int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_EC
- /* See if we support any ECC ciphersuites */
+ const unsigned char *pcurves = NULL;
+ size_t num_curves = 0;
int using_ecc = 0;
- if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
+
+ /* See if we support any ECC ciphersuites */
+ if ((s->version >= TLS1_VERSION && s->version <= TLS1_2_VERSION)
+ || SSL_IS_DTLS(s)) {
int i;
unsigned long alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
break;
}
}
+ } else if (s->version >= TLS1_3_VERSION) {
+ /*
+ * TODO(TLS1.3): We always use ECC for TLSv1.3 at the moment. This will
+ * change if we implement DH key shares
+ */
+ using_ecc = 1;
+ }
+#else
+ if (s->version >= TLS1_3_VERSION) {
+ /* Shouldn't happen! */
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
}
#endif
/*
* Add TLS extension ECPointFormats to the ClientHello message
*/
- const unsigned char *pcurves, *pformats;
- size_t num_curves, num_formats;
+ const unsigned char *pformats, *pcurvestmp;
+ size_t num_formats;
size_t i;
tls1_get_formatlist(s, &pformats, &num_formats);
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return 0;
}
+ pcurvestmp = pcurves;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
/* Sub-packet for supported_groups extension */
return 0;
}
/* Copy curve ID if supported */
- for (i = 0; i < num_curves; i++, pcurves += 2) {
+ for (i = 0; i < num_curves; i++, pcurvestmp += 2) {
if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
- if (!WPACKET_put_bytes_u8(pkt, pcurves[0])
- || !WPACKET_put_bytes_u8(pkt, pcurves[1])) {
+ if (!WPACKET_put_bytes_u8(pkt, pcurvestmp[0])
+ || !WPACKET_put_bytes_u8(pkt, pcurvestmp[1])) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
ERR_R_INTERNAL_ERROR);
return 0;
return 0;
}
+ /* TLS1.3 specific extensions */
if (SSL_IS_TLS13(s)) {
int min_version, max_version, reason, currv;
+ size_t i, sharessent = 0;
+
+ /* TODO(TLS1.3): Should we add this extension for versions < TLS1.3? */
+ /* supported_versions extension */
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u8(pkt)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return 0;
}
+
+
+ /* key_share extension */
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
+ /* Extension data sub-packet */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ /* KeyShare list sub-packet */
+ || !WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ /*
+ * TODO(TLS1.3): Make the number of key_shares sent configurable. For
+ * now, just send one
+ */
+ for (i = 0; i < num_curves && sharessent < 1; i++, pcurves += 2) {
+ if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
+ unsigned char *encodedPoint = NULL;
+ unsigned int curve_id = 0;
+ EVP_PKEY *key_share_key = NULL;
+ size_t encodedlen;
+
+ if (s->s3->tmp.pkey != NULL) {
+ /* Shouldn't happen! */
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ /* Generate a key for this key_share */
+ curve_id = (pcurves[0] << 8) | pcurves[1];
+ key_share_key = ssl_generate_pkey_curve(curve_id);
+ if (key_share_key == NULL) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
+ return 0;
+ }
+
+ /* Encode the public key. */
+ encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key,
+ &encodedPoint);
+ if (encodedlen == 0) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_EC_LIB);
+ EVP_PKEY_free(key_share_key);
+ return 0;
+ }
+
+ /* Create KeyShareEntry */
+ if (!WPACKET_put_bytes_u16(pkt, curve_id)
+ || !WPACKET_sub_memcpy_u16(pkt, encodedPoint,
+ encodedlen)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+ ERR_R_INTERNAL_ERROR);
+ EVP_PKEY_free(key_share_key);
+ OPENSSL_free(encodedPoint);
+ return 0;
+ }
+
+ /*
+ * TODO(TLS1.3): When changing to send more than one key_share
+ * we're going to need to be able to save more than one EVP_PKEY
+ * For now we reuse the existing tmp.pkey
+ */
+ s->s3->group_id = curve_id;
+ s->s3->tmp.pkey = key_share_key;
+ sharessent++;
+ OPENSSL_free(encodedPoint);
+ }
+ }
+ if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
/*
}
}
#endif
+
+ if (s->version == TLS1_3_VERSION && !s->hit) {
+ unsigned char *encodedPoint;
+ size_t encoded_pt_len = 0;
+ EVP_PKEY *ckey = NULL, *skey = NULL;
+
+ ckey = s->s3->peer_tmp;
+ if (ckey == NULL) {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ skey = ssl_generate_pkey(ckey);
+
+ /* Generate encoding of server key */
+ encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
+ if (encoded_pt_len == 0) {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_EC_LIB);
+ EVP_PKEY_free(skey);
+ return 0;
+ }
+
+ if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ EVP_PKEY_free(skey);
+ OPENSSL_free(encodedPoint);
+ return 0;
+ }
+ OPENSSL_free(encodedPoint);
+
+ s->s3->tmp.pkey = skey;
+
+ if (ssl_derive(s, skey, ckey, 1) == 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+
if (!custom_ext_add(s, 1, pkt, al)) {
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
return 0;
}
#endif /* !OPENSSL_NO_EC */
+
+/*
+ * Process the supported_groups extension if present. Returns success if the
+ * extension is absent, or if it has been successfully processed.
