| 1 | /* |
|---|---|
| 2 | * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include <openssl/ocsp.h> |
| 11 | #include "../ssl_local.h" |
| 12 | #include "internal/cryptlib.h" |
| 13 | #include "statem_local.h" |
| 14 | |
| 15 | EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, |
| 16 | unsigned int context, X509 *x, |
| 17 | size_t chainidx) |
| 18 | { |
| 19 | /* Add RI if renegotiating */ |
| 20 | if (!s->renegotiate) |
| 21 | return EXT_RETURN_NOT_SENT; |
| 22 | |
| 23 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) |
| 24 | || !WPACKET_start_sub_packet_u16(pkt) |
| 25 | || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, |
| 26 | s->s3.previous_client_finished_len) |
| 27 | || !WPACKET_close(pkt)) { |
| 28 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_RENEGOTIATE, |
| 29 | ERR_R_INTERNAL_ERROR); |
| 30 | return EXT_RETURN_FAIL; |
| 31 | } |
| 32 | |
| 33 | return EXT_RETURN_SENT; |
| 34 | } |
| 35 | |
| 36 | EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, |
| 37 | unsigned int context, X509 *x, |
| 38 | size_t chainidx) |
| 39 | { |
| 40 | if (s->ext.hostname == NULL) |
| 41 | return EXT_RETURN_NOT_SENT; |
| 42 | |
| 43 | /* Add TLS extension servername to the Client Hello message */ |
| 44 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) |
| 45 | /* Sub-packet for server_name extension */ |
| 46 | || !WPACKET_start_sub_packet_u16(pkt) |
| 47 | /* Sub-packet for servername list (always 1 hostname)*/ |
| 48 | || !WPACKET_start_sub_packet_u16(pkt) |
| 49 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) |
| 50 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, |
| 51 | strlen(s->ext.hostname)) |
| 52 | || !WPACKET_close(pkt) |
| 53 | || !WPACKET_close(pkt)) { |
| 54 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, |
| 55 | ERR_R_INTERNAL_ERROR); |
| 56 | return EXT_RETURN_FAIL; |
| 57 | } |
| 58 | |
| 59 | return EXT_RETURN_SENT; |
| 60 | } |
| 61 | |
| 62 | /* Push a Max Fragment Len extension into ClientHello */ |
| 63 | EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt, |
| 64 | unsigned int context, X509 *x, |
| 65 | size_t chainidx) |
| 66 | { |
| 67 | if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) |
| 68 | return EXT_RETURN_NOT_SENT; |
| 69 | |
| 70 | /* Add Max Fragment Length extension if client enabled it. */ |
| 71 | /*- |
| 72 | * 4 bytes for this extension type and extension length |
| 73 | * 1 byte for the Max Fragment Length code value. |
| 74 | */ |
| 75 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) |
| 76 | /* Sub-packet for Max Fragment Length extension (1 byte) */ |
| 77 | || !WPACKET_start_sub_packet_u16(pkt) |
| 78 | || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) |
| 79 | || !WPACKET_close(pkt)) { |
| 80 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 81 | SSL_F_TLS_CONSTRUCT_CTOS_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR); |
| 82 | return EXT_RETURN_FAIL; |
| 83 | } |
| 84 | |
| 85 | return EXT_RETURN_SENT; |
| 86 | } |
| 87 | |
| 88 | #ifndef OPENSSL_NO_SRP |
| 89 | EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, |
| 90 | X509 *x, size_t chainidx) |
| 91 | { |
| 92 | /* Add SRP username if there is one */ |
| 93 | if (s->srp_ctx.login == NULL) |
| 94 | return EXT_RETURN_NOT_SENT; |
| 95 | |
| 96 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) |
| 97 | /* Sub-packet for SRP extension */ |
| 98 | || !WPACKET_start_sub_packet_u16(pkt) |
| 99 | || !WPACKET_start_sub_packet_u8(pkt) |
| 100 | /* login must not be zero...internal error if so */ |
| 101 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) |
| 102 | || !WPACKET_memcpy(pkt, s->srp_ctx.login, |
| 103 | strlen(s->srp_ctx.login)) |
| 104 | || !WPACKET_close(pkt) |
| 105 | || !WPACKET_close(pkt)) { |
| 106 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SRP, |
| 107 | ERR_R_INTERNAL_ERROR); |
| 108 | return EXT_RETURN_FAIL; |
| 109 | } |
| 110 | |
| 111 | return EXT_RETURN_SENT; |
| 112 | } |
| 113 | #endif |
| 114 | |
| 115 | #ifndef OPENSSL_NO_EC |
| 116 | static int use_ecc(SSL *s, int max_version) |
| 117 | { |
| 118 | int i, end, ret = 0; |
| 119 | unsigned long alg_k, alg_a; |
| 120 | STACK_OF(SSL_CIPHER) *cipher_stack = NULL; |
| 121 | const uint16_t *pgroups = NULL; |
| 122 | size_t num_groups, j; |
| 123 | |
| 124 | /* See if we support any ECC ciphersuites */ |
| 125 | if (s->version == SSL3_VERSION) |
| 126 | return 0; |
| 127 | |
| 128 | cipher_stack = SSL_get1_supported_ciphers(s); |
| 129 | end = sk_SSL_CIPHER_num(cipher_stack); |
| 130 | for (i = 0; i < end; i++) { |
| 131 | const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); |
| 132 | |
| 133 | alg_k = c->algorithm_mkey; |
| 134 | alg_a = c->algorithm_auth; |
| 135 | if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) |
| 136 | || (alg_a & SSL_aECDSA) |
| 137 | || c->min_tls >= TLS1_3_VERSION) { |
| 138 | ret = 1; |
| 139 | break; |
| 140 | } |
| 141 | } |
| 142 | sk_SSL_CIPHER_free(cipher_stack); |
| 143 | if (!ret) |
| 144 | return 0; |
| 145 | |
| 146 | /* Check we have at least one EC supported group */ |
| 147 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
| 148 | for (j = 0; j < num_groups; j++) { |
| 149 | uint16_t ctmp = pgroups[j]; |
| 150 | |
| 151 | if (tls_valid_group(s, ctmp, max_version) |
| 152 | && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) |
| 153 | return 1; |
| 154 | } |
| 155 | |
| 156 | return 0; |
| 157 | } |
| 158 | |
| 159 | EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, |
| 160 | unsigned int context, X509 *x, |
| 161 | size_t chainidx) |
| 162 | { |
| 163 | const unsigned char *pformats; |
| 164 | size_t num_formats; |
| 165 | int reason, min_version, max_version; |
| 166 | |
| 167 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); |
| 168 | if (reason != 0) { |
| 169 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 170 | SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason); |
| 171 | return EXT_RETURN_FAIL; |
| 172 | } |
| 173 | if (!use_ecc(s, max_version)) |
| 174 | return EXT_RETURN_NOT_SENT; |
| 175 | |
| 176 | /* Add TLS extension ECPointFormats to the ClientHello message */ |
| 177 | tls1_get_formatlist(s, &pformats, &num_formats); |
| 178 | |
| 179 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) |
| 180 | /* Sub-packet for formats extension */ |
| 181 | || !WPACKET_start_sub_packet_u16(pkt) |
| 182 | || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) |
| 183 | || !WPACKET_close(pkt)) { |
| 184 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 185 | SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); |
| 186 | return EXT_RETURN_FAIL; |
| 187 | } |
| 188 | |
| 189 | return EXT_RETURN_SENT; |
| 190 | } |
| 191 | #endif |
| 192 | |
| 193 | #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) |
| 194 | EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, |
| 195 | unsigned int context, X509 *x, |
| 196 | size_t chainidx) |
| 197 | { |
| 198 | const uint16_t *pgroups = NULL; |
| 199 | size_t num_groups = 0, i; |
| 200 | int min_version, max_version, reason; |
| 201 | |
| 202 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); |
| 203 | if (reason != 0) { |
| 204 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 205 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, reason); |
| 206 | return EXT_RETURN_FAIL; |
| 207 | } |
| 208 | |
| 209 | #if defined(OPENSSL_NO_EC) |
| 210 | if (max_version < TLS1_3_VERSION) |
| 211 | return EXT_RETURN_NOT_SENT; |
| 212 | #else |
| 213 | if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION) |
| 214 | return EXT_RETURN_NOT_SENT; |
| 215 | #endif |
| 216 | |
| 217 | /* |
| 218 | * Add TLS extension supported_groups to the ClientHello message |
| 219 | */ |
| 220 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
| 221 | |
| 222 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) |
| 223 | /* Sub-packet for supported_groups extension */ |
| 224 | || !WPACKET_start_sub_packet_u16(pkt) |
| 225 | || !WPACKET_start_sub_packet_u16(pkt) |
| 226 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { |
| 227 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 228 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
| 229 | ERR_R_INTERNAL_ERROR); |
| 230 | return EXT_RETURN_FAIL; |
| 231 | } |
| 232 | /* Copy group ID if supported */ |
| 233 | for (i = 0; i < num_groups; i++) { |
| 234 | uint16_t ctmp = pgroups[i]; |
| 235 | |
| 236 | if (tls_valid_group(s, ctmp, max_version) |
| 237 | && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { |
| 238 | if (!WPACKET_put_bytes_u16(pkt, ctmp)) { |
| 239 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 240 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
| 241 | ERR_R_INTERNAL_ERROR); |
| 242 | return EXT_RETURN_FAIL; |
| 243 | } |
| 244 | } |
| 245 | } |
| 246 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { |
| 247 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 248 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, |
| 249 | ERR_R_INTERNAL_ERROR); |
| 250 | return EXT_RETURN_FAIL; |
| 251 | } |
| 252 | |
| 253 | return EXT_RETURN_SENT; |
| 254 | } |
| 255 | #endif |
| 256 | |
| 257 | EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, |
