIRST_HANDSHAKE(s))
349 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
350 || PACKET_remaining(&protocol_list) < 2) {
351 *al = SSL_AD_DECODE_ERROR;
355 save_protocol_list = protocol_list;
357 /* Protocol names can't be empty. */
358 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
359 || PACKET_remaining(&protocol) == 0) {
360 *al = SSL_AD_DECODE_ERROR;
363 } while (PACKET_remaining(&protocol_list) != 0);
365 OPENSSL_free(s->s3->alpn_proposed);
366 s->s3->alpn_proposed = NULL;
367 s->s3->alpn_proposed_len = 0;
368 if (!PACKET_memdup(&save_protocol_list,
369 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
370 *al = SSL_AD_INTERNAL_ERROR;
377 #ifndef OPENSSL_NO_SRTP
378 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
379 size_t chainidx, int *al)
381 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
382 unsigned int ct, mki_len, id;
386 /* Ignore this if we have no SRTP profiles */
387 if (SSL_get_srtp_profiles(s) == NULL)
390 /* Pull off the length of the cipher suite list and check it is even */
391 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
392 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
393 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
394 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
395 *al = SSL_AD_DECODE_ERROR;
399 srvr = SSL_get_srtp_profiles(s);
400 s->srtp_profile = NULL;
401 /* Search all profiles for a match initially */
402 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404 while (PACKET_remaining(&subpkt)) {
405 if (!PACKET_get_net_2(&subpkt, &id)) {
406 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
407 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
408 *al = SSL_AD_DECODE_ERROR;
413 * Only look for match in profiles of higher preference than
415 * If no profiles have been have been configured then this
418 for (i = 0; i < srtp_pref; i++) {
419 SRTP_PROTECTION_PROFILE *sprof =
420 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422 if (sprof->id == id) {
423 s->srtp_profile = sprof;
430 /* Now extract the MKI value as a sanity check, but discard it for now */
431 if (!PACKET_get_1(pkt, &mki_len)) {
432 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
433 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
434 *al = SSL_AD_DECODE_ERROR;
438 if (!PACKET_forward(pkt, mki_len)
439 || PACKET_remaining(pkt)) {
440 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
441 *al = SSL_AD_DECODE_ERROR;
449 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
450 size_t chainidx, int *al)
452 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
459 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
460 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
461 * If a failure occurs then |*al| is set to an appropriate alert value.
463 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
464 X509 *x, size_t chainidx, int *al)
466 #ifndef OPENSSL_NO_TLS1_3
467 PACKET psk_kex_modes;
470 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
471 || PACKET_remaining(&psk_kex_modes) == 0) {
472 *al = SSL_AD_DECODE_ERROR;
476 while (PACKET_get_1(&psk_kex_modes, &mode)) {
477 if (mode == TLSEXT_KEX_MODE_KE_DHE)
478 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
479 else if (mode == TLSEXT_KEX_MODE_KE
480 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
493 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
496 #ifndef OPENSSL_NO_TLS1_3
497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
515 *al = SSL_AD_DECODE_ERROR;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
527 /* Get the clients list of supported curves. */
528 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
529 *al = SSL_AD_INTERNAL_ERROR;
530 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
533 if (clnt_num_curves == 0) {
535 * This can only happen if the supported_groups extension was not sent,
536 * because we verify that the length is non-zero when we process that
539 *al = SSL_AD_MISSING_EXTENSION;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
541 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
545 while (PACKET_remaining(&key_share_list) > 0) {
546 if (!PACKET_get_net_2(&key_share_list, &group_id)
547 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
548 || PACKET_remaining(&encoded_pt) == 0) {
549 *al = SSL_AD_DECODE_ERROR;
550 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
551 SSL_R_LENGTH_MISMATCH);
556 * If we already found a suitable key_share we loop through the
557 * rest to verify the structure, but don't process them.
