2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
125 s->servername_done = 1;
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
135 if (!s->servername_done && s->session->ext.hostname != NULL)
136 s->ext.early_data_ok = 0;
142 #ifndef OPENSSL_NO_SRP
143 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
144 size_t chainidx, int *al)
148 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
149 || PACKET_contains_zero_byte(&srp_I)) {
150 *al = SSL_AD_DECODE_ERROR;
155 * TODO(openssl-team): currently, we re-authenticate the user
156 * upon resumption. Instead, we MUST ignore the login.
158 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
159 *al = SSL_AD_INTERNAL_ERROR;
167 #ifndef OPENSSL_NO_EC
168 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
169 X509 *x, size_t chainidx, int *al)
171 PACKET ec_point_format_list;
173 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
174 || PACKET_remaining(&ec_point_format_list) == 0) {
175 *al = SSL_AD_DECODE_ERROR;
180 if (!PACKET_memdup(&ec_point_format_list,
181 &s->session->ext.ecpointformats,
182 &s->session->ext.ecpointformats_len)) {
183 *al = SSL_AD_INTERNAL_ERROR;
190 #endif /* OPENSSL_NO_EC */
192 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
193 X509 *x, size_t chainidx, int *al)
195 if (s->ext.session_ticket_cb &&
196 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
197 PACKET_remaining(pkt),
198 s->ext.session_ticket_cb_arg)) {
199 *al = SSL_AD_INTERNAL_ERROR;
206 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
207 size_t chainidx, int *al)
209 PACKET supported_sig_algs;
211 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
212 || PACKET_remaining(&supported_sig_algs) == 0) {
213 *al = SSL_AD_DECODE_ERROR;
217 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
218 *al = SSL_AD_DECODE_ERROR;
225 #ifndef OPENSSL_NO_OCSP
226 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
227 X509 *x, size_t chainidx, int *al)
229 PACKET responder_id_list, exts;
231 /* Not defined if we get one of these in a client Certificate */
235 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
236 *al = SSL_AD_DECODE_ERROR;
240 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
242 * We don't know what to do with any other type so ignore it.
244 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
248 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
249 *al = SSL_AD_DECODE_ERROR;
254 * We remove any OCSP_RESPIDs from a previous handshake
255 * to prevent unbounded memory growth - CVE-2016-6304
257 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
258 if (PACKET_remaining(&responder_id_list) > 0) {
259 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
260 if (s->ext.ocsp.ids == NULL) {
261 *al = SSL_AD_INTERNAL_ERROR;
265 s->ext.ocsp.ids = NULL;
268 while (PACKET_remaining(&responder_id_list) > 0) {
271 const unsigned char *id_data;
273 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
274 || PACKET_remaining(&responder_id) == 0) {
275 *al = SSL_AD_DECODE_ERROR;
279 id_data = PACKET_data(&responder_id);
280 /* TODO(size_t): Convert d2i_* to size_t */
281 id = d2i_OCSP_RESPID(NULL, &id_data,
282 (int)PACKET_remaining(&responder_id));
284 *al = SSL_AD_DECODE_ERROR;
288 if (id_data != PACKET_end(&responder_id)) {
289 OCSP_RESPID_free(id);
290 *al = SSL_AD_DECODE_ERROR;
294 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
295 OCSP_RESPID_free(id);
296 *al = SSL_AD_INTERNAL_ERROR;
301 /* Read in request_extensions */
302 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
303 *al = SSL_AD_DECODE_ERROR;
307 if (PACKET_remaining(&exts) > 0) {
308 const unsigned char *ext_data = PACKET_data(&exts);
310 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
311 X509_EXTENSION_free);
313 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
314 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
315 *al = SSL_AD_DECODE_ERROR;
324 #ifndef OPENSSL_NO_NEXTPROTONEG
325 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
326 size_t chainidx, int *al)
329 * We shouldn't accept this extension on a
332 if (SSL_IS_FIRST_HANDSHAKE(s))
340 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
341 * extension, not including type and length. |al| is a pointer to the alert
342 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
344 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
345 size_t chainidx, int *al)
347 PACKET protocol_list, save_protocol_list, protocol;
349 if (!SSL_IS_FIRST_HANDSHAKE(s))
352 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
353 || PACKET_remaining(&protocol_list) < 2) {
354 *al = SSL_AD_DECODE_ERROR;
358 save_protocol_list = protocol_list;
360 /* Protocol names can't be empty. */
361 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
362 || PACKET_remaining(&protocol) == 0) {
363 *al = SSL_AD_DECODE_ERROR;
366 } while (PACKET_remaining(&protocol_list) != 0);
368 OPENSSL_free(s->s3->alpn_proposed);
