1*4724848cSchristos /*
2*4724848cSchristos * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3*4724848cSchristos *
4*4724848cSchristos * Licensed under the OpenSSL license (the "License"). You may not use
5*4724848cSchristos * this file except in compliance with the License. You can obtain a copy
6*4724848cSchristos * in the file LICENSE in the source distribution or at
7*4724848cSchristos * https://www.openssl.org/source/license.html
8*4724848cSchristos */
9*4724848cSchristos
10*4724848cSchristos #include <openssl/ocsp.h>
11*4724848cSchristos #include "../ssl_local.h"
12*4724848cSchristos #include "statem_local.h"
13*4724848cSchristos #include "internal/cryptlib.h"
14*4724848cSchristos
15*4724848cSchristos #define COOKIE_STATE_FORMAT_VERSION 1
16*4724848cSchristos
17*4724848cSchristos /*
18*4724848cSchristos * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19*4724848cSchristos * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20*4724848cSchristos * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21*4724848cSchristos * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22*4724848cSchristos * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23*4724848cSchristos */
24*4724848cSchristos #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25*4724848cSchristos + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26*4724848cSchristos
27*4724848cSchristos /*
28*4724848cSchristos * Message header + 2 bytes for protocol version + number of random bytes +
29*4724848cSchristos * + 1 byte for legacy session id length + number of bytes in legacy session id
30*4724848cSchristos * + 2 bytes for ciphersuite + 1 byte for legacy compression
31*4724848cSchristos * + 2 bytes for extension block length + 6 bytes for key_share extension
32*4724848cSchristos * + 4 bytes for cookie extension header + the number of bytes in the cookie
33*4724848cSchristos */
34*4724848cSchristos #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35*4724848cSchristos + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36*4724848cSchristos + MAX_COOKIE_SIZE)
37*4724848cSchristos
38*4724848cSchristos /*
39*4724848cSchristos * Parse the client's renegotiation binding and abort if it's not right
40*4724848cSchristos */
tls_parse_ctos_renegotiate(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)41*4724848cSchristos int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42*4724848cSchristos X509 *x, size_t chainidx)
43*4724848cSchristos {
44*4724848cSchristos unsigned int ilen;
45*4724848cSchristos const unsigned char *data;
46*4724848cSchristos
47*4724848cSchristos /* Parse the length byte */
48*4724848cSchristos if (!PACKET_get_1(pkt, &ilen)
49*4724848cSchristos || !PACKET_get_bytes(pkt, &data, ilen)) {
50*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51*4724848cSchristos SSL_R_RENEGOTIATION_ENCODING_ERR);
52*4724848cSchristos return 0;
53*4724848cSchristos }
54*4724848cSchristos
55*4724848cSchristos /* Check that the extension matches */
56*4724848cSchristos if (ilen != s->s3->previous_client_finished_len) {
57*4724848cSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58*4724848cSchristos SSL_R_RENEGOTIATION_MISMATCH);
59*4724848cSchristos return 0;
60*4724848cSchristos }
61*4724848cSchristos
62*4724848cSchristos if (memcmp(data, s->s3->previous_client_finished,
63*4724848cSchristos s->s3->previous_client_finished_len)) {
64*4724848cSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65*4724848cSchristos SSL_R_RENEGOTIATION_MISMATCH);
66*4724848cSchristos return 0;
67*4724848cSchristos }
68*4724848cSchristos
69*4724848cSchristos s->s3->send_connection_binding = 1;
70*4724848cSchristos
71*4724848cSchristos return 1;
72*4724848cSchristos }
73*4724848cSchristos
74*4724848cSchristos /*-
75*4724848cSchristos * The servername extension is treated as follows:
76*4724848cSchristos *
77*4724848cSchristos * - Only the hostname type is supported with a maximum length of 255.
78*4724848cSchristos * - The servername is rejected if too long or if it contains zeros,
79*4724848cSchristos * in which case an fatal alert is generated.
80*4724848cSchristos * - The servername field is maintained together with the session cache.
81*4724848cSchristos * - When a session is resumed, the servername call back invoked in order
82*4724848cSchristos * to allow the application to position itself to the right context.
83*4724848cSchristos * - The servername is acknowledged if it is new for a session or when
84*4724848cSchristos * it is identical to a previously used for the same session.
85*4724848cSchristos * Applications can control the behaviour. They can at any time
86*4724848cSchristos * set a 'desirable' servername for a new SSL object. This can be the
87*4724848cSchristos * case for example with HTTPS when a Host: header field is received and
88*4724848cSchristos * a renegotiation is requested. In this case, a possible servername
89*4724848cSchristos * presented in the new client hello is only acknowledged if it matches
90*4724848cSchristos * the value of the Host: field.
91*4724848cSchristos * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92*4724848cSchristos * if they provide for changing an explicit servername context for the
93*4724848cSchristos * session, i.e. when the session has been established with a servername
94*4724848cSchristos * extension.
95*4724848cSchristos * - On session reconnect, the servername extension may be absent.
96*4724848cSchristos */
tls_parse_ctos_server_name(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)97*4724848cSchristos int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98*4724848cSchristos X509 *x, size_t chainidx)
99*4724848cSchristos {
100*4724848cSchristos unsigned int servname_type;
101*4724848cSchristos PACKET sni, hostname;
102*4724848cSchristos
103*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &sni)
104*4724848cSchristos /* ServerNameList must be at least 1 byte long. */
105*4724848cSchristos || PACKET_remaining(&sni) == 0) {
106*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107*4724848cSchristos SSL_R_BAD_EXTENSION);
108*4724848cSchristos return 0;
109*4724848cSchristos }
110*4724848cSchristos
111*4724848cSchristos /*
112*4724848cSchristos * Although the intent was for server_name to be extensible, RFC 4366
113*4724848cSchristos * was not clear about it; and so OpenSSL among other implementations,
114*4724848cSchristos * always and only allows a 'host_name' name types.
115*4724848cSchristos * RFC 6066 corrected the mistake but adding new name types
116*4724848cSchristos * is nevertheless no longer feasible, so act as if no other
117*4724848cSchristos * SNI types can exist, to simplify parsing.
118*4724848cSchristos *
119*4724848cSchristos * Also note that the RFC permits only one SNI value per type,
120*4724848cSchristos * i.e., we can only have a single hostname.
121*4724848cSchristos */
122*4724848cSchristos if (!PACKET_get_1(&sni, &servname_type)
123*4724848cSchristos || servname_type != TLSEXT_NAMETYPE_host_name
124*4724848cSchristos || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126*4724848cSchristos SSL_R_BAD_EXTENSION);
127*4724848cSchristos return 0;
128*4724848cSchristos }
129*4724848cSchristos
130*4724848cSchristos /*
131*4724848cSchristos * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
132*4724848cSchristos * we always use the SNI value from the handshake.
133*4724848cSchristos */
134*4724848cSchristos if (!s->hit || SSL_IS_TLS13(s)) {
135*4724848cSchristos if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
136*4724848cSchristos SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
137*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
138*4724848cSchristos SSL_R_BAD_EXTENSION);
139*4724848cSchristos return 0;
140*4724848cSchristos }
141*4724848cSchristos
142*4724848cSchristos if (PACKET_contains_zero_byte(&hostname)) {
143*4724848cSchristos SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
144*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
145*4724848cSchristos SSL_R_BAD_EXTENSION);
146*4724848cSchristos return 0;
147*4724848cSchristos }
148*4724848cSchristos
149*4724848cSchristos /*
150*4724848cSchristos * Store the requested SNI in the SSL as temporary storage.
151*4724848cSchristos * If we accept it, it will get stored in the SSL_SESSION as well.
152*4724848cSchristos */
153*4724848cSchristos OPENSSL_free(s->ext.hostname);
154*4724848cSchristos s->ext.hostname = NULL;
155*4724848cSchristos if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
156*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
157*4724848cSchristos ERR_R_INTERNAL_ERROR);
158*4724848cSchristos return 0;
159*4724848cSchristos }
160*4724848cSchristos
161*4724848cSchristos s->servername_done = 1;
162*4724848cSchristos } else {
163*4724848cSchristos /*
164*4724848cSchristos * In TLSv1.2 and below we should check if the SNI is consistent between
165*4724848cSchristos * the initial handshake and the resumption. In TLSv1.3 SNI is not
166*4724848cSchristos * associated with the session.
167*4724848cSchristos */
168*4724848cSchristos /*
169*4724848cSchristos * TODO(openssl-team): if the SNI doesn't match, we MUST
170*4724848cSchristos * fall back to a full handshake.
171*4724848cSchristos */
172*4724848cSchristos s->servername_done = (s->session->ext.hostname != NULL)
173*4724848cSchristos && PACKET_equal(&hostname, s->session->ext.hostname,
174*4724848cSchristos strlen(s->session->ext.hostname));
175*4724848cSchristos }
176*4724848cSchristos
177*4724848cSchristos return 1;
178*4724848cSchristos }
179*4724848cSchristos
tls_parse_ctos_maxfragmentlen(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)180*4724848cSchristos int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
181*4724848cSchristos X509 *x, size_t chainidx)
182*4724848cSchristos {
183*4724848cSchristos unsigned int value;
184*4724848cSchristos
185*4724848cSchristos if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
186*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
187*4724848cSchristos SSL_R_BAD_EXTENSION);
188*4724848cSchristos return 0;
189*4724848cSchristos }
190*4724848cSchristos
191*4724848cSchristos /* Received |value| should be a valid max-fragment-length code. */
192*4724848cSchristos if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
193*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
194*4724848cSchristos SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
195*4724848cSchristos SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
196*4724848cSchristos return 0;
197*4724848cSchristos }
198*4724848cSchristos
199*4724848cSchristos /*
200*4724848cSchristos * RFC 6066: The negotiated length applies for the duration of the session
201*4724848cSchristos * including session resumptions.
202*4724848cSchristos * We should receive the same code as in resumed session !
203*4724848cSchristos */
204*4724848cSchristos if (s->hit && s->session->ext.max_fragment_len_mode != value) {
205*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
206*4724848cSchristos SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
207*4724848cSchristos SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
208*4724848cSchristos return 0;
209*4724848cSchristos }
210*4724848cSchristos
211*4724848cSchristos /*
212*4724848cSchristos * Store it in session, so it'll become binding for us
213*4724848cSchristos * and we'll include it in a next Server Hello.
214*4724848cSchristos */
215*4724848cSchristos s->session->ext.max_fragment_len_mode = value;
216*4724848cSchristos return 1;
217*4724848cSchristos }
218*4724848cSchristos
219*4724848cSchristos #ifndef OPENSSL_NO_SRP
tls_parse_ctos_srp(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)220*4724848cSchristos int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
221*4724848cSchristos size_t chainidx)
222*4724848cSchristos {
223*4724848cSchristos PACKET srp_I;
224*4724848cSchristos
225*4724848cSchristos if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
226*4724848cSchristos || PACKET_contains_zero_byte(&srp_I)) {
227*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
228*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SRP,
229*4724848cSchristos SSL_R_BAD_EXTENSION);
230*4724848cSchristos return 0;
231*4724848cSchristos }
232*4724848cSchristos
233*4724848cSchristos /*
234*4724848cSchristos * TODO(openssl-team): currently, we re-authenticate the user
235*4724848cSchristos * upon resumption. Instead, we MUST ignore the login.
