VirtualBox

source: vbox/trunk/src/libs/openssl-3.0.2/ssl/statem/extensions_srvr.c@ 94403

最後變更 在這個檔案從94403是 94082,由 vboxsync 提交於 3 年 前

libs/openssl-3.0.1: started applying and adjusting our OpenSSL changes to 3.0.1. bugref:10128
檔案大小: 64.2 KB
 
1/*
2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
11#include "../ssl_local.h"
12#include "statem_local.h"
13#include "internal/cryptlib.h"
14
15#define COOKIE_STATE_FORMAT_VERSION 0
16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23 */
24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
33 */
34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
41int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
43{
44 unsigned int ilen;
45 const unsigned char *data;
46
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
51 return 0;
52 }
53
54 /* Check that the extension matches */
55 if (ilen != s->s3.previous_client_finished_len) {
56 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
57 return 0;
58 }
59
60 if (memcmp(data, s->s3.previous_client_finished,
61 s->s3.previous_client_finished_len)) {
62 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
63 return 0;
64 }
65
66 s->s3.send_connection_binding = 1;
67
68 return 1;
69}
70
71/*-
72 * The servername extension is treated as follows:
73 *
74 * - Only the hostname type is supported with a maximum length of 255.
75 * - The servername is rejected if too long or if it contains zeros,
76 * in which case an fatal alert is generated.
77 * - The servername field is maintained together with the session cache.
78 * - When a session is resumed, the servername call back invoked in order
79 * to allow the application to position itself to the right context.
80 * - The servername is acknowledged if it is new for a session or when
81 * it is identical to a previously used for the same session.
82 * Applications can control the behaviour. They can at any time
83 * set a 'desirable' servername for a new SSL object. This can be the
84 * case for example with HTTPS when a Host: header field is received and
85 * a renegotiation is requested. In this case, a possible servername
86 * presented in the new client hello is only acknowledged if it matches
87 * the value of the Host: field.
88 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89 * if they provide for changing an explicit servername context for the
90 * session, i.e. when the session has been established with a servername
91 * extension.
92 * - On session reconnect, the servername extension may be absent.
93 */
94int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
95 X509 *x, size_t chainidx)
96{
97 unsigned int servname_type;
98 PACKET sni, hostname;
99
100 if (!PACKET_as_length_prefixed_2(pkt, &sni)
101 /* ServerNameList must be at least 1 byte long. */
102 || PACKET_remaining(&sni) == 0) {
103 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
104 return 0;
105 }
106
107 /*
108 * Although the intent was for server_name to be extensible, RFC 4366
109 * was not clear about it; and so OpenSSL among other implementations,
110 * always and only allows a 'host_name' name types.
111 * RFC 6066 corrected the mistake but adding new name types
112 * is nevertheless no longer feasible, so act as if no other
113 * SNI types can exist, to simplify parsing.
114 *
115 * Also note that the RFC permits only one SNI value per type,
116 * i.e., we can only have a single hostname.
117 */
118 if (!PACKET_get_1(&sni, &servname_type)
119 || servname_type != TLSEXT_NAMETYPE_host_name
120 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
122 return 0;
123 }
124
125 /*
126 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127 * we always use the SNI value from the handshake.
128 */
129 if (!s->hit || SSL_IS_TLS13(s)) {
130 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
131 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
132 return 0;
133 }
134
135 if (PACKET_contains_zero_byte(&hostname)) {
136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
137 return 0;
138 }
139
140 /*
141 * Store the requested SNI in the SSL as temporary storage.
142 * If we accept it, it will get stored in the SSL_SESSION as well.
143 */
144 OPENSSL_free(s->ext.hostname);
145 s->ext.hostname = NULL;
146 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
148 return 0;
149 }
150
151 s->servername_done = 1;
152 } else {
153 /*
154 * In TLSv1.2 and below we should check if the SNI is consistent between
155 * the initial handshake and the resumption. In TLSv1.3 SNI is not
156 * associated with the session.
157 */
158 s->servername_done = (s->session->ext.hostname != NULL)
159 && PACKET_equal(&hostname, s->session->ext.hostname,
160 strlen(s->session->ext.hostname));
161 }
162
163 return 1;
164}
165
166int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx)
168{
169 unsigned int value;
170
171 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
172 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
173 return 0;
174 }
175
176 /* Received |value| should be a valid max-fragment-length code. */
177 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
178 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
179 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
180 return 0;
181 }
182
183 /*
184 * RFC 6066: The negotiated length applies for the duration of the session
185 * including session resumptions.
186 * We should receive the same code as in resumed session !
187 */
188 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
189 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
190 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
191 return 0;
192 }
193
194 /*
195 * Store it in session, so it'll become binding for us
196 * and we'll include it in a next Server Hello.
197 */
198 s->session->ext.max_fragment_len_mode = value;
199 return 1;
200}
201
202#ifndef OPENSSL_NO_SRP
203int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
204 size_t chainidx)
205{
206 PACKET srp_I;
207
208 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
209 || PACKET_contains_zero_byte(&srp_I)) {
210 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
211 return 0;
212 }
213
214 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
216 return 0;
217 }
218
219 return 1;
220}
221#endif
222
223int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
224 X509 *x, size_t chainidx)
225{
226 PACKET ec_point_format_list;
227
228 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
229 || PACKET_remaining(&ec_point_format_list) == 0) {
230 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
231 return 0;
232 }
233
234 if (!s->hit) {
235 if (!PACKET_memdup(&ec_point_format_list,
236 &s->ext.peer_ecpointformats,
237 &s->ext.peer_ecpointformats_len)) {
238 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
239 return 0;
240 }
241 }
242
243 return 1;
244}
245
246int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
247 X509 *x, size_t chainidx)
248{
249 if (s->ext.session_ticket_cb &&
250 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
251 PACKET_remaining(pkt),
252 s->ext.session_ticket_cb_arg)) {
253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
254 return 0;
255 }
256
257 return 1;
258}
259
260int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
261 ossl_unused unsigned int context,
262 ossl_unused X509 *x,
263 ossl_unused size_t chainidx)
264{
265 PACKET supported_sig_algs;
266
267 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
268 || PACKET_remaining(&supported_sig_algs) == 0) {
269 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
270 return 0;
271 }
272
273 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
274 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
275 return 0;
276 }
277
278 return 1;
279}
280
281int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
282 size_t chainidx)
283{
284 PACKET supported_sig_algs;
285
286 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
287 || PACKET_remaining(&supported_sig_algs) == 0) {
288 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
289 return 0;
290 }
291
292 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
293 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
294 return 0;
295 }
296
297 return 1;
298}
299
300#ifndef OPENSSL_NO_OCSP
301int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
302 X509 *x, size_t chainidx)
303{
304 PACKET responder_id_list, exts;
305
306 /* We ignore this in a resumption handshake */
307 if (s->hit)
308 return 1;
309
310 /* Not defined if we get one of these in a client Certificate */
311 if (x != NULL)
312 return 1;
313
314 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
315 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
316 return 0;
317 }
318
319 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
320 /*
321 * We don't know what to do with any other type so ignore it.
