2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + number of bytes in legacy session id + 2 bytes for ciphersuite
30 * + 1 byte for legacy compression + 2 bytes for extension block length
31 * + 6 bytes for key_share extension + 4 bytes for cookie extension header
32 * + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3->send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
138 if (PACKET_contains_zero_byte(&hostname)) {
139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
153 s->servername_done = 1;
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
170 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
171 X509 *x, size_t chainidx)
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
205 s->session->ext.max_fragment_len_mode = value;
209 #ifndef OPENSSL_NO_SRP
210 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
237 #ifndef OPENSSL_NO_EC
238 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
239 X509 *x, size_t chainidx)
241 PACKET ec_point_format_list;
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
251 if (!PACKET_memdup(&ec_point_format_list,
252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
262 #endif /* OPENSSL_NO_EC */
264 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
265 X509 *x, size_t chainidx)
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
279 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
282 PACKET supported_sig_algs;
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
300 #ifndef OPENSSL_NO_OCSP
301 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302 X509 *x, size_t chainidx)
304 PACKET responder_id_list, exts;
306 /* Not defined if we get one of these in a client Certificate */
310 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
311 SSLfatal(s, SSL_AD_DECODE_ERROR,
312 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
316 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
318 * We don't know what to do with any other type so ignore it.
320 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
324 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
325 SSLfatal(s, SSL_AD_DECODE_ERROR,
326 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
331 * We remove any OCSP_RESPIDs from a previous handshake
332 * to prevent unbounded memory growth - CVE-2016-6304
334 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
335 if (PACKET_remaining(&responder_id_list) > 0) {
336 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
337 if (s->ext.ocsp.ids == NULL) {
338 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
339 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
343 s->ext.ocsp.ids = NULL;
346 while (PACKET_remaining(&responder_id_list) > 0) {
349 const unsigned char *id_data;
351 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
352 || PACKET_remaining(&responder_id) == 0) {
353 SSLfatal(s, SSL_AD_DECODE_ERROR,
354 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
358 id_data = PACKET_data(&responder_id);
359 /* TODO(size_t): Convert d2i_* to size_t */
360 id = d2i_OCSP_RESPID(NULL, &id_data,
361 (int)PACKET_remaining(&responder_id));
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 if (id_data != PACKET_end(&responder_id)) {
369 OCSP_RESPID_free(id);
370 SSLfatal(s, SSL_AD_DECODE_ERROR,
371 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
376 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
377 OCSP_RESPID_free(id);
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
379 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
385 /* Read in request_extensions */
386 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
387 SSLfatal(s, SSL_AD_DECODE_ERROR,
388 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
396 X509_EXTENSION_free);
398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
400 SSLfatal(s, SSL_AD_DECODE_ERROR,
401 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
410 #ifndef OPENSSL_NO_NEXTPROTONEG
411 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
415 * We shouldn't accept this extension on a
418 if (SSL_IS_FIRST_HANDSHAKE(s))
426 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
427 * extension, not including type and length. Returns: 1 on success, 0 on error.