236*4724848cSchristos */
237*4724848cSchristos if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
238*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
239*4724848cSchristos ERR_R_INTERNAL_ERROR);
240*4724848cSchristos return 0;
241*4724848cSchristos }
242*4724848cSchristos
243*4724848cSchristos return 1;
244*4724848cSchristos }
245*4724848cSchristos #endif
246*4724848cSchristos
247*4724848cSchristos #ifndef OPENSSL_NO_EC
tls_parse_ctos_ec_pt_formats(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)248*4724848cSchristos int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
249*4724848cSchristos X509 *x, size_t chainidx)
250*4724848cSchristos {
251*4724848cSchristos PACKET ec_point_format_list;
252*4724848cSchristos
253*4724848cSchristos if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
254*4724848cSchristos || PACKET_remaining(&ec_point_format_list) == 0) {
255*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
256*4724848cSchristos SSL_R_BAD_EXTENSION);
257*4724848cSchristos return 0;
258*4724848cSchristos }
259*4724848cSchristos
260*4724848cSchristos if (!s->hit) {
261*4724848cSchristos if (!PACKET_memdup(&ec_point_format_list,
262*4724848cSchristos &s->ext.peer_ecpointformats,
263*4724848cSchristos &s->ext.peer_ecpointformats_len)) {
264*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
265*4724848cSchristos SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
266*4724848cSchristos return 0;
267*4724848cSchristos }
268*4724848cSchristos }
269*4724848cSchristos
270*4724848cSchristos return 1;
271*4724848cSchristos }
272*4724848cSchristos #endif /* OPENSSL_NO_EC */
273*4724848cSchristos
tls_parse_ctos_session_ticket(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)274*4724848cSchristos int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
275*4724848cSchristos X509 *x, size_t chainidx)
276*4724848cSchristos {
277*4724848cSchristos if (s->ext.session_ticket_cb &&
278*4724848cSchristos !s->ext.session_ticket_cb(s, PACKET_data(pkt),
279*4724848cSchristos PACKET_remaining(pkt),
280*4724848cSchristos s->ext.session_ticket_cb_arg)) {
281*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
282*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
283*4724848cSchristos return 0;
284*4724848cSchristos }
285*4724848cSchristos
286*4724848cSchristos return 1;
287*4724848cSchristos }
288*4724848cSchristos
tls_parse_ctos_sig_algs_cert(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)289*4724848cSchristos int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
290*4724848cSchristos X509 *x, size_t chainidx)
291*4724848cSchristos {
292*4724848cSchristos PACKET supported_sig_algs;
293*4724848cSchristos
294*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
295*4724848cSchristos || PACKET_remaining(&supported_sig_algs) == 0) {
296*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
297*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
298*4724848cSchristos return 0;
299*4724848cSchristos }
300*4724848cSchristos
301*4724848cSchristos if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
302*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
303*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
304*4724848cSchristos return 0;
305*4724848cSchristos }
306*4724848cSchristos
307*4724848cSchristos return 1;
308*4724848cSchristos }
309*4724848cSchristos
tls_parse_ctos_sig_algs(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)310*4724848cSchristos int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
311*4724848cSchristos size_t chainidx)
312*4724848cSchristos {
313*4724848cSchristos PACKET supported_sig_algs;
314*4724848cSchristos
315*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
316*4724848cSchristos || PACKET_remaining(&supported_sig_algs) == 0) {
317*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
318*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
319*4724848cSchristos return 0;
320*4724848cSchristos }
321*4724848cSchristos
322*4724848cSchristos if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
323*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
324*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
325*4724848cSchristos return 0;
326*4724848cSchristos }
327*4724848cSchristos
328*4724848cSchristos return 1;
329*4724848cSchristos }
330*4724848cSchristos
331*4724848cSchristos #ifndef OPENSSL_NO_OCSP
tls_parse_ctos_status_request(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)332*4724848cSchristos int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
333*4724848cSchristos X509 *x, size_t chainidx)
334*4724848cSchristos {
335*4724848cSchristos PACKET responder_id_list, exts;
336*4724848cSchristos
337*4724848cSchristos /* We ignore this in a resumption handshake */
338*4724848cSchristos if (s->hit)
339*4724848cSchristos return 1;
340*4724848cSchristos
341*4724848cSchristos /* Not defined if we get one of these in a client Certificate */
342*4724848cSchristos if (x != NULL)
343*4724848cSchristos return 1;
344*4724848cSchristos
345*4724848cSchristos if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
346*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
347*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
348*4724848cSchristos return 0;
349*4724848cSchristos }
350*4724848cSchristos
351*4724848cSchristos if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
352*4724848cSchristos /*
353*4724848cSchristos * We don't know what to do with any other type so ignore it.
354*4724848cSchristos */
355*4724848cSchristos s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
356*4724848cSchristos return 1;
357*4724848cSchristos }
358*4724848cSchristos
359*4724848cSchristos if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
360*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
361*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
362*4724848cSchristos return 0;
363*4724848cSchristos }
364*4724848cSchristos
365*4724848cSchristos /*
366*4724848cSchristos * We remove any OCSP_RESPIDs from a previous handshake
367*4724848cSchristos * to prevent unbounded memory growth - CVE-2016-6304
368*4724848cSchristos */
369*4724848cSchristos sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
370*4724848cSchristos if (PACKET_remaining(&responder_id_list) > 0) {
371*4724848cSchristos s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
372*4724848cSchristos if (s->ext.ocsp.ids == NULL) {
373*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
374*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
375*4724848cSchristos return 0;
376*4724848cSchristos }
377*4724848cSchristos } else {
378*4724848cSchristos s->ext.ocsp.ids = NULL;
379*4724848cSchristos }
380*4724848cSchristos
381*4724848cSchristos while (PACKET_remaining(&responder_id_list) > 0) {
382*4724848cSchristos OCSP_RESPID *id;
383*4724848cSchristos PACKET responder_id;
384*4724848cSchristos const unsigned char *id_data;
385*4724848cSchristos
386*4724848cSchristos if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
387*4724848cSchristos || PACKET_remaining(&responder_id) == 0) {
388*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
389*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
390*4724848cSchristos return 0;
391*4724848cSchristos }
392*4724848cSchristos
393*4724848cSchristos id_data = PACKET_data(&responder_id);
394*4724848cSchristos /* TODO(size_t): Convert d2i_* to size_t */
395*4724848cSchristos id = d2i_OCSP_RESPID(NULL, &id_data,
396*4724848cSchristos (int)PACKET_remaining(&responder_id));
397*4724848cSchristos if (id == NULL) {
398*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
399*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
400*4724848cSchristos return 0;
401*4724848cSchristos }
402*4724848cSchristos
403*4724848cSchristos if (id_data != PACKET_end(&responder_id)) {
404*4724848cSchristos OCSP_RESPID_free(id);
405*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
406*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
407*4724848cSchristos
408*4724848cSchristos return 0;
409*4724848cSchristos }
410*4724848cSchristos
411*4724848cSchristos if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
412*4724848cSchristos OCSP_RESPID_free(id);
413*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
414*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
415*4724848cSchristos
416*4724848cSchristos return 0;
417*4724848cSchristos }
418*4724848cSchristos }
419*4724848cSchristos
420*4724848cSchristos /* Read in request_extensions */
421*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
422*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
423*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
424*4724848cSchristos return 0;
425*4724848cSchristos }
426*4724848cSchristos
427*4724848cSchristos if (PACKET_remaining(&exts) > 0) {
428*4724848cSchristos const unsigned char *ext_data = PACKET_data(&exts);
429*4724848cSchristos
430*4724848cSchristos sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
431*4724848cSchristos X509_EXTENSION_free);
432*4724848cSchristos s->ext.ocsp.exts =
433*4724848cSchristos d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
434*4724848cSchristos if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
435*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
436*4724848cSchristos SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
437*4724848cSchristos return 0;
438*4724848cSchristos }
439*4724848cSchristos }
440*4724848cSchristos
441*4724848cSchristos return 1;
442*4724848cSchristos }
443*4724848cSchristos #endif
444*4724848cSchristos
445*4724848cSchristos #ifndef OPENSSL_NO_NEXTPROTONEG
tls_parse_ctos_npn(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)446*4724848cSchristos int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
447*4724848cSchristos size_t chainidx)
448*4724848cSchristos {
449*4724848cSchristos /*
450*4724848cSchristos * We shouldn't accept this extension on a
451*4724848cSchristos * renegotiation.
452*4724848cSchristos */
453*4724848cSchristos if (SSL_IS_FIRST_HANDSHAKE(s))
454*4724848cSchristos s->s3->npn_seen = 1;
455*4724848cSchristos
456*4724848cSchristos return 1;
457*4724848cSchristos }
458*4724848cSchristos #endif
459*4724848cSchristos
460*4724848cSchristos /*
461*4724848cSchristos * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
462*4724848cSchristos * extension, not including type and length. Returns: 1 on success, 0 on error.
463*4724848cSchristos */
tls_parse_ctos_alpn(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)464*4724848cSchristos int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
465*4724848cSchristos size_t chainidx)
466*4724848cSchristos {
467*4724848cSchristos PACKET protocol_list, save_protocol_list, protocol;
468*4724848cSchristos
469*4724848cSchristos if (!SSL_IS_FIRST_HANDSHAKE(s))
470*4724848cSchristos return 1;
471*4724848cSchristos
472*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
473*4724848cSchristos || PACKET_remaining(&protocol_list) < 2) {
474*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
475*4724848cSchristos SSL_R_BAD_EXTENSION);
476*4724848cSchristos return 0;
477*4724848cSchristos }
478*4724848cSchristos
479*4724848cSchristos save_protocol_list = protocol_list;
480*4724848cSchristos do {
481*4724848cSchristos /* Protocol names can't be empty. */
482*4724848cSchristos if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
483*4724848cSchristos || PACKET_remaining(&protocol) == 0) {
484*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
485*4724848cSchristos SSL_R_BAD_EXTENSION);
486*4724848cSchristos return 0;
487*4724848cSchristos }
488*4724848cSchristos } while (PACKET_remaining(&protocol_list) != 0);
489*4724848cSchristos
490*4724848cSchristos OPENSSL_free(s->s3->alpn_proposed);
491*4724848cSchristos s->s3->alpn_proposed = NULL;
492*4724848cSchristos s->s3->alpn_proposed_len = 0;
493*4724848cSchristos if (!PACKET_memdup(&save_protocol_list,
494*4724848cSchristos &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
495*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
496*4724848cSchristos ERR_R_INTERNAL_ERROR);
497*4724848cSchristos return 0;
498*4724848cSchristos }
499*4724848cSchristos
500*4724848cSchristos return 1;
501*4724848cSchristos }
502*4724848cSchristos
503*4724848cSchristos #ifndef OPENSSL_NO_SRTP
tls_parse_ctos_use_srtp(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)504*4724848cSchristos int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
505*4724848cSchristos size_t chainidx)
506*4724848cSchristos {
507*4724848cSchristos STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
508*4724848cSchristos unsigned int ct, mki_len, id;
509*4724848cSchristos int i, srtp_pref;
510*4724848cSchristos PACKET subpkt;
511*4724848cSchristos
512*4724848cSchristos /* Ignore this if we have no SRTP profiles */
513*4724848cSchristos if (SSL_get_srtp_profiles(s) == NULL)
514*4724848cSchristos return 1;
515*4724848cSchristos
516*4724848cSchristos /* Pull off the length of the cipher suite list and check it is even */
517*4724848cSchristos if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
518*4724848cSchristos || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
519*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
520*4724848cSchristos SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
521*4724848cSchristos return 0;
522*4724848cSchristos }
523*4724848cSchristos
524*4724848cSchristos srvr = SSL_get_srtp_profiles(s);
525*4724848cSchristos s->srtp_profile = NULL;
526*4724848cSchristos /* Search all profiles for a match initially */
527*4724848cSchristos srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
528*4724848cSchristos
529*4724848cSchristos while (PACKET_remaining(&subpkt)) {
530*4724848cSchristos if (!PACKET_get_net_2(&subpkt, &id)) {
531*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
532*4724848cSchristos SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
533*4724848cSchristos return 0;
534*4724848cSchristos }
535*4724848cSchristos
536*4724848cSchristos /*
537*4724848cSchristos * Only look for match in profiles of higher preference than
538*4724848cSchristos * current match.