562 /* Check if this share is in supported_groups sent from client */
563 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
564 *al = SSL_AD_ILLEGAL_PARAMETER;
565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
569 /* Check if this share is for a group we can use */
570 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
571 /* Share not suitable */
575 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
577 if (group_nid == 0) {
578 *al = SSL_AD_INTERNAL_ERROR;
579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
580 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
584 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
585 /* Can happen for some curves, e.g. X25519 */
586 EVP_PKEY *key = EVP_PKEY_new();
588 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
589 *al = SSL_AD_INTERNAL_ERROR;
590 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
594 s->s3->peer_tmp = key;
596 /* Set up EVP_PKEY with named curve as parameters */
597 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
600 || EVP_PKEY_paramgen_init(pctx) <= 0
601 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
603 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
604 *al = SSL_AD_INTERNAL_ERROR;
605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
606 EVP_PKEY_CTX_free(pctx);
609 EVP_PKEY_CTX_free(pctx);
612 s->s3->group_id = group_id;
614 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
615 PACKET_data(&encoded_pt),
616 PACKET_remaining(&encoded_pt))) {
617 *al = SSL_AD_ILLEGAL_PARAMETER;
618 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
629 #ifndef OPENSSL_NO_EC
630 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
631 X509 *x, size_t chainidx, int *al)
633 PACKET supported_groups_list;
635 /* Each group is 2 bytes and we must have at least 1. */
636 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
637 || PACKET_remaining(&supported_groups_list) == 0
638 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
639 *al = SSL_AD_DECODE_ERROR;
643 if (!s->hit || SSL_IS_TLS13(s)) {
644 OPENSSL_free(s->session->ext.supportedgroups);
645 s->session->ext.supportedgroups = NULL;
646 s->session->ext.supportedgroups_len = 0;
647 if (!PACKET_memdup(&supported_groups_list,
648 &s->session->ext.supportedgroups,
649 &s->session->ext.supportedgroups_len)) {
650 *al = SSL_AD_INTERNAL_ERROR;
659 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
660 size_t chainidx, int *al)
662 /* The extension must always be empty */
663 if (PACKET_remaining(pkt) != 0) {
664 *al = SSL_AD_DECODE_ERROR;
668 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
674 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
675 X509 *x, size_t chainidx, int *al)
677 if (PACKET_remaining(pkt) != 0) {
678 *al = SSL_AD_DECODE_ERROR;
682 if (s->hello_retry_request) {
683 *al = SSL_AD_ILLEGAL_PARAMETER;
690 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
691 size_t chainidx, int *al)
693 PACKET identities, binders, binder;
694 size_t binderoffset, hashsize;
695 SSL_SESSION *sess = NULL;
696 unsigned int id, i, ext = 0;
697 const EVP_MD *md = NULL;
700 * If we have no PSK kex mode that we recognise then we can't resume so
701 * ignore this extension
703 if ((s->ext.psk_kex_mode
704 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
707 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
708 *al = SSL_AD_DECODE_ERROR;
712 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
714 unsigned long ticket_agel;
716 if (!PACKET_get_length_prefixed_2(&identities, &identity)
717 || !PACKET_get_net_4(&identities, &ticket_agel)) {
718 *al = SSL_AD_DECODE_ERROR;
722 if (s->psk_find_session_cb != NULL
723 && !s->psk_find_session_cb(s, PACKET_data(&identity),
724 PACKET_remaining(&identity),
726 *al = SSL_AD_INTERNAL_ERROR;
732 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
734 if (sesstmp == NULL) {
735 *al = SSL_AD_INTERNAL_ERROR;
738 SSL_SESSION_free(sess);
742 * We've just been told to use this session for this context so
743 * make sure the sid_ctx matches up.
745 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
746 sess->sid_ctx_length = s->sid_ctx_length;
749 uint32_t ticket_age = 0, now, agesec, agems;
750 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
751 PACKET_remaining(&identity), NULL, 0,
754 if (ret == TICKET_FATAL_ERR_MALLOC
755 || ret == TICKET_FATAL_ERR_OTHER) {
756 *al = SSL_AD_INTERNAL_ERROR;
759 if (ret == TICKET_NO_DECRYPT)
762 ticket_age = (uint32_t)ticket_agel;
763 now = (uint32_t)time(NULL);
764 agesec = now - (uint32_t)sess->time;
765 agems = agesec * (uint32_t)1000;
766 ticket_age -= sess->ext.tick_age_add;
769 * For simplicity we do our age calculations in seconds. If the
770 * client does it in ms then it could appear that their ticket age
771 * is longer than ours (our ticket age calculation should always be
772 * slightly longer than the client's due to the network latency).