429 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
432 PACKET protocol_list, save_protocol_list, protocol;
434 if (!SSL_IS_FIRST_HANDSHAKE(s))
437 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
438 || PACKET_remaining(&protocol_list) < 2) {
439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
440 SSL_R_BAD_EXTENSION);
444 save_protocol_list = protocol_list;
446 /* Protocol names can't be empty. */
447 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
448 || PACKET_remaining(&protocol) == 0) {
449 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
450 SSL_R_BAD_EXTENSION);
453 } while (PACKET_remaining(&protocol_list) != 0);
455 OPENSSL_free(s->s3->alpn_proposed);
456 s->s3->alpn_proposed = NULL;
457 s->s3->alpn_proposed_len = 0;
458 if (!PACKET_memdup(&save_protocol_list,
459 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 ERR_R_INTERNAL_ERROR);
468 #ifndef OPENSSL_NO_SRTP
469 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
472 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
473 unsigned int ct, mki_len, id;
477 /* Ignore this if we have no SRTP profiles */
478 if (SSL_get_srtp_profiles(s) == NULL)
481 /* Pull off the length of the cipher suite list and check it is even */
482 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
483 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
485 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489 srvr = SSL_get_srtp_profiles(s);
490 s->srtp_profile = NULL;
491 /* Search all profiles for a match initially */
492 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
494 while (PACKET_remaining(&subpkt)) {
495 if (!PACKET_get_net_2(&subpkt, &id)) {
496 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
497 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
502 * Only look for match in profiles of higher preference than
504 * If no profiles have been have been configured then this
507 for (i = 0; i < srtp_pref; i++) {
508 SRTP_PROTECTION_PROFILE *sprof =
509 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
511 if (sprof->id == id) {
512 s->srtp_profile = sprof;
519 /* Now extract the MKI value as a sanity check, but discard it for now */
520 if (!PACKET_get_1(pkt, &mki_len)) {
521 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
522 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
526 if (!PACKET_forward(pkt, mki_len)
527 || PACKET_remaining(pkt)) {
528 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
529 SSL_R_BAD_SRTP_MKI_VALUE);
537 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
540 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
547 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
548 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
550 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
551 X509 *x, size_t chainidx)
553 #ifndef OPENSSL_NO_TLS1_3
554 PACKET psk_kex_modes;
557 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
558 || PACKET_remaining(&psk_kex_modes) == 0) {
559 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
560 SSL_R_BAD_EXTENSION);
564 while (PACKET_get_1(&psk_kex_modes, &mode)) {
565 if (mode == TLSEXT_KEX_MODE_KE_DHE)
566 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
567 else if (mode == TLSEXT_KEX_MODE_KE
568 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
569 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
577 * Process a key_share extension received in the ClientHello. |pkt| contains
578 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
580 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
583 #ifndef OPENSSL_NO_TLS1_3
584 unsigned int group_id;
585 PACKET key_share_list, encoded_pt;
586 const uint16_t *clntgroups, *srvrgroups;
587 size_t clnt_num_groups, srvr_num_groups;
590 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
594 if (s->s3->peer_tmp != NULL) {
595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 ERR_R_INTERNAL_ERROR);
600 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
601 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
602 SSL_R_LENGTH_MISMATCH);
606 /* Get our list of supported groups */
607 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
608 /* Get the clients list of supported groups. */
609 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
610 if (clnt_num_groups == 0) {
612 * This can only happen if the supported_groups extension was not sent,
613 * because we verify that the length is non-zero when we process that
616 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
621 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
623 * If we set a group_id already, then we must have sent an HRR
624 * requesting a new key_share. If we haven't got one then that is an
627 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
628 SSL_R_BAD_KEY_SHARE);
632 while (PACKET_remaining(&key_share_list) > 0) {
633 if (!PACKET_get_net_2(&key_share_list, &group_id)
634 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
635 || PACKET_remaining(&encoded_pt) == 0) {
636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637 SSL_R_LENGTH_MISMATCH);
642 * If we already found a suitable key_share we loop through the
643 * rest to verify the structure, but don't process them.
649 * If we sent an HRR then the key_share sent back MUST be for the group
650 * we requested, and must be the only key_share sent.