| 258 | unsigned int context, X509 *x, |
| 259 | size_t chainidx) |
| 260 | { |
| 261 | size_t ticklen; |
| 262 | |
| 263 | if (!tls_use_ticket(s)) |
| 264 | return EXT_RETURN_NOT_SENT; |
| 265 | |
| 266 | if (!s->new_session && s->session != NULL |
| 267 | && s->session->ext.tick != NULL |
| 268 | && s->session->ssl_version != TLS1_3_VERSION) { |
| 269 | ticklen = s->session->ext.ticklen; |
| 270 | } else if (s->session && s->ext.session_ticket != NULL |
| 271 | && s->ext.session_ticket->data != NULL) { |
| 272 | ticklen = s->ext.session_ticket->length; |
| 273 | s->session->ext.tick = OPENSSL_malloc(ticklen); |
| 274 | if (s->session->ext.tick == NULL) { |
| 275 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 276 | SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, |
| 277 | ERR_R_INTERNAL_ERROR); |
| 278 | return EXT_RETURN_FAIL; |
| 279 | } |
| 280 | memcpy(s->session->ext.tick, |
| 281 | s->ext.session_ticket->data, ticklen); |
| 282 | s->session->ext.ticklen = ticklen; |
| 283 | } else { |
| 284 | ticklen = 0; |
| 285 | } |
| 286 | |
| 287 | if (ticklen == 0 && s->ext.session_ticket != NULL && |
| 288 | s->ext.session_ticket->data == NULL) |
| 289 | return EXT_RETURN_NOT_SENT; |
| 290 | |
| 291 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) |
| 292 | || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { |
| 293 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 294 | SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR); |
| 295 | return EXT_RETURN_FAIL; |
| 296 | } |
| 297 | |
| 298 | return EXT_RETURN_SENT; |
| 299 | } |
| 300 | |
| 301 | EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, |
| 302 | unsigned int context, X509 *x, |
| 303 | size_t chainidx) |
| 304 | { |
| 305 | size_t salglen; |
| 306 | const uint16_t *salg; |
| 307 | |
| 308 | if (!SSL_CLIENT_USE_SIGALGS(s)) |
| 309 | return EXT_RETURN_NOT_SENT; |
| 310 | |
| 311 | salglen = tls12_get_psigalgs(s, 1, &salg); |
| 312 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) |
| 313 | /* Sub-packet for sig-algs extension */ |
| 314 | || !WPACKET_start_sub_packet_u16(pkt) |
| 315 | /* Sub-packet for the actual list */ |
| 316 | || !WPACKET_start_sub_packet_u16(pkt) |
| 317 | || !tls12_copy_sigalgs(s, pkt, salg, salglen) |
| 318 | || !WPACKET_close(pkt) |
| 319 | || !WPACKET_close(pkt)) { |
| 320 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SIG_ALGS, |
| 321 | ERR_R_INTERNAL_ERROR); |
| 322 | return EXT_RETURN_FAIL; |
| 323 | } |
| 324 | |
| 325 | return EXT_RETURN_SENT; |
| 326 | } |
| 327 | |
| 328 | #ifndef OPENSSL_NO_OCSP |
| 329 | EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, |
| 330 | unsigned int context, X509 *x, |
| 331 | size_t chainidx) |
| 332 | { |
| 333 | int i; |
| 334 | |
| 335 | /* This extension isn't defined for client Certificates */ |
| 336 | if (x != NULL) |
| 337 | return EXT_RETURN_NOT_SENT; |
| 338 | |
| 339 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) |
| 340 | return EXT_RETURN_NOT_SENT; |
| 341 | |
| 342 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) |
| 343 | /* Sub-packet for status request extension */ |
| 344 | || !WPACKET_start_sub_packet_u16(pkt) |
| 345 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) |
| 346 | /* Sub-packet for the ids */ |
| 347 | || !WPACKET_start_sub_packet_u16(pkt)) { |
| 348 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 349 | SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); |
| 350 | return EXT_RETURN_FAIL; |
| 351 | } |
| 352 | for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { |
| 353 | unsigned char *idbytes; |
| 354 | OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); |
| 355 | int idlen = i2d_OCSP_RESPID(id, NULL); |
| 356 | |
| 357 | if (idlen <= 0 |
| 358 | /* Sub-packet for an individual id */ |
| 359 | || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) |
| 360 | || i2d_OCSP_RESPID(id, &idbytes) != idlen) { |
| 361 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 362 | SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, |
| 363 | ERR_R_INTERNAL_ERROR); |
| 364 | return EXT_RETURN_FAIL; |
| 365 | } |
| 366 | } |
| 367 | if (!WPACKET_close(pkt) |
| 368 | || !WPACKET_start_sub_packet_u16(pkt)) { |
| 369 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 370 | SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); |
| 371 | return EXT_RETURN_FAIL; |
| 372 | } |
| 373 | if (s->ext.ocsp.exts) { |
| 374 | unsigned char *extbytes; |
| 375 | int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); |
| 376 | |
| 377 | if (extlen < 0) { |
| 378 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 379 | SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, |
| 380 | ERR_R_INTERNAL_ERROR); |
| 381 | return EXT_RETURN_FAIL; |
| 382 | } |
| 383 | if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) |
| 384 | || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) |
| 385 | != extlen) { |
| 386 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 387 | SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, |
| 388 | ERR_R_INTERNAL_ERROR); |
| 389 | return EXT_RETURN_FAIL; |
| 390 | } |
| 391 | } |
| 392 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { |
| 393 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 394 | SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR); |
| 395 | return EXT_RETURN_FAIL; |
| 396 | } |
| 397 | |
| 398 | return EXT_RETURN_SENT; |
| 399 | } |
| 400 | #endif |
| 401 | |
| 402 | #ifndef OPENSSL_NO_NEXTPROTONEG |
| 403 | EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, |
| 404 | X509 *x, size_t chainidx) |
| 405 | { |
| 406 | if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) |
| 407 | return EXT_RETURN_NOT_SENT; |
| 408 | |
| 409 | /* |
| 410 | * The client advertises an empty extension to indicate its support |
| 411 | * for Next Protocol Negotiation |
| 412 | */ |
| 413 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) |
| 414 | || !WPACKET_put_bytes_u16(pkt, 0)) { |
| 415 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_NPN, |
| 416 | ERR_R_INTERNAL_ERROR); |
| 417 | return EXT_RETURN_FAIL; |
| 418 | } |
| 419 | |
| 420 | return EXT_RETURN_SENT; |
| 421 | } |
| 422 | #endif |
| 423 | |
| 424 | EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, |
| 425 | X509 *x, size_t chainidx) |
| 426 | { |
| 427 | s->s3.alpn_sent = 0; |
| 428 | |
| 429 | if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) |
| 430 | return EXT_RETURN_NOT_SENT; |
| 431 | |
| 432 | if (!WPACKET_put_bytes_u16(pkt, |
| 433 | TLSEXT_TYPE_application_layer_protocol_negotiation) |
| 434 | /* Sub-packet ALPN extension */ |
| 435 | || !WPACKET_start_sub_packet_u16(pkt) |
| 436 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) |
| 437 | || !WPACKET_close(pkt)) { |
| 438 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ALPN, |
| 439 | ERR_R_INTERNAL_ERROR); |
| 440 | return EXT_RETURN_FAIL; |
| 441 | } |
| 442 | s->s3.alpn_sent = 1; |
| 443 | |
| 444 | return EXT_RETURN_SENT; |
| 445 | } |
| 446 | |
| 447 | |
| 448 | #ifndef OPENSSL_NO_SRTP |
| 449 | EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, |
| 450 | unsigned int context, X509 *x, |
| 451 | size_t chainidx) |
| 452 | { |
| 453 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s); |
| 454 | int i, end; |
| 455 | |
| 456 | if (clnt == NULL) |
| 457 | return EXT_RETURN_NOT_SENT; |
| 458 | |
| 459 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) |
| 460 | /* Sub-packet for SRTP extension */ |
| 461 | || !WPACKET_start_sub_packet_u16(pkt) |
| 462 | /* Sub-packet for the protection profile list */ |
| 463 | || !WPACKET_start_sub_packet_u16(pkt)) { |
| 464 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, |
| 465 | ERR_R_INTERNAL_ERROR); |
| 466 | return EXT_RETURN_FAIL; |
| 467 | } |
| 468 | |
| 469 | end = sk_SRTP_PROTECTION_PROFILE_num(clnt); |
| 470 | for (i = 0; i < end; i++) { |
| 471 | const SRTP_PROTECTION_PROFILE *prof = |
| 472 | sk_SRTP_PROTECTION_PROFILE_value(clnt, i); |
| 473 | |
| 474 | if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { |
| 475 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 476 | SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, ERR_R_INTERNAL_ERROR); |
| 477 | return EXT_RETURN_FAIL; |
| 478 | } |
| 479 | } |
| 480 | if (!WPACKET_close(pkt) |
| 481 | /* Add an empty use_mki value */ |
| 482 | || !WPACKET_put_bytes_u8(pkt, 0) |
| 483 | || !WPACKET_close(pkt)) { |
| 484 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_USE_SRTP, |
| 485 | ERR_R_INTERNAL_ERROR); |
| 486 | return EXT_RETURN_FAIL; |
| 487 | } |
| 488 | |
| 489 | return EXT_RETURN_SENT; |
| 490 | } |
| 491 | #endif |
| 492 | |
| 493 | EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, |
| 494 | X509 *x, size_t chainidx) |
| 495 | { |
| 496 | if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) |
| 497 | return EXT_RETURN_NOT_SENT; |
| 498 | |
| 499 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) |
| 500 | || !WPACKET_put_bytes_u16(pkt, 0)) { |
| 501 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_ETM, |
| 502 | ERR_R_INTERNAL_ERROR); |
| 503 | return EXT_RETURN_FAIL; |
| 504 | } |
| 505 | |
| 506 | return EXT_RETURN_SENT; |