369 s->s3->alpn_proposed = NULL;
370 s->s3->alpn_proposed_len = 0;
371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
373 *al = SSL_AD_INTERNAL_ERROR;
380 #ifndef OPENSSL_NO_SRTP
381 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
382 size_t chainidx, int *al)
384 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
385 unsigned int ct, mki_len, id;
389 /* Ignore this if we have no SRTP profiles */
390 if (SSL_get_srtp_profiles(s) == NULL)
393 /* Pull off the length of the cipher suite list and check it is even */
394 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
395 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
396 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
397 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
398 *al = SSL_AD_DECODE_ERROR;
402 srvr = SSL_get_srtp_profiles(s);
403 s->srtp_profile = NULL;
404 /* Search all profiles for a match initially */
405 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
407 while (PACKET_remaining(&subpkt)) {
408 if (!PACKET_get_net_2(&subpkt, &id)) {
409 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
410 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
411 *al = SSL_AD_DECODE_ERROR;
416 * Only look for match in profiles of higher preference than
418 * If no profiles have been have been configured then this
421 for (i = 0; i < srtp_pref; i++) {
422 SRTP_PROTECTION_PROFILE *sprof =
423 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
425 if (sprof->id == id) {
426 s->srtp_profile = sprof;
433 /* Now extract the MKI value as a sanity check, but discard it for now */
434 if (!PACKET_get_1(pkt, &mki_len)) {
435 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
436 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
437 *al = SSL_AD_DECODE_ERROR;
441 if (!PACKET_forward(pkt, mki_len)
442 || PACKET_remaining(pkt)) {
443 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
444 *al = SSL_AD_DECODE_ERROR;
452 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 size_t chainidx, int *al)
455 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
462 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
463 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
464 * If a failure occurs then |*al| is set to an appropriate alert value.
466 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
467 X509 *x, size_t chainidx, int *al)
469 #ifndef OPENSSL_NO_TLS1_3
470 PACKET psk_kex_modes;
473 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
474 || PACKET_remaining(&psk_kex_modes) == 0) {
475 *al = SSL_AD_DECODE_ERROR;
479 while (PACKET_get_1(&psk_kex_modes, &mode)) {
480 if (mode == TLSEXT_KEX_MODE_KE_DHE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
482 else if (mode == TLSEXT_KEX_MODE_KE
483 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
484 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
492 * Process a key_share extension received in the ClientHello. |pkt| contains
493 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
494 * If a failure occurs then |*al| is set to an appropriate alert value.
496 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
497 size_t chainidx, int *al)
499 #ifndef OPENSSL_NO_TLS1_3
500 unsigned int group_id;
501 PACKET key_share_list, encoded_pt;
502 const uint16_t *clntcurves, *srvrcurves;
503 size_t clnt_num_curves, srvr_num_curves;
505 const TLS_GROUP_INFO *ginf;
507 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
511 if (s->s3->peer_tmp != NULL) {
512 *al = SSL_AD_INTERNAL_ERROR;
513 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
517 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
518 *al = SSL_AD_DECODE_ERROR;
519 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
523 /* Get our list of supported curves */
524 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
525 *al = SSL_AD_INTERNAL_ERROR;
526 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
530 /* Get the clients list of supported curves. */
531 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
532 *al = SSL_AD_INTERNAL_ERROR;
533 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
536 if (clnt_num_curves == 0) {
538 * This can only happen if the supported_groups extension was not sent,
539 * because we verify that the length is non-zero when we process that
542 *al = SSL_AD_MISSING_EXTENSION;
543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
544 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
548 while (PACKET_remaining(&key_share_list) > 0) {
549 if (!PACKET_get_net_2(&key_share_list, &group_id)
550 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
551 || PACKET_remaining(&encoded_pt) == 0) {
552 *al = SSL_AD_DECODE_ERROR;
553 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
554 SSL_R_LENGTH_MISMATCH);
559 * If we already found a suitable key_share we loop through the
560 * rest to verify the structure, but don't process them.