652 if (s->s3->group_id != 0
653 && (group_id != s->s3->group_id
654 || PACKET_remaining(&key_share_list) != 0)) {
655 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
656 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
660 /* Check if this share is in supported_groups sent from client */
661 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
663 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
667 /* Check if this share is for a group we can use */
668 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
669 /* Share not suitable */
673 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
674 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
675 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
679 s->s3->group_id = group_id;
681 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
682 PACKET_data(&encoded_pt),
683 PACKET_remaining(&encoded_pt))) {
684 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
685 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
696 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
699 unsigned int format, version, key_share, group_id;
702 PACKET cookie, raw, chhash, appcookie;
704 const unsigned char *data, *mdin, *ciphdata;
705 unsigned char hmac[SHA256_DIGEST_LENGTH];
706 unsigned char hrr[MAX_HRR_SIZE];
707 size_t rawlen, hmaclen, hrrlen, ciphlen;
708 unsigned long tm, now;
710 /* Ignore any cookie if we're not set up to verify it */
711 if (s->ctx->app_verify_cookie_cb == NULL
712 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
715 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
716 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
717 SSL_R_LENGTH_MISMATCH);
722 data = PACKET_data(&raw);
723 rawlen = PACKET_remaining(&raw);
724 if (rawlen < SHA256_DIGEST_LENGTH
725 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
726 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
727 SSL_R_LENGTH_MISMATCH);
730 mdin = PACKET_data(&raw);
732 /* Verify the HMAC of the cookie */
733 hctx = EVP_MD_CTX_create();
734 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
735 s->session_ctx->ext.cookie_hmac_key,
736 sizeof(s->session_ctx->ext.cookie_hmac_key));
737 if (hctx == NULL || pkey == NULL) {
738 EVP_MD_CTX_free(hctx);
740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
741 ERR_R_MALLOC_FAILURE);
745 hmaclen = sizeof(s->session_ctx->ext.cookie_hmac_key);
746 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
747 || EVP_DigestSignUpdate(hctx, data,
748 rawlen - SHA256_DIGEST_LENGTH) <= 0
749 || EVP_DigestSignFinal(hctx, hmac, &hmaclen) <= 0
750 || hmaclen != SHA256_DIGEST_LENGTH) {
751 EVP_MD_CTX_free(hctx);
753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
754 ERR_R_INTERNAL_ERROR);
758 EVP_MD_CTX_free(hctx);
761 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
762 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
763 SSL_R_COOKIE_MISMATCH);
767 if (!PACKET_get_net_2(&cookie, &format)) {
768 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
769 SSL_R_LENGTH_MISMATCH);
772 /* Check the cookie format is something we recognise. Ignore it if not */
773 if (format != COOKIE_STATE_FORMAT_VERSION)
777 * The rest of these checks really shouldn't fail since we have verified the
781 /* Check the version number is sane */
782 if (!PACKET_get_net_2(&cookie, &version)) {
783 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
784 SSL_R_LENGTH_MISMATCH);
787 if (version != TLS1_3_VERSION) {
788 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
789 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
793 if (!PACKET_get_net_2(&cookie, &group_id)) {
794 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
795 SSL_R_LENGTH_MISMATCH);
799 ciphdata = PACKET_data(&cookie);
800 if (!PACKET_forward(&cookie, 2)) {
801 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
802 SSL_R_LENGTH_MISMATCH);
805 if (group_id != s->s3->group_id
806 || s->s3->tmp.new_cipher
807 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
809 * We chose a different cipher or group id this time around to what is
810 * in the cookie. Something must have changed.
812 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
817 if (!PACKET_get_1(&cookie, &key_share)
818 || !PACKET_get_net_4(&cookie, &tm)
819 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
820 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
821 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
822 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
823 SSL_R_LENGTH_MISMATCH);
827 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
828 now = (unsigned long)time(NULL);
829 if (tm > now || (now - tm) > 600) {
830 /* Cookie is stale. Ignore it */
834 /* Verify the app cookie */
835 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
836 PACKET_remaining(&appcookie)) == 0) {
837 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
838 SSL_R_COOKIE_MISMATCH);
843 * Reconstruct the HRR that we would have sent in response to the original
844 * ClientHello so we can add it to the transcript hash.