| 507 | } |
| 508 | |
| 509 | #ifndef OPENSSL_NO_CT |
| 510 | EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, |
| 511 | X509 *x, size_t chainidx) |
| 512 | { |
| 513 | if (s->ct_validation_callback == NULL) |
| 514 | return EXT_RETURN_NOT_SENT; |
| 515 | |
| 516 | /* Not defined for client Certificates */ |
| 517 | if (x != NULL) |
| 518 | return EXT_RETURN_NOT_SENT; |
| 519 | |
| 520 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) |
| 521 | || !WPACKET_put_bytes_u16(pkt, 0)) { |
| 522 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SCT, |
| 523 | ERR_R_INTERNAL_ERROR); |
| 524 | return EXT_RETURN_FAIL; |
| 525 | } |
| 526 | |
| 527 | return EXT_RETURN_SENT; |
| 528 | } |
| 529 | #endif |
| 530 | |
| 531 | EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, |
| 532 | X509 *x, size_t chainidx) |
| 533 | { |
| 534 | if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) |
| 535 | return EXT_RETURN_NOT_SENT; |
| 536 | |
| 537 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) |
| 538 | || !WPACKET_put_bytes_u16(pkt, 0)) { |
| 539 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EMS, |
| 540 | ERR_R_INTERNAL_ERROR); |
| 541 | return EXT_RETURN_FAIL; |
| 542 | } |
| 543 | |
| 544 | return EXT_RETURN_SENT; |
| 545 | } |
| 546 | |
| 547 | EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt, |
| 548 | unsigned int context, X509 *x, |
| 549 | size_t chainidx) |
| 550 | { |
| 551 | int currv, min_version, max_version, reason; |
| 552 | |
| 553 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); |
| 554 | if (reason != 0) { |
| 555 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 556 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason); |
| 557 | return EXT_RETURN_FAIL; |
| 558 | } |
| 559 | |
| 560 | /* |
| 561 | * Don't include this if we can't negotiate TLSv1.3. We can do a straight |
| 562 | * comparison here because we will never be called in DTLS. |
| 563 | */ |
| 564 | if (max_version < TLS1_3_VERSION) |
| 565 | return EXT_RETURN_NOT_SENT; |
| 566 | |
| 567 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) |
| 568 | || !WPACKET_start_sub_packet_u16(pkt) |
| 569 | || !WPACKET_start_sub_packet_u8(pkt)) { |
| 570 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 571 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
| 572 | ERR_R_INTERNAL_ERROR); |
| 573 | return EXT_RETURN_FAIL; |
| 574 | } |
| 575 | |
| 576 | for (currv = max_version; currv >= min_version; currv--) { |
| 577 | if (!WPACKET_put_bytes_u16(pkt, currv)) { |
| 578 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 579 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
| 580 | ERR_R_INTERNAL_ERROR); |
| 581 | return EXT_RETURN_FAIL; |
| 582 | } |
| 583 | } |
| 584 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { |
| 585 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 586 | SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, |
| 587 | ERR_R_INTERNAL_ERROR); |
| 588 | return EXT_RETURN_FAIL; |
| 589 | } |
| 590 | |
| 591 | return EXT_RETURN_SENT; |
| 592 | } |
| 593 | |
| 594 | /* |
| 595 | * Construct a psk_kex_modes extension. |
| 596 | */ |
| 597 | EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, |
| 598 | unsigned int context, X509 *x, |
| 599 | size_t chainidx) |
| 600 | { |
| 601 | #ifndef OPENSSL_NO_TLS1_3 |
| 602 | int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; |
| 603 | |
| 604 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) |
| 605 | || !WPACKET_start_sub_packet_u16(pkt) |
| 606 | || !WPACKET_start_sub_packet_u8(pkt) |
| 607 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) |
| 608 | || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) |
| 609 | || !WPACKET_close(pkt) |
| 610 | || !WPACKET_close(pkt)) { |
| 611 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 612 | SSL_F_TLS_CONSTRUCT_CTOS_PSK_KEX_MODES, ERR_R_INTERNAL_ERROR); |
| 613 | return EXT_RETURN_FAIL; |
| 614 | } |
| 615 | |
| 616 | s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; |
| 617 | if (nodhe) |
| 618 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; |
| 619 | #endif |
| 620 | |
| 621 | return EXT_RETURN_SENT; |
| 622 | } |
| 623 | |
| 624 | #ifndef OPENSSL_NO_TLS1_3 |
| 625 | static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id) |
| 626 | { |
| 627 | unsigned char *encoded_point = NULL; |
| 628 | EVP_PKEY *key_share_key = NULL; |
| 629 | size_t encodedlen; |
| 630 | |
| 631 | if (s->s3.tmp.pkey != NULL) { |
| 632 | if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) { |
| 633 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, |
| 634 | ERR_R_INTERNAL_ERROR); |
| 635 | return 0; |
| 636 | } |
| 637 | /* |
| 638 | * Could happen if we got an HRR that wasn't requesting a new key_share |
| 639 | */ |
| 640 | key_share_key = s->s3.tmp.pkey; |
| 641 | } else { |
| 642 | key_share_key = ssl_generate_pkey_group(s, curve_id); |
| 643 | if (key_share_key == NULL) { |
| 644 | /* SSLfatal() already called */ |
| 645 | return 0; |
| 646 | } |
| 647 | } |
| 648 | |
| 649 | /* Encode the public key. */ |
| 650 | encodedlen = EVP_PKEY_get1_tls_encodedpoint(key_share_key, |
| 651 | &encoded_point); |
| 652 | if (encodedlen == 0) { |
| 653 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, ERR_R_EC_LIB); |
| 654 | goto err; |
| 655 | } |
| 656 | |
| 657 | /* Create KeyShareEntry */ |
| 658 | if (!WPACKET_put_bytes_u16(pkt, curve_id) |
| 659 | || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { |
| 660 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_ADD_KEY_SHARE, |
| 661 | ERR_R_INTERNAL_ERROR); |
| 662 | goto err; |
| 663 | } |
| 664 | |
| 665 | /* |
| 666 | * TODO(TLS1.3): When changing to send more than one key_share we're |
| 667 | * going to need to be able to save more than one EVP_PKEY. For now |
| 668 | * we reuse the existing tmp.pkey |
| 669 | */ |
| 670 | s->s3.tmp.pkey = key_share_key; |
| 671 | s->s3.group_id = curve_id; |
| 672 | OPENSSL_free(encoded_point); |
| 673 | |
| 674 | return 1; |
| 675 | err: |
| 676 | if (s->s3.tmp.pkey == NULL) |
| 677 | EVP_PKEY_free(key_share_key); |
| 678 | OPENSSL_free(encoded_point); |
| 679 | return 0; |
| 680 | } |
| 681 | #endif |
| 682 | |
| 683 | EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, |
| 684 | unsigned int context, X509 *x, |
| 685 | size_t chainidx) |
| 686 | { |
| 687 | #ifndef OPENSSL_NO_TLS1_3 |
| 688 | size_t i, num_groups = 0; |
| 689 | const uint16_t *pgroups = NULL; |
| 690 | uint16_t curve_id = 0; |
| 691 | |
| 692 | /* key_share extension */ |
| 693 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) |
| 694 | /* Extension data sub-packet */ |
| 695 | || !WPACKET_start_sub_packet_u16(pkt) |
| 696 | /* KeyShare list sub-packet */ |
| 697 | || !WPACKET_start_sub_packet_u16(pkt)) { |
| 698 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, |
| 699 | ERR_R_INTERNAL_ERROR); |
| 700 | return EXT_RETURN_FAIL; |
| 701 | } |
| 702 | |
| 703 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
| 704 | |
| 705 | /* |
| 706 | * TODO(TLS1.3): Make the number of key_shares sent configurable. For |
| 707 | * now, just send one |
| 708 | */ |
| 709 | if (s->s3.group_id != 0) { |
| 710 | curve_id = s->s3.group_id; |
| 711 | } else { |
| 712 | for (i = 0; i < num_groups; i++) { |
| 713 | |
| 714 | if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) |
| 715 | continue; |
| 716 | |
| 717 | curve_id = pgroups[i]; |
| 718 | break; |
| 719 | } |
| 720 | } |
| 721 | |
| 722 | if (curve_id == 0) { |
| 723 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, |
| 724 | SSL_R_NO_SUITABLE_KEY_SHARE); |
| 725 | return EXT_RETURN_FAIL; |
| 726 | } |
| 727 | |
| 728 | if (!add_key_share(s, pkt, curve_id)) { |
| 729 | /* SSLfatal() already called */ |
| 730 | return EXT_RETURN_FAIL; |
| 731 | } |
| 732 | |
| 733 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { |
| 734 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, |
| 735 | ERR_R_INTERNAL_ERROR); |
| 736 | return EXT_RETURN_FAIL; |
| 737 | } |
| 738 | return EXT_RETURN_SENT; |
| 739 | #else |
| 740 | return EXT_RETURN_NOT_SENT; |
| 741 | #endif |
| 742 | } |
| 743 | |
| 744 | EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context, |
| 745 | X509 *x, size_t chainidx) |
| 746 | { |
| 747 | EXT_RETURN ret = EXT_RETURN_FAIL; |
| 748 | |
| 749 | /* Should only be set if we've had an HRR */ |
| 750 | if (s->ext.tls13_cookie_len == 0) |
| 751 | return EXT_RETURN_NOT_SENT; |
| 752 | |
| 753 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) |
| 754 | /* Extension data sub-packet */ |
| 755 | || !WPACKET_start_sub_packet_u16(pkt) |
| 756 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, |
| 757 | s->ext.tls13_cookie_len) |
| 758 | || !WPACKET_close(pkt)) { |
| 759 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_COOKIE, |
| 760 | ERR_R_INTERNAL_ERROR); |
| 761 | goto end; |
| 762 | } |
| 763 | |
| 764 | ret = EXT_RETURN_SENT; |
| 765 | end: |
| 766 | OPENSSL_free(s->ext.tls13_cookie); |
| 767 | s->ext.tls13_cookie = NULL; |
| 768 | s->ext.tls13_cookie_len = 0; |
| 769 | |
| 770 | return ret; |
| 771 | } |
| 772 | |
| 773 | EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, |