322 */
323 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
324 return 1;
325 }
326
327 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
328 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
329 return 0;
330 }
331
332 /*
333 * We remove any OCSP_RESPIDs from a previous handshake
334 * to prevent unbounded memory growth - CVE-2016-6304
335 */
336 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
337 if (PACKET_remaining(&responder_id_list) > 0) {
338 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
339 if (s->ext.ocsp.ids == NULL) {
340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
341 return 0;
342 }
343 } else {
344 s->ext.ocsp.ids = NULL;
345 }
346
347 while (PACKET_remaining(&responder_id_list) > 0) {
348 OCSP_RESPID *id;
349 PACKET responder_id;
350 const unsigned char *id_data;
351
352 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
353 || PACKET_remaining(&responder_id) == 0) {
354 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
355 return 0;
356 }
357
358 id_data = PACKET_data(&responder_id);
359 id = d2i_OCSP_RESPID(NULL, &id_data,
360 (int)PACKET_remaining(&responder_id));
361 if (id == NULL) {
362 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
363 return 0;
364 }
365
366 if (id_data != PACKET_end(&responder_id)) {
367 OCSP_RESPID_free(id);
368 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
369
370 return 0;
371 }
372
373 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
374 OCSP_RESPID_free(id);
375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
376
377 return 0;
378 }
379 }
380
381 /* Read in request_extensions */
382 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
384 return 0;
385 }
386
387 if (PACKET_remaining(&exts) > 0) {
388 const unsigned char *ext_data = PACKET_data(&exts);
389
390 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
391 X509_EXTENSION_free);
392 s->ext.ocsp.exts =
393 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
394 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
395 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
396 return 0;
397 }
398 }
399
400 return 1;
401}
402#endif
403
404#ifndef OPENSSL_NO_NEXTPROTONEG
405int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
406 size_t chainidx)
407{
408 /*
409 * We shouldn't accept this extension on a
410 * renegotiation.
411 */
412 if (SSL_IS_FIRST_HANDSHAKE(s))
413 s->s3.npn_seen = 1;
414
415 return 1;
416}
417#endif
418
419/*
420 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
421 * extension, not including type and length. Returns: 1 on success, 0 on error.
422 */
423int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
424 size_t chainidx)
425{
426 PACKET protocol_list, save_protocol_list, protocol;
427
428 if (!SSL_IS_FIRST_HANDSHAKE(s))
429 return 1;
430
431 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
432 || PACKET_remaining(&protocol_list) < 2) {
433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
434 return 0;
435 }
436
437 save_protocol_list = protocol_list;
438 do {
439 /* Protocol names can't be empty. */
440 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
441 || PACKET_remaining(&protocol) == 0) {
442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
443 return 0;
444 }
445 } while (PACKET_remaining(&protocol_list) != 0);
446
447 OPENSSL_free(s->s3.alpn_proposed);
448 s->s3.alpn_proposed = NULL;
449 s->s3.alpn_proposed_len = 0;
450 if (!PACKET_memdup(&save_protocol_list,
451 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
453 return 0;
454 }
455
456 return 1;
457}
458
459#ifndef OPENSSL_NO_SRTP
460int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
461 size_t chainidx)
462{
463 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
464 unsigned int ct, mki_len, id;
465 int i, srtp_pref;
466 PACKET subpkt;
467
468 /* Ignore this if we have no SRTP profiles */
469 if (SSL_get_srtp_profiles(s) == NULL)
470 return 1;
471
472 /* Pull off the length of the cipher suite list and check it is even */
473 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
474 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
475 SSLfatal(s, SSL_AD_DECODE_ERROR,
476 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
477 return 0;
478 }
479
480 srvr = SSL_get_srtp_profiles(s);
481 s->srtp_profile = NULL;
482 /* Search all profiles for a match initially */
483 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
484
485 while (PACKET_remaining(&subpkt)) {
486 if (!PACKET_get_net_2(&subpkt, &id)) {
487 SSLfatal(s, SSL_AD_DECODE_ERROR,
488 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
489 return 0;
490 }
491
492 /*
493 * Only look for match in profiles of higher preference than
494 * current match.
495 * If no profiles have been have been configured then this
496 * does nothing.