845 * Note: This won't work with custom HRR extensions
847 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
849 ERR_R_INTERNAL_ERROR);
852 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
853 || !WPACKET_start_sub_packet_u24(&hrrpkt)
854 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
855 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
856 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
857 s->tmp_session_id_len)
858 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
860 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
861 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
862 WPACKET_cleanup(&hrrpkt);
863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
864 ERR_R_INTERNAL_ERROR);
867 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
868 || !WPACKET_start_sub_packet_u16(&hrrpkt)
869 /* TODO(TLS1.3): Fix this before release */
870 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
871 || !WPACKET_close(&hrrpkt)) {
872 WPACKET_cleanup(&hrrpkt);
873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
874 ERR_R_INTERNAL_ERROR);
878 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
879 || !WPACKET_start_sub_packet_u16(&hrrpkt)
880 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
881 || !WPACKET_close(&hrrpkt)) {
882 WPACKET_cleanup(&hrrpkt);
883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
884 ERR_R_INTERNAL_ERROR);
888 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
889 || !WPACKET_start_sub_packet_u16(&hrrpkt)
890 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
891 || !WPACKET_close(&hrrpkt) /* cookie extension */
892 || !WPACKET_close(&hrrpkt) /* extension block */
893 || !WPACKET_close(&hrrpkt) /* message */
894 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
895 || !WPACKET_finish(&hrrpkt)) {
896 WPACKET_cleanup(&hrrpkt);
897 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
898 ERR_R_INTERNAL_ERROR);
902 /* Reconstruct the transcript hash */
903 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
904 PACKET_remaining(&chhash), hrr,
906 /* SSLfatal() already called */
910 /* Act as if this ClientHello came after a HelloRetryRequest */
911 s->hello_retry_request = 1;
918 #ifndef OPENSSL_NO_EC
919 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
920 X509 *x, size_t chainidx)
922 PACKET supported_groups_list;
924 /* Each group is 2 bytes and we must have at least 1. */
925 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
926 || PACKET_remaining(&supported_groups_list) == 0
927 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
928 SSLfatal(s, SSL_AD_DECODE_ERROR,
929 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
933 if (!s->hit || SSL_IS_TLS13(s)) {
934 OPENSSL_free(s->session->ext.supportedgroups);
935 s->session->ext.supportedgroups = NULL;
936 s->session->ext.supportedgroups_len = 0;
937 if (!tls1_save_u16(&supported_groups_list,
938 &s->session->ext.supportedgroups,
939 &s->session->ext.supportedgroups_len)) {
940 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
941 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
942 ERR_R_INTERNAL_ERROR);
951 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
954 /* The extension must always be empty */
955 if (PACKET_remaining(pkt) != 0) {
956 SSLfatal(s, SSL_AD_DECODE_ERROR,
957 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
961 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
967 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
968 X509 *x, size_t chainidx)
970 if (PACKET_remaining(pkt) != 0) {
971 SSLfatal(s, SSL_AD_DECODE_ERROR,
972 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
976 if (s->hello_retry_request != SSL_HRR_NONE) {
977 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
978 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
985 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
988 PACKET identities, binders, binder;
989 size_t binderoffset, hashsize;
990 SSL_SESSION *sess = NULL;
991 unsigned int id, i, ext = 0;
992 const EVP_MD *md = NULL;
995 * If we have no PSK kex mode that we recognise then we can't resume so
996 * ignore this extension
998 if ((s->ext.psk_kex_mode
999 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1002 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1003 SSLfatal(s, SSL_AD_DECODE_ERROR,
1004 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1008 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1010 unsigned long ticket_agel;
1012 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1013 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1014 SSLfatal(s, SSL_AD_DECODE_ERROR,
1015 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1019 if (s->psk_find_session_cb != NULL
1020 && !s->psk_find_session_cb(s, PACKET_data(&identity),
1021 PACKET_remaining(&identity),
1023 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1024 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1029 /* We found a PSK */
1030 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1032 if (sesstmp == NULL) {
1033 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1034 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1037 SSL_SESSION_free(sess);
1041 * We've just been told to use this session for this context so
1042 * make sure the sid_ctx matches up.
1044 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1045 sess->sid_ctx_length = s->sid_ctx_length;
1048 s->ext.early_data_ok = 1;
1050 uint32_t ticket_age = 0, now, agesec, agems;
1051 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1052 PACKET_remaining(&identity), NULL, 0,
1055 if (ret == TICKET_FATAL_ERR_MALLOC
1056 || ret == TICKET_FATAL_ERR_OTHER) {
1057 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1058 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1061 if (ret == TICKET_NO_DECRYPT)
1064 ticket_age = (uint32_t)ticket_agel;
1065 now = (uint32_t)time(NULL);
1066 agesec = now - (uint32_t)sess->time;
1067 agems = agesec * (uint32_t)1000;
1068 ticket_age -= sess->ext.tick_age_add;
1071 * For simplicity we do our age calculations in seconds. If the
1072 * client does it in ms then it could appear that their ticket age
1073 * is longer than ours (our ticket age calculation should always be
1074 * slightly longer than the client's due to the network latency).