773 * Therefore we add 1000ms to our age calculation to adjust for
776 if (sess->timeout >= (long)agesec
777 && agems / (uint32_t)1000 == agesec
778 && ticket_age <= agems + 1000
779 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
781 * Ticket age is within tolerance and not expired. We allow it
784 s->ext.early_data_ok = 1;
788 md = ssl_md(sess->cipher->algorithm2);
789 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
790 /* The ciphersuite is not compatible with this session. */
791 SSL_SESSION_free(sess);
801 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
802 hashsize = EVP_MD_size(md);
804 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
805 *al = SSL_AD_DECODE_ERROR;
809 for (i = 0; i <= id; i++) {
810 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
811 *al = SSL_AD_DECODE_ERROR;
816 if (PACKET_remaining(&binder) != hashsize
817 || tls_psk_do_binder(s, md,
818 (const unsigned char *)s->init_buf->data,
819 binderoffset, PACKET_data(&binder), NULL,
820 sess, 0, ext) != 1) {
821 *al = SSL_AD_DECODE_ERROR;
822 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
826 sess->ext.tick_identity = id;
828 SSL_SESSION_free(s->session);
832 SSL_SESSION_free(sess);
837 * Add the server's renegotiation binding
839 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
840 unsigned int context, X509 *x,
841 size_t chainidx, int *al)
843 if (!s->s3->send_connection_binding)
844 return EXT_RETURN_NOT_SENT;
846 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
847 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
848 || !WPACKET_start_sub_packet_u16(pkt)
849 || !WPACKET_start_sub_packet_u8(pkt)
850 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
851 s->s3->previous_client_finished_len)
852 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
853 s->s3->previous_server_finished_len)
854 || !WPACKET_close(pkt)
855 || !WPACKET_close(pkt)) {
856 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
857 return EXT_RETURN_FAIL;
860 return EXT_RETURN_SENT;
863 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
864 unsigned int context, X509 *x,
865 size_t chainidx, int *al)
867 if (s->hit || s->servername_done != 1
868 || s->session->ext.hostname == NULL)
869 return EXT_RETURN_NOT_SENT;
871 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
872 || !WPACKET_put_bytes_u16(pkt, 0)) {
873 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
874 return EXT_RETURN_FAIL;
877 return EXT_RETURN_SENT;
880 #ifndef OPENSSL_NO_EC
881 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
882 unsigned int context, X509 *x,
883 size_t chainidx, int *al)
885 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
886 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
887 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
888 && (s->session->ext.ecpointformats != NULL);
889 const unsigned char *plist;
893 return EXT_RETURN_NOT_SENT;
895 tls1_get_formatlist(s, &plist, &plistlen);
896 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
897 || !WPACKET_start_sub_packet_u16(pkt)
898 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
899 || !WPACKET_close(pkt)) {
900 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
901 return EXT_RETURN_FAIL;
904 return EXT_RETURN_SENT;
908 #ifndef OPENSSL_NO_EC
909 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
910 unsigned int context, X509 *x,
911 size_t chainidx, int *al)
913 const unsigned char *groups;
914 size_t numgroups, i, first = 1;
916 /* s->s3->group_id is non zero if we accepted a key_share */
917 if (s->s3->group_id == 0)
918 return EXT_RETURN_NOT_SENT;
920 /* Get our list of supported groups */
921 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
922 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
923 return EXT_RETURN_FAIL;
926 /* Copy group ID if supported */
927 for (i = 0; i < numgroups; i++, groups += 2) {
928 if (tls_curve_allowed(s, groups, SSL_SECOP_CURVE_SUPPORTED)) {
931 * Check if the client is already using our preferred group. If
932 * so we don't need to add this extension
934 if (s->s3->group_id == GET_GROUP_ID(groups, 0))
935 return EXT_RETURN_NOT_SENT;
937 /* Add extension header */
