Google Git
Sign in
flutter / third_party / openssl / a2880aec7314823ce1df48c501d8c5c2a0456918 / . / ssl / statem / extensions_srvr.c
blob: ab3ad468fb99bf2f9f442d7e23c76ddc234c718d [file] [log] [blame]
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_locl.h"
12#include "statem_locl.h"
13
14/*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]17int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]19{
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51}
52
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]53/*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]76int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]78{
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]92 * syntax inextensibly and OpenSSL 1.0.x parses it as
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]93 * such.
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
97 *
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
100 */
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
105 return 0;
106 }
107
108 if (!s->hit) {
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
111 return 0;
112 }
113
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
116 return 0;
117 }
118
Matt Caswell7d061fc2017-01-30 16:16:28 +0000[diff] [blame]119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]122 *al = TLS1_AD_INTERNAL_ERROR;
123 return 0;
124 }
125
126 s->servername_done = 1;
127 } else {
128 /*
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
131 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]135 }
136
137 return 1;
138}
139
140#ifndef OPENSSL_NO_SRP
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]141int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]143{
144 PACKET srp_I;
145
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
149 return 0;
150 }
151
152 /*
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
155 */
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = TLS1_AD_INTERNAL_ERROR;
158 return 0;
159 }
160
161 return 1;
162}
163#endif
164
165#ifndef OPENSSL_NO_EC
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]166int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]168{
169 PACKET ec_point_format_list;
170
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
174 return 0;
175 }
176
177 if (!s->hit) {
178 if (!PACKET_memdup(&ec_point_format_list,
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]181 *al = TLS1_AD_INTERNAL_ERROR;
182 return 0;
183 }
184 }
185
186 return 1;
187}
188#endif /* OPENSSL_NO_EC */
189
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]190int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]192{
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]197 *al = TLS1_AD_INTERNAL_ERROR;
198 return 0;
199 }
200
201 return 1;
202}
203
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]204int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]206{
207 PACKET supported_sig_algs;
208
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
212 return 0;
213 }
214
Matt Caswell703bcee2016-12-14 14:31:21 +0000[diff] [blame]215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
216 *al = TLS1_AD_DECODE_ERROR;
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]217 return 0;
218 }
219
220 return 1;
221}
222
Matt Caswellab83e312016-11-25 16:28:02 +0000[diff] [blame]223#ifndef OPENSSL_NO_OCSP
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]224int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]226{
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]227 PACKET responder_id_list, exts;
228
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]229 /* Not defined if we get one of these in a client Certificate */
230 if (x != NULL)
231 return 1;
232
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]234 *al = SSL_AD_DECODE_ERROR;
235 return 0;
236 }
Matt Caswellab83e312016-11-25 16:28:02 +0000[diff] [blame]237
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]239 /*
240 * We don't know what to do with any other type so ignore it.
241 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]243 return 1;
244 }
245
246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
248 return 0;
249 }
250
251 /*
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
254 */
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]256 if (PACKET_remaining(&responder_id_list) > 0) {
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]259 *al = SSL_AD_INTERNAL_ERROR;
260 return 0;
261 }
262 } else {
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]263 s->ext.ocsp.ids = NULL;
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]264 }
265
266 while (PACKET_remaining(&responder_id_list) > 0) {
267 OCSP_RESPID *id;
268 PACKET responder_id;
269 const unsigned char *id_data;
270
271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
274 return 0;
275 }
276
277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
281 if (id == NULL) {
282 *al = SSL_AD_DECODE_ERROR;
283 return 0;
284 }
285
286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
288 *al = SSL_AD_DECODE_ERROR;
289 return 0;
290 }
291
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
295 return 0;
296 }
297 }
298
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
302 return 0;
303 }
304
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
307
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]309 X509_EXTENSION_free);
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]310 s->ext.ocsp.exts =
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]313 *al = SSL_AD_DECODE_ERROR;
314 return 0;
315 }
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]316 }
317
318 return 1;
319}
Matt Caswellab83e312016-11-25 16:28:02 +0000[diff] [blame]320#endif
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]321
322#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]323int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]325{
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]326 /*
327 * We shouldn't accept this extension on a
328 * renegotiation.