539*4724848cSchristos * If no profiles have been have been configured then this
540*4724848cSchristos * does nothing.
541*4724848cSchristos */
542*4724848cSchristos for (i = 0; i < srtp_pref; i++) {
543*4724848cSchristos SRTP_PROTECTION_PROFILE *sprof =
544*4724848cSchristos sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
545*4724848cSchristos
546*4724848cSchristos if (sprof->id == id) {
547*4724848cSchristos s->srtp_profile = sprof;
548*4724848cSchristos srtp_pref = i;
549*4724848cSchristos break;
550*4724848cSchristos }
551*4724848cSchristos }
552*4724848cSchristos }
553*4724848cSchristos
554*4724848cSchristos /* Now extract the MKI value as a sanity check, but discard it for now */
555*4724848cSchristos if (!PACKET_get_1(pkt, &mki_len)) {
556*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
557*4724848cSchristos SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
558*4724848cSchristos return 0;
559*4724848cSchristos }
560*4724848cSchristos
561*4724848cSchristos if (!PACKET_forward(pkt, mki_len)
562*4724848cSchristos || PACKET_remaining(pkt)) {
563*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
564*4724848cSchristos SSL_R_BAD_SRTP_MKI_VALUE);
565*4724848cSchristos return 0;
566*4724848cSchristos }
567*4724848cSchristos
568*4724848cSchristos return 1;
569*4724848cSchristos }
570*4724848cSchristos #endif
571*4724848cSchristos
tls_parse_ctos_etm(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)572*4724848cSchristos int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
573*4724848cSchristos size_t chainidx)
574*4724848cSchristos {
575*4724848cSchristos if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
576*4724848cSchristos s->ext.use_etm = 1;
577*4724848cSchristos
578*4724848cSchristos return 1;
579*4724848cSchristos }
580*4724848cSchristos
581*4724848cSchristos /*
582*4724848cSchristos * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
583*4724848cSchristos * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
584*4724848cSchristos */
tls_parse_ctos_psk_kex_modes(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)585*4724848cSchristos int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
586*4724848cSchristos X509 *x, size_t chainidx)
587*4724848cSchristos {
588*4724848cSchristos #ifndef OPENSSL_NO_TLS1_3
589*4724848cSchristos PACKET psk_kex_modes;
590*4724848cSchristos unsigned int mode;
591*4724848cSchristos
592*4724848cSchristos if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
593*4724848cSchristos || PACKET_remaining(&psk_kex_modes) == 0) {
594*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
595*4724848cSchristos SSL_R_BAD_EXTENSION);
596*4724848cSchristos return 0;
597*4724848cSchristos }
598*4724848cSchristos
599*4724848cSchristos while (PACKET_get_1(&psk_kex_modes, &mode)) {
600*4724848cSchristos if (mode == TLSEXT_KEX_MODE_KE_DHE)
601*4724848cSchristos s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
602*4724848cSchristos else if (mode == TLSEXT_KEX_MODE_KE
603*4724848cSchristos && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
604*4724848cSchristos s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
605*4724848cSchristos }
606*4724848cSchristos #endif
607*4724848cSchristos
608*4724848cSchristos return 1;
609*4724848cSchristos }
610*4724848cSchristos
611*4724848cSchristos /*
612*4724848cSchristos * Process a key_share extension received in the ClientHello. |pkt| contains
613*4724848cSchristos * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
614*4724848cSchristos */
tls_parse_ctos_key_share(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)615*4724848cSchristos int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
616*4724848cSchristos size_t chainidx)
617*4724848cSchristos {
618*4724848cSchristos #ifndef OPENSSL_NO_TLS1_3
619*4724848cSchristos unsigned int group_id;
620*4724848cSchristos PACKET key_share_list, encoded_pt;
621*4724848cSchristos const uint16_t *clntgroups, *srvrgroups;
622*4724848cSchristos size_t clnt_num_groups, srvr_num_groups;
623*4724848cSchristos int found = 0;
624*4724848cSchristos
625*4724848cSchristos if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
626*4724848cSchristos return 1;
627*4724848cSchristos
628*4724848cSchristos /* Sanity check */
629*4724848cSchristos if (s->s3->peer_tmp != NULL) {
630*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
631*4724848cSchristos ERR_R_INTERNAL_ERROR);
632*4724848cSchristos return 0;
633*4724848cSchristos }
634*4724848cSchristos
635*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
636*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637*4724848cSchristos SSL_R_LENGTH_MISMATCH);
638*4724848cSchristos return 0;
639*4724848cSchristos }
640*4724848cSchristos
641*4724848cSchristos /* Get our list of supported groups */
642*4724848cSchristos tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
643*4724848cSchristos /* Get the clients list of supported groups. */
644*4724848cSchristos tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
645*4724848cSchristos if (clnt_num_groups == 0) {
646*4724848cSchristos /*
647*4724848cSchristos * This can only happen if the supported_groups extension was not sent,
648*4724848cSchristos * because we verify that the length is non-zero when we process that
649*4724848cSchristos * extension.
650*4724848cSchristos */
651*4724848cSchristos SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
652*4724848cSchristos SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
653*4724848cSchristos return 0;
654*4724848cSchristos }
655*4724848cSchristos
656*4724848cSchristos if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
657*4724848cSchristos /*
658*4724848cSchristos * If we set a group_id already, then we must have sent an HRR
659*4724848cSchristos * requesting a new key_share. If we haven't got one then that is an
660*4724848cSchristos * error
661*4724848cSchristos */
662*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
663*4724848cSchristos SSL_R_BAD_KEY_SHARE);
664*4724848cSchristos return 0;
665*4724848cSchristos }
666*4724848cSchristos
667*4724848cSchristos while (PACKET_remaining(&key_share_list) > 0) {
668*4724848cSchristos if (!PACKET_get_net_2(&key_share_list, &group_id)
669*4724848cSchristos || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
670*4724848cSchristos || PACKET_remaining(&encoded_pt) == 0) {
671*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
672*4724848cSchristos SSL_R_LENGTH_MISMATCH);
673*4724848cSchristos return 0;
674*4724848cSchristos }
675*4724848cSchristos
676*4724848cSchristos /*
677*4724848cSchristos * If we already found a suitable key_share we loop through the
678*4724848cSchristos * rest to verify the structure, but don't process them.
679*4724848cSchristos */
680*4724848cSchristos if (found)
681*4724848cSchristos continue;
682*4724848cSchristos
683*4724848cSchristos /*
684*4724848cSchristos * If we sent an HRR then the key_share sent back MUST be for the group
685*4724848cSchristos * we requested, and must be the only key_share sent.
686*4724848cSchristos */
687*4724848cSchristos if (s->s3->group_id != 0
688*4724848cSchristos && (group_id != s->s3->group_id
689*4724848cSchristos || PACKET_remaining(&key_share_list) != 0)) {
690*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
691*4724848cSchristos SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
692*4724848cSchristos return 0;
693*4724848cSchristos }
694*4724848cSchristos
695*4724848cSchristos /* Check if this share is in supported_groups sent from client */
696*4724848cSchristos if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
697*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
698*4724848cSchristos SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
699*4724848cSchristos return 0;
700*4724848cSchristos }
701*4724848cSchristos
702*4724848cSchristos /* Check if this share is for a group we can use */
703*4724848cSchristos if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
704*4724848cSchristos /* Share not suitable */
705*4724848cSchristos continue;
706*4724848cSchristos }
707*4724848cSchristos
708*4724848cSchristos if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
709*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
710*4724848cSchristos SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
711*4724848cSchristos return 0;
712*4724848cSchristos }
713*4724848cSchristos
714*4724848cSchristos s->s3->group_id = group_id;
715*4724848cSchristos
716*4724848cSchristos if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
717*4724848cSchristos PACKET_data(&encoded_pt),
718*4724848cSchristos PACKET_remaining(&encoded_pt))) {
719*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
720*4724848cSchristos SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
721*4724848cSchristos return 0;
722*4724848cSchristos }
723*4724848cSchristos
724*4724848cSchristos found = 1;
725*4724848cSchristos }
726*4724848cSchristos #endif
727*4724848cSchristos
728*4724848cSchristos return 1;
729*4724848cSchristos }
730*4724848cSchristos
tls_parse_ctos_cookie(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)731*4724848cSchristos int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
732*4724848cSchristos size_t chainidx)
733*4724848cSchristos {
734*4724848cSchristos #ifndef OPENSSL_NO_TLS1_3
735*4724848cSchristos unsigned int format, version, key_share, group_id;
736*4724848cSchristos EVP_MD_CTX *hctx;
737*4724848cSchristos EVP_PKEY *pkey;
738*4724848cSchristos PACKET cookie, raw, chhash, appcookie;
739*4724848cSchristos WPACKET hrrpkt;
740*4724848cSchristos const unsigned char *data, *mdin, *ciphdata;
741*4724848cSchristos unsigned char hmac[SHA256_DIGEST_LENGTH];
742*4724848cSchristos unsigned char hrr[MAX_HRR_SIZE];
743*4724848cSchristos size_t rawlen, hmaclen, hrrlen, ciphlen;
744*4724848cSchristos uint64_t tm, now;
745*4724848cSchristos
746*4724848cSchristos /* Ignore any cookie if we're not set up to verify it */
747*4724848cSchristos if (s->ctx->verify_stateless_cookie_cb == NULL
748*4724848cSchristos || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
749*4724848cSchristos return 1;
750*4724848cSchristos
751*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
752*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
753*4724848cSchristos SSL_R_LENGTH_MISMATCH);
754*4724848cSchristos return 0;
755*4724848cSchristos }
756*4724848cSchristos
757*4724848cSchristos raw = cookie;
758*4724848cSchristos data = PACKET_data(&raw);
759*4724848cSchristos rawlen = PACKET_remaining(&raw);
760*4724848cSchristos if (rawlen < SHA256_DIGEST_LENGTH
761*4724848cSchristos || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
762*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
763*4724848cSchristos SSL_R_LENGTH_MISMATCH);
764*4724848cSchristos return 0;
765*4724848cSchristos }
766*4724848cSchristos mdin = PACKET_data(&raw);
767*4724848cSchristos
768*4724848cSchristos /* Verify the HMAC of the cookie */
769*4724848cSchristos hctx = EVP_MD_CTX_create();
770*4724848cSchristos pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
771*4724848cSchristos s->session_ctx->ext.cookie_hmac_key,
772*4724848cSchristos sizeof(s->session_ctx->ext
773*4724848cSchristos .cookie_hmac_key));
774*4724848cSchristos if (hctx == NULL || pkey == NULL) {
775*4724848cSchristos EVP_MD_CTX_free(hctx);
776*4724848cSchristos EVP_PKEY_free(pkey);
777*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
778*4724848cSchristos ERR_R_MALLOC_FAILURE);
779*4724848cSchristos return 0;
780*4724848cSchristos }
781*4724848cSchristos
782*4724848cSchristos hmaclen = SHA256_DIGEST_LENGTH;
783*4724848cSchristos if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
784*4724848cSchristos || EVP_DigestSign(hctx, hmac, &hmaclen, data,
785*4724848cSchristos rawlen - SHA256_DIGEST_LENGTH) <= 0
786*4724848cSchristos || hmaclen != SHA256_DIGEST_LENGTH) {
787*4724848cSchristos EVP_MD_CTX_free(hctx);
788*4724848cSchristos EVP_PKEY_free(pkey);
789*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
790*4724848cSchristos ERR_R_INTERNAL_ERROR);
791*4724848cSchristos return 0;
792*4724848cSchristos }
793*4724848cSchristos
794*4724848cSchristos EVP_MD_CTX_free(hctx);
795*4724848cSchristos EVP_PKEY_free(pkey);
796*4724848cSchristos
797*4724848cSchristos if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
798*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
799*4724848cSchristos SSL_R_COOKIE_MISMATCH);
800*4724848cSchristos return 0;
801*4724848cSchristos }
802*4724848cSchristos
803*4724848cSchristos if (!PACKET_get_net_2(&cookie, &format)) {
804*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
805*4724848cSchristos SSL_R_LENGTH_MISMATCH);
806*4724848cSchristos return 0;
807*4724848cSchristos }
808*4724848cSchristos /* Check the cookie format is something we recognise. Ignore it if not */
809*4724848cSchristos if (format != COOKIE_STATE_FORMAT_VERSION)
810*4724848cSchristos return 1;
811*4724848cSchristos
812*4724848cSchristos /*
813*4724848cSchristos * The rest of these checks really shouldn't fail since we have verified the
814*4724848cSchristos * HMAC above.
815*4724848cSchristos */
816*4724848cSchristos
817*4724848cSchristos /* Check the version number is sane */
818*4724848cSchristos if (!PACKET_get_net_2(&cookie, &version)) {
819*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
820*4724848cSchristos SSL_R_LENGTH_MISMATCH);
821*4724848cSchristos return 0;
822*4724848cSchristos }
823*4724848cSchristos if (version != TLS1_3_VERSION) {
824*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
825*4724848cSchristos SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
826*4724848cSchristos return 0;
827*4724848cSchristos }
828*4724848cSchristos
829*4724848cSchristos if (!PACKET_get_net_2(&cookie, &group_id)) {
830*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
831*4724848cSchristos SSL_R_LENGTH_MISMATCH);
832*4724848cSchristos return 0;
833*4724848cSchristos }
834*4724848cSchristos
835*4724848cSchristos ciphdata = PACKET_data(&cookie);
836*4724848cSchristos if (!PACKET_forward(&cookie, 2)) {
837*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
838*4724848cSchristos SSL_R_LENGTH_MISMATCH);
839*4724848cSchristos return 0;
840*4724848cSchristos }
841*4724848cSchristos if (group_id != s->s3->group_id
842*4724848cSchristos || s->s3->tmp.new_cipher
843*4724848cSchristos != ssl_get_cipher_by_char(s, ciphdata, 0)) {
844*4724848cSchristos /*
845*4724848cSchristos * We chose a different cipher or group id this time around to what is
846*4724848cSchristos * in the cookie. Something must have changed.
847*4724848cSchristos */
848*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
849*4724848cSchristos SSL_R_BAD_CIPHER);
850*4724848cSchristos return 0;
851*4724848cSchristos }
852*4724848cSchristos
853*4724848cSchristos if (!PACKET_get_1(&cookie, &key_share)
854*4724848cSchristos || !PACKET_get_net_8(&cookie, &tm)
855*4724848cSchristos || !PACKET_get_length_prefixed_2(&cookie, &chhash)
856*4724848cSchristos || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
857*4724848cSchristos || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
858*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
859*4724848cSchristos SSL_R_LENGTH_MISMATCH);
860*4724848cSchristos return 0;
861*4724848cSchristos }
862*4724848cSchristos
863*4724848cSchristos /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
864*4724848cSchristos now = time(NULL);
865*4724848cSchristos if (tm > now || (now - tm) > 600) {
866*4724848cSchristos /* Cookie is stale. Ignore it */
867*4724848cSchristos return 1;
868*4724848cSchristos }
869*4724848cSchristos
870*4724848cSchristos /* Verify the app cookie */
871*4724848cSchristos if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
872*4724848cSchristos PACKET_remaining(&appcookie)) == 0) {
873*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
874*4724848cSchristos SSL_R_COOKIE_MISMATCH);
875*4724848cSchristos return 0;
876*4724848cSchristos }
877*4724848cSchristos
878*4724848cSchristos /*
879*4724848cSchristos * Reconstruct the HRR that we would have sent in response to the original
880*4724848cSchristos * ClientHello so we can add it to the transcript hash.
881*4724848cSchristos * Note: This won't work with custom HRR extensions
882*4724848cSchristos */
883*4724848cSchristos if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
884*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
885*4724848cSchristos ERR_R_INTERNAL_ERROR);
886*4724848cSchristos return 0;
887*4724848cSchristos }
888*4724848cSchristos if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
889*4724848cSchristos || !WPACKET_start_sub_packet_u24(&hrrpkt)
890*4724848cSchristos || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
891*4724848cSchristos || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
892*4724848cSchristos || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
893*4724848cSchristos s->tmp_session_id_len)
894*4724848cSchristos || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
895*4724848cSchristos &ciphlen)
896*4724848cSchristos || !WPACKET_put_bytes_u8(&hrrpkt, 0)
897*4724848cSchristos || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
898*4724848cSchristos WPACKET_cleanup(&hrrpkt);
899*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
900*4724848cSchristos ERR_R_INTERNAL_ERROR);
901*4724848cSchristos return 0;
902*4724848cSchristos }
903*4724848cSchristos if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
904*4724848cSchristos || !WPACKET_start_sub_packet_u16(&hrrpkt)
905*4724848cSchristos || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
906*4724848cSchristos || !WPACKET_close(&hrrpkt)) {
907*4724848cSchristos WPACKET_cleanup(&hrrpkt);
908*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
909*4724848cSchristos ERR_R_INTERNAL_ERROR);
910*4724848cSchristos return 0;
911*4724848cSchristos }
912*4724848cSchristos if (key_share) {
913*4724848cSchristos if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
914*4724848cSchristos || !WPACKET_start_sub_packet_u16(&hrrpkt)
915*4724848cSchristos || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
916*4724848cSchristos || !WPACKET_close(&hrrpkt)) {
917*4724848cSchristos WPACKET_cleanup(&hrrpkt);
918*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
919*4724848cSchristos ERR_R_INTERNAL_ERROR);
920*4724848cSchristos return 0;
921*4724848cSchristos }
922*4724848cSchristos }
923*4724848cSchristos if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
924*4724848cSchristos || !WPACKET_start_sub_packet_u16(&hrrpkt)
925*4724848cSchristos || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
926*4724848cSchristos || !WPACKET_close(&hrrpkt) /* cookie extension */
927*4724848cSchristos || !WPACKET_close(&hrrpkt) /* extension block */
928*4724848cSchristos || !WPACKET_close(&hrrpkt) /* message */
929*4724848cSchristos || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
930*4724848cSchristos || !WPACKET_finish(&hrrpkt)) {
931*4724848cSchristos WPACKET_cleanup(&hrrpkt);
932*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
933*4724848cSchristos ERR_R_INTERNAL_ERROR);
934*4724848cSchristos return 0;
935*4724848cSchristos }
936*4724848cSchristos
937*4724848cSchristos /* Reconstruct the transcript hash */
938*4724848cSchristos if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
939*4724848cSchristos PACKET_remaining(&chhash), hrr,
940*4724848cSchristos hrrlen)) {
941*4724848cSchristos /* SSLfatal() already called */
942*4724848cSchristos return 0;
943*4724848cSchristos }
944*4724848cSchristos
945*4724848cSchristos /* Act as if this ClientHello came after a HelloRetryRequest */
946*4724848cSchristos s->hello_retry_request = 1;
947*4724848cSchristos
948*4724848cSchristos s->ext.cookieok = 1;
949*4724848cSchristos #endif
950*4724848cSchristos
951*4724848cSchristos return 1;
952*4724848cSchristos }
953*4724848cSchristos
954*4724848cSchristos #ifndef OPENSSL_NO_EC
tls_parse_ctos_supported_groups(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)955*4724848cSchristos int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
956*4724848cSchristos X509 *x, size_t chainidx)
957*4724848cSchristos {
958*4724848cSchristos PACKET supported_groups_list;
959*4724848cSchristos
960*4724848cSchristos /* Each group is 2 bytes and we must have at least 1. */
961*4724848cSchristos if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
962*4724848cSchristos || PACKET_remaining(&supported_groups_list) == 0
963*4724848cSchristos || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
964*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
965*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
966*4724848cSchristos return 0;
967*4724848cSchristos }
968*4724848cSchristos
969*4724848cSchristos if (!s->hit || SSL_IS_TLS13(s)) {
970*4724848cSchristos OPENSSL_free(s->ext.peer_supportedgroups);
971*4724848cSchristos s->ext.peer_supportedgroups = NULL;
972*4724848cSchristos s->ext.peer_supportedgroups_len = 0;
973*4724848cSchristos if (!tls1_save_u16(&supported_groups_list,
974*4724848cSchristos &s->ext.peer_supportedgroups,
975*4724848cSchristos &s->ext.peer_supportedgroups_len)) {
976*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
977*4724848cSchristos SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
978*4724848cSchristos ERR_R_INTERNAL_ERROR);
979*4724848cSchristos return 0;
980*4724848cSchristos }
981*4724848cSchristos }
982*4724848cSchristos
983*4724848cSchristos return 1;
984*4724848cSchristos }
985*4724848cSchristos #endif
986*4724848cSchristos
tls_parse_ctos_ems(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)987*4724848cSchristos int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
988*4724848cSchristos size_t chainidx)
989*4724848cSchristos {
990*4724848cSchristos /* The extension must always be empty */
991*4724848cSchristos if (PACKET_remaining(pkt) != 0) {
992*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
993*4724848cSchristos SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
994*4724848cSchristos return 0;
995*4724848cSchristos }
996*4724848cSchristos
997*4724848cSchristos s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
998*4724848cSchristos
999*4724848cSchristos return 1;
1000*4724848cSchristos }
1001*4724848cSchristos
1002*4724848cSchristos
tls_parse_ctos_early_data(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1003*4724848cSchristos int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
1004*4724848cSchristos X509 *x, size_t chainidx)
1005*4724848cSchristos {
1006*4724848cSchristos if (PACKET_remaining(pkt) != 0) {
1007*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
1008*4724848cSchristos SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1009*4724848cSchristos return 0;
1010*4724848cSchristos }
1011*4724848cSchristos
1012*4724848cSchristos if (s->hello_retry_request != SSL_HRR_NONE) {
1013*4724848cSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1014*4724848cSchristos SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1015*4724848cSchristos return 0;
1016*4724848cSchristos }