565 /* Check if this share is in supported_groups sent from client */
566 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
567 *al = SSL_AD_ILLEGAL_PARAMETER;
568 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
572 /* Check if this share is for a group we can use */
573 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
574 /* Share not suitable */
578 ginf = tls1_group_id_lookup(group_id);
581 *al = SSL_AD_INTERNAL_ERROR;
582 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
583 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
587 if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
588 /* Can happen for some curves, e.g. X25519 */
589 EVP_PKEY *key = EVP_PKEY_new();
591 if (key == NULL || !EVP_PKEY_set_type(key, ginf->nid)) {
592 *al = SSL_AD_INTERNAL_ERROR;
593 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
597 s->s3->peer_tmp = key;
599 /* Set up EVP_PKEY with named curve as parameters */
600 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
603 || EVP_PKEY_paramgen_init(pctx) <= 0
604 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
606 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
607 *al = SSL_AD_INTERNAL_ERROR;
608 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
609 EVP_PKEY_CTX_free(pctx);
612 EVP_PKEY_CTX_free(pctx);
615 s->s3->group_id = group_id;
617 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
618 PACKET_data(&encoded_pt),
619 PACKET_remaining(&encoded_pt))) {
620 *al = SSL_AD_ILLEGAL_PARAMETER;
621 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
632 #ifndef OPENSSL_NO_EC
633 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
634 X509 *x, size_t chainidx, int *al)
636 PACKET supported_groups_list;
638 /* Each group is 2 bytes and we must have at least 1. */
639 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
640 || PACKET_remaining(&supported_groups_list) == 0
641 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
642 *al = SSL_AD_DECODE_ERROR;
646 if (!s->hit || SSL_IS_TLS13(s)) {
647 OPENSSL_free(s->session->ext.supportedgroups);
648 s->session->ext.supportedgroups = NULL;
649 s->session->ext.supportedgroups_len = 0;
650 if (!tls1_save_u16(&supported_groups_list,
651 &s->session->ext.supportedgroups,
652 &s->session->ext.supportedgroups_len)) {
653 *al = SSL_AD_INTERNAL_ERROR;
662 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
663 size_t chainidx, int *al)
665 /* The extension must always be empty */
666 if (PACKET_remaining(pkt) != 0) {
667 *al = SSL_AD_DECODE_ERROR;
671 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
677 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
678 X509 *x, size_t chainidx, int *al)
680 if (PACKET_remaining(pkt) != 0) {
681 *al = SSL_AD_DECODE_ERROR;
685 if (s->hello_retry_request) {
686 *al = SSL_AD_ILLEGAL_PARAMETER;
693 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
694 size_t chainidx, int *al)
696 PACKET identities, binders, binder;
697 size_t binderoffset, hashsize;
698 SSL_SESSION *sess = NULL;
699 unsigned int id, i, ext = 0;
700 const EVP_MD *md = NULL;
703 * If we have no PSK kex mode that we recognise then we can't resume so
704 * ignore this extension
706 if ((s->ext.psk_kex_mode
707 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
710 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
711 *al = SSL_AD_DECODE_ERROR;
715 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
717 unsigned long ticket_agel;
719 if (!PACKET_get_length_prefixed_2(&identities, &identity)
720 || !PACKET_get_net_4(&identities, &ticket_agel)) {
721 *al = SSL_AD_DECODE_ERROR;
725 if (s->psk_find_session_cb != NULL
726 && !s->psk_find_session_cb(s, PACKET_data(&identity),
727 PACKET_remaining(&identity),
729 *al = SSL_AD_INTERNAL_ERROR;
735 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
737 if (sesstmp == NULL) {
738 *al = SSL_AD_INTERNAL_ERROR;
741 SSL_SESSION_free(sess);
745 * We've just been told to use this session for this context so
746 * make sure the sid_ctx matches up.