497 */
498 for (i = 0; i < srtp_pref; i++) {
499 SRTP_PROTECTION_PROFILE *sprof =
500 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
501
502 if (sprof->id == id) {
503 s->srtp_profile = sprof;
504 srtp_pref = i;
505 break;
506 }
507 }
508 }
509
510 /* Now extract the MKI value as a sanity check, but discard it for now */
511 if (!PACKET_get_1(pkt, &mki_len)) {
512 SSLfatal(s, SSL_AD_DECODE_ERROR,
513 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
514 return 0;
515 }
516
517 if (!PACKET_forward(pkt, mki_len)
518 || PACKET_remaining(pkt)) {
519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
520 return 0;
521 }
522
523 return 1;
524}
525#endif
526
527int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
528 size_t chainidx)
529{
530 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
531 s->ext.use_etm = 1;
532
533 return 1;
534}
535
536/*
537 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
538 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
539 */
540int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
541 X509 *x, size_t chainidx)
542{
543#ifndef OPENSSL_NO_TLS1_3
544 PACKET psk_kex_modes;
545 unsigned int mode;
546
547 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
548 || PACKET_remaining(&psk_kex_modes) == 0) {
549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
550 return 0;
551 }
552
553 while (PACKET_get_1(&psk_kex_modes, &mode)) {
554 if (mode == TLSEXT_KEX_MODE_KE_DHE)
555 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
556 else if (mode == TLSEXT_KEX_MODE_KE
557 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
558 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
559 }
560#endif
561
562 return 1;
563}
564
565/*
566 * Process a key_share extension received in the ClientHello. |pkt| contains
567 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
568 */
569int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
570 size_t chainidx)
571{
572#ifndef OPENSSL_NO_TLS1_3
573 unsigned int group_id;
574 PACKET key_share_list, encoded_pt;
575 const uint16_t *clntgroups, *srvrgroups;
576 size_t clnt_num_groups, srvr_num_groups;
577 int found = 0;
578
579 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
580 return 1;
581
582 /* Sanity check */
583 if (s->s3.peer_tmp != NULL) {
584 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
585 return 0;
586 }
587
588 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
590 return 0;
591 }
592
593 /* Get our list of supported groups */
594 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
595 /* Get the clients list of supported groups. */
596 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
597 if (clnt_num_groups == 0) {
598 /*
599 * This can only happen if the supported_groups extension was not sent,
600 * because we verify that the length is non-zero when we process that
601 * extension.
602 */
603 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
604 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
605 return 0;
606 }
607
608 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
609 /*
610 * If we set a group_id already, then we must have sent an HRR
611 * requesting a new key_share. If we haven't got one then that is an
612 * error
613 */
614 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
615 return 0;
616 }
617
618 while (PACKET_remaining(&key_share_list) > 0) {
619 if (!PACKET_get_net_2(&key_share_list, &group_id)
620 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
621 || PACKET_remaining(&encoded_pt) == 0) {
622 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
623 return 0;
624 }
625
626 /*
627 * If we already found a suitable key_share we loop through the
628 * rest to verify the structure, but don't process them.
629 */
630 if (found)
631 continue;
632
633 /*
634 * If we sent an HRR then the key_share sent back MUST be for the group
635 * we requested, and must be the only key_share sent.
636 */
637 if (s->s3.group_id != 0
638 && (group_id != s->s3.group_id
639 || PACKET_remaining(&key_share_list) != 0)) {
640 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
641 return 0;
642 }
643
644 /* Check if this share is in supported_groups sent from client */
645 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
646 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
647 return 0;
648 }
649
650 /* Check if this share is for a group we can use */
651 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
652 /* Share not suitable */
653 continue;
654 }
655
656 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
657 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
658 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
659 return 0;
660 }
661
662 s->s3.group_id = group_id;
663 /* Cache the selected group ID in the SSL_SESSION */
664 s->session->kex_group = group_id;
665
666 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
667 PACKET_data(&encoded_pt),
668 PACKET_remaining(&encoded_pt)) <= 0) {
669 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
670 return 0;
671 }
672
673 found = 1;
674 }
675#endif
676
677 return 1;
678}
679
680int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
681 size_t chainidx)
682{
683#ifndef OPENSSL_NO_TLS1_3
684 unsigned int format, version, key_share, group_id;
685 EVP_MD_CTX *hctx;
686 EVP_PKEY *pkey;
687 PACKET cookie, raw, chhash, appcookie;
688 WPACKET hrrpkt;
689 const unsigned char *data, *mdin, *ciphdata;
690 unsigned char hmac[SHA256_DIGEST_LENGTH];
691 unsigned char hrr[MAX_HRR_SIZE];
692 size_t rawlen, hmaclen, hrrlen, ciphlen;
693 unsigned long tm, now;
694
695 /* Ignore any cookie if we're not set up to verify it */
696 if (s->ctx->verify_stateless_cookie_cb == NULL
697 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
698 return 1;
699
700 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
701 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
702 return 0;
703 }
704
705 raw = cookie;
706 data = PACKET_data(&raw);
707 rawlen = PACKET_remaining(&raw);
708 if (rawlen < SHA256_DIGEST_LENGTH
709 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
710 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
711 return 0;
712 }
713 mdin = PACKET_data(&raw);
714
715 /* Verify the HMAC of the cookie */
716 hctx = EVP_MD_CTX_create();
717 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
718 s->ctx->propq,
719 s->session_ctx->ext.cookie_hmac_key,
720 sizeof(s->session_ctx->ext.cookie_hmac_key));
721 if (hctx == NULL || pkey == NULL) {
722 EVP_MD_CTX_free(hctx);
723 EVP_PKEY_free(pkey);
724 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
725 return 0;
726 }
727
728 hmaclen = SHA256_DIGEST_LENGTH;
729 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
730 s->ctx->propq, pkey, NULL) <= 0
731 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
732 rawlen - SHA256_DIGEST_LENGTH) <= 0
733 || hmaclen != SHA256_DIGEST_LENGTH) {
734 EVP_MD_CTX_free(hctx);
735 EVP_PKEY_free(pkey);
736 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
737 return 0;
738 }
739
740 EVP_MD_CTX_free(hctx);
741 EVP_PKEY_free(pkey);
742
743 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
744 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
745 return 0;
746 }
747
748 if (!PACKET_get_net_2(&cookie, &format)) {
749 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
750 return 0;
751 }
752 /* Check the cookie format is something we recognise. Ignore it if not */
753 if (format != COOKIE_STATE_FORMAT_VERSION)
754 return 1;
755
756 /*
757 * The rest of these checks really shouldn't fail since we have verified the
758 * HMAC above.
759 */
760
761 /* Check the version number is sane */
762 if (!PACKET_get_net_2(&cookie, &version)) {
763 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
764 return 0;
765 }
766 if (version != TLS1_3_VERSION) {
767 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
768 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
769 return 0;
770 }
771
772 if (!PACKET_get_net_2(&cookie, &group_id)) {
773 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
774 return 0;
775 }
776
777 ciphdata = PACKET_data(&cookie);
778 if (!PACKET_forward(&cookie, 2)) {
779 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
780 return 0;
781 }
782 if (group_id != s->s3.group_id
783 || s->s3.tmp.new_cipher
784 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
785 /*
786 * We chose a different cipher or group id this time around to what is
787 * in the cookie. Something must have changed.