| 774 | unsigned int context, X509 *x, |
| 775 | size_t chainidx) |
| 776 | { |
| 777 | #ifndef OPENSSL_NO_PSK |
| 778 | char identity[PSK_MAX_IDENTITY_LEN + 1]; |
| 779 | #endif /* OPENSSL_NO_PSK */ |
| 780 | const unsigned char *id = NULL; |
| 781 | size_t idlen = 0; |
| 782 | SSL_SESSION *psksess = NULL; |
| 783 | SSL_SESSION *edsess = NULL; |
| 784 | const EVP_MD *handmd = NULL; |
| 785 | |
| 786 | if (s->hello_retry_request == SSL_HRR_PENDING) |
| 787 | handmd = ssl_handshake_md(s); |
| 788 | |
| 789 | if (s->psk_use_session_cb != NULL |
| 790 | && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess) |
| 791 | || (psksess != NULL |
| 792 | && psksess->ssl_version != TLS1_3_VERSION))) { |
| 793 | SSL_SESSION_free(psksess); |
| 794 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 795 | SSL_R_BAD_PSK); |
| 796 | return EXT_RETURN_FAIL; |
| 797 | } |
| 798 | |
| 799 | #ifndef OPENSSL_NO_PSK |
| 800 | if (psksess == NULL && s->psk_client_callback != NULL) { |
| 801 | unsigned char psk[PSK_MAX_PSK_LEN]; |
| 802 | size_t psklen = 0; |
| 803 | |
| 804 | memset(identity, 0, sizeof(identity)); |
| 805 | psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1, |
| 806 | psk, sizeof(psk)); |
| 807 | |
| 808 | if (psklen > PSK_MAX_PSK_LEN) { |
| 809 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, |
| 810 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); |
| 811 | return EXT_RETURN_FAIL; |
| 812 | } else if (psklen > 0) { |
| 813 | const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; |
| 814 | const SSL_CIPHER *cipher; |
| 815 | |
| 816 | idlen = strlen(identity); |
| 817 | if (idlen > PSK_MAX_IDENTITY_LEN) { |
| 818 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 819 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 820 | ERR_R_INTERNAL_ERROR); |
| 821 | return EXT_RETURN_FAIL; |
| 822 | } |
| 823 | id = (unsigned char *)identity; |
| 824 | |
| 825 | /* |
| 826 | * We found a PSK using an old style callback. We don't know |
| 827 | * the digest so we default to SHA256 as per the TLSv1.3 spec |
| 828 | */ |
| 829 | cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id); |
| 830 | if (cipher == NULL) { |
| 831 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 832 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 833 | ERR_R_INTERNAL_ERROR); |
| 834 | return EXT_RETURN_FAIL; |
| 835 | } |
| 836 | |
| 837 | psksess = SSL_SESSION_new(); |
| 838 | if (psksess == NULL |
| 839 | || !SSL_SESSION_set1_master_key(psksess, psk, psklen) |
| 840 | || !SSL_SESSION_set_cipher(psksess, cipher) |
| 841 | || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { |
| 842 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 843 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 844 | ERR_R_INTERNAL_ERROR); |
| 845 | OPENSSL_cleanse(psk, psklen); |
| 846 | return EXT_RETURN_FAIL; |
| 847 | } |
| 848 | OPENSSL_cleanse(psk, psklen); |
| 849 | } |
| 850 | } |
| 851 | #endif /* OPENSSL_NO_PSK */ |
| 852 | |
| 853 | SSL_SESSION_free(s->psksession); |
| 854 | s->psksession = psksess; |
| 855 | if (psksess != NULL) { |
| 856 | OPENSSL_free(s->psksession_id); |
| 857 | s->psksession_id = OPENSSL_memdup(id, idlen); |
| 858 | if (s->psksession_id == NULL) { |
| 859 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 860 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); |
| 861 | return EXT_RETURN_FAIL; |
| 862 | } |
| 863 | s->psksession_id_len = idlen; |
| 864 | } |
| 865 | |
| 866 | if (s->early_data_state != SSL_EARLY_DATA_CONNECTING |
| 867 | || (s->session->ext.max_early_data == 0 |
| 868 | && (psksess == NULL || psksess->ext.max_early_data == 0))) { |
| 869 | s->max_early_data = 0; |
| 870 | return EXT_RETURN_NOT_SENT; |
| 871 | } |
| 872 | edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; |
| 873 | s->max_early_data = edsess->ext.max_early_data; |
| 874 | |
| 875 | if (edsess->ext.hostname != NULL) { |
| 876 | if (s->ext.hostname == NULL |
| 877 | || (s->ext.hostname != NULL |
| 878 | && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { |
| 879 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 880 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 881 | SSL_R_INCONSISTENT_EARLY_DATA_SNI); |
| 882 | return EXT_RETURN_FAIL; |
| 883 | } |
| 884 | } |
| 885 | |
| 886 | if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { |
| 887 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 888 | SSL_R_INCONSISTENT_EARLY_DATA_ALPN); |
| 889 | return EXT_RETURN_FAIL; |
| 890 | } |
| 891 | |
| 892 | /* |
| 893 | * Verify that we are offering an ALPN protocol consistent with the early |
| 894 | * data. |
| 895 | */ |
| 896 | if (edsess->ext.alpn_selected != NULL) { |
| 897 | PACKET prots, alpnpkt; |
| 898 | int found = 0; |
| 899 | |
| 900 | if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { |
| 901 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 902 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, ERR_R_INTERNAL_ERROR); |
| 903 | return EXT_RETURN_FAIL; |
| 904 | } |
| 905 | while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { |
| 906 | if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, |
| 907 | edsess->ext.alpn_selected_len)) { |
| 908 | found = 1; |
| 909 | break; |
| 910 | } |
| 911 | } |
| 912 | if (!found) { |
| 913 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 914 | SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 915 | SSL_R_INCONSISTENT_EARLY_DATA_ALPN); |
| 916 | return EXT_RETURN_FAIL; |
| 917 | } |
| 918 | } |
| 919 | |
| 920 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) |
| 921 | || !WPACKET_start_sub_packet_u16(pkt) |
| 922 | || !WPACKET_close(pkt)) { |
| 923 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_EARLY_DATA, |
| 924 | ERR_R_INTERNAL_ERROR); |
| 925 | return EXT_RETURN_FAIL; |
| 926 | } |
| 927 | |
| 928 | /* |
| 929 | * We set this to rejected here. Later, if the server acknowledges the |
| 930 | * extension, we set it to accepted. |
| 931 | */ |
| 932 | s->ext.early_data = SSL_EARLY_DATA_REJECTED; |
| 933 | s->ext.early_data_ok = 1; |
| 934 | |
| 935 | return EXT_RETURN_SENT; |
| 936 | } |
| 937 | |
| 938 | #define F5_WORKAROUND_MIN_MSG_LEN 0xff |
| 939 | #define F5_WORKAROUND_MAX_MSG_LEN 0x200 |
| 940 | |
| 941 | /* |
| 942 | * PSK pre binder overhead = |
| 943 | * 2 bytes for TLSEXT_TYPE_psk |
| 944 | * 2 bytes for extension length |
| 945 | * 2 bytes for identities list length |
| 946 | * 2 bytes for identity length |
| 947 | * 4 bytes for obfuscated_ticket_age |
| 948 | * 2 bytes for binder list length |
| 949 | * 1 byte for binder length |
| 950 | * The above excludes the number of bytes for the identity itself and the |
| 951 | * subsequent binder bytes |
| 952 | */ |
| 953 | #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) |
| 954 | |
| 955 | EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt, |
| 956 | unsigned int context, X509 *x, |
| 957 | size_t chainidx) |
| 958 | { |
| 959 | unsigned char *padbytes; |
| 960 | size_t hlen; |
| 961 | |
| 962 | if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) |
| 963 | return EXT_RETURN_NOT_SENT; |
| 964 | |
| 965 | /* |
| 966 | * Add padding to workaround bugs in F5 terminators. See RFC7685. |
| 967 | * This code calculates the length of all extensions added so far but |
| 968 | * excludes the PSK extension (because that MUST be written last). Therefore |
| 969 | * this extension MUST always appear second to last. |
| 970 | */ |
| 971 | if (!WPACKET_get_total_written(pkt, &hlen)) { |
| 972 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, |
| 973 | ERR_R_INTERNAL_ERROR); |
| 974 | return EXT_RETURN_FAIL; |
| 975 | } |
| 976 | |
| 977 | /* |
| 978 | * If we're going to send a PSK then that will be written out after this |
| 979 | * extension, so we need to calculate how long it is going to be. |
| 980 | */ |
| 981 | if (s->session->ssl_version == TLS1_3_VERSION |
| 982 | && s->session->ext.ticklen != 0 |
| 983 | && s->session->cipher != NULL) { |
| 984 | const EVP_MD *md = ssl_md(s->session->cipher->algorithm2); |
| 985 | |
| 986 | if (md != NULL) { |
| 987 | /* |
| 988 | * Add the fixed PSK overhead, the identity length and the binder |
| 989 | * length. |
| 990 | */ |
| 991 | hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen |
| 992 | + EVP_MD_size(md); |
| 993 | } |
| 994 | } |
| 995 | |
| 996 | if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { |
| 997 | /* Calculate the amount of padding we need to add */ |
| 998 | hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; |
| 999 | |
| 1000 | /* |
| 1001 | * Take off the size of extension header itself (2 bytes for type and |
| 1002 | * 2 bytes for length bytes), but ensure that the extension is at least |
| 1003 | * 1 byte long so as not to have an empty extension last (WebSphere 7.x, |
| 1004 | * 8.x are intolerant of that condition) |
| 1005 | */ |
| 1006 | if (hlen > 4) |
| 1007 | hlen -= 4; |
| 1008 | else |
| 1009 | hlen = 1; |
| 1010 | |
| 1011 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) |
| 1012 | || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { |
| 1013 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PADDING, |
| 1014 | ERR_R_INTERNAL_ERROR); |