+ *
+ * Returns
+ * 1 on success
+ * 0 on failure
+ */
+static int tls_process_supported_groups(SSL *s, CLIENTHELLO_MSG *hello)
+{
+#ifndef OPENSSL_NO_EC
+ PACKET supported_groups_list;
+ RAW_EXTENSION *suppgroups = tls_get_extension_by_type(hello->pre_proc_exts,
+ hello->num_extensions,
+ TLSEXT_TYPE_supported_groups);
+
+ if (suppgroups == NULL)
+ return 1;
+
+ /* Each group is 2 bytes and we must have at least 1. */
+ if (!PACKET_as_length_prefixed_2(&suppgroups->data,
+ &supported_groups_list)
+ || PACKET_remaining(&supported_groups_list) == 0
+ || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
+ return 0;
+ }
+
+ if (!s->hit
+ && !PACKET_memdup(&supported_groups_list,
+ &s->session->tlsext_supportedgroupslist,
+ &s->session->tlsext_supportedgroupslist_length)) {
+ return 0;
+ }
+#endif
+ return 1;
+}
+
+/*
+ * Checks a list of |groups| to determine if the |group_id| is in it. If it is
+ * and |checkallow| is 1 then additionally check if the group is allowed to be
+ * used.
+ *
+ * Returns:
+ * 1 if the group is in the list (and allowed if |checkallow| is 1)
+ * 0 otherwise
+ */
+static int check_in_list(SSL *s, unsigned int group_id,
+ const unsigned char *groups, size_t num_groups,
+ int checkallow)
+{
+ size_t i;
+
+ if (groups == NULL || num_groups == 0)
+ return 0;
+
+ for (i = 0; i < num_groups; i++, groups += 2) {
+ unsigned int share_id = (groups[0] << 8) | (groups[1]);
+ if (group_id == share_id
+ && (!checkallow || tls_curve_allowed(s, groups,
+ SSL_SECOP_CURVE_CHECK))) {
+ break;
+ }
+ }
+
+ if (i == num_groups) {
+ /* Not in list */
+ return 0;
+ }
+
+ return 1;
+}
+
/*
* Loop through all remaining ClientHello extensions that we collected earlier
* and haven't already processed. For each one parse it and update the SSL
s->srtp_profile = NULL;
+ /*
+ * We process the supported_groups extension first so that is done before
+ * we get to key_share which needs to use the information in it.