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]329 */
Matt Caswellc7f47782017-01-10 23:02:28 +0000[diff] [blame]330 if (SSL_IS_FIRST_HANDSHAKE(s))
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]331 s->s3->npn_seen = 1;
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]332
333 return 1;
334}
335#endif
336
337/*
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]341 */
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]342int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]344{
345 PACKET protocol_list, save_protocol_list, protocol;
346
Matt Caswellc7f47782017-01-10 23:02:28 +0000[diff] [blame]347 if (!SSL_IS_FIRST_HANDSHAKE(s))
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]348 return 1;
349
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
353 return 0;
354 }
355
356 save_protocol_list = protocol_list;
357 do {
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
362 return 0;
363 }
364 } while (PACKET_remaining(&protocol_list) != 0);
365
Matt Caswell7d061fc2017-01-30 16:16:28 +0000[diff] [blame]366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = TLS1_AD_INTERNAL_ERROR;
372 return 0;
373 }
374
375 return 1;
376}
377
378#ifndef OPENSSL_NO_SRTP
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]379int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]381{
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
384 int i, srtp_pref;
385 PACKET subpkt;
386
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
389 return 1;
390
391 /* Pull off the length of the cipher suite list and check it is even */
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
397 return 0;
398 }
399
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
404
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
410 return 0;
411 }
412
413 /*
414 * Only look for match in profiles of higher preference than
415 * current match.
416 * If no profiles have been have been configured then this
417 * does nothing.
418 */
419 for (i = 0; i < srtp_pref; i++) {
Matt Caswelld270de32016-12-07 17:21:48 +0000[diff] [blame]420 SRTP_PROTECTION_PROFILE *sprof =
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
422
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
425 srtp_pref = i;
426 break;
427 }
428 }
429 }
430
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]431 /* Now extract the MKI value as a sanity check, but discard it for now */
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]432 if (!PACKET_get_1(pkt, &mki_len)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
436 return 0;
437 }
438
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]442 *al = SSL_AD_DECODE_ERROR;
443 return 0;
444 }
445
446 return 1;
447}
448#endif
449
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]450int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]452{
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
Matt Caswell28a31a02017-02-03 14:06:20 +0000[diff] [blame]454 s->ext.use_etm = 1;
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]455
456 return 1;
457}
458
459/*
Matt Caswellb2f7e8c2017-01-12 15:28:48 +0000[diff] [blame]460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
463 */
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]464int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
Matt Caswellb2f7e8c2017-01-12 15:28:48 +0000[diff] [blame]466{
467#ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
469 unsigned int mode;
470
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
474 return 0;
475 }
476
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
482 }
483#endif
484
485 return 1;
486}
487
488/*
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
492 */
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]493int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]495{
Matt Caswell3cf96e82016-12-28 15:32:39 +0000[diff] [blame]496#ifndef OPENSSL_NO_TLS1_3
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
503
Matt Caswellf4bbb372017-01-18 11:31:37 +0000[diff] [blame]504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]505 return 1;
506
507 /* Sanity check */
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]511 return 0;
512 }
513
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
515 *al = SSL_AD_HANDSHAKE_FAILURE;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]517 return 0;
518 }
519
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]524 return 0;
525 }
526
Matt Caswell24b8e4b2016-11-26 11:45:02 +0000[diff] [blame]527 /*
Matt Caswell70af3d82016-11-28 09:31:59 +0000[diff] [blame]528 * Get the clients list of supported curves.
Matt Caswell24b8e4b2016-11-26 11:45:02 +0000[diff] [blame]529 * TODO(TLS1.3): We should validate that we actually received
530 * supported_groups!
531 */
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]532 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
533 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]534 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]535 return 0;
536 }
537
538 while (PACKET_remaining(&key_share_list) > 0) {
539 if (!PACKET_get_net_2(&key_share_list, &group_id)
540 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
541 || PACKET_remaining(&encoded_pt) == 0) {
542 *al = SSL_AD_HANDSHAKE_FAILURE;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]544 SSL_R_LENGTH_MISMATCH);
545 return 0;
546 }
547
548 /*
549 * If we already found a suitable key_share we loop through the
550 * rest to verify the structure, but don't process them.