748 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
749 sess->sid_ctx_length = s->sid_ctx_length;
752 s->ext.early_data_ok = 1;
754 uint32_t ticket_age = 0, now, agesec, agems;
755 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
756 PACKET_remaining(&identity), NULL, 0,
759 if (ret == TICKET_FATAL_ERR_MALLOC
760 || ret == TICKET_FATAL_ERR_OTHER) {
761 *al = SSL_AD_INTERNAL_ERROR;
764 if (ret == TICKET_NO_DECRYPT)
767 ticket_age = (uint32_t)ticket_agel;
768 now = (uint32_t)time(NULL);
769 agesec = now - (uint32_t)sess->time;
770 agems = agesec * (uint32_t)1000;
771 ticket_age -= sess->ext.tick_age_add;
774 * For simplicity we do our age calculations in seconds. If the
775 * client does it in ms then it could appear that their ticket age
776 * is longer than ours (our ticket age calculation should always be
777 * slightly longer than the client's due to the network latency).
778 * Therefore we add 1000ms to our age calculation to adjust for
782 && sess->timeout >= (long)agesec
783 && agems / (uint32_t)1000 == agesec
784 && ticket_age <= agems + 1000
785 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
787 * Ticket age is within tolerance and not expired. We allow it
790 s->ext.early_data_ok = 1;
794 md = ssl_md(sess->cipher->algorithm2);
795 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
796 /* The ciphersuite is not compatible with this session. */
797 SSL_SESSION_free(sess);
799 s->ext.early_data_ok = 0;
808 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
809 hashsize = EVP_MD_size(md);
811 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
812 *al = SSL_AD_DECODE_ERROR;
816 for (i = 0; i <= id; i++) {
817 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
818 *al = SSL_AD_DECODE_ERROR;
823 if (PACKET_remaining(&binder) != hashsize
824 || tls_psk_do_binder(s, md,
825 (const unsigned char *)s->init_buf->data,
826 binderoffset, PACKET_data(&binder), NULL,
827 sess, 0, ext) != 1) {
828 *al = SSL_AD_DECODE_ERROR;
829 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
833 sess->ext.tick_identity = id;
835 SSL_SESSION_free(s->session);
839 SSL_SESSION_free(sess);
844 * Add the server's renegotiation binding
846 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
847 unsigned int context, X509 *x,
848 size_t chainidx, int *al)
850 if (!s->s3->send_connection_binding)
851 return EXT_RETURN_NOT_SENT;
853 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
854 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
855 || !WPACKET_start_sub_packet_u16(pkt)
856 || !WPACKET_start_sub_packet_u8(pkt)
857 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
858 s->s3->previous_client_finished_len)
859 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
860 s->s3->previous_server_finished_len)
861 || !WPACKET_close(pkt)
862 || !WPACKET_close(pkt)) {
863 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
864 return EXT_RETURN_FAIL;
867 return EXT_RETURN_SENT;
870 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
871 unsigned int context, X509 *x,
872 size_t chainidx, int *al)
874 if (s->hit || s->servername_done != 1
875 || s->session->ext.hostname == NULL)
876 return EXT_RETURN_NOT_SENT;
878 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
879 || !WPACKET_put_bytes_u16(pkt, 0)) {
880 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
881 return EXT_RETURN_FAIL;
884 return EXT_RETURN_SENT;
887 #ifndef OPENSSL_NO_EC
888 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
889 unsigned int context, X509 *x,
890 size_t chainidx, int *al)
892 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
893 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
894 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
895 && (s->session->ext.ecpointformats != NULL);
896 const unsigned char *plist;
900 return EXT_RETURN_NOT_SENT;
902 tls1_get_formatlist(s, &plist, &plistlen);
903 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
904 || !WPACKET_start_sub_packet_u16(pkt)
905 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
906 || !WPACKET_close(pkt)) {
907 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
908 return EXT_RETURN_FAIL;
911 return EXT_RETURN_SENT;
915 #ifndef OPENSSL_NO_EC
916 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
917 unsigned int context, X509 *x,
918 size_t chainidx, int *al)
920 const uint16_t *groups;
921 size_t numgroups, i, first = 1;
923 /* s->s3->group_id is non zero if we accepted a key_share */
924 if (s->s3->group_id == 0)
925 return EXT_RETURN_NOT_SENT;
927 /* Get our list of supported groups */
928 if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