+ */
+ if (!tls_process_supported_groups(s, hello)) {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+
/*
* We parse all extensions to ensure the ClientHello is well-formed but,
* unless an extension specifies otherwise, we ignore extensions upon
return 0;
}
}
- } else if (currext->type == TLSEXT_TYPE_supported_groups) {
- PACKET supported_groups_list;
-
- /* Each group is 2 bytes and we must have at least 1. */
- if (!PACKET_as_length_prefixed_2(&currext->data,
- &supported_groups_list)
- || PACKET_remaining(&supported_groups_list) == 0
- || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
- return 0;
- }
-
- if (!s->hit) {
- if (!PACKET_memdup(&supported_groups_list,
- &s->session->tlsext_supportedgroupslist,
- &s->
- session->tlsext_supportedgroupslist_length)) {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
- }
- }
}
#endif /* OPENSSL_NO_EC */
else if (currext->type == TLSEXT_TYPE_session_ticket) {
}
#endif
else if (currext->type == TLSEXT_TYPE_encrypt_then_mac
- && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
+ && !(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) {
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ } else if (currext->type == TLSEXT_TYPE_key_share
+ && s->version == TLS1_3_VERSION && !s->hit) {
+ unsigned int group_id;
+ PACKET key_share_list, encoded_pt;
+ const unsigned char *curves;
+ size_t num_curves;
+ int group_nid;
+ unsigned int curve_flags;
+
+ /* Sanity check */
+ if (s->s3->peer_tmp != NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ if (!PACKET_as_length_prefixed_2(&currext->data, &key_share_list)) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ while (PACKET_remaining(&key_share_list) > 0) {
+ if (!PACKET_get_net_2(&key_share_list, &group_id)
+ || !PACKET_get_length_prefixed_2(&key_share_list,
+ &encoded_pt)) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ /* Check this share is in supported_groups */
+ if (!tls1_get_curvelist(s, 1, &curves, &num_curves)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (!check_in_list(s, group_id, curves, num_curves, 0)) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+ SSL_R_BAD_KEY_SHARE);
+ return 0;
+ }
+
+ /* Find a share that we can use */
+ if (!tls1_get_curvelist(s, 0, &curves, &num_curves)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (!check_in_list(s, group_id, curves, num_curves, 1)) {
+ /* Share not suitable */
+ continue;
+ }
+
+ group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
+
+ if (group_nid == 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
+ SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
+ return 0;
+ }
+
+ if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
+ /* Can happen for some curves, e.g. X25519 */
+ EVP_PKEY *key = EVP_PKEY_new();
+
+ if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
+ EVP_PKEY_free(key);
+ return 0;
+ }
+ s->s3->peer_tmp = key;
+ } else {
+ /* Set up EVP_PKEY with named curve as parameters */
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
+ if (pctx == NULL
+ || EVP_PKEY_paramgen_init(pctx) <= 0
+ || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
+ group_nid) <= 0
+ || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, ERR_R_EVP_LIB);
+ EVP_PKEY_CTX_free(pctx);
+ return 0;
+ }
+ EVP_PKEY_CTX_free(pctx);
+ pctx = NULL;
+ }
+ s->s3->group_id = group_id;
+
+ if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
+ PACKET_data(&encoded_pt),
+ PACKET_remaining(&encoded_pt))) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, SSL_R_BAD_ECPOINT);
+ return 0;
+ }
+ }
+ }
/*
* Note: extended master secret extension handled in
* tls_check_client_ems_support()
s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
- } else if (type == TLSEXT_TYPE_extended_master_secret) {
+ } else if (type == TLSEXT_TYPE_extended_master_secret &&
+ (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION)) {
s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
if (!s->hit)
s->session->flags |= SSL_SESS_FLAG_EXTMS;
- }
+ } else if (type == TLSEXT_TYPE_key_share
+ && s->version == TLS1_3_VERSION) {
+ unsigned int group_id;
+ PACKET encoded_pt;
+ EVP_PKEY *ckey = s->s3->tmp.pkey, *skey = NULL;
+
+ /* Sanity check */
+ if (ckey == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ if (!PACKET_get_net_2(&spkt, &group_id)) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ if (group_id != s->s3->group_id) {
+ /*
+ * This isn't for the group that we sent in the original
+ * key_share!
+ */
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
+ SSL_R_BAD_KEY_SHARE);
+ return 0;
+ }
+
+ skey = ssl_generate_pkey(ckey);
+
+ if (!PACKET_as_length_prefixed_2(&spkt, &encoded_pt)) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
+ SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+
+ if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt),
+ PACKET_remaining(&encoded_pt))) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, SSL_R_BAD_ECPOINT);
+ return 0;
+ }
+
+ if (ssl_derive(s, ckey, skey, 1) == 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ EVP_PKEY_free(skey);
+ return 0;
+ }
+ EVP_PKEY_free(skey);
/*
* If this extension type was not otherwise handled, but matches a
* custom_cli_ext_record, then send it to the c callback
*/
- else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
+ } else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
return 0;
}
/*
* Sets the extended master secret flag if the extension is present in the
- * ClientHello
+ * ClientHello and we can support it
* Returns:
* 1 on success
* 0 on error
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
- if (s->version <= SSL3_VERSION)
+ if (!SSL_IS_DTLS(s) && (s->version < TLS1_VERSION
+ || s->version > TLS1_2_VERSION))
return 1;
emsext = tls_get_extension_by_type(hello->pre_proc_exts,