| 1015 | return EXT_RETURN_FAIL; |
| 1016 | } |
| 1017 | memset(padbytes, 0, hlen); |
| 1018 | } |
| 1019 | |
| 1020 | return EXT_RETURN_SENT; |
| 1021 | } |
| 1022 | |
| 1023 | /* |
| 1024 | * Construct the pre_shared_key extension |
| 1025 | */ |
| 1026 | EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, |
| 1027 | X509 *x, size_t chainidx) |
| 1028 | { |
| 1029 | #ifndef OPENSSL_NO_TLS1_3 |
| 1030 | uint32_t now, agesec, agems = 0; |
| 1031 | size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; |
| 1032 | unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; |
| 1033 | const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; |
| 1034 | int dores = 0; |
| 1035 | |
| 1036 | s->ext.tick_identity = 0; |
| 1037 | |
| 1038 | /* |
| 1039 | * Note: At this stage of the code we only support adding a single |
| 1040 | * resumption PSK. If we add support for multiple PSKs then the length |
| 1041 | * calculations in the padding extension will need to be adjusted. |
| 1042 | */ |
| 1043 | |
| 1044 | /* |
| 1045 | * If this is an incompatible or new session then we have nothing to resume |
| 1046 | * so don't add this extension. |
| 1047 | */ |
| 1048 | if (s->session->ssl_version != TLS1_3_VERSION |
| 1049 | || (s->session->ext.ticklen == 0 && s->psksession == NULL)) |
| 1050 | return EXT_RETURN_NOT_SENT; |
| 1051 | |
| 1052 | if (s->hello_retry_request == SSL_HRR_PENDING) |
| 1053 | handmd = ssl_handshake_md(s); |
| 1054 | |
| 1055 | if (s->session->ext.ticklen != 0) { |
| 1056 | /* Get the digest associated with the ciphersuite in the session */ |
| 1057 | if (s->session->cipher == NULL) { |
| 1058 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1059 | ERR_R_INTERNAL_ERROR); |
| 1060 | return EXT_RETURN_FAIL; |
| 1061 | } |
| 1062 | mdres = ssl_md(s->session->cipher->algorithm2); |
| 1063 | if (mdres == NULL) { |
| 1064 | /* |
| 1065 | * Don't recognize this cipher so we can't use the session. |
| 1066 | * Ignore it |
| 1067 | */ |
| 1068 | goto dopsksess; |
| 1069 | } |
| 1070 | |
| 1071 | if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { |
| 1072 | /* |
| 1073 | * Selected ciphersuite hash does not match the hash for the session |
| 1074 | * so we can't use it. |
| 1075 | */ |
| 1076 | goto dopsksess; |
| 1077 | } |
| 1078 | |
| 1079 | /* |
| 1080 | * Technically the C standard just says time() returns a time_t and says |
| 1081 | * nothing about the encoding of that type. In practice most |
| 1082 | * implementations follow POSIX which holds it as an integral type in |
| 1083 | * seconds since epoch. We've already made the assumption that we can do |
| 1084 | * this in multiple places in the code, so portability shouldn't be an |
| 1085 | * issue. |
| 1086 | */ |
| 1087 | now = (uint32_t)time(NULL); |
| 1088 | agesec = now - (uint32_t)s->session->time; |
| 1089 | /* |
| 1090 | * We calculate the age in seconds but the server may work in ms. Due to |
| 1091 | * rounding errors we could overestimate the age by up to 1s. It is |
| 1092 | * better to underestimate it. Otherwise, if the RTT is very short, when |
| 1093 | * the server calculates the age reported by the client it could be |
| 1094 | * bigger than the age calculated on the server - which should never |
| 1095 | * happen. |
| 1096 | */ |
| 1097 | if (agesec > 0) |
| 1098 | agesec--; |
| 1099 | |
| 1100 | if (s->session->ext.tick_lifetime_hint < agesec) { |
| 1101 | /* Ticket is too old. Ignore it. */ |
| 1102 | goto dopsksess; |
| 1103 | } |
| 1104 | |
| 1105 | /* |
| 1106 | * Calculate age in ms. We're just doing it to nearest second. Should be |
| 1107 | * good enough. |
| 1108 | */ |
| 1109 | agems = agesec * (uint32_t)1000; |
| 1110 | |
| 1111 | if (agesec != 0 && agems / (uint32_t)1000 != agesec) { |
| 1112 | /* |
| 1113 | * Overflow. Shouldn't happen unless this is a *really* old session. |
| 1114 | * If so we just ignore it. |
| 1115 | */ |
| 1116 | goto dopsksess; |
| 1117 | } |
| 1118 | |
| 1119 | /* |
| 1120 | * Obfuscate the age. Overflow here is fine, this addition is supposed |
| 1121 | * to be mod 2^32. |
| 1122 | */ |
| 1123 | agems += s->session->ext.tick_age_add; |
| 1124 | |
| 1125 | reshashsize = EVP_MD_size(mdres); |
| 1126 | s->ext.tick_identity++; |
| 1127 | dores = 1; |
| 1128 | } |
| 1129 | |
| 1130 | dopsksess: |
| 1131 | if (!dores && s->psksession == NULL) |
| 1132 | return EXT_RETURN_NOT_SENT; |
| 1133 | |
| 1134 | if (s->psksession != NULL) { |
| 1135 | mdpsk = ssl_md(s->psksession->cipher->algorithm2); |
| 1136 | if (mdpsk == NULL) { |
| 1137 | /* |
| 1138 | * Don't recognize this cipher so we can't use the session. |
| 1139 | * If this happens it's an application bug. |
| 1140 | */ |
| 1141 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1142 | SSL_R_BAD_PSK); |
| 1143 | return EXT_RETURN_FAIL; |
| 1144 | } |
| 1145 | |
| 1146 | if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { |
| 1147 | /* |
| 1148 | * Selected ciphersuite hash does not match the hash for the PSK |
| 1149 | * session. This is an application bug. |
| 1150 | */ |
| 1151 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1152 | SSL_R_BAD_PSK); |
| 1153 | return EXT_RETURN_FAIL; |
| 1154 | } |
| 1155 | |
| 1156 | pskhashsize = EVP_MD_size(mdpsk); |
| 1157 | } |
| 1158 | |
| 1159 | /* Create the extension, but skip over the binder for now */ |
| 1160 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) |
| 1161 | || !WPACKET_start_sub_packet_u16(pkt) |
| 1162 | || !WPACKET_start_sub_packet_u16(pkt)) { |
| 1163 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1164 | ERR_R_INTERNAL_ERROR); |
| 1165 | return EXT_RETURN_FAIL; |
| 1166 | } |
| 1167 | |
| 1168 | if (dores) { |
| 1169 | if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, |
| 1170 | s->session->ext.ticklen) |
| 1171 | || !WPACKET_put_bytes_u32(pkt, agems)) { |
| 1172 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1173 | ERR_R_INTERNAL_ERROR); |
| 1174 | return EXT_RETURN_FAIL; |
| 1175 | } |
| 1176 | } |
| 1177 | |
| 1178 | if (s->psksession != NULL) { |
| 1179 | if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, |
| 1180 | s->psksession_id_len) |
| 1181 | || !WPACKET_put_bytes_u32(pkt, 0)) { |
| 1182 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1183 | ERR_R_INTERNAL_ERROR); |
| 1184 | return EXT_RETURN_FAIL; |
| 1185 | } |
| 1186 | s->ext.tick_identity++; |
| 1187 | } |
| 1188 | |
| 1189 | if (!WPACKET_close(pkt) |
| 1190 | || !WPACKET_get_total_written(pkt, &binderoffset) |
| 1191 | || !WPACKET_start_sub_packet_u16(pkt) |
| 1192 | || (dores |
| 1193 | && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) |
| 1194 | || (s->psksession != NULL |
| 1195 | && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) |
| 1196 | || !WPACKET_close(pkt) |
| 1197 | || !WPACKET_close(pkt) |
| 1198 | || !WPACKET_get_total_written(pkt, &msglen) |
| 1199 | /* |
| 1200 | * We need to fill in all the sub-packet lengths now so we can |
| 1201 | * calculate the HMAC of the message up to the binders |
| 1202 | */ |
| 1203 | || !WPACKET_fill_lengths(pkt)) { |
| 1204 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_PSK, |
| 1205 | ERR_R_INTERNAL_ERROR); |
| 1206 | return EXT_RETURN_FAIL; |
| 1207 | } |
| 1208 | |
| 1209 | msgstart = WPACKET_get_curr(pkt) - msglen; |
| 1210 | |
| 1211 | if (dores |
| 1212 | && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, |
| 1213 | resbinder, s->session, 1, 0) != 1) { |
| 1214 | /* SSLfatal() already called */ |
| 1215 | return EXT_RETURN_FAIL; |
| 1216 | } |
| 1217 | |
| 1218 | if (s->psksession != NULL |
| 1219 | && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, |
| 1220 | pskbinder, s->psksession, 1, 1) != 1) { |
| 1221 | /* SSLfatal() already called */ |
| 1222 | return EXT_RETURN_FAIL; |
| 1223 | } |
| 1224 | |
| 1225 | return EXT_RETURN_SENT; |
| 1226 | #else |
| 1227 | return EXT_RETURN_NOT_SENT; |
| 1228 | #endif |
| 1229 | } |
| 1230 | |
| 1231 | EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt, |
| 1232 | unsigned int context, |
| 1233 | X509 *x, size_t chainidx) |
| 1234 | { |
| 1235 | #ifndef OPENSSL_NO_TLS1_3 |
| 1236 | if (!s->pha_enabled) |
| 1237 | return EXT_RETURN_NOT_SENT; |
| 1238 | |
| 1239 | /* construct extension - 0 length, no contents */ |
| 1240 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) |
| 1241 | || !WPACKET_start_sub_packet_u16(pkt) |
| 1242 | || !WPACKET_close(pkt)) { |
| 1243 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 1244 | SSL_F_TLS_CONSTRUCT_CTOS_POST_HANDSHAKE_AUTH, |
| 1245 | ERR_R_INTERNAL_ERROR); |
| 1246 | return EXT_RETURN_FAIL; |
| 1247 | } |
| 1248 | |
| 1249 | s->post_handshake_auth = SSL_PHA_EXT_SENT; |
| 1250 | |
| 1251 | return EXT_RETURN_SENT; |
| 1252 | #else |
| 1253 | return EXT_RETURN_NOT_SENT; |
| 1254 | #endif |
| 1255 | } |
| 1256 | |
| 1257 | |
| 1258 | /* |
| 1259 | * Parse the server's renegotiation binding and abort if it's not right |
| 1260 | */ |
| 1261 | int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context, |
| 1262 | X509 *x, size_t chainidx) |
| 1263 | { |
| 1264 | size_t expected_len = s->s3.previous_client_finished_len |
| 1265 | + s->s3.previous_server_finished_len; |
| 1266 | size_t ilen; |
| 1267 | const unsigned char *data; |