551 */
552 if (found)
553 continue;
554
555 /* Check if this share is in supported_groups sent from client */
556 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
557 *al = SSL_AD_HANDSHAKE_FAILURE;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]558 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]559 return 0;
560 }
561
562 /* Check if this share is for a group we can use */
563 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
564 /* Share not suitable */
565 continue;
566 }
567
568 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
569
570 if (group_nid == 0) {
571 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]572 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]573 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
574 return 0;
575 }
576
577 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
578 /* Can happen for some curves, e.g. X25519 */
579 EVP_PKEY *key = EVP_PKEY_new();
580
581 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
582 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]583 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]584 EVP_PKEY_free(key);
585 return 0;
586 }
587 s->s3->peer_tmp = key;
588 } else {
589 /* Set up EVP_PKEY with named curve as parameters */
590 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]591
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]592 if (pctx == NULL
593 || EVP_PKEY_paramgen_init(pctx) <= 0
594 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
595 group_nid) <= 0
596 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
597 *al = SSL_AD_INTERNAL_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]598 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]599 EVP_PKEY_CTX_free(pctx);
600 return 0;
601 }
602 EVP_PKEY_CTX_free(pctx);
603 pctx = NULL;
604 }
605 s->s3->group_id = group_id;
606
607 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
608 PACKET_data(&encoded_pt),
609 PACKET_remaining(&encoded_pt))) {
610 *al = SSL_AD_DECODE_ERROR;
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]611 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]612 return 0;
613 }
614
615 found = 1;
616 }
Matt Caswell3cf96e82016-12-28 15:32:39 +0000[diff] [blame]617#endif
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]618
619 return 1;
620}
621
622#ifndef OPENSSL_NO_EC
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]623int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
624 X509 *x, size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]625{
626 PACKET supported_groups_list;
627
628 /* Each group is 2 bytes and we must have at least 1. */
629 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
630 || PACKET_remaining(&supported_groups_list) == 0
631 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
632 *al = SSL_AD_DECODE_ERROR;
633 return 0;
634 }
635
Matt Caswell7d061fc2017-01-30 16:16:28 +0000[diff] [blame]636 OPENSSL_free(s->session->ext.supportedgroups);
637 s->session->ext.supportedgroups = NULL;
638 s->session->ext.supportedgroups_len = 0;
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]639 if (!PACKET_memdup(&supported_groups_list,
640 &s->session->ext.supportedgroups,
641 &s->session->ext.supportedgroups_len)) {
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]642 *al = SSL_AD_DECODE_ERROR;
643 return 0;
644 }
645
646 return 1;
647}
648#endif
649
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]650int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
651 size_t chainidx, int *al)
Matt Caswell25670f32016-11-24 22:54:59 +0000[diff] [blame]652{
653 /* The extension must always be empty */
654 if (PACKET_remaining(pkt) != 0) {
655 *al = SSL_AD_DECODE_ERROR;
656 return 0;
657 }
658
659 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
660
661 return 1;
662}
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]663
Matt Caswell38df5a42017-02-24 11:13:25 +0000[diff] [blame]664
665int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
666 X509 *x, size_t chainidx, int *al)
667{
668 if (PACKET_remaining(pkt) != 0) {
669 *al = SSL_AD_DECODE_ERROR;
670 return 0;
671 }
672
673 return 1;
674}
675
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]676int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
677 size_t chainidx, int *al)
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]678{
679 PACKET identities, binders, binder;
680 size_t binderoffset, hashsize;
681 SSL_SESSION *sess = NULL;
682 unsigned int id, i;
683 const EVP_MD *md = NULL;
Matt Caswell30d1bab2017-03-02 23:53:30 +0000[diff] [blame]684 uint32_t ticket_age = 0, now, agesec, agems;
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]685
Matt Caswell1a9f4572017-01-25 11:56:23 +0000[diff] [blame]686 /*
687 * If we have no PSK kex mode that we recognise then we can't resume so
688 * ignore this extension
689 */
690 if ((s->ext.psk_kex_mode
691 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
692 return 1;
693
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]694 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
695 *al = SSL_AD_DECODE_ERROR;
696 return 0;
697 }
698
699 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
700 PACKET identity;
Matt Caswell2c604cb2017-02-24 09:30:54 +0000[diff] [blame]701 unsigned long ticket_agel;
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]702 int ret;
703
704 if (!PACKET_get_length_prefixed_2(&identities, &identity)
Matt Caswell2c604cb2017-02-24 09:30:54 +0000[diff] [blame]705 || !PACKET_get_net_4(&identities, &ticket_agel)) {
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]706 *al = SSL_AD_DECODE_ERROR;
707 return 0;
708 }
709
Matt Caswell2c604cb2017-02-24 09:30:54 +0000[diff] [blame]710 ticket_age = (uint32_t)ticket_agel;
Matt Caswell1b8bacf2017-01-27 15:18:51 +0000[diff] [blame]711
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]712 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
713 PACKET_remaining(&identity), NULL, 0, &sess);
714 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
715 *al = SSL_AD_INTERNAL_ERROR;
716 return 0;
717 }
718 if (ret == TICKET_NO_DECRYPT)
719 continue;
720
Matt Caswell534a43f2017-01-19 15:01:55 +0000[diff] [blame]721 md = ssl_md(sess->cipher->algorithm2);
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]722 if (md == NULL) {
723 /*
724 * Don't recognise this cipher so we can't use the session.