929 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
930 return EXT_RETURN_FAIL;
933 /* Copy group ID if supported */
934 for (i = 0; i < numgroups; i++) {
935 uint16_t group = groups[i];
937 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
940 * Check if the client is already using our preferred group. If
941 * so we don't need to add this extension
943 if (s->s3->group_id == group)
944 return EXT_RETURN_NOT_SENT;
946 /* Add extension header */
947 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
948 /* Sub-packet for supported_groups extension */
949 || !WPACKET_start_sub_packet_u16(pkt)
950 || !WPACKET_start_sub_packet_u16(pkt)) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
952 ERR_R_INTERNAL_ERROR);
953 return EXT_RETURN_FAIL;
958 if (!WPACKET_put_bytes_u16(pkt, group)) {
959 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
960 ERR_R_INTERNAL_ERROR);
961 return EXT_RETURN_FAIL;
966 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
967 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
968 return EXT_RETURN_FAIL;
971 return EXT_RETURN_SENT;
975 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
976 unsigned int context, X509 *x,
977 size_t chainidx, int *al)
979 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
980 s->ext.ticket_expected = 0;
981 return EXT_RETURN_NOT_SENT;
984 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
985 || !WPACKET_put_bytes_u16(pkt, 0)) {
986 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
987 return EXT_RETURN_FAIL;
990 return EXT_RETURN_SENT;
993 #ifndef OPENSSL_NO_OCSP
994 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
995 unsigned int context, X509 *x,
996 size_t chainidx, int *al)
998 if (!s->ext.status_expected)
999 return EXT_RETURN_NOT_SENT;
1001 if (SSL_IS_TLS13(s) && chainidx != 0)
1002 return EXT_RETURN_NOT_SENT;
1004 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1005 || !WPACKET_start_sub_packet_u16(pkt)) {
1006 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1007 return EXT_RETURN_FAIL;
1011 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1012 * send back an empty extension, with the certificate status appearing as a
1015 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
1016 || !WPACKET_close(pkt)) {
1017 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1018 return EXT_RETURN_FAIL;
1021 return EXT_RETURN_SENT;
1025 #ifndef OPENSSL_NO_NEXTPROTONEG
1026 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1027 unsigned int context, X509 *x,
1028 size_t chainidx, int *al)
1030 const unsigned char *npa;
1031 unsigned int npalen;
1033 int npn_seen = s->s3->npn_seen;
1035 s->s3->npn_seen = 0;
1036 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1037 return EXT_RETURN_NOT_SENT;
1039 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1040 s->ctx->ext.npn_advertised_cb_arg);
1041 if (ret == SSL_TLSEXT_ERR_OK) {
1042 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1043 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1044 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1045 ERR_R_INTERNAL_ERROR);
1046 return EXT_RETURN_FAIL;
1048 s->s3->npn_seen = 1;
1051 return EXT_RETURN_SENT;
1055 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1056 X509 *x, size_t chainidx, int *al)
1058 if (s->s3->alpn_selected == NULL)
1059 return EXT_RETURN_NOT_SENT;
1061 if (!WPACKET_put_bytes_u16(pkt,
1062 TLSEXT_TYPE_application_layer_protocol_negotiation)
1063 || !WPACKET_start_sub_packet_u16(pkt)
1064 || !WPACKET_start_sub_packet_u16(pkt)
1065 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1066 s->s3->alpn_selected_len)
1067 || !WPACKET_close(pkt)
1068 || !WPACKET_close(pkt)) {
1069 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1070 return EXT_RETURN_FAIL;
1073 return EXT_RETURN_SENT;
1076 #ifndef OPENSSL_NO_SRTP
1077 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1078 unsigned int context, X509 *x,
1079 size_t chainidx, int *al)
1081 if (s->srtp_profile == NULL)
1082 return EXT_RETURN_NOT_SENT;
1084 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1085 || !WPACKET_start_sub_packet_u16(pkt)
1086 || !WPACKET_put_bytes_u16(pkt, 2)
1087 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1088 || !WPACKET_put_bytes_u8(pkt, 0)
1089 || !WPACKET_close(pkt)) {
1090 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1091 return EXT_RETURN_FAIL;
1094 return EXT_RETURN_SENT;
1098 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1099 X509 *x, size_t chainidx, int *al)
1101 if (!s->ext.use_etm)
1102 return EXT_RETURN_NOT_SENT;
1105 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1106 * for other cases too.