| 1268 | |
| 1269 | /* Check for logic errors */ |
| 1270 | if (!ossl_assert(expected_len == 0 |
| 1271 | || s->s3.previous_client_finished_len != 0) |
| 1272 | || !ossl_assert(expected_len == 0 |
| 1273 | || s->s3.previous_server_finished_len != 0)) { |
| 1274 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
| 1275 | ERR_R_INTERNAL_ERROR); |
| 1276 | return 0; |
| 1277 | } |
| 1278 | |
| 1279 | /* Parse the length byte */ |
| 1280 | if (!PACKET_get_1_len(pkt, &ilen)) { |
| 1281 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
| 1282 | SSL_R_RENEGOTIATION_ENCODING_ERR); |
| 1283 | return 0; |
| 1284 | } |
| 1285 | |
| 1286 | /* Consistency check */ |
| 1287 | if (PACKET_remaining(pkt) != ilen) { |
| 1288 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
| 1289 | SSL_R_RENEGOTIATION_ENCODING_ERR); |
| 1290 | return 0; |
| 1291 | } |
| 1292 | |
| 1293 | /* Check that the extension matches */ |
| 1294 | if (ilen != expected_len) { |
| 1295 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
| 1296 | SSL_R_RENEGOTIATION_MISMATCH); |
| 1297 | return 0; |
| 1298 | } |
| 1299 | |
| 1300 | if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) |
| 1301 | || memcmp(data, s->s3.previous_client_finished, |
| 1302 | s->s3.previous_client_finished_len) != 0) { |
| 1303 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
| 1304 | SSL_R_RENEGOTIATION_MISMATCH); |
| 1305 | return 0; |
| 1306 | } |
| 1307 | |
| 1308 | if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) |
| 1309 | || memcmp(data, s->s3.previous_server_finished, |
| 1310 | s->s3.previous_server_finished_len) != 0) { |
| 1311 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_RENEGOTIATE, |
| 1312 | SSL_R_RENEGOTIATION_MISMATCH); |
| 1313 | return 0; |
| 1314 | } |
| 1315 | s->s3.send_connection_binding = 1; |
| 1316 | |
| 1317 | return 1; |
| 1318 | } |
| 1319 | |
| 1320 | /* Parse the server's max fragment len extension packet */ |
| 1321 | int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context, |
| 1322 | X509 *x, size_t chainidx) |
| 1323 | { |
| 1324 | unsigned int value; |
| 1325 | |
| 1326 | if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { |
| 1327 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, |
| 1328 | SSL_R_BAD_EXTENSION); |
| 1329 | return 0; |
| 1330 | } |
| 1331 | |
| 1332 | /* |value| should contains a valid max-fragment-length code. */ |
| 1333 | if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { |
| 1334 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 1335 | SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, |
| 1336 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); |
| 1337 | return 0; |
| 1338 | } |
| 1339 | |
| 1340 | /* Must be the same value as client-configured one who was sent to server */ |
| 1341 | /*- |
| 1342 | * RFC 6066: if a client receives a maximum fragment length negotiation |
| 1343 | * response that differs from the length it requested, ... |
| 1344 | * It must abort with SSL_AD_ILLEGAL_PARAMETER alert |
| 1345 | */ |
| 1346 | if (value != s->ext.max_fragment_len_mode) { |
| 1347 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 1348 | SSL_F_TLS_PARSE_STOC_MAXFRAGMENTLEN, |
| 1349 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); |
| 1350 | return 0; |
| 1351 | } |
| 1352 | |
| 1353 | /* |
| 1354 | * Maximum Fragment Length Negotiation succeeded. |
| 1355 | * The negotiated Maximum Fragment Length is binding now. |
| 1356 | */ |
| 1357 | s->session->ext.max_fragment_len_mode = value; |
| 1358 | |
| 1359 | return 1; |
| 1360 | } |
| 1361 | |
| 1362 | int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context, |
| 1363 | X509 *x, size_t chainidx) |
| 1364 | { |
| 1365 | if (s->ext.hostname == NULL) { |
| 1366 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, |
| 1367 | ERR_R_INTERNAL_ERROR); |
| 1368 | return 0; |
| 1369 | } |
| 1370 | |
| 1371 | if (PACKET_remaining(pkt) > 0) { |
| 1372 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, |
| 1373 | SSL_R_BAD_EXTENSION); |
| 1374 | return 0; |
| 1375 | } |
| 1376 | |
| 1377 | if (!s->hit) { |
| 1378 | if (s->session->ext.hostname != NULL) { |
| 1379 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, |
| 1380 | ERR_R_INTERNAL_ERROR); |
| 1381 | return 0; |
| 1382 | } |
| 1383 | s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); |
| 1384 | if (s->session->ext.hostname == NULL) { |
| 1385 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SERVER_NAME, |
| 1386 | ERR_R_INTERNAL_ERROR); |
| 1387 | return 0; |
| 1388 | } |
| 1389 | } |
| 1390 | |
| 1391 | return 1; |
| 1392 | } |
| 1393 | |
| 1394 | #ifndef OPENSSL_NO_EC |
| 1395 | int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, |
| 1396 | X509 *x, size_t chainidx) |
| 1397 | { |
| 1398 | size_t ecpointformats_len; |
| 1399 | PACKET ecptformatlist; |
| 1400 | |
| 1401 | if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { |
| 1402 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, |
| 1403 | SSL_R_BAD_EXTENSION); |
| 1404 | return 0; |
| 1405 | } |
| 1406 | if (!s->hit) { |
| 1407 | ecpointformats_len = PACKET_remaining(&ecptformatlist); |
| 1408 | if (ecpointformats_len == 0) { |
| 1409 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
| 1410 | SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, SSL_R_BAD_LENGTH); |
| 1411 | return 0; |
| 1412 | } |
| 1413 | |
| 1414 | s->ext.peer_ecpointformats_len = 0; |
| 1415 | OPENSSL_free(s->ext.peer_ecpointformats); |
| 1416 | s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); |
| 1417 | if (s->ext.peer_ecpointformats == NULL) { |
| 1418 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 1419 | SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); |
| 1420 | return 0; |
| 1421 | } |
| 1422 | |
| 1423 | s->ext.peer_ecpointformats_len = ecpointformats_len; |
| 1424 | |
| 1425 | if (!PACKET_copy_bytes(&ecptformatlist, |
| 1426 | s->ext.peer_ecpointformats, |
| 1427 | ecpointformats_len)) { |
| 1428 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 1429 | SSL_F_TLS_PARSE_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR); |
| 1430 | return 0; |
| 1431 | } |
| 1432 | } |
| 1433 | |
| 1434 | return 1; |
| 1435 | } |
| 1436 | #endif |
| 1437 | |
| 1438 | int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context, |
| 1439 | X509 *x, size_t chainidx) |
| 1440 | { |
| 1441 | if (s->ext.session_ticket_cb != NULL && |
| 1442 | !s->ext.session_ticket_cb(s, PACKET_data(pkt), |
| 1443 | PACKET_remaining(pkt), |
| 1444 | s->ext.session_ticket_cb_arg)) { |
| 1445 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, |
| 1446 | SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); |
| 1447 | return 0; |
| 1448 | } |
| 1449 | |
| 1450 | if (!tls_use_ticket(s)) { |
| 1451 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, |
| 1452 | SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); |
| 1453 | return 0; |
| 1454 | } |
| 1455 | if (PACKET_remaining(pkt) > 0) { |
| 1456 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
| 1457 | SSL_F_TLS_PARSE_STOC_SESSION_TICKET, SSL_R_BAD_EXTENSION); |
| 1458 | return 0; |
| 1459 | } |
| 1460 | |
| 1461 | s->ext.ticket_expected = 1; |
| 1462 | |
| 1463 | return 1; |
| 1464 | } |
| 1465 | |
| 1466 | #ifndef OPENSSL_NO_OCSP |
| 1467 | int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, |
| 1468 | X509 *x, size_t chainidx) |
| 1469 | { |
| 1470 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { |
| 1471 | /* We ignore this if the server sends a CertificateRequest */ |
| 1472 | /* TODO(TLS1.3): Add support for this */ |
| 1473 | return 1; |
| 1474 | } |
| 1475 | |
| 1476 | /* |
| 1477 | * MUST only be sent if we've requested a status |
| 1478 | * request message. In TLS <= 1.2 it must also be empty. |
| 1479 | */ |
| 1480 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { |
| 1481 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, |
| 1482 | SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); |
| 1483 | return 0; |
| 1484 | } |
| 1485 | if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { |
| 1486 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
| 1487 | SSL_F_TLS_PARSE_STOC_STATUS_REQUEST, SSL_R_BAD_EXTENSION); |
| 1488 | return 0; |
| 1489 | } |
| 1490 | |
| 1491 | if (SSL_IS_TLS13(s)) { |
| 1492 | /* We only know how to handle this if it's for the first Certificate in |
| 1493 | * the chain. We ignore any other responses. |
| 1494 | */ |
| 1495 | if (chainidx != 0) |
| 1496 | return 1; |
| 1497 | |
| 1498 | /* SSLfatal() already called */ |
| 1499 | return tls_process_cert_status_body(s, pkt); |
| 1500 | } |
| 1501 | |
| 1502 | /* Set flag to expect CertificateStatus message */ |
| 1503 | s->ext.status_expected = 1; |
| 1504 | |
| 1505 | return 1; |
| 1506 | } |
| 1507 | #endif |
| 1508 | |
| 1509 | |
| 1510 | #ifndef OPENSSL_NO_CT |
| 1511 | int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1512 | size_t chainidx) |
| 1513 | { |
| 1514 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { |
| 1515 | /* We ignore this if the server sends it in a CertificateRequest */ |
| 1516 | /* TODO(TLS1.3): Add support for this */ |
| 1517 | return 1; |
| 1518 | } |
| 1519 | |
| 1520 | /* |