788 */
789 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
790 return 0;
791 }
792
793 if (!PACKET_get_1(&cookie, &key_share)
794 || !PACKET_get_net_4(&cookie, &tm)
795 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
796 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
797 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
798 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
799 return 0;
800 }
801
802 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
803 now = (unsigned long)time(NULL);
804 if (tm > now || (now - tm) > 600) {
805 /* Cookie is stale. Ignore it */
806 return 1;
807 }
808
809 /* Verify the app cookie */
810 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
811 PACKET_remaining(&appcookie)) == 0) {
812 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
813 return 0;
814 }
815
816 /*
817 * Reconstruct the HRR that we would have sent in response to the original
818 * ClientHello so we can add it to the transcript hash.
819 * Note: This won't work with custom HRR extensions
820 */
821 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
822 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
823 return 0;
824 }
825 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
826 || !WPACKET_start_sub_packet_u24(&hrrpkt)
827 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
828 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
829 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
830 s->tmp_session_id_len)
831 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
832 &ciphlen)
833 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
834 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
835 WPACKET_cleanup(&hrrpkt);
836 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
837 return 0;
838 }
839 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
840 || !WPACKET_start_sub_packet_u16(&hrrpkt)
841 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
842 || !WPACKET_close(&hrrpkt)) {
843 WPACKET_cleanup(&hrrpkt);
844 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
845 return 0;
846 }
847 if (key_share) {
848 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
849 || !WPACKET_start_sub_packet_u16(&hrrpkt)
850 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
851 || !WPACKET_close(&hrrpkt)) {
852 WPACKET_cleanup(&hrrpkt);
853 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
854 return 0;
855 }
856 }
857 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
858 || !WPACKET_start_sub_packet_u16(&hrrpkt)
859 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
860 || !WPACKET_close(&hrrpkt) /* cookie extension */
861 || !WPACKET_close(&hrrpkt) /* extension block */
862 || !WPACKET_close(&hrrpkt) /* message */
863 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
864 || !WPACKET_finish(&hrrpkt)) {
865 WPACKET_cleanup(&hrrpkt);
866 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
867 return 0;
868 }
869
870 /* Reconstruct the transcript hash */
871 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
872 PACKET_remaining(&chhash), hrr,
873 hrrlen)) {
874 /* SSLfatal() already called */
875 return 0;
876 }
877
878 /* Act as if this ClientHello came after a HelloRetryRequest */
879 s->hello_retry_request = 1;
880
881 s->ext.cookieok = 1;
882#endif
883
884 return 1;
885}
886
887int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
888 X509 *x, size_t chainidx)
889{
890 PACKET supported_groups_list;
891
892 /* Each group is 2 bytes and we must have at least 1. */
893 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
894 || PACKET_remaining(&supported_groups_list) == 0
895 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
896 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
897 return 0;
898 }
899
900 if (!s->hit || SSL_IS_TLS13(s)) {
901 OPENSSL_free(s->ext.peer_supportedgroups);
902 s->ext.peer_supportedgroups = NULL;
903 s->ext.peer_supportedgroups_len = 0;
904 if (!tls1_save_u16(&supported_groups_list,
905 &s->ext.peer_supportedgroups,
906 &s->ext.peer_supportedgroups_len)) {
907 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
908 return 0;
909 }
910 }
911
912 return 1;
913}
914
915int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
916 size_t chainidx)
917{
918 /* The extension must always be empty */
919 if (PACKET_remaining(pkt) != 0) {
920 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
921 return 0;
922 }
923
924 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
925 return 1;
926
927 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
928
929 return 1;
930}
931
932
933int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
934 X509 *x, size_t chainidx)
935{
936 if (PACKET_remaining(pkt) != 0) {
937 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
938 return 0;
939 }
940
941 if (s->hello_retry_request != SSL_HRR_NONE) {
942 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
943 return 0;
944 }
945
946 return 1;
947}
948
949static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
950 SSL_SESSION **sess)
951{
952 SSL_SESSION *tmpsess = NULL;
953
954 s->ext.ticket_expected = 1;
955
956 switch (PACKET_remaining(tick)) {
957 case 0:
958 return SSL_TICKET_EMPTY;
959
960 case SSL_MAX_SSL_SESSION_ID_LENGTH:
961 break;
962
963 default:
964 return SSL_TICKET_NO_DECRYPT;
965 }
966
967 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
968 SSL_MAX_SSL_SESSION_ID_LENGTH);
969
970 if (tmpsess == NULL)
971 return SSL_TICKET_NO_DECRYPT;
972
973 *sess = tmpsess;
974 return SSL_TICKET_SUCCESS;
975}
976
977int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
978 size_t chainidx)
979{
980 PACKET identities, binders, binder;
981 size_t binderoffset, hashsize;
982 SSL_SESSION *sess = NULL;
983 unsigned int id, i, ext = 0;
984 const EVP_MD *md = NULL;
985
986 /*
987 * If we have no PSK kex mode that we recognise then we can't resume so
988 * ignore this extension
989 */
990 if ((s->ext.psk_kex_mode
991 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
992 return 1;
993
994 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
995 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
996 return 0;
997 }
998
999 s->ext.ticket_expected = 0;
1000 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1001 PACKET identity;
1002 unsigned long ticket_agel;
1003 size_t idlen;
1004
1005 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1006 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1007 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1008 return 0;
1009 }
1010
1011 idlen = PACKET_remaining(&identity);
1012 if (s->psk_find_session_cb != NULL
1013 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1014 &sess)) {
1015 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1016 return 0;
1017 }
1018
1019#ifndef OPENSSL_NO_PSK
1020 if(sess == NULL
1021 && s->psk_server_callback != NULL
1022 && idlen <= PSK_MAX_IDENTITY_LEN) {
1023 char *pskid = NULL;
1024 unsigned char pskdata[PSK_MAX_PSK_LEN];
1025 unsigned int pskdatalen;
1026
1027 if (!PACKET_strndup(&identity, &pskid)) {
1028 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1029 return 0;
1030 }
1031 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1032 sizeof(pskdata));
1033 OPENSSL_free(pskid);
1034 if (pskdatalen > PSK_MAX_PSK_LEN) {
1035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1036 return 0;
1037 } else if (pskdatalen > 0) {
1038 const SSL_CIPHER *cipher;
1039 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1040
1041 /*
1042 * We found a PSK using an old style callback. We don't know
1043 * the digest so we default to SHA256 as per the TLSv1.3 spec
1044 */
1045 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1046 if (cipher == NULL) {
1047 OPENSSL_cleanse(pskdata, pskdatalen);
1048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1049 return 0;
1050 }
1051
1052 sess = SSL_SESSION_new();
1053 if (sess == NULL
1054 || !SSL_SESSION_set1_master_key(sess, pskdata,
1055 pskdatalen)
1056 || !SSL_SESSION_set_cipher(sess, cipher)
1057 || !SSL_SESSION_set_protocol_version(sess,
1058 TLS1_3_VERSION)) {
1059 OPENSSL_cleanse(pskdata, pskdatalen);
1060 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1061 goto err;
1062 }
1063 OPENSSL_cleanse(pskdata, pskdatalen);
1064 }
1065 }
1066#endif /* OPENSSL_NO_PSK */
1067
1068 if (sess != NULL) {
1069 /* We found a PSK */
1070 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1071
1072 if (sesstmp == NULL) {
1073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1074 return 0;
1075 }
1076 SSL_SESSION_free(sess);
1077 sess = sesstmp;
1078
1079 /*
1080 * We've just been told to use this session for this context so
1081 * make sure the sid_ctx matches up.