1108 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1109 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1110 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1111 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1113 return EXT_RETURN_NOT_SENT;
1116 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1117 || !WPACKET_put_bytes_u16(pkt, 0)) {
1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1119 return EXT_RETURN_FAIL;
1122 return EXT_RETURN_SENT;
1125 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1126 X509 *x, size_t chainidx, int *al)
1128 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1129 return EXT_RETURN_NOT_SENT;
1131 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1132 || !WPACKET_put_bytes_u16(pkt, 0)) {
1133 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1134 return EXT_RETURN_FAIL;
1137 return EXT_RETURN_SENT;
1140 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1141 unsigned int context, X509 *x,
1142 size_t chainidx, int *al)
1144 #ifndef OPENSSL_NO_TLS1_3
1145 unsigned char *encodedPoint;
1146 size_t encoded_pt_len = 0;
1147 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1150 /* No key_share received from client */
1151 if (s->hello_retry_request) {
1152 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1153 || !WPACKET_start_sub_packet_u16(pkt)
1154 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1155 || !WPACKET_close(pkt)) {
1156 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1157 ERR_R_INTERNAL_ERROR);
1158 return EXT_RETURN_FAIL;
1161 return EXT_RETURN_SENT;
1164 /* Must be resuming. */
1165 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1166 *al = SSL_AD_INTERNAL_ERROR;
1167 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1168 return EXT_RETURN_FAIL;
1170 return EXT_RETURN_NOT_SENT;
1173 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1174 || !WPACKET_start_sub_packet_u16(pkt)
1175 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1176 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1177 return EXT_RETURN_FAIL;
1180 skey = ssl_generate_pkey(ckey);
1182 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1183 return EXT_RETURN_FAIL;
1186 /* Generate encoding of server key */
1187 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1188 if (encoded_pt_len == 0) {
1189 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1190 EVP_PKEY_free(skey);
1191 return EXT_RETURN_FAIL;
1194 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1195 || !WPACKET_close(pkt)) {
1196 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1197 EVP_PKEY_free(skey);
1198 OPENSSL_free(encodedPoint);
1199 return EXT_RETURN_FAIL;
1201 OPENSSL_free(encodedPoint);
1203 /* This causes the crypto state to be updated based on the derived keys */
1204 s->s3->tmp.pkey = skey;
1205 if (ssl_derive(s, skey, ckey, 1) == 0) {
1206 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1207 return EXT_RETURN_FAIL;
1211 return EXT_RETURN_SENT;
1214 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1215 unsigned int context, X509 *x,
1216 size_t chainidx, int *al)
1218 const unsigned char cryptopro_ext[36] = {
1219 0xfd, 0xe8, /* 65000 */
1220 0x00, 0x20, /* 32 bytes length */
1221 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1222 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1223 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1224 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1227 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1228 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1229 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1230 return EXT_RETURN_NOT_SENT;
1232 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1233 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1234 return EXT_RETURN_FAIL;
1237 return EXT_RETURN_SENT;
1240 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1241 unsigned int context, X509 *x,
1242 size_t chainidx, int *al)
1244 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1245 if (s->max_early_data == 0)
1246 return EXT_RETURN_NOT_SENT;
1248 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1249 || !WPACKET_start_sub_packet_u16(pkt)
1250 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1251 || !WPACKET_close(pkt)) {
1252 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1253 return EXT_RETURN_FAIL;
1256 return EXT_RETURN_SENT;
1259 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1260 return EXT_RETURN_NOT_SENT;
1262 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1263 || !WPACKET_start_sub_packet_u16(pkt)
1264 || !WPACKET_close(pkt)) {
1265 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1266 return EXT_RETURN_FAIL;
1269 return EXT_RETURN_SENT;
1272 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1273 X509 *x, size_t chainidx, int *al)
1276 return EXT_RETURN_NOT_SENT;
1278 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1279 || !WPACKET_start_sub_packet_u16(pkt)
1280 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1281 || !WPACKET_close(pkt)) {
1282 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1283 return EXT_RETURN_FAIL;
1286 return EXT_RETURN_SENT;