| 1521 | * Only take it if we asked for it - i.e if there is no CT validation |
| 1522 | * callback set, then a custom extension MAY be processing it, so we |
| 1523 | * need to let control continue to flow to that. |
| 1524 | */ |
| 1525 | if (s->ct_validation_callback != NULL) { |
| 1526 | size_t size = PACKET_remaining(pkt); |
| 1527 | |
| 1528 | /* Simply copy it off for later processing */ |
| 1529 | OPENSSL_free(s->ext.scts); |
| 1530 | s->ext.scts = NULL; |
| 1531 | |
| 1532 | s->ext.scts_len = (uint16_t)size; |
| 1533 | if (size > 0) { |
| 1534 | s->ext.scts = OPENSSL_malloc(size); |
| 1535 | if (s->ext.scts == NULL |
| 1536 | || !PACKET_copy_bytes(pkt, s->ext.scts, size)) { |
| 1537 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_SCT, |
| 1538 | ERR_R_INTERNAL_ERROR); |
| 1539 | return 0; |
| 1540 | } |
| 1541 | } |
| 1542 | } else { |
| 1543 | ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 |
| 1544 | ? ENDPOINT_CLIENT : ENDPOINT_BOTH; |
| 1545 | |
| 1546 | /* |
| 1547 | * If we didn't ask for it then there must be a custom extension, |
| 1548 | * otherwise this is unsolicited. |
| 1549 | */ |
| 1550 | if (custom_ext_find(&s->cert->custext, role, |
| 1551 | TLSEXT_TYPE_signed_certificate_timestamp, |
| 1552 | NULL) == NULL) { |
| 1553 | SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_SCT, |
| 1554 | SSL_R_BAD_EXTENSION); |
| 1555 | return 0; |
| 1556 | } |
| 1557 | |
| 1558 | if (!custom_ext_parse(s, context, |
| 1559 | TLSEXT_TYPE_signed_certificate_timestamp, |
| 1560 | PACKET_data(pkt), PACKET_remaining(pkt), |
| 1561 | x, chainidx)) { |
| 1562 | /* SSLfatal already called */ |
| 1563 | return 0; |
| 1564 | } |
| 1565 | } |
| 1566 | |
| 1567 | return 1; |
| 1568 | } |
| 1569 | #endif |
| 1570 | |
| 1571 | |
| 1572 | #ifndef OPENSSL_NO_NEXTPROTONEG |
| 1573 | /* |
| 1574 | * ssl_next_proto_validate validates a Next Protocol Negotiation block. No |
| 1575 | * elements of zero length are allowed and the set of elements must exactly |
| 1576 | * fill the length of the block. Returns 1 on success or 0 on failure. |
| 1577 | */ |
| 1578 | static int ssl_next_proto_validate(SSL *s, PACKET *pkt) |
| 1579 | { |
| 1580 | PACKET tmp_protocol; |
| 1581 | |
| 1582 | while (PACKET_remaining(pkt)) { |
| 1583 | if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) |
| 1584 | || PACKET_remaining(&tmp_protocol) == 0) { |
| 1585 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL_NEXT_PROTO_VALIDATE, |
| 1586 | SSL_R_BAD_EXTENSION); |
| 1587 | return 0; |
| 1588 | } |
| 1589 | } |
| 1590 | |
| 1591 | return 1; |
| 1592 | } |
| 1593 | |
| 1594 | int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1595 | size_t chainidx) |
| 1596 | { |
| 1597 | unsigned char *selected; |
| 1598 | unsigned char selected_len; |
| 1599 | PACKET tmppkt; |
| 1600 | |
| 1601 | /* Check if we are in a renegotiation. If so ignore this extension */ |
| 1602 | if (!SSL_IS_FIRST_HANDSHAKE(s)) |
| 1603 | return 1; |
| 1604 | |
| 1605 | /* We must have requested it. */ |
| 1606 | if (s->ctx->ext.npn_select_cb == NULL) { |
| 1607 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_NPN, |
| 1608 | SSL_R_BAD_EXTENSION); |
| 1609 | return 0; |
| 1610 | } |
| 1611 | |
| 1612 | /* The data must be valid */ |
| 1613 | tmppkt = *pkt; |
| 1614 | if (!ssl_next_proto_validate(s, &tmppkt)) { |
| 1615 | /* SSLfatal() already called */ |
| 1616 | return 0; |
| 1617 | } |
| 1618 | if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, |
| 1619 | PACKET_data(pkt), |
| 1620 | PACKET_remaining(pkt), |
| 1621 | s->ctx->ext.npn_select_cb_arg) != |
| 1622 | SSL_TLSEXT_ERR_OK) { |
| 1623 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, |
| 1624 | SSL_R_BAD_EXTENSION); |
| 1625 | return 0; |
| 1626 | } |
| 1627 | |
| 1628 | /* |
| 1629 | * Could be non-NULL if server has sent multiple NPN extensions in |
| 1630 | * a single Serverhello |
| 1631 | */ |
| 1632 | OPENSSL_free(s->ext.npn); |
| 1633 | s->ext.npn = OPENSSL_malloc(selected_len); |
| 1634 | if (s->ext.npn == NULL) { |
| 1635 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_NPN, |
| 1636 | ERR_R_INTERNAL_ERROR); |
| 1637 | return 0; |
| 1638 | } |
| 1639 | |
| 1640 | memcpy(s->ext.npn, selected, selected_len); |
| 1641 | s->ext.npn_len = selected_len; |
| 1642 | s->s3.npn_seen = 1; |
| 1643 | |
| 1644 | return 1; |
| 1645 | } |
| 1646 | #endif |
| 1647 | |
| 1648 | int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1649 | size_t chainidx) |
| 1650 | { |
| 1651 | size_t len; |
| 1652 | |
| 1653 | /* We must have requested it. */ |
| 1654 | if (!s->s3.alpn_sent) { |
| 1655 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_F_TLS_PARSE_STOC_ALPN, |
| 1656 | SSL_R_BAD_EXTENSION); |
| 1657 | return 0; |
| 1658 | } |
| 1659 | /*- |
| 1660 | * The extension data consists of: |
| 1661 | * uint16 list_length |
| 1662 | * uint8 proto_length; |
| 1663 | * uint8 proto[proto_length]; |
| 1664 | */ |
| 1665 | if (!PACKET_get_net_2_len(pkt, &len) |
| 1666 | || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) |
| 1667 | || PACKET_remaining(pkt) != len) { |
| 1668 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, |
| 1669 | SSL_R_BAD_EXTENSION); |
| 1670 | return 0; |
| 1671 | } |
| 1672 | OPENSSL_free(s->s3.alpn_selected); |
| 1673 | s->s3.alpn_selected = OPENSSL_malloc(len); |
| 1674 | if (s->s3.alpn_selected == NULL) { |
| 1675 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, |
| 1676 | ERR_R_INTERNAL_ERROR); |
| 1677 | return 0; |
| 1678 | } |
| 1679 | if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { |
| 1680 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, |
| 1681 | SSL_R_BAD_EXTENSION); |
| 1682 | return 0; |
| 1683 | } |
| 1684 | s->s3.alpn_selected_len = len; |
| 1685 | |
| 1686 | if (s->session->ext.alpn_selected == NULL |
| 1687 | || s->session->ext.alpn_selected_len != len |
| 1688 | || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) |
| 1689 | != 0) { |
| 1690 | /* ALPN not consistent with the old session so cannot use early_data */ |
| 1691 | s->ext.early_data_ok = 0; |
| 1692 | } |
| 1693 | if (!s->hit) { |
| 1694 | /* |
| 1695 | * This is a new session and so alpn_selected should have been |
| 1696 | * initialised to NULL. We should update it with the selected ALPN. |
| 1697 | */ |
| 1698 | if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { |
| 1699 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, |
| 1700 | ERR_R_INTERNAL_ERROR); |
| 1701 | return 0; |
| 1702 | } |
| 1703 | s->session->ext.alpn_selected = |
| 1704 | OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); |
| 1705 | if (s->session->ext.alpn_selected == NULL) { |
| 1706 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, |
| 1707 | ERR_R_INTERNAL_ERROR); |
| 1708 | return 0; |
| 1709 | } |
| 1710 | s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; |
| 1711 | } |
| 1712 | |
| 1713 | return 1; |
| 1714 | } |
| 1715 | |
| 1716 | #ifndef OPENSSL_NO_SRTP |
| 1717 | int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1718 | size_t chainidx) |
| 1719 | { |
| 1720 | unsigned int id, ct, mki; |
| 1721 | int i; |
| 1722 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; |
| 1723 | SRTP_PROTECTION_PROFILE *prof; |
| 1724 | |
| 1725 | if (!PACKET_get_net_2(pkt, &ct) || ct != 2 |
| 1726 | || !PACKET_get_net_2(pkt, &id) |
| 1727 | || !PACKET_get_1(pkt, &mki) |
| 1728 | || PACKET_remaining(pkt) != 0) { |
| 1729 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, |
| 1730 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
| 1731 | return 0; |
| 1732 | } |
| 1733 | |
| 1734 | if (mki != 0) { |
| 1735 | /* Must be no MKI, since we never offer one */ |
| 1736 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_USE_SRTP, |
| 1737 | SSL_R_BAD_SRTP_MKI_VALUE); |
| 1738 | return 0; |
| 1739 | } |
| 1740 | |
| 1741 | /* Throw an error if the server gave us an unsolicited extension */ |
| 1742 | clnt = SSL_get_srtp_profiles(s); |
| 1743 | if (clnt == NULL) { |
| 1744 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, |
| 1745 | SSL_R_NO_SRTP_PROFILES); |
| 1746 | return 0; |
| 1747 | } |
| 1748 | |
| 1749 | /* |
| 1750 | * Check to see if the server gave us something we support (and |
| 1751 | * presumably offered) |
| 1752 | */ |
| 1753 | for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { |
| 1754 | prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); |
| 1755 | |
| 1756 | if (prof->id == id) { |
| 1757 | s->srtp_profile = prof; |
| 1758 | return 1; |
| 1759 | } |
| 1760 | } |
| 1761 | |
| 1762 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_USE_SRTP, |
| 1763 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
| 1764 | return 0; |
| 1765 | } |
| 1766 | #endif |
| 1767 | |
| 1768 | int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1769 | size_t chainidx) |
| 1770 | { |
| 1771 | /* Ignore if inappropriate ciphersuite */ |
| 1772 | if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) |
| 1773 | && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD |
| 1774 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4) |
| 1775 | s->ext.use_etm = 1; |
| 1776 | |
| 1777 | return 1; |
| 1778 | } |
| 1779 | |
| 1780 | int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1781 | size_t chainidx) |
| 1782 | { |
| 1783 | if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) |
| 1784 | return 1; |
| 1785 | s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; |
| 1786 | if (!s->hit) |
| 1787 | s->session->flags |= SSL_SESS_FLAG_EXTMS; |
| 1788 | |
| 1789 | return 1; |
| 1790 | } |
| 1791 | |
| 1792 | int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context, |
| 1793 | X509 *x, size_t chainidx) |
| 1794 | { |
| 1795 | unsigned int version; |
| 1796 | |
| 1797 | if (!PACKET_get_net_2(pkt, &version) |
| 1798 | || PACKET_remaining(pkt) != 0) { |
| 1799 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
| 1800 | SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, |
| 1801 | SSL_R_LENGTH_MISMATCH); |
| 1802 | return 0; |
| 1803 | } |
| 1804 | |
| 1805 | /* |
| 1806 | * The only protocol version we support which is valid in this extension in |
| 1807 | * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. |
| 1808 | */ |
| 1809 | if (version != TLS1_3_VERSION) { |
| 1810 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 1811 | SSL_F_TLS_PARSE_STOC_SUPPORTED_VERSIONS, |
| 1812 | SSL_R_BAD_PROTOCOL_VERSION_NUMBER); |
| 1813 | return 0; |
| 1814 | } |
| 1815 | |
| 1816 | /* We ignore this extension for HRRs except to sanity check it */ |
| 1817 | if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) |
| 1818 | return 1; |
| 1819 | |
| 1820 | /* We just set it here. We validate it in ssl_choose_client_version */ |
| 1821 | s->version = version; |
| 1822 | |
| 1823 | return 1; |
| 1824 | } |
| 1825 | |
| 1826 | int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1827 | size_t chainidx) |
| 1828 | { |
| 1829 | #ifndef OPENSSL_NO_TLS1_3 |
| 1830 | unsigned int group_id; |
| 1831 | PACKET encoded_pt; |
| 1832 | EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; |
| 1833 | |
| 1834 | /* Sanity check */ |
| 1835 | if (ckey == NULL || s->s3.peer_tmp != NULL) { |
| 1836 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1837 | ERR_R_INTERNAL_ERROR); |
| 1838 | return 0; |
| 1839 | } |
| 1840 | |
| 1841 | if (!PACKET_get_net_2(pkt, &group_id)) { |
| 1842 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1843 | SSL_R_LENGTH_MISMATCH); |
| 1844 | return 0; |
| 1845 | } |
| 1846 | |
| 1847 | if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { |
| 1848 | const uint16_t *pgroups = NULL; |
| 1849 | size_t i, num_groups; |
| 1850 | |
| 1851 | if (PACKET_remaining(pkt) != 0) { |
| 1852 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1853 | SSL_R_LENGTH_MISMATCH); |
| 1854 | return 0; |
| 1855 | } |
| 1856 | |
| 1857 | /* |
| 1858 | * It is an error if the HelloRetryRequest wants a key_share that we |
| 1859 | * already sent in the first ClientHello |
| 1860 | */ |
| 1861 | if (group_id == s->s3.group_id) { |
| 1862 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 1863 | SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); |
| 1864 | return 0; |
| 1865 | } |
| 1866 | |
| 1867 | /* Validate the selected group is one we support */ |
| 1868 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
| 1869 | for (i = 0; i < num_groups; i++) { |
| 1870 | if (group_id == pgroups[i]) |
| 1871 | break; |
| 1872 | } |
| 1873 | if (i >= num_groups |
| 1874 | || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { |
| 1875 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 1876 | SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); |
| 1877 | return 0; |
| 1878 | } |
| 1879 | |
| 1880 | s->s3.group_id = group_id; |
| 1881 | EVP_PKEY_free(s->s3.tmp.pkey); |
| 1882 | s->s3.tmp.pkey = NULL; |
| 1883 | return 1; |
| 1884 | } |
| 1885 | |
| 1886 | if (group_id != s->s3.group_id) { |
| 1887 | /* |
| 1888 | * This isn't for the group that we sent in the original |
| 1889 | * key_share! |
| 1890 | */ |
| 1891 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1892 | SSL_R_BAD_KEY_SHARE); |
| 1893 | return 0; |
| 1894 | } |
| 1895 | |
| 1896 | if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) |
| 1897 | || PACKET_remaining(&encoded_pt) == 0) { |
| 1898 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1899 | SSL_R_LENGTH_MISMATCH); |
| 1900 | return 0; |
| 1901 | } |
| 1902 | |
| 1903 | skey = EVP_PKEY_new(); |
| 1904 | if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { |
| 1905 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1906 | ERR_R_MALLOC_FAILURE); |
| 1907 | return 0; |
| 1908 | } |
| 1909 | if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(&encoded_pt), |
| 1910 | PACKET_remaining(&encoded_pt))) { |
| 1911 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, |
| 1912 | SSL_R_BAD_ECPOINT); |
| 1913 | EVP_PKEY_free(skey); |
| 1914 | return 0; |
| 1915 | } |
| 1916 | |
| 1917 | if (ssl_derive(s, ckey, skey, 1) == 0) { |
| 1918 | /* SSLfatal() already called */ |
| 1919 | EVP_PKEY_free(skey); |
| 1920 | return 0; |
| 1921 | } |
| 1922 | s->s3.peer_tmp = skey; |
| 1923 | #endif |
| 1924 | |
| 1925 | return 1; |
| 1926 | } |
| 1927 | |
| 1928 | int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1929 | size_t chainidx) |
| 1930 | { |
| 1931 | PACKET cookie; |
| 1932 | |
| 1933 | if (!PACKET_as_length_prefixed_2(pkt, &cookie) |
| 1934 | || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, |
| 1935 | &s->ext.tls13_cookie_len)) { |
| 1936 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_COOKIE, |
| 1937 | SSL_R_LENGTH_MISMATCH); |
| 1938 | return 0; |
| 1939 | } |
| 1940 | |
| 1941 | return 1; |
| 1942 | } |
| 1943 | |
| 1944 | int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, |
| 1945 | X509 *x, size_t chainidx) |
| 1946 | { |
| 1947 | if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { |
| 1948 | unsigned long max_early_data; |
| 1949 | |
| 1950 | if (!PACKET_get_net_4(pkt, &max_early_data) |
| 1951 | || PACKET_remaining(pkt) != 0) { |
| 1952 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, |
| 1953 | SSL_R_INVALID_MAX_EARLY_DATA); |
| 1954 | return 0; |
| 1955 | } |
| 1956 | |
| 1957 | s->session->ext.max_early_data = max_early_data; |
| 1958 | |
| 1959 | return 1; |
| 1960 | } |
| 1961 | |
| 1962 | if (PACKET_remaining(pkt) != 0) { |
| 1963 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_EARLY_DATA, |
| 1964 | SSL_R_BAD_EXTENSION); |
| 1965 | return 0; |
| 1966 | } |
| 1967 | |
| 1968 | if (!s->ext.early_data_ok |
| 1969 | || !s->hit) { |
| 1970 | /* |
| 1971 | * If we get here then we didn't send early data, or we didn't resume |
| 1972 | * using the first identity, or the SNI/ALPN is not consistent so the |
| 1973 | * server should not be accepting it. |
| 1974 | */ |
| 1975 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_EARLY_DATA, |
| 1976 | SSL_R_BAD_EXTENSION); |
| 1977 | return 0; |
| 1978 | } |
| 1979 | |
| 1980 | s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; |
| 1981 | |
| 1982 | return 1; |
| 1983 | } |
| 1984 | |
| 1985 | int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
| 1986 | size_t chainidx) |
| 1987 | { |
| 1988 | #ifndef OPENSSL_NO_TLS1_3 |
| 1989 | unsigned int identity; |
| 1990 | |
| 1991 | if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { |
| 1992 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_PSK, |
| 1993 | SSL_R_LENGTH_MISMATCH); |
| 1994 | return 0; |
| 1995 | } |
| 1996 | |
| 1997 | if (identity >= (unsigned int)s->ext.tick_identity) { |
| 1998 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_PSK, |
| 1999 | SSL_R_BAD_PSK_IDENTITY); |
| 2000 | return 0; |
| 2001 | } |
| 2002 | |
| 2003 | /* |
| 2004 | * Session resumption tickets are always sent before PSK tickets. If the |
| 2005 | * ticket index is 0 then it must be for a session resumption ticket if we |
| 2006 | * sent two tickets, or if we didn't send a PSK ticket. |
| 2007 | */ |
| 2008 | if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { |
| 2009 | s->hit = 1; |
| 2010 | SSL_SESSION_free(s->psksession); |
| 2011 | s->psksession = NULL; |
| 2012 | return 1; |
| 2013 | } |
| 2014 | |
| 2015 | if (s->psksession == NULL) { |
| 2016 | /* Should never happen */ |
| 2017 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_PSK, |
| 2018 | ERR_R_INTERNAL_ERROR); |
| 2019 | return 0; |
| 2020 | } |
| 2021 | |
| 2022 | /* |
| 2023 | * If we used the external PSK for sending early_data then s->early_secret |
| 2024 | * is already set up, so don't overwrite it. Otherwise we copy the |
| 2025 | * early_secret across that we generated earlier. |
| 2026 | */ |
| 2027 | if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY |
| 2028 | && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) |
| 2029 | || s->session->ext.max_early_data > 0 |
| 2030 | || s->psksession->ext.max_early_data == 0) |
| 2031 | memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); |
| 2032 | |
| 2033 | SSL_SESSION_free(s->session); |
| 2034 | s->session = s->psksession; |
| 2035 | s->psksession = NULL; |
| 2036 | s->hit = 1; |
| 2037 | /* Early data is only allowed if we used the first ticket */ |
| 2038 | if (identity != 0) |
| 2039 | s->ext.early_data_ok = 0; |
| 2040 | #endif |
| 2041 | |
| 2042 | return 1; |
| 2043 | } |
| 2044 |
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.