1075 * Therefore we add 1000ms to our age calculation to adjust for
1079 && sess->timeout >= (long)agesec
1080 && agems / (uint32_t)1000 == agesec
1081 && ticket_age <= agems + 1000
1082 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1084 * Ticket age is within tolerance and not expired. We allow it
1087 s->ext.early_data_ok = 1;
1091 md = ssl_md(sess->cipher->algorithm2);
1092 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1093 /* The ciphersuite is not compatible with this session. */
1094 SSL_SESSION_free(sess);
1096 s->ext.early_data_ok = 0;
1105 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1106 hashsize = EVP_MD_size(md);
1108 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1109 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1110 SSL_R_BAD_EXTENSION);
1114 for (i = 0; i <= id; i++) {
1115 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1116 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1117 SSL_R_BAD_EXTENSION);
1122 if (PACKET_remaining(&binder) != hashsize) {
1123 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1124 SSL_R_BAD_EXTENSION);
1127 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1128 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1130 /* SSLfatal() already called */
1134 sess->ext.tick_identity = id;
1136 SSL_SESSION_free(s->session);
1140 SSL_SESSION_free(sess);
1145 * Add the server's renegotiation binding
1147 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1148 unsigned int context, X509 *x,
1151 if (!s->s3->send_connection_binding)
1152 return EXT_RETURN_NOT_SENT;
1154 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1155 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1156 || !WPACKET_start_sub_packet_u16(pkt)
1157 || !WPACKET_start_sub_packet_u8(pkt)
1158 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1159 s->s3->previous_client_finished_len)
1160 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1161 s->s3->previous_server_finished_len)
1162 || !WPACKET_close(pkt)
1163 || !WPACKET_close(pkt)) {
1164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1165 ERR_R_INTERNAL_ERROR);
1166 return EXT_RETURN_FAIL;
1169 return EXT_RETURN_SENT;
1172 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1173 unsigned int context, X509 *x,
1176 if (s->hit || s->servername_done != 1
1177 || s->session->ext.hostname == NULL)
1178 return EXT_RETURN_NOT_SENT;
1180 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1181 || !WPACKET_put_bytes_u16(pkt, 0)) {
1182 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1183 ERR_R_INTERNAL_ERROR);
1184 return EXT_RETURN_FAIL;
1187 return EXT_RETURN_SENT;
1190 /* Add/include the server's max fragment len extension into ServerHello */
1191 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1192 unsigned int context, X509 *x,
1195 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1196 return EXT_RETURN_NOT_SENT;
1199 * 4 bytes for this extension type and extension length
1200 * 1 byte for the Max Fragment Length code value.
1202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1203 || !WPACKET_start_sub_packet_u16(pkt)
1204 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1205 || !WPACKET_close(pkt)) {
1206 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1207 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1208 return EXT_RETURN_FAIL;
1211 return EXT_RETURN_SENT;
1214 #ifndef OPENSSL_NO_EC
1215 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1216 unsigned int context, X509 *x,
1219 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1220 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1221 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1222 && (s->session->ext.ecpointformats != NULL);
1223 const unsigned char *plist;
1227 return EXT_RETURN_NOT_SENT;
1229 tls1_get_formatlist(s, &plist, &plistlen);
1230 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1231 || !WPACKET_start_sub_packet_u16(pkt)
1232 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1233 || !WPACKET_close(pkt)) {
1234 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1235 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1236 return EXT_RETURN_FAIL;
1239 return EXT_RETURN_SENT;
1243 #ifndef OPENSSL_NO_EC
1244 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1245 unsigned int context, X509 *x,
1248 const uint16_t *groups;
1249 size_t numgroups, i, first = 1;
1251 /* s->s3->group_id is non zero if we accepted a key_share */
1252 if (s->s3->group_id == 0)
1253 return EXT_RETURN_NOT_SENT;
1255 /* Get our list of supported groups */
1256 tls1_get_supported_groups(s, &groups, &numgroups);
1257 if (numgroups == 0) {
1258 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1259 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1260 return EXT_RETURN_FAIL;
1263 /* Copy group ID if supported */
1264 for (i = 0; i < numgroups; i++) {
1265 uint16_t group = groups[i];