1082 */
1083 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1084 sess->sid_ctx_length = s->sid_ctx_length;
1085 ext = 1;
1086 if (id == 0)
1087 s->ext.early_data_ok = 1;
1088 s->ext.ticket_expected = 1;
1089 } else {
1090 uint32_t ticket_age = 0, now, agesec, agems;
1091 int ret;
1092
1093 /*
1094 * If we are using anti-replay protection then we behave as if
1095 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1096 * is no point in using full stateless tickets.
1097 */
1098 if ((s->options & SSL_OP_NO_TICKET) != 0
1099 || (s->max_early_data > 0
1100 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1101 ret = tls_get_stateful_ticket(s, &identity, &sess);
1102 else
1103 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1104 PACKET_remaining(&identity), NULL, 0,
1105 &sess);
1106
1107 if (ret == SSL_TICKET_EMPTY) {
1108 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1109 return 0;
1110 }
1111
1112 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1113 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1114 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1115 return 0;
1116 }
1117 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1118 continue;
1119
1120 /* Check for replay */
1121 if (s->max_early_data > 0
1122 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1123 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1124 SSL_SESSION_free(sess);
1125 sess = NULL;
1126 continue;
1127 }
1128
1129 ticket_age = (uint32_t)ticket_agel;
1130 now = (uint32_t)time(NULL);
1131 agesec = now - (uint32_t)sess->time;
1132 agems = agesec * (uint32_t)1000;
1133 ticket_age -= sess->ext.tick_age_add;
1134
1135 /*
1136 * For simplicity we do our age calculations in seconds. If the
1137 * client does it in ms then it could appear that their ticket age
1138 * is longer than ours (our ticket age calculation should always be
1139 * slightly longer than the client's due to the network latency).
1140 * Therefore we add 1000ms to our age calculation to adjust for
1141 * rounding errors.
1142 */
1143 if (id == 0
1144 && sess->timeout >= (long)agesec
1145 && agems / (uint32_t)1000 == agesec
1146 && ticket_age <= agems + 1000
1147 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1148 /*
1149 * Ticket age is within tolerance and not expired. We allow it
1150 * for early data
1151 */
1152 s->ext.early_data_ok = 1;
1153 }
1154 }
1155
1156 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1157 if (!EVP_MD_is_a(md,
1158 EVP_MD_get0_name(ssl_md(s->ctx,
1159 s->s3.tmp.new_cipher->algorithm2)))) {
1160 /* The ciphersuite is not compatible with this session. */
1161 SSL_SESSION_free(sess);
1162 sess = NULL;
1163 s->ext.early_data_ok = 0;
1164 s->ext.ticket_expected = 0;
1165 continue;
1166 }
1167 break;
1168 }
1169
1170 if (sess == NULL)
1171 return 1;
1172
1173 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1174 hashsize = EVP_MD_get_size(md);
1175
1176 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1177 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1178 goto err;
1179 }
1180
1181 for (i = 0; i <= id; i++) {
1182 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1183 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1184 goto err;
1185 }
1186 }
1187
1188 if (PACKET_remaining(&binder) != hashsize) {
1189 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1190 goto err;
1191 }
1192 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1193 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1194 ext) != 1) {
1195 /* SSLfatal() already called */
1196 goto err;
1197 }
1198
1199 s->ext.tick_identity = id;
1200
1201 SSL_SESSION_free(s->session);
1202 s->session = sess;
1203 return 1;
1204err:
1205 SSL_SESSION_free(sess);
1206 return 0;
1207}
1208
1209int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1210 ossl_unused unsigned int context,
1211 ossl_unused X509 *x,
1212 ossl_unused size_t chainidx)
1213{
1214 if (PACKET_remaining(pkt) != 0) {
1215 SSLfatal(s, SSL_AD_DECODE_ERROR,
1216 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1217 return 0;
1218 }
1219
1220 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1221
1222 return 1;
1223}
1224
1225/*
1226 * Add the server's renegotiation binding
1227 */
1228EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1229 unsigned int context, X509 *x,
1230 size_t chainidx)
1231{
1232 if (!s->s3.send_connection_binding)
1233 return EXT_RETURN_NOT_SENT;
1234
1235 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1236 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1237 || !WPACKET_start_sub_packet_u16(pkt)
1238 || !WPACKET_start_sub_packet_u8(pkt)
1239 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1240 s->s3.previous_client_finished_len)
1241 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1242 s->s3.previous_server_finished_len)
1243 || !WPACKET_close(pkt)
1244 || !WPACKET_close(pkt)) {
1245 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1246 return EXT_RETURN_FAIL;
1247 }
1248
1249 return EXT_RETURN_SENT;
1250}
1251
1252EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1253 unsigned int context, X509 *x,
1254 size_t chainidx)
1255{
1256 if (s->servername_done != 1)
1257 return EXT_RETURN_NOT_SENT;
1258
1259 /*
1260 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1261 * We just use the servername from the initial handshake.