725 * Ignore it
726 */
727 SSL_SESSION_free(sess);
728 sess = NULL;
729 continue;
730 }
731
732 /*
733 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
734 * Ignored for now
735 */
736
737 break;
738 }
739
740 if (sess == NULL)
741 return 1;
742
743 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]744 hashsize = EVP_MD_size(md);
745
746 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
747 *al = SSL_AD_DECODE_ERROR;
748 goto err;
749 }
750
751 for (i = 0; i <= id; i++) {
752 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
753 *al = SSL_AD_DECODE_ERROR;
754 goto err;
755 }
756 }
757
758 if (PACKET_remaining(&binder) != hashsize
759 || tls_psk_do_binder(s, md,
760 (const unsigned char *)s->init_buf->data,
761 binderoffset, PACKET_data(&binder), NULL,
762 sess, 0) != 1) {
763 *al = SSL_AD_DECODE_ERROR;
764 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
765 goto err;
766 }
767
768 sess->ext.tick_identity = id;
Matt Caswell2c604cb2017-02-24 09:30:54 +0000[diff] [blame]769
770 now = (uint32_t)time(NULL);
771 agesec = now - (uint32_t)sess->time;
772 agems = agesec * (uint32_t)1000;
773 ticket_age -= sess->ext.tick_age_add;
774
775
776 /*
777 * For simplicity we do our age calculations in seconds. If the client does
778 * it in ms then it could appear that their ticket age is longer than ours
779 * (our ticket age calculation should always be slightly longer than the
780 * client's due to the network latency). Therefore we add 1000ms to our age
781 * calculation to adjust for rounding errors.
782 */
783 if (sess->timeout >= agesec
784 && agems / (uint32_t)1000 == agesec
785 && ticket_age <= agems + 1000
786 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
787 /*
788 * Ticket age is within tolerance and not expired. We allow it for early
789 * data
790 */
791 s->ext.early_data_ok = 1;
792 }
793
794
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]795 SSL_SESSION_free(s->session);
796 s->session = sess;
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]797 return 1;
798err:
Matt Caswell312e9382017-03-04 15:45:40 +0000[diff] [blame]799 SSL_SESSION_free(sess);
Matt Caswell1053a6e2017-01-18 16:28:23 +0000[diff] [blame]800 return 0;
801}
802
Matt Caswell1266eef2016-12-07 17:04:46 +0000[diff] [blame]803/*
804 * Add the server's renegotiation binding
805 */
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]806int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
807 X509 *x, size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]808{
809 if (!s->s3->send_connection_binding)
810 return 1;
811
812 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
813 || !WPACKET_start_sub_packet_u16(pkt)
814 || !WPACKET_start_sub_packet_u8(pkt)
815 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
816 s->s3->previous_client_finished_len)
817 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
818 s->s3->previous_server_finished_len)
819 || !WPACKET_close(pkt)
820 || !WPACKET_close(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]821 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]822 return 0;
823 }
824
825 return 1;
826}
827
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]828int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
829 X509 *x, size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]830{
831 if (s->hit || s->servername_done != 1
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]832 || s->session->ext.hostname == NULL)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]833 return 1;
834
835 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
836 || !WPACKET_put_bytes_u16(pkt, 0)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]837 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]838 return 0;
839 }
840
841 return 1;
842}
843
Matt Caswell3fc8d852017-02-17 16:52:12 +0000[diff] [blame]844int tls_construct_stoc_early_data_info(SSL *s, WPACKET *pkt,
845 unsigned int context, X509 *x,
846 size_t chainidx, int *al)
847{
848 if (s->max_early_data == 0)
849 return 1;
850
851 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data_info)
852 || !WPACKET_start_sub_packet_u16(pkt)
853 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
854 || !WPACKET_close(pkt)) {
855 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA_INFO, ERR_R_INTERNAL_ERROR);
856 return 0;
857 }
858
859 return 1;
860}
861
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]862#ifndef OPENSSL_NO_EC
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]863int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
864 X509 *x, size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]865{
866 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
867 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
Matt Caswell89247372016-12-07 12:30:52 +0000[diff] [blame]868 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]869 && (s->session->ext.ecpointformats != NULL);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]870 const unsigned char *plist;
871 size_t plistlen;
872
873 if (!using_ecc)
874 return 1;
875
876 tls1_get_formatlist(s, &plist, &plistlen);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]877 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
878 || !WPACKET_start_sub_packet_u16(pkt)
879 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
880 || !WPACKET_close(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]881 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]882 return 0;
883 }
884
885 return 1;
886}
887#endif
888
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]889int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
890 unsigned int context, X509 *x,
Matt Caswell8521ced2017-01-05 16:12:56 +0000[diff] [blame]891 size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]892{
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]893 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
894 s->ext.ticket_expected = 0;
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]895 return 1;
896 }
897
898 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
899 || !WPACKET_put_bytes_u16(pkt, 0)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]900 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]901 return 0;
902 }
903
904 return 1;
905}
906
Matt Caswellab83e312016-11-25 16:28:02 +0000[diff] [blame]907#ifndef OPENSSL_NO_OCSP
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]908int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
909 unsigned int context, X509 *x,
910 size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]911{
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]912 if (!s->ext.status_expected)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]913 return 1;
914
Matt Caswell8521ced2017-01-05 16:12:56 +0000[diff] [blame]915 if (SSL_IS_TLS13(s) && chainidx != 0)
Matt Caswelle96e0f82016-12-02 09:14:15 +0000[diff] [blame]916 return 1;
917
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]918 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
Matt Caswellf63e4282016-12-02 14:46:54 +0000[diff] [blame]919 || !WPACKET_start_sub_packet_u16(pkt)) {
920 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
921 return 0;
922 }
923
924 /*
925 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
926 * send back an empty extension, with the certificate status appearing as a
927 * separate message
928 */
929 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
930 || !WPACKET_close(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]931 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]932 return 0;
933 }
934
935 return 1;
936}
Matt Caswellab83e312016-11-25 16:28:02 +0000[diff] [blame]937#endif
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]938
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]939#ifndef OPENSSL_NO_NEXTPROTONEG
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]940int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
941 unsigned int context, X509 *x,
Matt Caswell8521ced2017-01-05 16:12:56 +0000[diff] [blame]942 size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]943{
944 const unsigned char *npa;
945 unsigned int npalen;
946 int ret;
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]947 int npn_seen = s->s3->npn_seen;
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]948
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]949 s->s3->npn_seen = 0;
950 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]951 return 1;
952
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]953 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
954 s->ctx->ext.npn_advertised_cb_arg);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]955 if (ret == SSL_TLSEXT_ERR_OK) {
956 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
957 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]958 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]959 ERR_R_INTERNAL_ERROR);
960 return 0;
961 }
Rich Salzaff8c122016-12-08 14:18:40 -0500[diff] [blame]962 s->s3->npn_seen = 1;
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]963 }
964
965 return 1;
966}
967#endif
968
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]969int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
970 size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]971{
972 if (s->s3->alpn_selected == NULL)
973 return 1;
974
975 if (!WPACKET_put_bytes_u16(pkt,
976 TLSEXT_TYPE_application_layer_protocol_negotiation)
977 || !WPACKET_start_sub_packet_u16(pkt)
978 || !WPACKET_start_sub_packet_u16(pkt)
979 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
980 s->s3->alpn_selected_len)
981 || !WPACKET_close(pkt)
982 || !WPACKET_close(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]983 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]984 return 0;
985 }
986
987 return 1;
988}
989
990#ifndef OPENSSL_NO_SRTP
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]991int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
992 X509 *x, size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]993{
994 if (s->srtp_profile == NULL)
995 return 1;
Matt Caswella1448c22016-11-30 13:46:11 +0000[diff] [blame]996
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]997 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
998 || !WPACKET_start_sub_packet_u16(pkt)
999 || !WPACKET_put_bytes_u16(pkt, 2)
1000 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1001 || !WPACKET_put_bytes_u8(pkt, 0)
1002 || !WPACKET_close(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1003 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1004 return 0;
1005 }
1006
1007 return 1;
1008}
1009#endif
1010
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]1011int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1012 size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1013{
Matt Caswell28a31a02017-02-03 14:06:20 +0000[diff] [blame]1014 if (!s->ext.use_etm)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1015 return 1;
1016
1017 /*
1018 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1019 * for other cases too.
1020 */
1021 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1022 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1023 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1024 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
Matt Caswell28a31a02017-02-03 14:06:20 +0000[diff] [blame]1025 s->ext.use_etm = 0;
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1026 return 1;
1027 }
1028
1029 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1030 || !WPACKET_put_bytes_u16(pkt, 0)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1031 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1032 return 0;
1033 }
1034
1035 return 1;
1036}
1037
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]1038int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1039 size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1040{
1041 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1042 return 1;
1043
1044 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1045 || !WPACKET_put_bytes_u16(pkt, 0)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1046 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1047 return 0;
1048 }
1049
1050 return 1;
1051}
1052
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]1053int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
1054 X509 *x, size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1055{
Matt Caswell3cf96e82016-12-28 15:32:39 +0000[diff] [blame]1056#ifndef OPENSSL_NO_TLS1_3
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1057 unsigned char *encodedPoint;
1058 size_t encoded_pt_len = 0;
1059 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1060
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1061 if (ckey == NULL) {
Matt Caswell7d061fc2017-01-30 16:16:28 +0000[diff] [blame]1062 /* No key_share received from client */
1063 if (s->hello_retry_request) {
Matt Caswell7d061fc2017-01-30 16:16:28 +0000[diff] [blame]1064 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
Matt Caswellaff99292017-02-01 17:10:45 +0000[diff] [blame]1065 || !WPACKET_start_sub_packet_u16(pkt)
1066 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1067 || !WPACKET_close(pkt)) {
Matt Caswell7d061fc2017-01-30 16:16:28 +0000[diff] [blame]1068 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1069 ERR_R_INTERNAL_ERROR);
1070 return 0;
1071 }
1072
1073 return 1;
1074 }
1075
1076 /* Must be resuming. */
Matt Caswell02470862017-01-18 17:22:18 +0000[diff] [blame]1077 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1078 *al = SSL_AD_INTERNAL_ERROR;
1079 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1080 return 0;
1081 }
1082 return 1;
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1083 }
1084
1085 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1086 || !WPACKET_start_sub_packet_u16(pkt)
1087 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1088 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1089 return 0;
1090 }
1091
1092 skey = ssl_generate_pkey(ckey);
1093 if (skey == NULL) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1094 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1095 return 0;
1096 }
1097
1098 /* Generate encoding of server key */
1099 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1100 if (encoded_pt_len == 0) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1101 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1102 EVP_PKEY_free(skey);
1103 return 0;
1104 }
1105
1106 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1107 || !WPACKET_close(pkt)) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1108 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1109 EVP_PKEY_free(skey);
1110 OPENSSL_free(encodedPoint);
1111 return 0;
1112 }
1113 OPENSSL_free(encodedPoint);
1114
1115 /* This causes the crypto state to be updated based on the derived keys */
1116 s->s3->tmp.pkey = skey;
1117 if (ssl_derive(s, skey, ckey, 1) == 0) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1118 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1119 return 0;
1120 }
Matt Caswell3cf96e82016-12-28 15:32:39 +0000[diff] [blame]1121#endif
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1122
1123 return 1;
1124}
1125
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]1126int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
1127 X509 *x, size_t chainidx, int *al)
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1128{
1129 const unsigned char cryptopro_ext[36] = {
1130 0xfd, 0xe8, /* 65000 */
1131 0x00, 0x20, /* 32 bytes length */
1132 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1133 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1134 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1135 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1136 };
1137
1138 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1139 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1140 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1141 return 1;
1142
1143 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
Matt Caswell7fe97c02016-12-07 23:50:55 +0000[diff] [blame]1144 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
Matt Caswell7da160b2016-11-25 10:22:02 +0000[diff] [blame]1145 return 0;
1146 }
1147
1148 return 1;
1149}
Matt Caswell02470862017-01-18 17:22:18 +0000[diff] [blame]1150
Matt Caswell38df5a42017-02-24 11:13:25 +0000[diff] [blame]1151int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
1152 X509 *x, size_t chainidx, int *al)
1153{
1154 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1155 return 1;
1156
1157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1158 || !WPACKET_start_sub_packet_u16(pkt)
1159 || !WPACKET_close(pkt)) {
1160 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1161 return 0;
1162 }
1163
1164 return 1;
1165}
1166
Matt Caswell61138352017-01-31 17:00:12 +0000[diff] [blame]1167int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1168 size_t chainidx, int *al)
Matt Caswell02470862017-01-18 17:22:18 +0000[diff] [blame]1169{
1170 if (!s->hit)
1171 return 1;
1172
1173 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1174 || !WPACKET_start_sub_packet_u16(pkt)
1175 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1176 || !WPACKET_close(pkt)) {
1177 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1178 return 0;
1179 }
1180
1181 return 1;
1182}