1017*4724848cSchristos
1018*4724848cSchristos return 1;
1019*4724848cSchristos }
1020*4724848cSchristos
tls_get_stateful_ticket(SSL * s,PACKET * tick,SSL_SESSION ** sess)1021*4724848cSchristos static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1022*4724848cSchristos SSL_SESSION **sess)
1023*4724848cSchristos {
1024*4724848cSchristos SSL_SESSION *tmpsess = NULL;
1025*4724848cSchristos
1026*4724848cSchristos s->ext.ticket_expected = 1;
1027*4724848cSchristos
1028*4724848cSchristos switch (PACKET_remaining(tick)) {
1029*4724848cSchristos case 0:
1030*4724848cSchristos return SSL_TICKET_EMPTY;
1031*4724848cSchristos
1032*4724848cSchristos case SSL_MAX_SSL_SESSION_ID_LENGTH:
1033*4724848cSchristos break;
1034*4724848cSchristos
1035*4724848cSchristos default:
1036*4724848cSchristos return SSL_TICKET_NO_DECRYPT;
1037*4724848cSchristos }
1038*4724848cSchristos
1039*4724848cSchristos tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1040*4724848cSchristos SSL_MAX_SSL_SESSION_ID_LENGTH);
1041*4724848cSchristos
1042*4724848cSchristos if (tmpsess == NULL)
1043*4724848cSchristos return SSL_TICKET_NO_DECRYPT;
1044*4724848cSchristos
1045*4724848cSchristos *sess = tmpsess;
1046*4724848cSchristos return SSL_TICKET_SUCCESS;
1047*4724848cSchristos }
1048*4724848cSchristos
tls_parse_ctos_psk(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1049*4724848cSchristos int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1050*4724848cSchristos size_t chainidx)
1051*4724848cSchristos {
1052*4724848cSchristos PACKET identities, binders, binder;
1053*4724848cSchristos size_t binderoffset, hashsize;
1054*4724848cSchristos SSL_SESSION *sess = NULL;
1055*4724848cSchristos unsigned int id, i, ext = 0;
1056*4724848cSchristos const EVP_MD *md = NULL;
1057*4724848cSchristos
1058*4724848cSchristos /*
1059*4724848cSchristos * If we have no PSK kex mode that we recognise then we can't resume so
1060*4724848cSchristos * ignore this extension
1061*4724848cSchristos */
1062*4724848cSchristos if ((s->ext.psk_kex_mode
1063*4724848cSchristos & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1064*4724848cSchristos return 1;
1065*4724848cSchristos
1066*4724848cSchristos if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1067*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
1068*4724848cSchristos SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1069*4724848cSchristos return 0;
1070*4724848cSchristos }
1071*4724848cSchristos
1072*4724848cSchristos s->ext.ticket_expected = 0;
1073*4724848cSchristos for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1074*4724848cSchristos PACKET identity;
1075*4724848cSchristos unsigned long ticket_agel;
1076*4724848cSchristos size_t idlen;
1077*4724848cSchristos
1078*4724848cSchristos if (!PACKET_get_length_prefixed_2(&identities, &identity)
1079*4724848cSchristos || !PACKET_get_net_4(&identities, &ticket_agel)) {
1080*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
1081*4724848cSchristos SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1082*4724848cSchristos return 0;
1083*4724848cSchristos }
1084*4724848cSchristos
1085*4724848cSchristos idlen = PACKET_remaining(&identity);
1086*4724848cSchristos if (s->psk_find_session_cb != NULL
1087*4724848cSchristos && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1088*4724848cSchristos &sess)) {
1089*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1090*4724848cSchristos SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1091*4724848cSchristos return 0;
1092*4724848cSchristos }
1093*4724848cSchristos
1094*4724848cSchristos #ifndef OPENSSL_NO_PSK
1095*4724848cSchristos if(sess == NULL
1096*4724848cSchristos && s->psk_server_callback != NULL
1097*4724848cSchristos && idlen <= PSK_MAX_IDENTITY_LEN) {
1098*4724848cSchristos char *pskid = NULL;
1099*4724848cSchristos unsigned char pskdata[PSK_MAX_PSK_LEN];
1100*4724848cSchristos unsigned int pskdatalen;
1101*4724848cSchristos
1102*4724848cSchristos if (!PACKET_strndup(&identity, &pskid)) {
1103*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1104*4724848cSchristos ERR_R_INTERNAL_ERROR);
1105*4724848cSchristos return 0;
1106*4724848cSchristos }
1107*4724848cSchristos pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1108*4724848cSchristos sizeof(pskdata));
1109*4724848cSchristos OPENSSL_free(pskid);
1110*4724848cSchristos if (pskdatalen > PSK_MAX_PSK_LEN) {
1111*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1112*4724848cSchristos ERR_R_INTERNAL_ERROR);
1113*4724848cSchristos return 0;
1114*4724848cSchristos } else if (pskdatalen > 0) {
1115*4724848cSchristos const SSL_CIPHER *cipher;
1116*4724848cSchristos const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1117*4724848cSchristos
1118*4724848cSchristos /*
1119*4724848cSchristos * We found a PSK using an old style callback. We don't know
1120*4724848cSchristos * the digest so we default to SHA256 as per the TLSv1.3 spec
1121*4724848cSchristos */
1122*4724848cSchristos cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1123*4724848cSchristos if (cipher == NULL) {
1124*4724848cSchristos OPENSSL_cleanse(pskdata, pskdatalen);
1125*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1126*4724848cSchristos ERR_R_INTERNAL_ERROR);
1127*4724848cSchristos return 0;
1128*4724848cSchristos }
1129*4724848cSchristos
1130*4724848cSchristos sess = SSL_SESSION_new();
1131*4724848cSchristos if (sess == NULL
1132*4724848cSchristos || !SSL_SESSION_set1_master_key(sess, pskdata,
1133*4724848cSchristos pskdatalen)
1134*4724848cSchristos || !SSL_SESSION_set_cipher(sess, cipher)
1135*4724848cSchristos || !SSL_SESSION_set_protocol_version(sess,
1136*4724848cSchristos TLS1_3_VERSION)) {
1137*4724848cSchristos OPENSSL_cleanse(pskdata, pskdatalen);
1138*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1139*4724848cSchristos ERR_R_INTERNAL_ERROR);
1140*4724848cSchristos goto err;
1141*4724848cSchristos }
1142*4724848cSchristos OPENSSL_cleanse(pskdata, pskdatalen);
1143*4724848cSchristos }
1144*4724848cSchristos }
1145*4724848cSchristos #endif /* OPENSSL_NO_PSK */
1146*4724848cSchristos
1147*4724848cSchristos if (sess != NULL) {
1148*4724848cSchristos /* We found a PSK */
1149*4724848cSchristos SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1150*4724848cSchristos
1151*4724848cSchristos if (sesstmp == NULL) {
1152*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1153*4724848cSchristos SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1154*4724848cSchristos goto err;
1155*4724848cSchristos }
1156*4724848cSchristos SSL_SESSION_free(sess);
1157*4724848cSchristos sess = sesstmp;
1158*4724848cSchristos
1159*4724848cSchristos /*
1160*4724848cSchristos * We've just been told to use this session for this context so
1161*4724848cSchristos * make sure the sid_ctx matches up.
1162*4724848cSchristos */
1163*4724848cSchristos memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1164*4724848cSchristos sess->sid_ctx_length = s->sid_ctx_length;
1165*4724848cSchristos ext = 1;
1166*4724848cSchristos if (id == 0)
1167*4724848cSchristos s->ext.early_data_ok = 1;
1168*4724848cSchristos s->ext.ticket_expected = 1;
1169*4724848cSchristos } else {
1170*4724848cSchristos uint32_t ticket_age = 0, agesec, agems;
1171*4724848cSchristos int ret;
1172*4724848cSchristos
1173*4724848cSchristos /*
1174*4724848cSchristos * If we are using anti-replay protection then we behave as if
1175*4724848cSchristos * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1176*4724848cSchristos * is no point in using full stateless tickets.
1177*4724848cSchristos */
1178*4724848cSchristos if ((s->options & SSL_OP_NO_TICKET) != 0
1179*4724848cSchristos || (s->max_early_data > 0
1180*4724848cSchristos && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1181*4724848cSchristos ret = tls_get_stateful_ticket(s, &identity, &sess);
1182*4724848cSchristos else
1183*4724848cSchristos ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1184*4724848cSchristos PACKET_remaining(&identity), NULL, 0,
1185*4724848cSchristos &sess);
1186*4724848cSchristos
1187*4724848cSchristos if (ret == SSL_TICKET_EMPTY) {
1188*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1189*4724848cSchristos SSL_R_BAD_EXTENSION);
1190*4724848cSchristos return 0;
1191*4724848cSchristos }
1192*4724848cSchristos
1193*4724848cSchristos if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1194*4724848cSchristos || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1195*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1196*4724848cSchristos SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1197*4724848cSchristos return 0;
1198*4724848cSchristos }
1199*4724848cSchristos if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1200*4724848cSchristos continue;
1201*4724848cSchristos
1202*4724848cSchristos /* Check for replay */
1203*4724848cSchristos if (s->max_early_data > 0
1204*4724848cSchristos && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1205*4724848cSchristos && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1206*4724848cSchristos SSL_SESSION_free(sess);
1207*4724848cSchristos sess = NULL;
1208*4724848cSchristos continue;
1209*4724848cSchristos }
1210*4724848cSchristos
1211*4724848cSchristos ticket_age = (uint32_t)ticket_agel;
1212*4724848cSchristos agesec = (uint32_t)(time(NULL) - sess->time);
1213*4724848cSchristos agems = agesec * (uint32_t)1000;
1214*4724848cSchristos ticket_age -= sess->ext.tick_age_add;
1215*4724848cSchristos
1216*4724848cSchristos /*
1217*4724848cSchristos * For simplicity we do our age calculations in seconds. If the
1218*4724848cSchristos * client does it in ms then it could appear that their ticket age
1219*4724848cSchristos * is longer than ours (our ticket age calculation should always be
1220*4724848cSchristos * slightly longer than the client's due to the network latency).
1221*4724848cSchristos * Therefore we add 1000ms to our age calculation to adjust for
1222*4724848cSchristos * rounding errors.