1262 */
1263 if (s->hit && !SSL_IS_TLS13(s))
1264 return EXT_RETURN_NOT_SENT;
1265
1266 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1267 || !WPACKET_put_bytes_u16(pkt, 0)) {
1268 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1269 return EXT_RETURN_FAIL;
1270 }
1271
1272 return EXT_RETURN_SENT;
1273}
1274
1275/* Add/include the server's max fragment len extension into ServerHello */
1276EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1277 unsigned int context, X509 *x,
1278 size_t chainidx)
1279{
1280 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1281 return EXT_RETURN_NOT_SENT;
1282
1283 /*-
1284 * 4 bytes for this extension type and extension length
1285 * 1 byte for the Max Fragment Length code value.
1286 */
1287 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1288 || !WPACKET_start_sub_packet_u16(pkt)
1289 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1290 || !WPACKET_close(pkt)) {
1291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1292 return EXT_RETURN_FAIL;
1293 }
1294
1295 return EXT_RETURN_SENT;
1296}
1297
1298EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1299 unsigned int context, X509 *x,
1300 size_t chainidx)
1301{
1302 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1303 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1304 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1305 && (s->ext.peer_ecpointformats != NULL);
1306 const unsigned char *plist;
1307 size_t plistlen;
1308
1309 if (!using_ecc)
1310 return EXT_RETURN_NOT_SENT;
1311
1312 tls1_get_formatlist(s, &plist, &plistlen);
1313 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1314 || !WPACKET_start_sub_packet_u16(pkt)
1315 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1316 || !WPACKET_close(pkt)) {
1317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1318 return EXT_RETURN_FAIL;
1319 }
1320
1321 return EXT_RETURN_SENT;
1322}
1323
1324EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1325 unsigned int context, X509 *x,
1326 size_t chainidx)
1327{
1328 const uint16_t *groups;
1329 size_t numgroups, i, first = 1;
1330 int version;
1331
1332 /* s->s3.group_id is non zero if we accepted a key_share */
1333 if (s->s3.group_id == 0)
1334 return EXT_RETURN_NOT_SENT;
1335
1336 /* Get our list of supported groups */
1337 tls1_get_supported_groups(s, &groups, &numgroups);
1338 if (numgroups == 0) {
1339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1340 return EXT_RETURN_FAIL;
1341 }
1342
1343 /* Copy group ID if supported */
1344 version = SSL_version(s);
1345 for (i = 0; i < numgroups; i++) {
1346 uint16_t group = groups[i];
1347
1348 if (tls_valid_group(s, group, version, version, 0, NULL)
1349 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1350 if (first) {
1351 /*
1352 * Check if the client is already using our preferred group. If
1353 * so we don't need to add this extension
1354 */
1355 if (s->s3.group_id == group)
1356 return EXT_RETURN_NOT_SENT;
1357
1358 /* Add extension header */
1359 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1360 /* Sub-packet for supported_groups extension */
1361 || !WPACKET_start_sub_packet_u16(pkt)
1362 || !WPACKET_start_sub_packet_u16(pkt)) {
1363 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1364 return EXT_RETURN_FAIL;
1365 }
1366
1367 first = 0;
1368 }
1369 if (!WPACKET_put_bytes_u16(pkt, group)) {
1370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1371 return EXT_RETURN_FAIL;
1372 }
1373 }
1374 }
1375
1376 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1378 return EXT_RETURN_FAIL;
1379 }
1380
1381 return EXT_RETURN_SENT;
1382}
1383
1384EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1385 unsigned int context, X509 *x,
1386 size_t chainidx)
1387{
1388 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1389 s->ext.ticket_expected = 0;
1390 return EXT_RETURN_NOT_SENT;
1391 }
1392
1393 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1394 || !WPACKET_put_bytes_u16(pkt, 0)) {
1395 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1396 return EXT_RETURN_FAIL;
1397 }
1398
1399 return EXT_RETURN_SENT;
1400}
1401
1402#ifndef OPENSSL_NO_OCSP
1403EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1404 unsigned int context, X509 *x,
1405 size_t chainidx)
1406{
1407 /* We don't currently support this extension inside a CertificateRequest */
1408 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1409 return EXT_RETURN_NOT_SENT;
1410
1411 if (!s->ext.status_expected)
1412 return EXT_RETURN_NOT_SENT;
1413
1414 if (SSL_IS_TLS13(s) && chainidx != 0)
1415 return EXT_RETURN_NOT_SENT;
1416
1417 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1418 || !WPACKET_start_sub_packet_u16(pkt)) {
1419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1420 return EXT_RETURN_FAIL;
1421 }
1422
1423 /*
1424 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1425 * send back an empty extension, with the certificate status appearing as a
1426 * separate message
1427 */
1428 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1429 /* SSLfatal() already called */
1430 return EXT_RETURN_FAIL;
1431 }
1432 if (!WPACKET_close(pkt)) {
1433 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1434 return EXT_RETURN_FAIL;
1435 }
1436
1437 return EXT_RETURN_SENT;
1438}
1439#endif
1440
1441#ifndef OPENSSL_NO_NEXTPROTONEG
1442EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1443 unsigned int context, X509 *x,
1444 size_t chainidx)
1445{
1446 const unsigned char *npa;
1447 unsigned int npalen;
1448 int ret;
1449 int npn_seen = s->s3.npn_seen;
1450
1451 s->s3.npn_seen = 0;
1452 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1453 return EXT_RETURN_NOT_SENT;
1454
1455 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1456 s->ctx->ext.npn_advertised_cb_arg);
1457 if (ret == SSL_TLSEXT_ERR_OK) {
1458 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1459 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1461 return EXT_RETURN_FAIL;
1462 }
1463 s->s3.npn_seen = 1;
1464 }
1465
1466 return EXT_RETURN_SENT;
1467}
1468#endif
1469