1267 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1270 * Check if the client is already using our preferred group. If
1271 * so we don't need to add this extension
1273 if (s->s3->group_id == group)
1274 return EXT_RETURN_NOT_SENT;
1276 /* Add extension header */
1277 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1278 /* Sub-packet for supported_groups extension */
1279 || !WPACKET_start_sub_packet_u16(pkt)
1280 || !WPACKET_start_sub_packet_u16(pkt)) {
1281 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1282 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1283 ERR_R_INTERNAL_ERROR);
1284 return EXT_RETURN_FAIL;
1289 if (!WPACKET_put_bytes_u16(pkt, group)) {
1290 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1291 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1292 ERR_R_INTERNAL_ERROR);
1293 return EXT_RETURN_FAIL;
1298 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1299 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1300 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1301 ERR_R_INTERNAL_ERROR);
1302 return EXT_RETURN_FAIL;
1305 return EXT_RETURN_SENT;
1309 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1310 unsigned int context, X509 *x,
1313 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1314 s->ext.ticket_expected = 0;
1315 return EXT_RETURN_NOT_SENT;
1318 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1319 || !WPACKET_put_bytes_u16(pkt, 0)) {
1320 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1321 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1322 return EXT_RETURN_FAIL;
1325 return EXT_RETURN_SENT;
1328 #ifndef OPENSSL_NO_OCSP
1329 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1330 unsigned int context, X509 *x,
1333 if (!s->ext.status_expected)
1334 return EXT_RETURN_NOT_SENT;
1336 if (SSL_IS_TLS13(s) && chainidx != 0)
1337 return EXT_RETURN_NOT_SENT;
1339 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1340 || !WPACKET_start_sub_packet_u16(pkt)) {
1341 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1342 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1343 return EXT_RETURN_FAIL;
1347 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1348 * send back an empty extension, with the certificate status appearing as a
1351 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1352 /* SSLfatal() already called */
1353 return EXT_RETURN_FAIL;
1355 if (!WPACKET_close(pkt)) {
1356 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1357 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1358 return EXT_RETURN_FAIL;
1361 return EXT_RETURN_SENT;
1365 #ifndef OPENSSL_NO_NEXTPROTONEG
1366 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1367 unsigned int context, X509 *x,
1370 const unsigned char *npa;
1371 unsigned int npalen;
1373 int npn_seen = s->s3->npn_seen;
1375 s->s3->npn_seen = 0;
1376 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1377 return EXT_RETURN_NOT_SENT;
1379 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1380 s->ctx->ext.npn_advertised_cb_arg);
1381 if (ret == SSL_TLSEXT_ERR_OK) {
1382 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1383 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1384 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1385 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1386 ERR_R_INTERNAL_ERROR);
1387 return EXT_RETURN_FAIL;
1389 s->s3->npn_seen = 1;
1392 return EXT_RETURN_SENT;
1396 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1397 X509 *x, size_t chainidx)
1399 if (s->s3->alpn_selected == NULL)
1400 return EXT_RETURN_NOT_SENT;
1402 if (!WPACKET_put_bytes_u16(pkt,
1403 TLSEXT_TYPE_application_layer_protocol_negotiation)
1404 || !WPACKET_start_sub_packet_u16(pkt)
1405 || !WPACKET_start_sub_packet_u16(pkt)
1406 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1407 s->s3->alpn_selected_len)
1408 || !WPACKET_close(pkt)
1409 || !WPACKET_close(pkt)) {
1410 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1411 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1412 return EXT_RETURN_FAIL;
1415 return EXT_RETURN_SENT;
1418 #ifndef OPENSSL_NO_SRTP
1419 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1420 unsigned int context, X509 *x,
1423 if (s->srtp_profile == NULL)
1424 return EXT_RETURN_NOT_SENT;
1426 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1427 || !WPACKET_start_sub_packet_u16(pkt)
1428 || !WPACKET_put_bytes_u16(pkt, 2)
1429 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1430 || !WPACKET_put_bytes_u8(pkt, 0)
1431 || !WPACKET_close(pkt)) {
1432 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1433 ERR_R_INTERNAL_ERROR);
1434 return EXT_RETURN_FAIL;
1437 return EXT_RETURN_SENT;
1441 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1442 X509 *x, size_t chainidx)
1444 if (!s->ext.use_etm)
1445 return EXT_RETURN_NOT_SENT;
1448 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1449 * for other cases too.