1223*4724848cSchristos */
1224*4724848cSchristos if (id == 0
1225*4724848cSchristos && sess->timeout >= (long)agesec
1226*4724848cSchristos && agems / (uint32_t)1000 == agesec
1227*4724848cSchristos && ticket_age <= agems + 1000
1228*4724848cSchristos && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1229*4724848cSchristos /*
1230*4724848cSchristos * Ticket age is within tolerance and not expired. We allow it
1231*4724848cSchristos * for early data
1232*4724848cSchristos */
1233*4724848cSchristos s->ext.early_data_ok = 1;
1234*4724848cSchristos }
1235*4724848cSchristos }
1236*4724848cSchristos
1237*4724848cSchristos md = ssl_md(sess->cipher->algorithm2);
1238*4724848cSchristos if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1239*4724848cSchristos /* The ciphersuite is not compatible with this session. */
1240*4724848cSchristos SSL_SESSION_free(sess);
1241*4724848cSchristos sess = NULL;
1242*4724848cSchristos s->ext.early_data_ok = 0;
1243*4724848cSchristos s->ext.ticket_expected = 0;
1244*4724848cSchristos continue;
1245*4724848cSchristos }
1246*4724848cSchristos break;
1247*4724848cSchristos }
1248*4724848cSchristos
1249*4724848cSchristos if (sess == NULL)
1250*4724848cSchristos return 1;
1251*4724848cSchristos
1252*4724848cSchristos binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1253*4724848cSchristos hashsize = EVP_MD_size(md);
1254*4724848cSchristos
1255*4724848cSchristos if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1256*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1257*4724848cSchristos SSL_R_BAD_EXTENSION);
1258*4724848cSchristos goto err;
1259*4724848cSchristos }
1260*4724848cSchristos
1261*4724848cSchristos for (i = 0; i <= id; i++) {
1262*4724848cSchristos if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1263*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1264*4724848cSchristos SSL_R_BAD_EXTENSION);
1265*4724848cSchristos goto err;
1266*4724848cSchristos }
1267*4724848cSchristos }
1268*4724848cSchristos
1269*4724848cSchristos if (PACKET_remaining(&binder) != hashsize) {
1270*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1271*4724848cSchristos SSL_R_BAD_EXTENSION);
1272*4724848cSchristos goto err;
1273*4724848cSchristos }
1274*4724848cSchristos if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1275*4724848cSchristos binderoffset, PACKET_data(&binder), NULL, sess, 0,
1276*4724848cSchristos ext) != 1) {
1277*4724848cSchristos /* SSLfatal() already called */
1278*4724848cSchristos goto err;
1279*4724848cSchristos }
1280*4724848cSchristos
1281*4724848cSchristos s->ext.tick_identity = id;
1282*4724848cSchristos
1283*4724848cSchristos SSL_SESSION_free(s->session);
1284*4724848cSchristos s->session = sess;
1285*4724848cSchristos return 1;
1286*4724848cSchristos err:
1287*4724848cSchristos SSL_SESSION_free(sess);
1288*4724848cSchristos return 0;
1289*4724848cSchristos }
1290*4724848cSchristos
tls_parse_ctos_post_handshake_auth(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1291*4724848cSchristos int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1292*4724848cSchristos X509 *x, size_t chainidx)
1293*4724848cSchristos {
1294*4724848cSchristos if (PACKET_remaining(pkt) != 0) {
1295*4724848cSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1296*4724848cSchristos SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1297*4724848cSchristos return 0;
1298*4724848cSchristos }
1299*4724848cSchristos
1300*4724848cSchristos s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1301*4724848cSchristos
1302*4724848cSchristos return 1;
1303*4724848cSchristos }
1304*4724848cSchristos
1305*4724848cSchristos /*
1306*4724848cSchristos * Add the server's renegotiation binding
1307*4724848cSchristos */
tls_construct_stoc_renegotiate(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1308*4724848cSchristos EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1309*4724848cSchristos unsigned int context, X509 *x,
1310*4724848cSchristos size_t chainidx)
1311*4724848cSchristos {
1312*4724848cSchristos if (!s->s3->send_connection_binding)
1313*4724848cSchristos return EXT_RETURN_NOT_SENT;
1314*4724848cSchristos
1315*4724848cSchristos /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1316*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1317*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1318*4724848cSchristos || !WPACKET_start_sub_packet_u8(pkt)
1319*4724848cSchristos || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1320*4724848cSchristos s->s3->previous_client_finished_len)
1321*4724848cSchristos || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1322*4724848cSchristos s->s3->previous_server_finished_len)
1323*4724848cSchristos || !WPACKET_close(pkt)
1324*4724848cSchristos || !WPACKET_close(pkt)) {
1325*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1326*4724848cSchristos ERR_R_INTERNAL_ERROR);
1327*4724848cSchristos return EXT_RETURN_FAIL;
1328*4724848cSchristos }
1329*4724848cSchristos
1330*4724848cSchristos return EXT_RETURN_SENT;
1331*4724848cSchristos }
1332*4724848cSchristos
tls_construct_stoc_server_name(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1333*4724848cSchristos EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1334*4724848cSchristos unsigned int context, X509 *x,
1335*4724848cSchristos size_t chainidx)
1336*4724848cSchristos {
1337*4724848cSchristos if (s->servername_done != 1)
1338*4724848cSchristos return EXT_RETURN_NOT_SENT;
1339*4724848cSchristos
1340*4724848cSchristos /*
1341*4724848cSchristos * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1342*4724848cSchristos * We just use the servername from the initial handshake.
1343*4724848cSchristos */
1344*4724848cSchristos if (s->hit && !SSL_IS_TLS13(s))
1345*4724848cSchristos return EXT_RETURN_NOT_SENT;
1346*4724848cSchristos
1347*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1348*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, 0)) {
1349*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1350*4724848cSchristos ERR_R_INTERNAL_ERROR);
1351*4724848cSchristos return EXT_RETURN_FAIL;
1352*4724848cSchristos }
1353*4724848cSchristos
1354*4724848cSchristos return EXT_RETURN_SENT;
1355*4724848cSchristos }
1356*4724848cSchristos
1357*4724848cSchristos /* Add/include the server's max fragment len extension into ServerHello */
tls_construct_stoc_maxfragmentlen(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1358*4724848cSchristos EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1359*4724848cSchristos unsigned int context, X509 *x,
1360*4724848cSchristos size_t chainidx)
1361*4724848cSchristos {
1362*4724848cSchristos if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1363*4724848cSchristos return EXT_RETURN_NOT_SENT;
1364*4724848cSchristos
1365*4724848cSchristos /*-
1366*4724848cSchristos * 4 bytes for this extension type and extension length
1367*4724848cSchristos * 1 byte for the Max Fragment Length code value.
1368*4724848cSchristos */
1369*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1370*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1371*4724848cSchristos || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1372*4724848cSchristos || !WPACKET_close(pkt)) {
1373*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1374*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1375*4724848cSchristos return EXT_RETURN_FAIL;
1376*4724848cSchristos }
1377*4724848cSchristos
1378*4724848cSchristos return EXT_RETURN_SENT;
1379*4724848cSchristos }
1380*4724848cSchristos
1381*4724848cSchristos #ifndef OPENSSL_NO_EC
tls_construct_stoc_ec_pt_formats(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1382*4724848cSchristos EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1383*4724848cSchristos unsigned int context, X509 *x,
1384*4724848cSchristos size_t chainidx)
1385*4724848cSchristos {
1386*4724848cSchristos unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1387*4724848cSchristos unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1388*4724848cSchristos int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1389*4724848cSchristos && (s->ext.peer_ecpointformats != NULL);
1390*4724848cSchristos const unsigned char *plist;
1391*4724848cSchristos size_t plistlen;
1392*4724848cSchristos
1393*4724848cSchristos if (!using_ecc)
1394*4724848cSchristos return EXT_RETURN_NOT_SENT;
1395*4724848cSchristos
1396*4724848cSchristos tls1_get_formatlist(s, &plist, &plistlen);
1397*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1398*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1399*4724848cSchristos || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1400*4724848cSchristos || !WPACKET_close(pkt)) {
1401*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1402*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1403*4724848cSchristos return EXT_RETURN_FAIL;
1404*4724848cSchristos }
1405*4724848cSchristos
1406*4724848cSchristos return EXT_RETURN_SENT;
1407*4724848cSchristos }
1408*4724848cSchristos #endif
1409*4724848cSchristos
1410*4724848cSchristos #ifndef OPENSSL_NO_EC
tls_construct_stoc_supported_groups(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1411*4724848cSchristos EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1412*4724848cSchristos unsigned int context, X509 *x,
1413*4724848cSchristos size_t chainidx)
1414*4724848cSchristos {
1415*4724848cSchristos const uint16_t *groups;
1416*4724848cSchristos size_t numgroups, i, first = 1;
1417*4724848cSchristos
1418*4724848cSchristos /* s->s3->group_id is non zero if we accepted a key_share */
1419*4724848cSchristos if (s->s3->group_id == 0)
1420*4724848cSchristos return EXT_RETURN_NOT_SENT;
1421*4724848cSchristos
1422*4724848cSchristos /* Get our list of supported groups */
1423*4724848cSchristos tls1_get_supported_groups(s, &groups, &numgroups);
1424*4724848cSchristos if (numgroups == 0) {
1425*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1426*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1427*4724848cSchristos return EXT_RETURN_FAIL;
1428*4724848cSchristos }
1429*4724848cSchristos
1430*4724848cSchristos /* Copy group ID if supported */
1431*4724848cSchristos for (i = 0; i < numgroups; i++) {
1432*4724848cSchristos uint16_t group = groups[i];
1433*4724848cSchristos
1434*4724848cSchristos if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1435*4724848cSchristos if (first) {
1436*4724848cSchristos /*
1437*4724848cSchristos * Check if the client is already using our preferred group. If
1438*4724848cSchristos * so we don't need to add this extension
1439*4724848cSchristos */
1440*4724848cSchristos if (s->s3->group_id == group)
1441*4724848cSchristos return EXT_RETURN_NOT_SENT;
1442*4724848cSchristos
1443*4724848cSchristos /* Add extension header */
1444*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1445*4724848cSchristos /* Sub-packet for supported_groups extension */
1446*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1447*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)) {
1448*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1449*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1450*4724848cSchristos ERR_R_INTERNAL_ERROR);
1451*4724848cSchristos return EXT_RETURN_FAIL;
1452*4724848cSchristos }
1453*4724848cSchristos
1454*4724848cSchristos first = 0;
1455*4724848cSchristos }
1456*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, group)) {
1457*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1458*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1459*4724848cSchristos ERR_R_INTERNAL_ERROR);
1460*4724848cSchristos return EXT_RETURN_FAIL;
1461*4724848cSchristos }
1462*4724848cSchristos }
1463*4724848cSchristos }
1464*4724848cSchristos
1465*4724848cSchristos if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1466*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1467*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1468*4724848cSchristos ERR_R_INTERNAL_ERROR);
1469*4724848cSchristos return EXT_RETURN_FAIL;
1470*4724848cSchristos }
1471*4724848cSchristos
1472*4724848cSchristos return EXT_RETURN_SENT;
1473*4724848cSchristos }
1474*4724848cSchristos #endif
1475*4724848cSchristos
tls_construct_stoc_session_ticket(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1476*4724848cSchristos EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1477*4724848cSchristos unsigned int context, X509 *x,
1478*4724848cSchristos size_t chainidx)
1479*4724848cSchristos {
1480*4724848cSchristos if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1481*4724848cSchristos s->ext.ticket_expected = 0;
1482*4724848cSchristos return EXT_RETURN_NOT_SENT;
1483*4724848cSchristos }
1484*4724848cSchristos
1485*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1486*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, 0)) {
1487*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1488*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1489*4724848cSchristos return EXT_RETURN_FAIL;
1490*4724848cSchristos }
1491*4724848cSchristos
1492*4724848cSchristos return EXT_RETURN_SENT;
1493*4724848cSchristos }
1494*4724848cSchristos
1495*4724848cSchristos #ifndef OPENSSL_NO_OCSP
tls_construct_stoc_status_request(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1496*4724848cSchristos EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1497*4724848cSchristos unsigned int context, X509 *x,
1498*4724848cSchristos size_t chainidx)
1499*4724848cSchristos {
1500*4724848cSchristos /* We don't currently support this extension inside a CertificateRequest */
1501*4724848cSchristos if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1502*4724848cSchristos return EXT_RETURN_NOT_SENT;
1503*4724848cSchristos
1504*4724848cSchristos if (!s->ext.status_expected)
1505*4724848cSchristos return EXT_RETURN_NOT_SENT;
1506*4724848cSchristos
1507*4724848cSchristos if (SSL_IS_TLS13(s) && chainidx != 0)
1508*4724848cSchristos return EXT_RETURN_NOT_SENT;
1509*4724848cSchristos
1510*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1511*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)) {
1512*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1513*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1514*4724848cSchristos return EXT_RETURN_FAIL;
1515*4724848cSchristos }
1516*4724848cSchristos
1517*4724848cSchristos /*
1518*4724848cSchristos * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1519*4724848cSchristos * send back an empty extension, with the certificate status appearing as a
1520*4724848cSchristos * separate message
1521*4724848cSchristos */
1522*4724848cSchristos if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1523*4724848cSchristos /* SSLfatal() already called */
1524*4724848cSchristos return EXT_RETURN_FAIL;
1525*4724848cSchristos }
1526*4724848cSchristos if (!WPACKET_close(pkt)) {
1527*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1528*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1529*4724848cSchristos return EXT_RETURN_FAIL;
1530*4724848cSchristos }
1531*4724848cSchristos
1532*4724848cSchristos return EXT_RETURN_SENT;
1533*4724848cSchristos }
1534*4724848cSchristos #endif
1535*4724848cSchristos
1536*4724848cSchristos #ifndef OPENSSL_NO_NEXTPROTONEG
tls_construct_stoc_next_proto_neg(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1537*4724848cSchristos EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1538*4724848cSchristos unsigned int context, X509 *x,
1539*4724848cSchristos size_t chainidx)
1540*4724848cSchristos {
1541*4724848cSchristos const unsigned char *npa;
1542*4724848cSchristos unsigned int npalen;
1543*4724848cSchristos int ret;
1544*4724848cSchristos int npn_seen = s->s3->npn_seen;
1545*4724848cSchristos
1546*4724848cSchristos s->s3->npn_seen = 0;
1547*4724848cSchristos if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1548*4724848cSchristos return EXT_RETURN_NOT_SENT;
1549*4724848cSchristos
1550*4724848cSchristos ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1551*4724848cSchristos s->ctx->ext.npn_advertised_cb_arg);
1552*4724848cSchristos if (ret == SSL_TLSEXT_ERR_OK) {
1553*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1554*4724848cSchristos || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1555*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1556*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1557*4724848cSchristos ERR_R_INTERNAL_ERROR);
1558*4724848cSchristos return EXT_RETURN_FAIL;
1559*4724848cSchristos }
1560*4724848cSchristos s->s3->npn_seen = 1;
1561*4724848cSchristos }
1562*4724848cSchristos
1563*4724848cSchristos return EXT_RETURN_SENT;
1564*4724848cSchristos }
1565*4724848cSchristos #endif
1566*4724848cSchristos
tls_construct_stoc_alpn(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1567*4724848cSchristos EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1568*4724848cSchristos X509 *x, size_t chainidx)
1569*4724848cSchristos {
1570*4724848cSchristos if (s->s3->alpn_selected == NULL)
1571*4724848cSchristos return EXT_RETURN_NOT_SENT;
1572*4724848cSchristos
1573*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt,
1574*4724848cSchristos TLSEXT_TYPE_application_layer_protocol_negotiation)
1575*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1576*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1577*4724848cSchristos || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1578*4724848cSchristos s->s3->alpn_selected_len)
1579*4724848cSchristos || !WPACKET_close(pkt)
1580*4724848cSchristos || !WPACKET_close(pkt)) {
1581*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1582*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1583*4724848cSchristos return EXT_RETURN_FAIL;
1584*4724848cSchristos }
1585*4724848cSchristos
1586*4724848cSchristos return EXT_RETURN_SENT;
1587*4724848cSchristos }
1588*4724848cSchristos
1589*4724848cSchristos #ifndef OPENSSL_NO_SRTP
tls_construct_stoc_use_srtp(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1590*4724848cSchristos EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1591*4724848cSchristos unsigned int context, X509 *x,
1592*4724848cSchristos size_t chainidx)
1593*4724848cSchristos {
1594*4724848cSchristos if (s->srtp_profile == NULL)
1595*4724848cSchristos return EXT_RETURN_NOT_SENT;
1596*4724848cSchristos
1597*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1598*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1599*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, 2)
1600*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1601*4724848cSchristos || !WPACKET_put_bytes_u8(pkt, 0)
1602*4724848cSchristos || !WPACKET_close(pkt)) {
1603*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1604*4724848cSchristos ERR_R_INTERNAL_ERROR);
1605*4724848cSchristos return EXT_RETURN_FAIL;
1606*4724848cSchristos }
1607*4724848cSchristos
1608*4724848cSchristos return EXT_RETURN_SENT;
1609*4724848cSchristos }
1610*4724848cSchristos #endif
1611*4724848cSchristos
tls_construct_stoc_etm(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1612*4724848cSchristos EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1613*4724848cSchristos X509 *x, size_t chainidx)
1614*4724848cSchristos {
1615*4724848cSchristos if (!s->ext.use_etm)
1616*4724848cSchristos return EXT_RETURN_NOT_SENT;
1617*4724848cSchristos
1618*4724848cSchristos /*
1619*4724848cSchristos * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1620*4724848cSchristos * for other cases too.
1621*4724848cSchristos */
1622*4724848cSchristos if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1623*4724848cSchristos || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1624*4724848cSchristos || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1625*4724848cSchristos || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1626*4724848cSchristos s->ext.use_etm = 0;
1627*4724848cSchristos return EXT_RETURN_NOT_SENT;
1628*4724848cSchristos }
1629*4724848cSchristos
1630*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1631*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, 0)) {
1632*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1633*4724848cSchristos ERR_R_INTERNAL_ERROR);
1634*4724848cSchristos return EXT_RETURN_FAIL;
1635*4724848cSchristos }
1636*4724848cSchristos
1637*4724848cSchristos return EXT_RETURN_SENT;
1638*4724848cSchristos }
1639*4724848cSchristos
tls_construct_stoc_ems(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1640*4724848cSchristos EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1641*4724848cSchristos X509 *x, size_t chainidx)
1642*4724848cSchristos {
1643*4724848cSchristos if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1644*4724848cSchristos return EXT_RETURN_NOT_SENT;
1645*4724848cSchristos
1646*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1647*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, 0)) {
1648*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1649*4724848cSchristos ERR_R_INTERNAL_ERROR);
1650*4724848cSchristos return EXT_RETURN_FAIL;
1651*4724848cSchristos }
1652*4724848cSchristos
1653*4724848cSchristos return EXT_RETURN_SENT;
1654*4724848cSchristos }
1655*4724848cSchristos
tls_construct_stoc_supported_versions(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1656*4724848cSchristos EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1657*4724848cSchristos unsigned int context, X509 *x,
1658*4724848cSchristos size_t chainidx)
1659*4724848cSchristos {
1660*4724848cSchristos if (!ossl_assert(SSL_IS_TLS13(s))) {
1661*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1662*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1663*4724848cSchristos ERR_R_INTERNAL_ERROR);
1664*4724848cSchristos return EXT_RETURN_FAIL;
1665*4724848cSchristos }
1666*4724848cSchristos
1667*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1668*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1669*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, s->version)
1670*4724848cSchristos || !WPACKET_close(pkt)) {
1671*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1672*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1673*4724848cSchristos ERR_R_INTERNAL_ERROR);
1674*4724848cSchristos return EXT_RETURN_FAIL;
1675*4724848cSchristos }
1676*4724848cSchristos
1677*4724848cSchristos return EXT_RETURN_SENT;
1678*4724848cSchristos }
1679*4724848cSchristos
tls_construct_stoc_key_share(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1680*4724848cSchristos EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1681*4724848cSchristos unsigned int context, X509 *x,
1682*4724848cSchristos size_t chainidx)
1683*4724848cSchristos {
1684*4724848cSchristos #ifndef OPENSSL_NO_TLS1_3
1685*4724848cSchristos unsigned char *encodedPoint;
1686*4724848cSchristos size_t encoded_pt_len = 0;
1687*4724848cSchristos EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1688*4724848cSchristos
1689*4724848cSchristos if (s->hello_retry_request == SSL_HRR_PENDING) {
1690*4724848cSchristos if (ckey != NULL) {
1691*4724848cSchristos /* Original key_share was acceptable so don't ask for another one */
1692*4724848cSchristos return EXT_RETURN_NOT_SENT;
1693*4724848cSchristos }
1694*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1695*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1696*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1697*4724848cSchristos || !WPACKET_close(pkt)) {
1698*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1699*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1700*4724848cSchristos ERR_R_INTERNAL_ERROR);
1701*4724848cSchristos return EXT_RETURN_FAIL;
1702*4724848cSchristos }
1703*4724848cSchristos
1704*4724848cSchristos return EXT_RETURN_SENT;
1705*4724848cSchristos }
1706*4724848cSchristos
1707*4724848cSchristos if (ckey == NULL) {
1708*4724848cSchristos /* No key_share received from client - must be resuming */
1709*4724848cSchristos if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1710*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1711*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1712*4724848cSchristos return EXT_RETURN_FAIL;
1713*4724848cSchristos }
1714*4724848cSchristos return EXT_RETURN_NOT_SENT;
1715*4724848cSchristos }
1716*4724848cSchristos if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1717*4724848cSchristos /*
1718*4724848cSchristos * PSK ('hit') and explicitly not doing DHE (if the client sent the
1719*4724848cSchristos * DHE option we always take it); don't send key share.
1720*4724848cSchristos */
1721*4724848cSchristos return EXT_RETURN_NOT_SENT;
1722*4724848cSchristos }
1723*4724848cSchristos
1724*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1725*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1726*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1727*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1728*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1729*4724848cSchristos return EXT_RETURN_FAIL;
1730*4724848cSchristos }
1731*4724848cSchristos
1732*4724848cSchristos skey = ssl_generate_pkey(ckey);
1733*4724848cSchristos if (skey == NULL) {
1734*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1735*4724848cSchristos ERR_R_MALLOC_FAILURE);
1736*4724848cSchristos return EXT_RETURN_FAIL;
1737*4724848cSchristos }
1738*4724848cSchristos
1739*4724848cSchristos /* Generate encoding of server key */
1740*4724848cSchristos encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1741*4724848cSchristos if (encoded_pt_len == 0) {
1742*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1743*4724848cSchristos ERR_R_EC_LIB);
1744*4724848cSchristos EVP_PKEY_free(skey);
1745*4724848cSchristos return EXT_RETURN_FAIL;
1746*4724848cSchristos }
1747*4724848cSchristos
1748*4724848cSchristos if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1749*4724848cSchristos || !WPACKET_close(pkt)) {
1750*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1751*4724848cSchristos ERR_R_INTERNAL_ERROR);
1752*4724848cSchristos EVP_PKEY_free(skey);
1753*4724848cSchristos OPENSSL_free(encodedPoint);
1754*4724848cSchristos return EXT_RETURN_FAIL;
1755*4724848cSchristos }
1756*4724848cSchristos OPENSSL_free(encodedPoint);
1757*4724848cSchristos
1758*4724848cSchristos /* This causes the crypto state to be updated based on the derived keys */
1759*4724848cSchristos s->s3->tmp.pkey = skey;
1760*4724848cSchristos if (ssl_derive(s, skey, ckey, 1) == 0) {
1761*4724848cSchristos /* SSLfatal() already called */
1762*4724848cSchristos return EXT_RETURN_FAIL;
1763*4724848cSchristos }
1764*4724848cSchristos return EXT_RETURN_SENT;
1765*4724848cSchristos #else
1766*4724848cSchristos return EXT_RETURN_FAIL;
1767*4724848cSchristos #endif
1768*4724848cSchristos }
1769*4724848cSchristos
tls_construct_stoc_cookie(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1770*4724848cSchristos EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1771*4724848cSchristos X509 *x, size_t chainidx)
1772*4724848cSchristos {
1773*4724848cSchristos #ifndef OPENSSL_NO_TLS1_3
1774*4724848cSchristos unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1775*4724848cSchristos unsigned char *hmac, *hmac2;
1776*4724848cSchristos size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1777*4724848cSchristos EVP_MD_CTX *hctx;
1778*4724848cSchristos EVP_PKEY *pkey;
1779*4724848cSchristos int ret = EXT_RETURN_FAIL;
1780*4724848cSchristos
1781*4724848cSchristos if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1782*4724848cSchristos return EXT_RETURN_NOT_SENT;
1783*4724848cSchristos
1784*4724848cSchristos if (s->ctx->gen_stateless_cookie_cb == NULL) {
1785*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1786*4724848cSchristos SSL_R_NO_COOKIE_CALLBACK_SET);
1787*4724848cSchristos return EXT_RETURN_FAIL;
1788*4724848cSchristos }
1789*4724848cSchristos
1790*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1791*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1792*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1793*4724848cSchristos || !WPACKET_get_total_written(pkt, &startlen)
1794*4724848cSchristos || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1795*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1796*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1797*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1798*4724848cSchristos || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1799*4724848cSchristos &ciphlen)
1800*4724848cSchristos /* Is there a key_share extension present in this HRR? */
1801*4724848cSchristos || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1802*4724848cSchristos || !WPACKET_put_bytes_u64(pkt, time(NULL))
1803*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1804*4724848cSchristos || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1805*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1806*4724848cSchristos ERR_R_INTERNAL_ERROR);
1807*4724848cSchristos return EXT_RETURN_FAIL;
1808*4724848cSchristos }
1809*4724848cSchristos
1810*4724848cSchristos /*
1811*4724848cSchristos * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1812*4724848cSchristos * on raw buffers, so we first reserve sufficient bytes (above) and then
1813*4724848cSchristos * subsequently allocate them (below)
1814*4724848cSchristos */
1815*4724848cSchristos if (!ssl3_digest_cached_records(s, 0)
1816*4724848cSchristos || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1817*4724848cSchristos /* SSLfatal() already called */
1818*4724848cSchristos return EXT_RETURN_FAIL;
1819*4724848cSchristos }
1820*4724848cSchristos
1821*4724848cSchristos if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1822*4724848cSchristos || !ossl_assert(hashval1 == hashval2)
1823*4724848cSchristos || !WPACKET_close(pkt)
1824*4724848cSchristos || !WPACKET_start_sub_packet_u8(pkt)
1825*4724848cSchristos || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1826*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1827*4724848cSchristos ERR_R_INTERNAL_ERROR);
1828*4724848cSchristos return EXT_RETURN_FAIL;
1829*4724848cSchristos }
1830*4724848cSchristos
1831*4724848cSchristos /* Generate the application cookie */
1832*4724848cSchristos if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1833*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1834*4724848cSchristos SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1835*4724848cSchristos return EXT_RETURN_FAIL;
1836*4724848cSchristos }
1837*4724848cSchristos
1838*4724848cSchristos if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1839*4724848cSchristos || !ossl_assert(appcookie1 == appcookie2)
1840*4724848cSchristos || !WPACKET_close(pkt)
1841*4724848cSchristos || !WPACKET_get_total_written(pkt, &totcookielen)
1842*4724848cSchristos || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1843*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1844*4724848cSchristos ERR_R_INTERNAL_ERROR);
1845*4724848cSchristos return EXT_RETURN_FAIL;
1846*4724848cSchristos }
1847*4724848cSchristos hmaclen = SHA256_DIGEST_LENGTH;
1848*4724848cSchristos
1849*4724848cSchristos totcookielen -= startlen;
1850*4724848cSchristos if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1851*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1852*4724848cSchristos ERR_R_INTERNAL_ERROR);
1853*4724848cSchristos return EXT_RETURN_FAIL;
1854*4724848cSchristos }
1855*4724848cSchristos
1856*4724848cSchristos /* HMAC the cookie */
1857*4724848cSchristos hctx = EVP_MD_CTX_create();
1858*4724848cSchristos pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
1859*4724848cSchristos s->session_ctx->ext.cookie_hmac_key,
1860*4724848cSchristos sizeof(s->session_ctx->ext
1861*4724848cSchristos .cookie_hmac_key));
1862*4724848cSchristos if (hctx == NULL || pkey == NULL) {
1863*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1864*4724848cSchristos ERR_R_MALLOC_FAILURE);
1865*4724848cSchristos goto err;
1866*4724848cSchristos }
1867*4724848cSchristos
1868*4724848cSchristos if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1869*4724848cSchristos || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1870*4724848cSchristos totcookielen) <= 0) {
1871*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1872*4724848cSchristos ERR_R_INTERNAL_ERROR);
1873*4724848cSchristos goto err;
1874*4724848cSchristos }
1875*4724848cSchristos
1876*4724848cSchristos if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1877*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1878*4724848cSchristos ERR_R_INTERNAL_ERROR);
1879*4724848cSchristos goto err;
1880*4724848cSchristos }
1881*4724848cSchristos
1882*4724848cSchristos if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1883*4724848cSchristos || !ossl_assert(hmac == hmac2)
1884*4724848cSchristos || !ossl_assert(cookie == hmac - totcookielen)
1885*4724848cSchristos || !WPACKET_close(pkt)
1886*4724848cSchristos || !WPACKET_close(pkt)) {
1887*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1888*4724848cSchristos ERR_R_INTERNAL_ERROR);
1889*4724848cSchristos goto err;
1890*4724848cSchristos }
1891*4724848cSchristos
1892*4724848cSchristos ret = EXT_RETURN_SENT;
1893*4724848cSchristos
1894*4724848cSchristos err:
1895*4724848cSchristos EVP_MD_CTX_free(hctx);
1896*4724848cSchristos EVP_PKEY_free(pkey);
1897*4724848cSchristos return ret;
1898*4724848cSchristos #else
1899*4724848cSchristos return EXT_RETURN_FAIL;
1900*4724848cSchristos #endif
1901*4724848cSchristos }
1902*4724848cSchristos
tls_construct_stoc_cryptopro_bug(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1903*4724848cSchristos EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1904*4724848cSchristos unsigned int context, X509 *x,
1905*4724848cSchristos size_t chainidx)
1906*4724848cSchristos {
1907*4724848cSchristos const unsigned char cryptopro_ext[36] = {
1908*4724848cSchristos 0xfd, 0xe8, /* 65000 */
1909*4724848cSchristos 0x00, 0x20, /* 32 bytes length */
1910*4724848cSchristos 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1911*4724848cSchristos 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1912*4724848cSchristos 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1913*4724848cSchristos 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1914*4724848cSchristos };
1915*4724848cSchristos
1916*4724848cSchristos if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1917*4724848cSchristos && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1918*4724848cSchristos || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1919*4724848cSchristos return EXT_RETURN_NOT_SENT;
1920*4724848cSchristos
1921*4724848cSchristos if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1922*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1923*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1924*4724848cSchristos return EXT_RETURN_FAIL;
1925*4724848cSchristos }
1926*4724848cSchristos
1927*4724848cSchristos return EXT_RETURN_SENT;
1928*4724848cSchristos }
1929*4724848cSchristos
tls_construct_stoc_early_data(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1930*4724848cSchristos EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1931*4724848cSchristos unsigned int context, X509 *x,
1932*4724848cSchristos size_t chainidx)
1933*4724848cSchristos {
1934*4724848cSchristos if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1935*4724848cSchristos if (s->max_early_data == 0)
1936*4724848cSchristos return EXT_RETURN_NOT_SENT;
1937*4724848cSchristos
1938*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1939*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1940*4724848cSchristos || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1941*4724848cSchristos || !WPACKET_close(pkt)) {
1942*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1943*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1944*4724848cSchristos return EXT_RETURN_FAIL;
1945*4724848cSchristos }
1946*4724848cSchristos
1947*4724848cSchristos return EXT_RETURN_SENT;
1948*4724848cSchristos }
1949*4724848cSchristos
1950*4724848cSchristos if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1951*4724848cSchristos return EXT_RETURN_NOT_SENT;
1952*4724848cSchristos
1953*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1954*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1955*4724848cSchristos || !WPACKET_close(pkt)) {
1956*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1957*4724848cSchristos ERR_R_INTERNAL_ERROR);
1958*4724848cSchristos return EXT_RETURN_FAIL;
1959*4724848cSchristos }
1960*4724848cSchristos
1961*4724848cSchristos return EXT_RETURN_SENT;
1962*4724848cSchristos }
1963*4724848cSchristos
tls_construct_stoc_psk(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1964*4724848cSchristos EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1965*4724848cSchristos X509 *x, size_t chainidx)
1966*4724848cSchristos {
1967*4724848cSchristos if (!s->hit)
1968*4724848cSchristos return EXT_RETURN_NOT_SENT;
1969*4724848cSchristos
1970*4724848cSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1971*4724848cSchristos || !WPACKET_start_sub_packet_u16(pkt)
1972*4724848cSchristos || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1973*4724848cSchristos || !WPACKET_close(pkt)) {
1974*4724848cSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1975*4724848cSchristos SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1976*4724848cSchristos return EXT_RETURN_FAIL;
1977*4724848cSchristos }
1978*4724848cSchristos
1979*4724848cSchristos return EXT_RETURN_SENT;
1980*4724848cSchristos }
1981