1470EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1471 X509 *x, size_t chainidx)
1472{
1473 if (s->s3.alpn_selected == NULL)
1474 return EXT_RETURN_NOT_SENT;
1475
1476 if (!WPACKET_put_bytes_u16(pkt,
1477 TLSEXT_TYPE_application_layer_protocol_negotiation)
1478 || !WPACKET_start_sub_packet_u16(pkt)
1479 || !WPACKET_start_sub_packet_u16(pkt)
1480 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1481 s->s3.alpn_selected_len)
1482 || !WPACKET_close(pkt)
1483 || !WPACKET_close(pkt)) {
1484 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1485 return EXT_RETURN_FAIL;
1486 }
1487
1488 return EXT_RETURN_SENT;
1489}
1490
1491#ifndef OPENSSL_NO_SRTP
1492EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1493 unsigned int context, X509 *x,
1494 size_t chainidx)
1495{
1496 if (s->srtp_profile == NULL)
1497 return EXT_RETURN_NOT_SENT;
1498
1499 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1500 || !WPACKET_start_sub_packet_u16(pkt)
1501 || !WPACKET_put_bytes_u16(pkt, 2)
1502 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1503 || !WPACKET_put_bytes_u8(pkt, 0)
1504 || !WPACKET_close(pkt)) {
1505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1506 return EXT_RETURN_FAIL;
1507 }
1508
1509 return EXT_RETURN_SENT;
1510}
1511#endif
1512
1513EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1514 X509 *x, size_t chainidx)
1515{
1516 if (!s->ext.use_etm)
1517 return EXT_RETURN_NOT_SENT;
1518
1519 /*
1520 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1521 * for other cases too.
1522 */
1523 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1524 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1525 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1526 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1527 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1528 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1529 s->ext.use_etm = 0;
1530 return EXT_RETURN_NOT_SENT;
1531 }
1532
1533 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1534 || !WPACKET_put_bytes_u16(pkt, 0)) {
1535 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1536 return EXT_RETURN_FAIL;
1537 }
1538
1539 return EXT_RETURN_SENT;
1540}
1541
1542EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1543 X509 *x, size_t chainidx)
1544{
1545 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1546 return EXT_RETURN_NOT_SENT;
1547
1548 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1549 || !WPACKET_put_bytes_u16(pkt, 0)) {
1550 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1551 return EXT_RETURN_FAIL;
1552 }
1553
1554 return EXT_RETURN_SENT;
1555}
1556
1557EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1558 unsigned int context, X509 *x,
1559 size_t chainidx)
1560{
1561 if (!ossl_assert(SSL_IS_TLS13(s))) {
1562 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1563 return EXT_RETURN_FAIL;
1564 }
1565
1566 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1567 || !WPACKET_start_sub_packet_u16(pkt)
1568 || !WPACKET_put_bytes_u16(pkt, s->version)
1569 || !WPACKET_close(pkt)) {
1570 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1571 return EXT_RETURN_FAIL;
1572 }
1573
1574 return EXT_RETURN_SENT;
1575}
1576
1577EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1578 unsigned int context, X509 *x,
1579 size_t chainidx)
1580{
1581#ifndef OPENSSL_NO_TLS1_3
1582 unsigned char *encodedPoint;
1583 size_t encoded_pt_len = 0;
1584 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1585 const TLS_GROUP_INFO *ginf = NULL;
1586
1587 if (s->hello_retry_request == SSL_HRR_PENDING) {
1588 if (ckey != NULL) {
1589 /* Original key_share was acceptable so don't ask for another one */
1590 return EXT_RETURN_NOT_SENT;
1591 }
1592 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1593 || !WPACKET_start_sub_packet_u16(pkt)
1594 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1595 || !WPACKET_close(pkt)) {
1596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1597 return EXT_RETURN_FAIL;
1598 }
1599
1600 return EXT_RETURN_SENT;
1601 }
1602
1603 if (ckey == NULL) {
1604 /* No key_share received from client - must be resuming */
1605 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1606 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1607 return EXT_RETURN_FAIL;
1608 }
1609 return EXT_RETURN_NOT_SENT;
1610 }
1611 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1612 /*
1613 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1614 * DHE option we always take it); don't send key share.
1615 */
1616 return EXT_RETURN_NOT_SENT;
1617 }
1618
1619 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1620 || !WPACKET_start_sub_packet_u16(pkt)
1621 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1622 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1623 return EXT_RETURN_FAIL;
1624 }
1625
1626 if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
1627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1628 return EXT_RETURN_FAIL;
1629 }
1630
1631 if (!ginf->is_kem) {
1632 /* Regular KEX */
1633 skey = ssl_generate_pkey(s, ckey);
1634 if (skey == NULL) {
1635 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1636 return EXT_RETURN_FAIL;
1637 }
1638
1639 /* Generate encoding of server key */
1640 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1641 if (encoded_pt_len == 0) {
1642 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1643 EVP_PKEY_free(skey);
1644 return EXT_RETURN_FAIL;
1645 }
1646
1647 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1648 || !WPACKET_close(pkt)) {
1649 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1650 EVP_PKEY_free(skey);
1651 OPENSSL_free(encodedPoint);
1652 return EXT_RETURN_FAIL;
1653 }
1654 OPENSSL_free(encodedPoint);
1655
1656 /*
1657 * This causes the crypto state to be updated based on the derived keys
1658 */
1659 s->s3.tmp.pkey = skey;
1660 if (ssl_derive(s, skey, ckey, 1) == 0) {
1661 /* SSLfatal() already called */
1662 return EXT_RETURN_FAIL;
1663 }
1664 } else {
1665 /* KEM mode */
1666 unsigned char *ct = NULL;
1667 size_t ctlen = 0;
1668
1669 /*
1670 * This does not update the crypto state.