1451 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1452 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1453 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1454 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1456 return EXT_RETURN_NOT_SENT;
1459 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1460 || !WPACKET_put_bytes_u16(pkt, 0)) {
1461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1462 ERR_R_INTERNAL_ERROR);
1463 return EXT_RETURN_FAIL;
1466 return EXT_RETURN_SENT;
1469 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1470 X509 *x, size_t chainidx)
1472 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1473 return EXT_RETURN_NOT_SENT;
1475 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1476 || !WPACKET_put_bytes_u16(pkt, 0)) {
1477 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1478 ERR_R_INTERNAL_ERROR);
1479 return EXT_RETURN_FAIL;
1482 return EXT_RETURN_SENT;
1485 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1486 unsigned int context, X509 *x,
1489 if (!SSL_IS_TLS13(s))
1490 return EXT_RETURN_NOT_SENT;
1492 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1493 || !WPACKET_start_sub_packet_u16(pkt)
1494 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1495 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1496 || !WPACKET_close(pkt)) {
1497 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1498 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1499 ERR_R_INTERNAL_ERROR);
1500 return EXT_RETURN_FAIL;
1503 return EXT_RETURN_SENT;
1506 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1507 unsigned int context, X509 *x,
1510 #ifndef OPENSSL_NO_TLS1_3
1511 unsigned char *encodedPoint;
1512 size_t encoded_pt_len = 0;
1513 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1515 if (s->hello_retry_request == SSL_HRR_PENDING) {
1517 /* Original key_share was acceptable so don't ask for another one */
1518 return EXT_RETURN_NOT_SENT;
1520 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1521 || !WPACKET_start_sub_packet_u16(pkt)
1522 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1523 || !WPACKET_close(pkt)) {
1524 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1525 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1526 ERR_R_INTERNAL_ERROR);
1527 return EXT_RETURN_FAIL;
1530 return EXT_RETURN_SENT;
1534 /* No key_share received from client - must be resuming */
1535 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1536 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1537 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1538 return EXT_RETURN_FAIL;
1540 return EXT_RETURN_NOT_SENT;
1543 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1544 || !WPACKET_start_sub_packet_u16(pkt)
1545 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1546 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1547 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1548 return EXT_RETURN_FAIL;
1551 skey = ssl_generate_pkey(ckey);
1553 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1554 ERR_R_MALLOC_FAILURE);
1555 return EXT_RETURN_FAIL;
1558 /* Generate encoding of server key */
1559 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1560 if (encoded_pt_len == 0) {
1561 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1563 EVP_PKEY_free(skey);
1564 return EXT_RETURN_FAIL;
1567 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1568 || !WPACKET_close(pkt)) {
1569 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1570 ERR_R_INTERNAL_ERROR);
1571 EVP_PKEY_free(skey);
1572 OPENSSL_free(encodedPoint);
1573 return EXT_RETURN_FAIL;
1575 OPENSSL_free(encodedPoint);
1577 /* This causes the crypto state to be updated based on the derived keys */
1578 s->s3->tmp.pkey = skey;
1579 if (ssl_derive(s, skey, ckey, 1) == 0) {
1580 /* SSLfatal() already called */
1581 return EXT_RETURN_FAIL;
1585 return EXT_RETURN_SENT;
1588 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1589 X509 *x, size_t chainidx)
1591 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1592 unsigned char *hmac, *hmac2;
1593 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
1594 unsigned int appcookielen;
1597 int ret = EXT_RETURN_FAIL;
1599 if (s->ctx->app_gen_cookie_cb == NULL
1600 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1601 return EXT_RETURN_NOT_SENT;
1603 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1604 || !WPACKET_start_sub_packet_u16(pkt)
1605 || !WPACKET_start_sub_packet_u16(pkt)
1606 || !WPACKET_get_total_written(pkt, &startlen)
1607 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1608 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1609 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1610 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1611 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1613 /* Is there a key_share extension present in this HRR? */
1614 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1615 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1616 || !WPACKET_start_sub_packet_u16(pkt)
1617 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1618 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1619 ERR_R_INTERNAL_ERROR);
1620 return EXT_RETURN_FAIL;
1624 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1625 * on raw buffers, so we first reserve sufficient bytes (above) and then
1626 * subsequently allocate them (below)
1628 if (!ssl3_digest_cached_records(s, 0)
1629 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1630 /* SSLfatal() already called */
1631 return EXT_RETURN_FAIL;
1634 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1635 || !ossl_assert(hashval1 == hashval2)
1636 || !WPACKET_close(pkt)
1637 || !WPACKET_start_sub_packet_u8(pkt)
1638 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1639 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1640 ERR_R_INTERNAL_ERROR);
1641 return EXT_RETURN_FAIL;
1644 /* Generate the application cookie */
1645 if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1646 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1647 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1648 return EXT_RETURN_FAIL;
1651 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1652 || !ossl_assert(appcookie1 == appcookie2)
1653 || !WPACKET_close(pkt)
1654 || !WPACKET_get_total_written(pkt, &totcookielen)
1655 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1657 ERR_R_INTERNAL_ERROR);
1658 return EXT_RETURN_FAIL;
1660 hmaclen = SHA256_DIGEST_LENGTH;
1662 totcookielen -= startlen;
1663 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1665 ERR_R_INTERNAL_ERROR);
1666 return EXT_RETURN_FAIL;
1669 /* HMAC the cookie */
1670 hctx = EVP_MD_CTX_create();
1671 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
1672 s->session_ctx->ext.cookie_hmac_key,
1673 sizeof(s->session_ctx->ext.cookie_hmac_key));
1674 if (hctx == NULL || pkey == NULL) {
1675 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1676 ERR_R_MALLOC_FAILURE);
1680 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1681 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1682 totcookielen) <= 0) {
1683 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1684 ERR_R_INTERNAL_ERROR);
1688 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1689 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1690 ERR_R_INTERNAL_ERROR);
1694 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1695 || !ossl_assert(hmac == hmac2)
1696 || !ossl_assert(cookie == hmac - totcookielen)
1697 || !WPACKET_close(pkt)
1698 || !WPACKET_close(pkt)) {
1699 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1700 ERR_R_INTERNAL_ERROR);
1704 ret = EXT_RETURN_SENT;
1707 EVP_MD_CTX_free(hctx);
1708 EVP_PKEY_free(pkey);
1712 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1713 unsigned int context, X509 *x,
1716 const unsigned char cryptopro_ext[36] = {
1717 0xfd, 0xe8, /* 65000 */
1718 0x00, 0x20, /* 32 bytes length */
1719 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1720 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1721 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1722 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1725 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1726 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1727 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1728 return EXT_RETURN_NOT_SENT;
1730 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1731 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1732 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1733 return EXT_RETURN_FAIL;
1736 return EXT_RETURN_SENT;
1739 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1740 unsigned int context, X509 *x,
1743 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1744 if (s->max_early_data == 0)
1745 return EXT_RETURN_NOT_SENT;
1747 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1748 || !WPACKET_start_sub_packet_u16(pkt)
1749 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1750 || !WPACKET_close(pkt)) {
1751 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1752 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1753 return EXT_RETURN_FAIL;
1756 return EXT_RETURN_SENT;
1759 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1760 return EXT_RETURN_NOT_SENT;
1762 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1763 || !WPACKET_start_sub_packet_u16(pkt)
1764 || !WPACKET_close(pkt)) {
1765 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1766 ERR_R_INTERNAL_ERROR);
1767 return EXT_RETURN_FAIL;
1770 return EXT_RETURN_SENT;
1773 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1774 X509 *x, size_t chainidx)
1777 return EXT_RETURN_NOT_SENT;
1779 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1780 || !WPACKET_start_sub_packet_u16(pkt)
1781 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1782 || !WPACKET_close(pkt)) {
1783 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1784 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1785 return EXT_RETURN_FAIL;
1788 return EXT_RETURN_SENT;