938 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
939 /* Sub-packet for supported_groups extension */
940 || !WPACKET_start_sub_packet_u16(pkt)
941 || !WPACKET_start_sub_packet_u16(pkt)) {
942 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
943 ERR_R_INTERNAL_ERROR);
944 return EXT_RETURN_FAIL;
949 if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
950 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
951 ERR_R_INTERNAL_ERROR);
952 return EXT_RETURN_FAIL;
957 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
958 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
959 return EXT_RETURN_FAIL;
962 return EXT_RETURN_SENT;
966 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
967 unsigned int context, X509 *x,
968 size_t chainidx, int *al)
970 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
971 s->ext.ticket_expected = 0;
972 return EXT_RETURN_NOT_SENT;
975 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
976 || !WPACKET_put_bytes_u16(pkt, 0)) {
977 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
978 return EXT_RETURN_FAIL;
981 return EXT_RETURN_SENT;
984 #ifndef OPENSSL_NO_OCSP
985 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
986 unsigned int context, X509 *x,
987 size_t chainidx, int *al)
989 if (!s->ext.status_expected)
990 return EXT_RETURN_NOT_SENT;
992 if (SSL_IS_TLS13(s) && chainidx != 0)
993 return EXT_RETURN_NOT_SENT;
995 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
996 || !WPACKET_start_sub_packet_u16(pkt)) {
997 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
998 return EXT_RETURN_FAIL;
1002 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1003 * send back an empty extension, with the certificate status appearing as a
1006 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1007 || !WPACKET_close(pkt)) {
1008 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1009 return EXT_RETURN_FAIL;
1012 return EXT_RETURN_SENT;
1016 #ifndef OPENSSL_NO_NEXTPROTONEG
1017 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1018 unsigned int context, X509 *x,
1019 size_t chainidx, int *al)
1021 const unsigned char *npa;
1022 unsigned int npalen;
1024 int npn_seen = s->s3->npn_seen;
1026 s->s3->npn_seen = 0;
1027 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1028 return EXT_RETURN_NOT_SENT;
1030 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1031 s->ctx->ext.npn_advertised_cb_arg);
1032 if (ret == SSL_TLSEXT_ERR_OK) {
1033 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1034 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1035 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1036 ERR_R_INTERNAL_ERROR);
1037 return EXT_RETURN_FAIL;
1039 s->s3->npn_seen = 1;
1042 return EXT_RETURN_SENT;
1046 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1047 X509 *x, size_t chainidx, int *al)
1049 if (s->s3->alpn_selected == NULL)
1050 return EXT_RETURN_NOT_SENT;
1052 if (!WPACKET_put_bytes_u16(pkt,
1053 TLSEXT_TYPE_application_layer_protocol_negotiation)
1054 || !WPACKET_start_sub_packet_u16(pkt)
1055 || !WPACKET_start_sub_packet_u16(pkt)
1056 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1057 s->s3->alpn_selected_len)
1058 || !WPACKET_close(pkt)
1059 || !WPACKET_close(pkt)) {
1060 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1061 return EXT_RETURN_FAIL;
1064 return EXT_RETURN_SENT;
1067 #ifndef OPENSSL_NO_SRTP
1068 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1069 unsigned int context, X509 *x,
1070 size_t chainidx, int *al)
1072 if (s->srtp_profile == NULL)
1073 return EXT_RETURN_NOT_SENT;
1075 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1076 || !WPACKET_start_sub_packet_u16(pkt)
1077 || !WPACKET_put_bytes_u16(pkt, 2)
1078 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1079 || !WPACKET_put_bytes_u8(pkt, 0)
1080 || !WPACKET_close(pkt)) {
1081 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1082 return EXT_RETURN_FAIL;
1085 return EXT_RETURN_SENT;
1089 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1090 X509 *x, size_t chainidx, int *al)
1092 if (!s->ext.use_etm)
1093 return EXT_RETURN_NOT_SENT;
1096 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1097 * for other cases too.
1099 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1100 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1101 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1102 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1104 return EXT_RETURN_NOT_SENT;
1107 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1108 || !WPACKET_put_bytes_u16(pkt, 0)) {
1109 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1110 return EXT_RETURN_FAIL;
1113 return EXT_RETURN_SENT;
1116 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1117 X509 *x, size_t chainidx, int *al)
1119 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1120 return EXT_RETURN_NOT_SENT;
1122 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1123 || !WPACKET_put_bytes_u16(pkt, 0)) {
1124 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1125 return EXT_RETURN_FAIL;
1128 return EXT_RETURN_SENT;
1131 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1132 unsigned int context, X509 *x,
1133 size_t chainidx, int *al)
1135 #ifndef OPENSSL_NO_TLS1_3
1136 unsigned char *encodedPoint;
1137 size_t encoded_pt_len = 0;
1138 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1141 /* No key_share received from client */
1142 if (s->hello_retry_request) {
1143 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1144 || !WPACKET_start_sub_packet_u16(pkt)
1145 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1146 || !WPACKET_close(pkt)) {
1147 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1148 ERR_R_INTERNAL_ERROR);
1149 return EXT_RETURN_FAIL;
1152 return EXT_RETURN_SENT;
1155 /* Must be resuming. */
1156 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1157 *al = SSL_AD_INTERNAL_ERROR;
1158 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1159 return EXT_RETURN_FAIL;
1161 return EXT_RETURN_NOT_SENT;
1164 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1165 || !WPACKET_start_sub_packet_u16(pkt)
1166 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1167 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1168 return EXT_RETURN_FAIL;
1171 skey = ssl_generate_pkey(ckey);
1173 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1174 return EXT_RETURN_FAIL;
1177 /* Generate encoding of server key */
1178 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1179 if (encoded_pt_len == 0) {
1180 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1181 EVP_PKEY_free(skey);
1182 return EXT_RETURN_FAIL;
1185 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1186 || !WPACKET_close(pkt)) {
1187 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1188 EVP_PKEY_free(skey);
1189 OPENSSL_free(encodedPoint);
1190 return EXT_RETURN_FAIL;
1192 OPENSSL_free(encodedPoint);
1194 /* This causes the crypto state to be updated based on the derived keys */
1195 s->s3->tmp.pkey = skey;
1196 if (ssl_derive(s, skey, ckey, 1) == 0) {
1197 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1198 return EXT_RETURN_FAIL;
1202 return EXT_RETURN_SENT;
1205 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1206 unsigned int context, X509 *x,
1207 size_t chainidx, int *al)
1209 const unsigned char cryptopro_ext[36] = {
1210 0xfd, 0xe8, /* 65000 */
1211 0x00, 0x20, /* 32 bytes length */
1212 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1213 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1214 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1215 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1218 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1219 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1220 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1221 return EXT_RETURN_NOT_SENT;
1223 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1224 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1225 return EXT_RETURN_FAIL;
1228 return EXT_RETURN_SENT;
1231 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1232 unsigned int context, X509 *x,
1233 size_t chainidx, int *al)
1235 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1236 if (s->max_early_data == 0)
1237 return EXT_RETURN_NOT_SENT;
1239 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1240 || !WPACKET_start_sub_packet_u16(pkt)
1241 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1242 || !WPACKET_close(pkt)) {
1243 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1244 return EXT_RETURN_FAIL;
1247 return EXT_RETURN_SENT;
1250 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1251 return EXT_RETURN_NOT_SENT;
1253 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1254 || !WPACKET_start_sub_packet_u16(pkt)
1255 || !WPACKET_close(pkt)) {
1256 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1257 return EXT_RETURN_FAIL;
1260 return EXT_RETURN_SENT;
1263 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1264 X509 *x, size_t chainidx, int *al)
1267 return EXT_RETURN_NOT_SENT;
1269 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1270 || !WPACKET_start_sub_packet_u16(pkt)
1271 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1272 || !WPACKET_close(pkt)) {
1273 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1274 return EXT_RETURN_FAIL;
1277 return EXT_RETURN_SENT;