1671 *
1672 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1673 * ssl_gensecret().
1674 */
1675 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1676 /* SSLfatal() already called */
1677 return EXT_RETURN_FAIL;
1678 }
1679
1680 if (ctlen == 0) {
1681 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1682 OPENSSL_free(ct);
1683 return EXT_RETURN_FAIL;
1684 }
1685
1686 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1687 || !WPACKET_close(pkt)) {
1688 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1689 OPENSSL_free(ct);
1690 return EXT_RETURN_FAIL;
1691 }
1692 OPENSSL_free(ct);
1693
1694 /*
1695 * This causes the crypto state to be updated based on the generated pms
1696 */
1697 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1698 /* SSLfatal() already called */
1699 return EXT_RETURN_FAIL;
1700 }
1701 }
1702 s->s3.did_kex = 1;
1703 return EXT_RETURN_SENT;
1704#else
1705 return EXT_RETURN_FAIL;
1706#endif
1707}
1708
1709EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1710 X509 *x, size_t chainidx)
1711{
1712#ifndef OPENSSL_NO_TLS1_3
1713 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1714 unsigned char *hmac, *hmac2;
1715 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1716 EVP_MD_CTX *hctx;
1717 EVP_PKEY *pkey;
1718 int ret = EXT_RETURN_FAIL;
1719
1720 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1721 return EXT_RETURN_NOT_SENT;
1722
1723 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1724 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1725 return EXT_RETURN_FAIL;
1726 }
1727
1728 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1729 || !WPACKET_start_sub_packet_u16(pkt)
1730 || !WPACKET_start_sub_packet_u16(pkt)
1731 || !WPACKET_get_total_written(pkt, &startlen)
1732 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1733 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1734 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1735 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1736 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1737 &ciphlen)
1738 /* Is there a key_share extension present in this HRR? */
1739 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1740 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1741 || !WPACKET_start_sub_packet_u16(pkt)
1742 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1743 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1744 return EXT_RETURN_FAIL;
1745 }
1746
1747 /*
1748 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1749 * on raw buffers, so we first reserve sufficient bytes (above) and then
1750 * subsequently allocate them (below)
1751 */
1752 if (!ssl3_digest_cached_records(s, 0)
1753 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1754 /* SSLfatal() already called */
1755 return EXT_RETURN_FAIL;
1756 }
1757
1758 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1759 || !ossl_assert(hashval1 == hashval2)
1760 || !WPACKET_close(pkt)
1761 || !WPACKET_start_sub_packet_u8(pkt)
1762 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1764 return EXT_RETURN_FAIL;
1765 }
1766
1767 /* Generate the application cookie */
1768 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1770 return EXT_RETURN_FAIL;
1771 }
1772
1773 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1774 || !ossl_assert(appcookie1 == appcookie2)
1775 || !WPACKET_close(pkt)
1776 || !WPACKET_get_total_written(pkt, &totcookielen)
1777 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1778 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1779 return EXT_RETURN_FAIL;
1780 }
1781 hmaclen = SHA256_DIGEST_LENGTH;
1782
1783 totcookielen -= startlen;
1784 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1786 return EXT_RETURN_FAIL;
1787 }
1788
1789 /* HMAC the cookie */
1790 hctx = EVP_MD_CTX_create();
1791 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1792 s->ctx->propq,
1793 s->session_ctx->ext.cookie_hmac_key,
1794 sizeof(s->session_ctx->ext.cookie_hmac_key));
1795 if (hctx == NULL || pkey == NULL) {
1796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1797 goto err;
1798 }
1799
1800 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
1801 s->ctx->propq, pkey, NULL) <= 0
1802 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1803 totcookielen) <= 0) {
1804 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1805 goto err;
1806 }
1807
1808 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1809 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1810 goto err;
1811 }
1812
1813 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1814 || !ossl_assert(hmac == hmac2)
1815 || !ossl_assert(cookie == hmac - totcookielen)
1816 || !WPACKET_close(pkt)
1817 || !WPACKET_close(pkt)) {
1818 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1819 goto err;
1820 }
1821
1822 ret = EXT_RETURN_SENT;
1823
1824 err:
1825 EVP_MD_CTX_free(hctx);
1826 EVP_PKEY_free(pkey);
1827 return ret;
1828#else
1829 return EXT_RETURN_FAIL;
1830#endif
1831}
1832
1833EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1834 unsigned int context, X509 *x,
1835 size_t chainidx)
1836{
1837 const unsigned char cryptopro_ext[36] = {
1838 0xfd, 0xe8, /* 65000 */
1839 0x00, 0x20, /* 32 bytes length */
1840 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1841 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1842 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1843 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1844 };
1845
1846 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1847 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1848 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1849 return EXT_RETURN_NOT_SENT;
1850
1851 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1852 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1853 return EXT_RETURN_FAIL;
1854 }
1855
1856 return EXT_RETURN_SENT;
1857}
1858
1859EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1860 unsigned int context, X509 *x,
1861 size_t chainidx)
1862{
1863 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1864 if (s->max_early_data == 0)
1865 return EXT_RETURN_NOT_SENT;
1866
1867 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1868 || !WPACKET_start_sub_packet_u16(pkt)
1869 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1870 || !WPACKET_close(pkt)) {
1871 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1872 return EXT_RETURN_FAIL;
1873 }
1874
1875 return EXT_RETURN_SENT;
1876 }
1877
1878 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1879 return EXT_RETURN_NOT_SENT;
1880
1881 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1882 || !WPACKET_start_sub_packet_u16(pkt)
1883 || !WPACKET_close(pkt)) {
1884 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1885 return EXT_RETURN_FAIL;
1886 }
1887
1888 return EXT_RETURN_SENT;
1889}
1890
1891EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1892 X509 *x, size_t chainidx)
1893{
1894 if (!s->hit)
1895 return EXT_RETURN_NOT_SENT;
1896
1897 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1898 || !WPACKET_start_sub_packet_u16(pkt)
1899 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1900 || !WPACKET_close(pkt)) {
1901 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1902 return EXT_RETURN_FAIL;
1903 }
1904
1905 return EXT_RETURN_SENT;
1906}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette