1 | /*
|
---|
2 | * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <openssl/ocsp.h>
|
---|
11 | #include "../ssl_local.h"
|
---|
12 | #include "statem_local.h"
|
---|
13 | #include "internal/cryptlib.h"
|
---|
14 |
|
---|
15 | #define COOKIE_STATE_FORMAT_VERSION 0
|
---|
16 |
|
---|
17 | /*
|
---|
18 | * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
|
---|
19 | * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
|
---|
20 | * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
|
---|
21 | * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
|
---|
22 | * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
|
---|
23 | */
|
---|
24 | #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
|
---|
25 | + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
|
---|
26 |
|
---|
27 | /*
|
---|
28 | * Message header + 2 bytes for protocol version + number of random bytes +
|
---|
29 | * + 1 byte for legacy session id length + number of bytes in legacy session id
|
---|
30 | * + 2 bytes for ciphersuite + 1 byte for legacy compression
|
---|
31 | * + 2 bytes for extension block length + 6 bytes for key_share extension
|
---|
32 | * + 4 bytes for cookie extension header + the number of bytes in the cookie
|
---|
33 | */
|
---|
34 | #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
|
---|
35 | + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
|
---|
36 | + MAX_COOKIE_SIZE)
|
---|
37 |
|
---|
38 | /*
|
---|
39 | * Parse the client's renegotiation binding and abort if it's not right
|
---|
40 | */
|
---|
41 | int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
|
---|
42 | X509 *x, size_t chainidx)
|
---|
43 | {
|
---|
44 | unsigned int ilen;
|
---|
45 | const unsigned char *data;
|
---|
46 |
|
---|
47 | /* Parse the length byte */
|
---|
48 | if (!PACKET_get_1(pkt, &ilen)
|
---|
49 | || !PACKET_get_bytes(pkt, &data, ilen)) {
|
---|
50 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
|
---|
51 | SSL_R_RENEGOTIATION_ENCODING_ERR);
|
---|
52 | return 0;
|
---|
53 | }
|
---|
54 |
|
---|
55 | /* Check that the extension matches */
|
---|
56 | if (ilen != s->s3->previous_client_finished_len) {
|
---|
57 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
|
---|
58 | SSL_R_RENEGOTIATION_MISMATCH);
|
---|
59 | return 0;
|
---|
60 | }
|
---|
61 |
|
---|
62 | if (memcmp(data, s->s3->previous_client_finished,
|
---|
63 | s->s3->previous_client_finished_len)) {
|
---|
64 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
|
---|
65 | SSL_R_RENEGOTIATION_MISMATCH);
|
---|
66 | return 0;
|
---|
67 | }
|
---|
68 |
|
---|
69 | s->s3->send_connection_binding = 1;
|
---|
70 |
|
---|
71 | return 1;
|
---|
72 | }
|
---|
73 |
|
---|
74 | /*-
|
---|
75 | * The servername extension is treated as follows:
|
---|
76 | *
|
---|
77 | * - Only the hostname type is supported with a maximum length of 255.
|
---|
78 | * - The servername is rejected if too long or if it contains zeros,
|
---|
79 | * in which case an fatal alert is generated.
|
---|
80 | * - The servername field is maintained together with the session cache.
|
---|
81 | * - When a session is resumed, the servername call back invoked in order
|
---|
82 | * to allow the application to position itself to the right context.
|
---|
83 | * - The servername is acknowledged if it is new for a session or when
|
---|
84 | * it is identical to a previously used for the same session.
|
---|
85 | * Applications can control the behaviour. They can at any time
|
---|
86 | * set a 'desirable' servername for a new SSL object. This can be the
|
---|
87 | * case for example with HTTPS when a Host: header field is received and
|
---|
88 | * a renegotiation is requested. In this case, a possible servername
|
---|
89 | * presented in the new client hello is only acknowledged if it matches
|
---|
90 | * the value of the Host: field.
|
---|
91 | * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
|
---|
92 | * if they provide for changing an explicit servername context for the
|
---|
93 | * session, i.e. when the session has been established with a servername
|
---|
94 | * extension.
|
---|
95 | * - On session reconnect, the servername extension may be absent.
|
---|
96 | */
|
---|
97 | int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
---|
98 | X509 *x, size_t chainidx)
|
---|
99 | {
|
---|
100 | unsigned int servname_type;
|
---|
101 | PACKET sni, hostname;
|
---|
102 |
|
---|
103 | if (!PACKET_as_length_prefixed_2(pkt, &sni)
|
---|
104 | /* ServerNameList must be at least 1 byte long. */
|
---|
105 | || PACKET_remaining(&sni) == 0) {
|
---|
106 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
|
---|
107 | SSL_R_BAD_EXTENSION);
|
---|
108 | return 0;
|
---|
109 | }
|
---|
110 |
|
---|
111 | /*
|
---|
112 | * Although the intent was for server_name to be extensible, RFC 4366
|
---|
113 | * was not clear about it; and so OpenSSL among other implementations,
|
---|
114 | * always and only allows a 'host_name' name types.
|
---|
115 | * RFC 6066 corrected the mistake but adding new name types
|
---|
116 | * is nevertheless no longer feasible, so act as if no other
|
---|
117 | * SNI types can exist, to simplify parsing.
|
---|
118 | *
|
---|
119 | * Also note that the RFC permits only one SNI value per type,
|
---|
120 | * i.e., we can only have a single hostname.
|
---|
121 | */
|
---|
122 | if (!PACKET_get_1(&sni, &servname_type)
|
---|
123 | || servname_type != TLSEXT_NAMETYPE_host_name
|
---|
124 | || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
|
---|
125 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
|
---|
126 | SSL_R_BAD_EXTENSION);
|
---|
127 | return 0;
|
---|
128 | }
|
---|
129 |
|
---|
130 | /*
|
---|
131 | * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
|
---|
132 | * we always use the SNI value from the handshake.
|
---|
133 | */
|
---|
134 | if (!s->hit || SSL_IS_TLS13(s)) {
|
---|
135 | if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
|
---|
136 | SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
|
---|
137 | SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
|
---|
138 | SSL_R_BAD_EXTENSION);
|
---|
139 | return 0;
|
---|
140 | }
|
---|
141 |
|
---|
142 | if (PACKET_contains_zero_byte(&hostname)) {
|
---|
143 | SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
|
---|
144 | SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
|
---|
145 | SSL_R_BAD_EXTENSION);
|
---|
146 | return 0;
|
---|
147 | }
|
---|
148 |
|
---|
149 | /*
|
---|
150 | * Store the requested SNI in the SSL as temporary storage.
|
---|
151 | * If we accept it, it will get stored in the SSL_SESSION as well.
|
---|
152 | */
|
---|
153 | OPENSSL_free(s->ext.hostname);
|
---|
154 | s->ext.hostname = NULL;
|
---|
155 | if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
|
---|
156 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
|
---|
157 | ERR_R_INTERNAL_ERROR);
|
---|
158 | return 0;
|
---|
159 | }
|
---|
160 |
|
---|
161 | s->servername_done = 1;
|
---|
162 | } else {
|
---|
163 | /*
|
---|
164 | * In TLSv1.2 and below we should check if the SNI is consistent between
|
---|
165 | * the initial handshake and the resumption. In TLSv1.3 SNI is not
|
---|
166 | * associated with the session.
|
---|
167 | */
|
---|
168 | /*
|
---|
169 | * TODO(openssl-team): if the SNI doesn't match, we MUST
|
---|
170 | * fall back to a full handshake.
|
---|
171 | */
|
---|
172 | s->servername_done = (s->session->ext.hostname != NULL)
|
---|
173 | && PACKET_equal(&hostname, s->session->ext.hostname,
|
---|
174 | strlen(s->session->ext.hostname));
|
---|
175 | }
|
---|
176 |
|
---|
177 | return 1;
|
---|
178 | }
|
---|
179 |
|
---|
180 | int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
|
---|
181 | X509 *x, size_t chainidx)
|
---|
182 | {
|
---|
183 | unsigned int value;
|
---|
184 |
|
---|
185 | if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
|
---|
186 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
|
---|
187 | SSL_R_BAD_EXTENSION);
|
---|
188 | return 0;
|
---|
189 | }
|
---|
190 |
|
---|
191 | /* Received |value| should be a valid max-fragment-length code. */
|
---|
192 | if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
|
---|
193 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
194 | SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
|
---|
195 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
|
---|
196 | return 0;
|
---|
197 | }
|
---|
198 |
|
---|
199 | /*
|
---|
200 | * RFC 6066: The negotiated length applies for the duration of the session
|
---|
201 | * including session resumptions.
|
---|
202 | * We should receive the same code as in resumed session !
|
---|
203 | */
|
---|
204 | if (s->hit && s->session->ext.max_fragment_len_mode != value) {
|
---|
205 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
206 | SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
|
---|
207 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
|
---|
208 | return 0;
|
---|
209 | }
|
---|
210 |
|
---|
211 | /*
|
---|
212 | * Store it in session, so it'll become binding for us
|
---|
213 | * and we'll include it in a next Server Hello.
|
---|
214 | */
|
---|
215 | s->session->ext.max_fragment_len_mode = value;
|
---|
216 | return 1;
|
---|
217 | }
|
---|
218 |
|
---|
219 | #ifndef OPENSSL_NO_SRP
|
---|
220 | int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
221 | size_t chainidx)
|
---|
222 | {
|
---|
223 | PACKET srp_I;
|
---|
224 |
|
---|
225 | if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
|
---|
226 | || PACKET_contains_zero_byte(&srp_I)) {
|
---|
227 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
228 | SSL_F_TLS_PARSE_CTOS_SRP,
|
---|
229 | SSL_R_BAD_EXTENSION);
|
---|
230 | return 0;
|
---|
231 | }
|
---|
232 |
|
---|
233 | /*
|
---|
234 | * TODO(openssl-team): currently, we re-authenticate the user
|
---|
235 | * upon resumption. Instead, we MUST ignore the login.
|
---|
236 | */
|
---|
237 | if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
|
---|
238 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
|
---|
239 | ERR_R_INTERNAL_ERROR);
|
---|
240 | return 0;
|
---|
241 | }
|
---|
242 |
|
---|
243 | return 1;
|
---|
244 | }
|
---|
245 | #endif
|
---|
246 |
|
---|
247 | #ifndef OPENSSL_NO_EC
|
---|
248 | int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
|
---|
249 | X509 *x, size_t chainidx)
|
---|
250 | {
|
---|
251 | PACKET ec_point_format_list;
|
---|
252 |
|
---|
253 | if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
|
---|
254 | || PACKET_remaining(&ec_point_format_list) == 0) {
|
---|
255 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
|
---|
256 | SSL_R_BAD_EXTENSION);
|
---|
257 | return 0;
|
---|
258 | }
|
---|
259 |
|
---|
260 | if (!s->hit) {
|
---|
261 | if (!PACKET_memdup(&ec_point_format_list,
|
---|
262 | &s->ext.peer_ecpointformats,
|
---|
263 | &s->ext.peer_ecpointformats_len)) {
|
---|
264 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
265 | SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
|
---|
266 | return 0;
|
---|
267 | }
|
---|
268 | }
|
---|
269 |
|
---|
270 | return 1;
|
---|
271 | }
|
---|
272 | #endif /* OPENSSL_NO_EC */
|
---|
273 |
|
---|
274 | int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
|
---|
275 | X509 *x, size_t chainidx)
|
---|
276 | {
|
---|
277 | if (s->ext.session_ticket_cb &&
|
---|
278 | !s->ext.session_ticket_cb(s, PACKET_data(pkt),
|
---|
279 | PACKET_remaining(pkt),
|
---|
280 | s->ext.session_ticket_cb_arg)) {
|
---|
281 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
282 | SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
|
---|
283 | return 0;
|
---|
284 | }
|
---|
285 |
|
---|
286 | return 1;
|
---|
287 | }
|
---|
288 |
|
---|
289 | int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
|
---|
290 | X509 *x, size_t chainidx)
|
---|
291 | {
|
---|
292 | PACKET supported_sig_algs;
|
---|
293 |
|
---|
294 | if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
|
---|
295 | || PACKET_remaining(&supported_sig_algs) == 0) {
|
---|
296 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
297 | SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
|
---|
298 | return 0;
|
---|
299 | }
|
---|
300 |
|
---|
301 | if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
|
---|
302 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
303 | SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
|
---|
304 | return 0;
|
---|
305 | }
|
---|
306 |
|
---|
307 | return 1;
|
---|
308 | }
|
---|
309 |
|
---|
310 | int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
311 | size_t chainidx)
|
---|
312 | {
|
---|
313 | PACKET supported_sig_algs;
|
---|
314 |
|
---|
315 | if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
|
---|
316 | || PACKET_remaining(&supported_sig_algs) == 0) {
|
---|
317 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
318 | SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
|
---|
319 | return 0;
|
---|
320 | }
|
---|
321 |
|
---|
322 | if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
|
---|
323 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
324 | SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
|
---|
325 | return 0;
|
---|
326 | }
|
---|
327 |
|
---|
328 | return 1;
|
---|
329 | }
|
---|
330 |
|
---|
331 | #ifndef OPENSSL_NO_OCSP
|
---|
332 | int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
|
---|
333 | X509 *x, size_t chainidx)
|
---|
334 | {
|
---|
335 | PACKET responder_id_list, exts;
|
---|
336 |
|
---|
337 | /* We ignore this in a resumption handshake */
|
---|
338 | if (s->hit)
|
---|
339 | return 1;
|
---|
340 |
|
---|
341 | /* Not defined if we get one of these in a client Certificate */
|
---|
342 | if (x != NULL)
|
---|
343 | return 1;
|
---|
344 |
|
---|
345 | if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
|
---|
346 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
347 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
348 | return 0;
|
---|
349 | }
|
---|
350 |
|
---|
351 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
|
---|
352 | /*
|
---|
353 | * We don't know what to do with any other type so ignore it.
|
---|
354 | */
|
---|
355 | s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
|
---|
356 | return 1;
|
---|
357 | }
|
---|
358 |
|
---|
359 | if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
|
---|
360 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
361 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
362 | return 0;
|
---|
363 | }
|
---|
364 |
|
---|
365 | /*
|
---|
366 | * We remove any OCSP_RESPIDs from a previous handshake
|
---|
367 | * to prevent unbounded memory growth - CVE-2016-6304
|
---|
368 | */
|
---|
369 | sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
|
---|
370 | if (PACKET_remaining(&responder_id_list) > 0) {
|
---|
371 | s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
|
---|
372 | if (s->ext.ocsp.ids == NULL) {
|
---|
373 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
374 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
|
---|
375 | return 0;
|
---|
376 | }
|
---|
377 | } else {
|
---|
378 | s->ext.ocsp.ids = NULL;
|
---|
379 | }
|
---|
380 |
|
---|
381 | while (PACKET_remaining(&responder_id_list) > 0) {
|
---|
382 | OCSP_RESPID *id;
|
---|
383 | PACKET responder_id;
|
---|
384 | const unsigned char *id_data;
|
---|
385 |
|
---|
386 | if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
|
---|
387 | || PACKET_remaining(&responder_id) == 0) {
|
---|
388 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
389 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
390 | return 0;
|
---|
391 | }
|
---|
392 |
|
---|
393 | id_data = PACKET_data(&responder_id);
|
---|
394 | /* TODO(size_t): Convert d2i_* to size_t */
|
---|
395 | id = d2i_OCSP_RESPID(NULL, &id_data,
|
---|
396 | (int)PACKET_remaining(&responder_id));
|
---|
397 | if (id == NULL) {
|
---|
398 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
399 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
400 | return 0;
|
---|
401 | }
|
---|
402 |
|
---|
403 | if (id_data != PACKET_end(&responder_id)) {
|
---|
404 | OCSP_RESPID_free(id);
|
---|
405 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
406 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
407 |
|
---|
408 | return 0;
|
---|
409 | }
|
---|
410 |
|
---|
411 | if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
|
---|
412 | OCSP_RESPID_free(id);
|
---|
413 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
414 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
|
---|
415 |
|
---|
416 | return 0;
|
---|
417 | }
|
---|
418 | }
|
---|
419 |
|
---|
420 | /* Read in request_extensions */
|
---|
421 | if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
|
---|
422 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
423 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
424 | return 0;
|
---|
425 | }
|
---|
426 |
|
---|
427 | if (PACKET_remaining(&exts) > 0) {
|
---|
428 | const unsigned char *ext_data = PACKET_data(&exts);
|
---|
429 |
|
---|
430 | sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
|
---|
431 | X509_EXTENSION_free);
|
---|
432 | s->ext.ocsp.exts =
|
---|
433 | d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
|
---|
434 | if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
|
---|
435 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
436 | SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
|
---|
437 | return 0;
|
---|
438 | }
|
---|
439 | }
|
---|
440 |
|
---|
441 | return 1;
|
---|
442 | }
|
---|
443 | #endif
|
---|
444 |
|
---|
445 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
446 | int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
447 | size_t chainidx)
|
---|
448 | {
|
---|
449 | /*
|
---|
450 | * We shouldn't accept this extension on a
|
---|
451 | * renegotiation.
|
---|
452 | */
|
---|
453 | if (SSL_IS_FIRST_HANDSHAKE(s))
|
---|
454 | s->s3->npn_seen = 1;
|
---|
455 |
|
---|
456 | return 1;
|
---|
457 | }
|
---|
458 | #endif
|
---|
459 |
|
---|
460 | /*
|
---|
461 | * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
|
---|
462 | * extension, not including type and length. Returns: 1 on success, 0 on error.
|
---|
463 | */
|
---|
464 | int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
465 | size_t chainidx)
|
---|
466 | {
|
---|
467 | PACKET protocol_list, save_protocol_list, protocol;
|
---|
468 |
|
---|
469 | if (!SSL_IS_FIRST_HANDSHAKE(s))
|
---|
470 | return 1;
|
---|
471 |
|
---|
472 | if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
|
---|
473 | || PACKET_remaining(&protocol_list) < 2) {
|
---|
474 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
|
---|
475 | SSL_R_BAD_EXTENSION);
|
---|
476 | return 0;
|
---|
477 | }
|
---|
478 |
|
---|
479 | save_protocol_list = protocol_list;
|
---|
480 | do {
|
---|
481 | /* Protocol names can't be empty. */
|
---|
482 | if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
|
---|
483 | || PACKET_remaining(&protocol) == 0) {
|
---|
484 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
|
---|
485 | SSL_R_BAD_EXTENSION);
|
---|
486 | return 0;
|
---|
487 | }
|
---|
488 | } while (PACKET_remaining(&protocol_list) != 0);
|
---|
489 |
|
---|
490 | OPENSSL_free(s->s3->alpn_proposed);
|
---|
491 | s->s3->alpn_proposed = NULL;
|
---|
492 | s->s3->alpn_proposed_len = 0;
|
---|
493 | if (!PACKET_memdup(&save_protocol_list,
|
---|
494 | &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
|
---|
495 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
|
---|
496 | ERR_R_INTERNAL_ERROR);
|
---|
497 | return 0;
|
---|
498 | }
|
---|
499 |
|
---|
500 | return 1;
|
---|
501 | }
|
---|
502 |
|
---|
503 | #ifndef OPENSSL_NO_SRTP
|
---|
504 | int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
505 | size_t chainidx)
|
---|
506 | {
|
---|
507 | STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
|
---|
508 | unsigned int ct, mki_len, id;
|
---|
509 | int i, srtp_pref;
|
---|
510 | PACKET subpkt;
|
---|
511 |
|
---|
512 | /* Ignore this if we have no SRTP profiles */
|
---|
513 | if (SSL_get_srtp_profiles(s) == NULL)
|
---|
514 | return 1;
|
---|
515 |
|
---|
516 | /* Pull off the length of the cipher suite list and check it is even */
|
---|
517 | if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
|
---|
518 | || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
|
---|
519 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
|
---|
520 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
---|
521 | return 0;
|
---|
522 | }
|
---|
523 |
|
---|
524 | srvr = SSL_get_srtp_profiles(s);
|
---|
525 | s->srtp_profile = NULL;
|
---|
526 | /* Search all profiles for a match initially */
|
---|
527 | srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
|
---|
528 |
|
---|
529 | while (PACKET_remaining(&subpkt)) {
|
---|
530 | if (!PACKET_get_net_2(&subpkt, &id)) {
|
---|
531 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
|
---|
532 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
---|
533 | return 0;
|
---|
534 | }
|
---|
535 |
|
---|
536 | /*
|
---|
537 | * Only look for match in profiles of higher preference than
|
---|
538 | * current match.
|
---|
539 | * If no profiles have been have been configured then this
|
---|
540 | * does nothing.
|
---|
541 | */
|
---|
542 | for (i = 0; i < srtp_pref; i++) {
|
---|
543 | SRTP_PROTECTION_PROFILE *sprof =
|
---|
544 | sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
|
---|
545 |
|
---|
546 | if (sprof->id == id) {
|
---|
547 | s->srtp_profile = sprof;
|
---|
548 | srtp_pref = i;
|
---|
549 | break;
|
---|
550 | }
|
---|
551 | }
|
---|
552 | }
|
---|
553 |
|
---|
554 | /* Now extract the MKI value as a sanity check, but discard it for now */
|
---|
555 | if (!PACKET_get_1(pkt, &mki_len)) {
|
---|
556 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
|
---|
557 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
---|
558 | return 0;
|
---|
559 | }
|
---|
560 |
|
---|
561 | if (!PACKET_forward(pkt, mki_len)
|
---|
562 | || PACKET_remaining(pkt)) {
|
---|
563 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
|
---|
564 | SSL_R_BAD_SRTP_MKI_VALUE);
|
---|
565 | return 0;
|
---|
566 | }
|
---|
567 |
|
---|
568 | return 1;
|
---|
569 | }
|
---|
570 | #endif
|
---|
571 |
|
---|
572 | int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
573 | size_t chainidx)
|
---|
574 | {
|
---|
575 | if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
|
---|
576 | s->ext.use_etm = 1;
|
---|
577 |
|
---|
578 | return 1;
|
---|
579 | }
|
---|
580 |
|
---|
581 | /*
|
---|
582 | * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
|
---|
583 | * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
|
---|
584 | */
|
---|
585 | int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
|
---|
586 | X509 *x, size_t chainidx)
|
---|
587 | {
|
---|
588 | #ifndef OPENSSL_NO_TLS1_3
|
---|
589 | PACKET psk_kex_modes;
|
---|
590 | unsigned int mode;
|
---|
591 |
|
---|
592 | if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
|
---|
593 | || PACKET_remaining(&psk_kex_modes) == 0) {
|
---|
594 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
|
---|
595 | SSL_R_BAD_EXTENSION);
|
---|
596 | return 0;
|
---|
597 | }
|
---|
598 |
|
---|
599 | while (PACKET_get_1(&psk_kex_modes, &mode)) {
|
---|
600 | if (mode == TLSEXT_KEX_MODE_KE_DHE)
|
---|
601 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
|
---|
602 | else if (mode == TLSEXT_KEX_MODE_KE
|
---|
603 | && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
|
---|
604 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
|
---|
605 | }
|
---|
606 | #endif
|
---|
607 |
|
---|
608 | return 1;
|
---|
609 | }
|
---|
610 |
|
---|
611 | /*
|
---|
612 | * Process a key_share extension received in the ClientHello. |pkt| contains
|
---|
613 | * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
|
---|
614 | */
|
---|
615 | int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
616 | size_t chainidx)
|
---|
617 | {
|
---|
618 | #ifndef OPENSSL_NO_TLS1_3
|
---|
619 | unsigned int group_id;
|
---|
620 | PACKET key_share_list, encoded_pt;
|
---|
621 | const uint16_t *clntgroups, *srvrgroups;
|
---|
622 | size_t clnt_num_groups, srvr_num_groups;
|
---|
623 | int found = 0;
|
---|
624 |
|
---|
625 | if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
|
---|
626 | return 1;
|
---|
627 |
|
---|
628 | /* Sanity check */
|
---|
629 | if (s->s3->peer_tmp != NULL) {
|
---|
630 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
|
---|
631 | ERR_R_INTERNAL_ERROR);
|
---|
632 | return 0;
|
---|
633 | }
|
---|
634 |
|
---|
635 | if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
|
---|
636 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
|
---|
637 | SSL_R_LENGTH_MISMATCH);
|
---|
638 | return 0;
|
---|
639 | }
|
---|
640 |
|
---|
641 | /* Get our list of supported groups */
|
---|
642 | tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
|
---|
643 | /* Get the clients list of supported groups. */
|
---|
644 | tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
|
---|
645 | if (clnt_num_groups == 0) {
|
---|
646 | /*
|
---|
647 | * This can only happen if the supported_groups extension was not sent,
|
---|
648 | * because we verify that the length is non-zero when we process that
|
---|
649 | * extension.
|
---|
650 | */
|
---|
651 | SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
|
---|
652 | SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
|
---|
653 | return 0;
|
---|
654 | }
|
---|
655 |
|
---|
656 | if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
|
---|
657 | /*
|
---|
658 | * If we set a group_id already, then we must have sent an HRR
|
---|
659 | * requesting a new key_share. If we haven't got one then that is an
|
---|
660 | * error
|
---|
661 | */
|
---|
662 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
|
---|
663 | SSL_R_BAD_KEY_SHARE);
|
---|
664 | return 0;
|
---|
665 | }
|
---|
666 |
|
---|
667 | while (PACKET_remaining(&key_share_list) > 0) {
|
---|
668 | if (!PACKET_get_net_2(&key_share_list, &group_id)
|
---|
669 | || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
|
---|
670 | || PACKET_remaining(&encoded_pt) == 0) {
|
---|
671 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
|
---|
672 | SSL_R_LENGTH_MISMATCH);
|
---|
673 | return 0;
|
---|
674 | }
|
---|
675 |
|
---|
676 | /*
|
---|
677 | * If we already found a suitable key_share we loop through the
|
---|
678 | * rest to verify the structure, but don't process them.
|
---|
679 | */
|
---|
680 | if (found)
|
---|
681 | continue;
|
---|
682 |
|
---|
683 | /*
|
---|
684 | * If we sent an HRR then the key_share sent back MUST be for the group
|
---|
685 | * we requested, and must be the only key_share sent.
|
---|
686 | */
|
---|
687 | if (s->s3->group_id != 0
|
---|
688 | && (group_id != s->s3->group_id
|
---|
689 | || PACKET_remaining(&key_share_list) != 0)) {
|
---|
690 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
691 | SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
|
---|
692 | return 0;
|
---|
693 | }
|
---|
694 |
|
---|
695 | /* Check if this share is in supported_groups sent from client */
|
---|
696 | if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
|
---|
697 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
698 | SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
|
---|
699 | return 0;
|
---|
700 | }
|
---|
701 |
|
---|
702 | /* Check if this share is for a group we can use */
|
---|
703 | if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
|
---|
704 | /* Share not suitable */
|
---|
705 | continue;
|
---|
706 | }
|
---|
707 |
|
---|
708 | if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
|
---|
709 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
|
---|
710 | SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
|
---|
711 | return 0;
|
---|
712 | }
|
---|
713 |
|
---|
714 | s->s3->group_id = group_id;
|
---|
715 |
|
---|
716 | if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
|
---|
717 | PACKET_data(&encoded_pt),
|
---|
718 | PACKET_remaining(&encoded_pt))) {
|
---|
719 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
720 | SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
|
---|
721 | return 0;
|
---|
722 | }
|
---|
723 |
|
---|
724 | found = 1;
|
---|
725 | }
|
---|
726 | #endif
|
---|
727 |
|
---|
728 | return 1;
|
---|
729 | }
|
---|
730 |
|
---|
731 | int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
732 | size_t chainidx)
|
---|
733 | {
|
---|
734 | #ifndef OPENSSL_NO_TLS1_3
|
---|
735 | unsigned int format, version, key_share, group_id;
|
---|
736 | EVP_MD_CTX *hctx;
|
---|
737 | EVP_PKEY *pkey;
|
---|
738 | PACKET cookie, raw, chhash, appcookie;
|
---|
739 | WPACKET hrrpkt;
|
---|
740 | const unsigned char *data, *mdin, *ciphdata;
|
---|
741 | unsigned char hmac[SHA256_DIGEST_LENGTH];
|
---|
742 | unsigned char hrr[MAX_HRR_SIZE];
|
---|
743 | size_t rawlen, hmaclen, hrrlen, ciphlen;
|
---|
744 | unsigned long tm, now;
|
---|
745 |
|
---|
746 | /* Ignore any cookie if we're not set up to verify it */
|
---|
747 | if (s->ctx->verify_stateless_cookie_cb == NULL
|
---|
748 | || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
|
---|
749 | return 1;
|
---|
750 |
|
---|
751 | if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
|
---|
752 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
753 | SSL_R_LENGTH_MISMATCH);
|
---|
754 | return 0;
|
---|
755 | }
|
---|
756 |
|
---|
757 | raw = cookie;
|
---|
758 | data = PACKET_data(&raw);
|
---|
759 | rawlen = PACKET_remaining(&raw);
|
---|
760 | if (rawlen < SHA256_DIGEST_LENGTH
|
---|
761 | || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
|
---|
762 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
763 | SSL_R_LENGTH_MISMATCH);
|
---|
764 | return 0;
|
---|
765 | }
|
---|
766 | mdin = PACKET_data(&raw);
|
---|
767 |
|
---|
768 | /* Verify the HMAC of the cookie */
|
---|
769 | hctx = EVP_MD_CTX_create();
|
---|
770 | pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
|
---|
771 | s->session_ctx->ext.cookie_hmac_key,
|
---|
772 | sizeof(s->session_ctx->ext
|
---|
773 | .cookie_hmac_key));
|
---|
774 | if (hctx == NULL || pkey == NULL) {
|
---|
775 | EVP_MD_CTX_free(hctx);
|
---|
776 | EVP_PKEY_free(pkey);
|
---|
777 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
778 | ERR_R_MALLOC_FAILURE);
|
---|
779 | return 0;
|
---|
780 | }
|
---|
781 |
|
---|
782 | hmaclen = SHA256_DIGEST_LENGTH;
|
---|
783 | if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
|
---|
784 | || EVP_DigestSign(hctx, hmac, &hmaclen, data,
|
---|
785 | rawlen - SHA256_DIGEST_LENGTH) <= 0
|
---|
786 | || hmaclen != SHA256_DIGEST_LENGTH) {
|
---|
787 | EVP_MD_CTX_free(hctx);
|
---|
788 | EVP_PKEY_free(pkey);
|
---|
789 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
790 | ERR_R_INTERNAL_ERROR);
|
---|
791 | return 0;
|
---|
792 | }
|
---|
793 |
|
---|
794 | EVP_MD_CTX_free(hctx);
|
---|
795 | EVP_PKEY_free(pkey);
|
---|
796 |
|
---|
797 | if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
|
---|
798 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
799 | SSL_R_COOKIE_MISMATCH);
|
---|
800 | return 0;
|
---|
801 | }
|
---|
802 |
|
---|
803 | if (!PACKET_get_net_2(&cookie, &format)) {
|
---|
804 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
805 | SSL_R_LENGTH_MISMATCH);
|
---|
806 | return 0;
|
---|
807 | }
|
---|
808 | /* Check the cookie format is something we recognise. Ignore it if not */
|
---|
809 | if (format != COOKIE_STATE_FORMAT_VERSION)
|
---|
810 | return 1;
|
---|
811 |
|
---|
812 | /*
|
---|
813 | * The rest of these checks really shouldn't fail since we have verified the
|
---|
814 | * HMAC above.
|
---|
815 | */
|
---|
816 |
|
---|
817 | /* Check the version number is sane */
|
---|
818 | if (!PACKET_get_net_2(&cookie, &version)) {
|
---|
819 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
820 | SSL_R_LENGTH_MISMATCH);
|
---|
821 | return 0;
|
---|
822 | }
|
---|
823 | if (version != TLS1_3_VERSION) {
|
---|
824 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
825 | SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
|
---|
826 | return 0;
|
---|
827 | }
|
---|
828 |
|
---|
829 | if (!PACKET_get_net_2(&cookie, &group_id)) {
|
---|
830 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
831 | SSL_R_LENGTH_MISMATCH);
|
---|
832 | return 0;
|
---|
833 | }
|
---|
834 |
|
---|
835 | ciphdata = PACKET_data(&cookie);
|
---|
836 | if (!PACKET_forward(&cookie, 2)) {
|
---|
837 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
838 | SSL_R_LENGTH_MISMATCH);
|
---|
839 | return 0;
|
---|
840 | }
|
---|
841 | if (group_id != s->s3->group_id
|
---|
842 | || s->s3->tmp.new_cipher
|
---|
843 | != ssl_get_cipher_by_char(s, ciphdata, 0)) {
|
---|
844 | /*
|
---|
845 | * We chose a different cipher or group id this time around to what is
|
---|
846 | * in the cookie. Something must have changed.
|
---|
847 | */
|
---|
848 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
849 | SSL_R_BAD_CIPHER);
|
---|
850 | return 0;
|
---|
851 | }
|
---|
852 |
|
---|
853 | if (!PACKET_get_1(&cookie, &key_share)
|
---|
854 | || !PACKET_get_net_4(&cookie, &tm)
|
---|
855 | || !PACKET_get_length_prefixed_2(&cookie, &chhash)
|
---|
856 | || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
|
---|
857 | || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
|
---|
858 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
859 | SSL_R_LENGTH_MISMATCH);
|
---|
860 | return 0;
|
---|
861 | }
|
---|
862 |
|
---|
863 | /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
|
---|
864 | now = (unsigned long)time(NULL);
|
---|
865 | if (tm > now || (now - tm) > 600) {
|
---|
866 | /* Cookie is stale. Ignore it */
|
---|
867 | return 1;
|
---|
868 | }
|
---|
869 |
|
---|
870 | /* Verify the app cookie */
|
---|
871 | if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
|
---|
872 | PACKET_remaining(&appcookie)) == 0) {
|
---|
873 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
874 | SSL_R_COOKIE_MISMATCH);
|
---|
875 | return 0;
|
---|
876 | }
|
---|
877 |
|
---|
878 | /*
|
---|
879 | * Reconstruct the HRR that we would have sent in response to the original
|
---|
880 | * ClientHello so we can add it to the transcript hash.
|
---|
881 | * Note: This won't work with custom HRR extensions
|
---|
882 | */
|
---|
883 | if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
|
---|
884 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
885 | ERR_R_INTERNAL_ERROR);
|
---|
886 | return 0;
|
---|
887 | }
|
---|
888 | if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
|
---|
889 | || !WPACKET_start_sub_packet_u24(&hrrpkt)
|
---|
890 | || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
|
---|
891 | || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
|
---|
892 | || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
|
---|
893 | s->tmp_session_id_len)
|
---|
894 | || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
|
---|
895 | &ciphlen)
|
---|
896 | || !WPACKET_put_bytes_u8(&hrrpkt, 0)
|
---|
897 | || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
|
---|
898 | WPACKET_cleanup(&hrrpkt);
|
---|
899 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
900 | ERR_R_INTERNAL_ERROR);
|
---|
901 | return 0;
|
---|
902 | }
|
---|
903 | if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
|
---|
904 | || !WPACKET_start_sub_packet_u16(&hrrpkt)
|
---|
905 | || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
|
---|
906 | || !WPACKET_close(&hrrpkt)) {
|
---|
907 | WPACKET_cleanup(&hrrpkt);
|
---|
908 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
909 | ERR_R_INTERNAL_ERROR);
|
---|
910 | return 0;
|
---|
911 | }
|
---|
912 | if (key_share) {
|
---|
913 | if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
|
---|
914 | || !WPACKET_start_sub_packet_u16(&hrrpkt)
|
---|
915 | || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
|
---|
916 | || !WPACKET_close(&hrrpkt)) {
|
---|
917 | WPACKET_cleanup(&hrrpkt);
|
---|
918 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
919 | ERR_R_INTERNAL_ERROR);
|
---|
920 | return 0;
|
---|
921 | }
|
---|
922 | }
|
---|
923 | if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
|
---|
924 | || !WPACKET_start_sub_packet_u16(&hrrpkt)
|
---|
925 | || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
|
---|
926 | || !WPACKET_close(&hrrpkt) /* cookie extension */
|
---|
927 | || !WPACKET_close(&hrrpkt) /* extension block */
|
---|
928 | || !WPACKET_close(&hrrpkt) /* message */
|
---|
929 | || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
|
---|
930 | || !WPACKET_finish(&hrrpkt)) {
|
---|
931 | WPACKET_cleanup(&hrrpkt);
|
---|
932 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
|
---|
933 | ERR_R_INTERNAL_ERROR);
|
---|
934 | return 0;
|
---|
935 | }
|
---|
936 |
|
---|
937 | /* Reconstruct the transcript hash */
|
---|
938 | if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
|
---|
939 | PACKET_remaining(&chhash), hrr,
|
---|
940 | hrrlen)) {
|
---|
941 | /* SSLfatal() already called */
|
---|
942 | return 0;
|
---|
943 | }
|
---|
944 |
|
---|
945 | /* Act as if this ClientHello came after a HelloRetryRequest */
|
---|
946 | s->hello_retry_request = 1;
|
---|
947 |
|
---|
948 | s->ext.cookieok = 1;
|
---|
949 | #endif
|
---|
950 |
|
---|
951 | return 1;
|
---|
952 | }
|
---|
953 |
|
---|
954 | #ifndef OPENSSL_NO_EC
|
---|
955 | int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
|
---|
956 | X509 *x, size_t chainidx)
|
---|
957 | {
|
---|
958 | PACKET supported_groups_list;
|
---|
959 |
|
---|
960 | /* Each group is 2 bytes and we must have at least 1. */
|
---|
961 | if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
|
---|
962 | || PACKET_remaining(&supported_groups_list) == 0
|
---|
963 | || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
|
---|
964 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
965 | SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
|
---|
966 | return 0;
|
---|
967 | }
|
---|
968 |
|
---|
969 | if (!s->hit || SSL_IS_TLS13(s)) {
|
---|
970 | OPENSSL_free(s->ext.peer_supportedgroups);
|
---|
971 | s->ext.peer_supportedgroups = NULL;
|
---|
972 | s->ext.peer_supportedgroups_len = 0;
|
---|
973 | if (!tls1_save_u16(&supported_groups_list,
|
---|
974 | &s->ext.peer_supportedgroups,
|
---|
975 | &s->ext.peer_supportedgroups_len)) {
|
---|
976 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
977 | SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
|
---|
978 | ERR_R_INTERNAL_ERROR);
|
---|
979 | return 0;
|
---|
980 | }
|
---|
981 | }
|
---|
982 |
|
---|
983 | return 1;
|
---|
984 | }
|
---|
985 | #endif
|
---|
986 |
|
---|
987 | int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
988 | size_t chainidx)
|
---|
989 | {
|
---|
990 | /* The extension must always be empty */
|
---|
991 | if (PACKET_remaining(pkt) != 0) {
|
---|
992 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
993 | SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
|
---|
994 | return 0;
|
---|
995 | }
|
---|
996 |
|
---|
997 | s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
|
---|
998 |
|
---|
999 | return 1;
|
---|
1000 | }
|
---|
1001 |
|
---|
1002 |
|
---|
1003 | int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1004 | X509 *x, size_t chainidx)
|
---|
1005 | {
|
---|
1006 | if (PACKET_remaining(pkt) != 0) {
|
---|
1007 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
1008 | SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
|
---|
1009 | return 0;
|
---|
1010 | }
|
---|
1011 |
|
---|
1012 | if (s->hello_retry_request != SSL_HRR_NONE) {
|
---|
1013 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
1014 | SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
|
---|
1015 | return 0;
|
---|
1016 | }
|
---|
1017 |
|
---|
1018 | return 1;
|
---|
1019 | }
|
---|
1020 |
|
---|
1021 | static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
|
---|
1022 | SSL_SESSION **sess)
|
---|
1023 | {
|
---|
1024 | SSL_SESSION *tmpsess = NULL;
|
---|
1025 |
|
---|
1026 | s->ext.ticket_expected = 1;
|
---|
1027 |
|
---|
1028 | switch (PACKET_remaining(tick)) {
|
---|
1029 | case 0:
|
---|
1030 | return SSL_TICKET_EMPTY;
|
---|
1031 |
|
---|
1032 | case SSL_MAX_SSL_SESSION_ID_LENGTH:
|
---|
1033 | break;
|
---|
1034 |
|
---|
1035 | default:
|
---|
1036 | return SSL_TICKET_NO_DECRYPT;
|
---|
1037 | }
|
---|
1038 |
|
---|
1039 | tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
|
---|
1040 | SSL_MAX_SSL_SESSION_ID_LENGTH);
|
---|
1041 |
|
---|
1042 | if (tmpsess == NULL)
|
---|
1043 | return SSL_TICKET_NO_DECRYPT;
|
---|
1044 |
|
---|
1045 | *sess = tmpsess;
|
---|
1046 | return SSL_TICKET_SUCCESS;
|
---|
1047 | }
|
---|
1048 |
|
---|
1049 | int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1050 | size_t chainidx)
|
---|
1051 | {
|
---|
1052 | PACKET identities, binders, binder;
|
---|
1053 | size_t binderoffset, hashsize;
|
---|
1054 | SSL_SESSION *sess = NULL;
|
---|
1055 | unsigned int id, i, ext = 0;
|
---|
1056 | const EVP_MD *md = NULL;
|
---|
1057 |
|
---|
1058 | /*
|
---|
1059 | * If we have no PSK kex mode that we recognise then we can't resume so
|
---|
1060 | * ignore this extension
|
---|
1061 | */
|
---|
1062 | if ((s->ext.psk_kex_mode
|
---|
1063 | & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
|
---|
1064 | return 1;
|
---|
1065 |
|
---|
1066 | if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
|
---|
1067 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
1068 | SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
|
---|
1069 | return 0;
|
---|
1070 | }
|
---|
1071 |
|
---|
1072 | s->ext.ticket_expected = 0;
|
---|
1073 | for (id = 0; PACKET_remaining(&identities) != 0; id++) {
|
---|
1074 | PACKET identity;
|
---|
1075 | unsigned long ticket_agel;
|
---|
1076 | size_t idlen;
|
---|
1077 |
|
---|
1078 | if (!PACKET_get_length_prefixed_2(&identities, &identity)
|
---|
1079 | || !PACKET_get_net_4(&identities, &ticket_agel)) {
|
---|
1080 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
1081 | SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
|
---|
1082 | return 0;
|
---|
1083 | }
|
---|
1084 |
|
---|
1085 | idlen = PACKET_remaining(&identity);
|
---|
1086 | if (s->psk_find_session_cb != NULL
|
---|
1087 | && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
|
---|
1088 | &sess)) {
|
---|
1089 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1090 | SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
|
---|
1091 | return 0;
|
---|
1092 | }
|
---|
1093 |
|
---|
1094 | #ifndef OPENSSL_NO_PSK
|
---|
1095 | if(sess == NULL
|
---|
1096 | && s->psk_server_callback != NULL
|
---|
1097 | && idlen <= PSK_MAX_IDENTITY_LEN) {
|
---|
1098 | char *pskid = NULL;
|
---|
1099 | unsigned char pskdata[PSK_MAX_PSK_LEN];
|
---|
1100 | unsigned int pskdatalen;
|
---|
1101 |
|
---|
1102 | if (!PACKET_strndup(&identity, &pskid)) {
|
---|
1103 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1104 | ERR_R_INTERNAL_ERROR);
|
---|
1105 | return 0;
|
---|
1106 | }
|
---|
1107 | pskdatalen = s->psk_server_callback(s, pskid, pskdata,
|
---|
1108 | sizeof(pskdata));
|
---|
1109 | OPENSSL_free(pskid);
|
---|
1110 | if (pskdatalen > PSK_MAX_PSK_LEN) {
|
---|
1111 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1112 | ERR_R_INTERNAL_ERROR);
|
---|
1113 | return 0;
|
---|
1114 | } else if (pskdatalen > 0) {
|
---|
1115 | const SSL_CIPHER *cipher;
|
---|
1116 | const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
|
---|
1117 |
|
---|
1118 | /*
|
---|
1119 | * We found a PSK using an old style callback. We don't know
|
---|
1120 | * the digest so we default to SHA256 as per the TLSv1.3 spec
|
---|
1121 | */
|
---|
1122 | cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
|
---|
1123 | if (cipher == NULL) {
|
---|
1124 | OPENSSL_cleanse(pskdata, pskdatalen);
|
---|
1125 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1126 | ERR_R_INTERNAL_ERROR);
|
---|
1127 | return 0;
|
---|
1128 | }
|
---|
1129 |
|
---|
1130 | sess = SSL_SESSION_new();
|
---|
1131 | if (sess == NULL
|
---|
1132 | || !SSL_SESSION_set1_master_key(sess, pskdata,
|
---|
1133 | pskdatalen)
|
---|
1134 | || !SSL_SESSION_set_cipher(sess, cipher)
|
---|
1135 | || !SSL_SESSION_set_protocol_version(sess,
|
---|
1136 | TLS1_3_VERSION)) {
|
---|
1137 | OPENSSL_cleanse(pskdata, pskdatalen);
|
---|
1138 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1139 | ERR_R_INTERNAL_ERROR);
|
---|
1140 | goto err;
|
---|
1141 | }
|
---|
1142 | OPENSSL_cleanse(pskdata, pskdatalen);
|
---|
1143 | }
|
---|
1144 | }
|
---|
1145 | #endif /* OPENSSL_NO_PSK */
|
---|
1146 |
|
---|
1147 | if (sess != NULL) {
|
---|
1148 | /* We found a PSK */
|
---|
1149 | SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
|
---|
1150 |
|
---|
1151 | if (sesstmp == NULL) {
|
---|
1152 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1153 | SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
|
---|
1154 | goto err;
|
---|
1155 | }
|
---|
1156 | SSL_SESSION_free(sess);
|
---|
1157 | sess = sesstmp;
|
---|
1158 |
|
---|
1159 | /*
|
---|
1160 | * We've just been told to use this session for this context so
|
---|
1161 | * make sure the sid_ctx matches up.
|
---|
1162 | */
|
---|
1163 | memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
|
---|
1164 | sess->sid_ctx_length = s->sid_ctx_length;
|
---|
1165 | ext = 1;
|
---|
1166 | if (id == 0)
|
---|
1167 | s->ext.early_data_ok = 1;
|
---|
1168 | s->ext.ticket_expected = 1;
|
---|
1169 | } else {
|
---|
1170 | uint32_t ticket_age = 0, now, agesec, agems;
|
---|
1171 | int ret;
|
---|
1172 |
|
---|
1173 | /*
|
---|
1174 | * If we are using anti-replay protection then we behave as if
|
---|
1175 | * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
|
---|
1176 | * is no point in using full stateless tickets.
|
---|
1177 | */
|
---|
1178 | if ((s->options & SSL_OP_NO_TICKET) != 0
|
---|
1179 | || (s->max_early_data > 0
|
---|
1180 | && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
|
---|
1181 | ret = tls_get_stateful_ticket(s, &identity, &sess);
|
---|
1182 | else
|
---|
1183 | ret = tls_decrypt_ticket(s, PACKET_data(&identity),
|
---|
1184 | PACKET_remaining(&identity), NULL, 0,
|
---|
1185 | &sess);
|
---|
1186 |
|
---|
1187 | if (ret == SSL_TICKET_EMPTY) {
|
---|
1188 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1189 | SSL_R_BAD_EXTENSION);
|
---|
1190 | return 0;
|
---|
1191 | }
|
---|
1192 |
|
---|
1193 | if (ret == SSL_TICKET_FATAL_ERR_MALLOC
|
---|
1194 | || ret == SSL_TICKET_FATAL_ERR_OTHER) {
|
---|
1195 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1196 | SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
|
---|
1197 | return 0;
|
---|
1198 | }
|
---|
1199 | if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
|
---|
1200 | continue;
|
---|
1201 |
|
---|
1202 | /* Check for replay */
|
---|
1203 | if (s->max_early_data > 0
|
---|
1204 | && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
|
---|
1205 | && !SSL_CTX_remove_session(s->session_ctx, sess)) {
|
---|
1206 | SSL_SESSION_free(sess);
|
---|
1207 | sess = NULL;
|
---|
1208 | continue;
|
---|
1209 | }
|
---|
1210 |
|
---|
1211 | ticket_age = (uint32_t)ticket_agel;
|
---|
1212 | now = (uint32_t)time(NULL);
|
---|
1213 | agesec = now - (uint32_t)sess->time;
|
---|
1214 | agems = agesec * (uint32_t)1000;
|
---|
1215 | ticket_age -= sess->ext.tick_age_add;
|
---|
1216 |
|
---|
1217 | /*
|
---|
1218 | * For simplicity we do our age calculations in seconds. If the
|
---|
1219 | * client does it in ms then it could appear that their ticket age
|
---|
1220 | * is longer than ours (our ticket age calculation should always be
|
---|
1221 | * slightly longer than the client's due to the network latency).
|
---|
1222 | * Therefore we add 1000ms to our age calculation to adjust for
|
---|
1223 | * rounding errors.
|
---|
1224 | */
|
---|
1225 | if (id == 0
|
---|
1226 | && sess->timeout >= (long)agesec
|
---|
1227 | && agems / (uint32_t)1000 == agesec
|
---|
1228 | && ticket_age <= agems + 1000
|
---|
1229 | && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
|
---|
1230 | /*
|
---|
1231 | * Ticket age is within tolerance and not expired. We allow it
|
---|
1232 | * for early data
|
---|
1233 | */
|
---|
1234 | s->ext.early_data_ok = 1;
|
---|
1235 | }
|
---|
1236 | }
|
---|
1237 |
|
---|
1238 | md = ssl_md(sess->cipher->algorithm2);
|
---|
1239 | if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
|
---|
1240 | /* The ciphersuite is not compatible with this session. */
|
---|
1241 | SSL_SESSION_free(sess);
|
---|
1242 | sess = NULL;
|
---|
1243 | s->ext.early_data_ok = 0;
|
---|
1244 | s->ext.ticket_expected = 0;
|
---|
1245 | continue;
|
---|
1246 | }
|
---|
1247 | break;
|
---|
1248 | }
|
---|
1249 |
|
---|
1250 | if (sess == NULL)
|
---|
1251 | return 1;
|
---|
1252 |
|
---|
1253 | binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
|
---|
1254 | hashsize = EVP_MD_size(md);
|
---|
1255 |
|
---|
1256 | if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
|
---|
1257 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1258 | SSL_R_BAD_EXTENSION);
|
---|
1259 | goto err;
|
---|
1260 | }
|
---|
1261 |
|
---|
1262 | for (i = 0; i <= id; i++) {
|
---|
1263 | if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
|
---|
1264 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1265 | SSL_R_BAD_EXTENSION);
|
---|
1266 | goto err;
|
---|
1267 | }
|
---|
1268 | }
|
---|
1269 |
|
---|
1270 | if (PACKET_remaining(&binder) != hashsize) {
|
---|
1271 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
|
---|
1272 | SSL_R_BAD_EXTENSION);
|
---|
1273 | goto err;
|
---|
1274 | }
|
---|
1275 | if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
|
---|
1276 | binderoffset, PACKET_data(&binder), NULL, sess, 0,
|
---|
1277 | ext) != 1) {
|
---|
1278 | /* SSLfatal() already called */
|
---|
1279 | goto err;
|
---|
1280 | }
|
---|
1281 |
|
---|
1282 | s->ext.tick_identity = id;
|
---|
1283 |
|
---|
1284 | SSL_SESSION_free(s->session);
|
---|
1285 | s->session = sess;
|
---|
1286 | return 1;
|
---|
1287 | err:
|
---|
1288 | SSL_SESSION_free(sess);
|
---|
1289 | return 0;
|
---|
1290 | }
|
---|
1291 |
|
---|
1292 | int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1293 | X509 *x, size_t chainidx)
|
---|
1294 | {
|
---|
1295 | if (PACKET_remaining(pkt) != 0) {
|
---|
1296 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
|
---|
1297 | SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
|
---|
1298 | return 0;
|
---|
1299 | }
|
---|
1300 |
|
---|
1301 | s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
|
---|
1302 |
|
---|
1303 | return 1;
|
---|
1304 | }
|
---|
1305 |
|
---|
1306 | /*
|
---|
1307 | * Add the server's renegotiation binding
|
---|
1308 | */
|
---|
1309 | EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
|
---|
1310 | unsigned int context, X509 *x,
|
---|
1311 | size_t chainidx)
|
---|
1312 | {
|
---|
1313 | if (!s->s3->send_connection_binding)
|
---|
1314 | return EXT_RETURN_NOT_SENT;
|
---|
1315 |
|
---|
1316 | /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
|
---|
1317 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
|
---|
1318 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1319 | || !WPACKET_start_sub_packet_u8(pkt)
|
---|
1320 | || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
|
---|
1321 | s->s3->previous_client_finished_len)
|
---|
1322 | || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
|
---|
1323 | s->s3->previous_server_finished_len)
|
---|
1324 | || !WPACKET_close(pkt)
|
---|
1325 | || !WPACKET_close(pkt)) {
|
---|
1326 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
|
---|
1327 | ERR_R_INTERNAL_ERROR);
|
---|
1328 | return EXT_RETURN_FAIL;
|
---|
1329 | }
|
---|
1330 |
|
---|
1331 | return EXT_RETURN_SENT;
|
---|
1332 | }
|
---|
1333 |
|
---|
1334 | EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
|
---|
1335 | unsigned int context, X509 *x,
|
---|
1336 | size_t chainidx)
|
---|
1337 | {
|
---|
1338 | if (s->servername_done != 1)
|
---|
1339 | return EXT_RETURN_NOT_SENT;
|
---|
1340 |
|
---|
1341 | /*
|
---|
1342 | * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
|
---|
1343 | * We just use the servername from the initial handshake.
|
---|
1344 | */
|
---|
1345 | if (s->hit && !SSL_IS_TLS13(s))
|
---|
1346 | return EXT_RETURN_NOT_SENT;
|
---|
1347 |
|
---|
1348 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
|
---|
1349 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
1350 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
|
---|
1351 | ERR_R_INTERNAL_ERROR);
|
---|
1352 | return EXT_RETURN_FAIL;
|
---|
1353 | }
|
---|
1354 |
|
---|
1355 | return EXT_RETURN_SENT;
|
---|
1356 | }
|
---|
1357 |
|
---|
1358 | /* Add/include the server's max fragment len extension into ServerHello */
|
---|
1359 | EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
|
---|
1360 | unsigned int context, X509 *x,
|
---|
1361 | size_t chainidx)
|
---|
1362 | {
|
---|
1363 | if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
|
---|
1364 | return EXT_RETURN_NOT_SENT;
|
---|
1365 |
|
---|
1366 | /*-
|
---|
1367 | * 4 bytes for this extension type and extension length
|
---|
1368 | * 1 byte for the Max Fragment Length code value.
|
---|
1369 | */
|
---|
1370 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
|
---|
1371 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1372 | || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
|
---|
1373 | || !WPACKET_close(pkt)) {
|
---|
1374 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1375 | SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
|
---|
1376 | return EXT_RETURN_FAIL;
|
---|
1377 | }
|
---|
1378 |
|
---|
1379 | return EXT_RETURN_SENT;
|
---|
1380 | }
|
---|
1381 |
|
---|
1382 | #ifndef OPENSSL_NO_EC
|
---|
1383 | EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
|
---|
1384 | unsigned int context, X509 *x,
|
---|
1385 | size_t chainidx)
|
---|
1386 | {
|
---|
1387 | unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
|
---|
1388 | unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
|
---|
1389 | int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
|
---|
1390 | && (s->ext.peer_ecpointformats != NULL);
|
---|
1391 | const unsigned char *plist;
|
---|
1392 | size_t plistlen;
|
---|
1393 |
|
---|
1394 | if (!using_ecc)
|
---|
1395 | return EXT_RETURN_NOT_SENT;
|
---|
1396 |
|
---|
1397 | tls1_get_formatlist(s, &plist, &plistlen);
|
---|
1398 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
|
---|
1399 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1400 | || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
|
---|
1401 | || !WPACKET_close(pkt)) {
|
---|
1402 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1403 | SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
|
---|
1404 | return EXT_RETURN_FAIL;
|
---|
1405 | }
|
---|
1406 |
|
---|
1407 | return EXT_RETURN_SENT;
|
---|
1408 | }
|
---|
1409 | #endif
|
---|
1410 |
|
---|
1411 | #ifndef OPENSSL_NO_EC
|
---|
1412 | EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
|
---|
1413 | unsigned int context, X509 *x,
|
---|
1414 | size_t chainidx)
|
---|
1415 | {
|
---|
1416 | const uint16_t *groups;
|
---|
1417 | size_t numgroups, i, first = 1;
|
---|
1418 |
|
---|
1419 | /* s->s3->group_id is non zero if we accepted a key_share */
|
---|
1420 | if (s->s3->group_id == 0)
|
---|
1421 | return EXT_RETURN_NOT_SENT;
|
---|
1422 |
|
---|
1423 | /* Get our list of supported groups */
|
---|
1424 | tls1_get_supported_groups(s, &groups, &numgroups);
|
---|
1425 | if (numgroups == 0) {
|
---|
1426 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1427 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
|
---|
1428 | return EXT_RETURN_FAIL;
|
---|
1429 | }
|
---|
1430 |
|
---|
1431 | /* Copy group ID if supported */
|
---|
1432 | for (i = 0; i < numgroups; i++) {
|
---|
1433 | uint16_t group = groups[i];
|
---|
1434 |
|
---|
1435 | if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
|
---|
1436 | if (first) {
|
---|
1437 | /*
|
---|
1438 | * Check if the client is already using our preferred group. If
|
---|
1439 | * so we don't need to add this extension
|
---|
1440 | */
|
---|
1441 | if (s->s3->group_id == group)
|
---|
1442 | return EXT_RETURN_NOT_SENT;
|
---|
1443 |
|
---|
1444 | /* Add extension header */
|
---|
1445 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
|
---|
1446 | /* Sub-packet for supported_groups extension */
|
---|
1447 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1448 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
1449 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1450 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
|
---|
1451 | ERR_R_INTERNAL_ERROR);
|
---|
1452 | return EXT_RETURN_FAIL;
|
---|
1453 | }
|
---|
1454 |
|
---|
1455 | first = 0;
|
---|
1456 | }
|
---|
1457 | if (!WPACKET_put_bytes_u16(pkt, group)) {
|
---|
1458 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1459 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
|
---|
1460 | ERR_R_INTERNAL_ERROR);
|
---|
1461 | return EXT_RETURN_FAIL;
|
---|
1462 | }
|
---|
1463 | }
|
---|
1464 | }
|
---|
1465 |
|
---|
1466 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
|
---|
1467 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1468 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
|
---|
1469 | ERR_R_INTERNAL_ERROR);
|
---|
1470 | return EXT_RETURN_FAIL;
|
---|
1471 | }
|
---|
1472 |
|
---|
1473 | return EXT_RETURN_SENT;
|
---|
1474 | }
|
---|
1475 | #endif
|
---|
1476 |
|
---|
1477 | EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
|
---|
1478 | unsigned int context, X509 *x,
|
---|
1479 | size_t chainidx)
|
---|
1480 | {
|
---|
1481 | if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
|
---|
1482 | s->ext.ticket_expected = 0;
|
---|
1483 | return EXT_RETURN_NOT_SENT;
|
---|
1484 | }
|
---|
1485 |
|
---|
1486 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
|
---|
1487 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
1488 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1489 | SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
|
---|
1490 | return EXT_RETURN_FAIL;
|
---|
1491 | }
|
---|
1492 |
|
---|
1493 | return EXT_RETURN_SENT;
|
---|
1494 | }
|
---|
1495 |
|
---|
1496 | #ifndef OPENSSL_NO_OCSP
|
---|
1497 | EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
|
---|
1498 | unsigned int context, X509 *x,
|
---|
1499 | size_t chainidx)
|
---|
1500 | {
|
---|
1501 | /* We don't currently support this extension inside a CertificateRequest */
|
---|
1502 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
|
---|
1503 | return EXT_RETURN_NOT_SENT;
|
---|
1504 |
|
---|
1505 | if (!s->ext.status_expected)
|
---|
1506 | return EXT_RETURN_NOT_SENT;
|
---|
1507 |
|
---|
1508 | if (SSL_IS_TLS13(s) && chainidx != 0)
|
---|
1509 | return EXT_RETURN_NOT_SENT;
|
---|
1510 |
|
---|
1511 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
|
---|
1512 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
1513 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1514 | SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
|
---|
1515 | return EXT_RETURN_FAIL;
|
---|
1516 | }
|
---|
1517 |
|
---|
1518 | /*
|
---|
1519 | * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
|
---|
1520 | * send back an empty extension, with the certificate status appearing as a
|
---|
1521 | * separate message
|
---|
1522 | */
|
---|
1523 | if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
|
---|
1524 | /* SSLfatal() already called */
|
---|
1525 | return EXT_RETURN_FAIL;
|
---|
1526 | }
|
---|
1527 | if (!WPACKET_close(pkt)) {
|
---|
1528 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1529 | SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
|
---|
1530 | return EXT_RETURN_FAIL;
|
---|
1531 | }
|
---|
1532 |
|
---|
1533 | return EXT_RETURN_SENT;
|
---|
1534 | }
|
---|
1535 | #endif
|
---|
1536 |
|
---|
1537 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1538 | EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
|
---|
1539 | unsigned int context, X509 *x,
|
---|
1540 | size_t chainidx)
|
---|
1541 | {
|
---|
1542 | const unsigned char *npa;
|
---|
1543 | unsigned int npalen;
|
---|
1544 | int ret;
|
---|
1545 | int npn_seen = s->s3->npn_seen;
|
---|
1546 |
|
---|
1547 | s->s3->npn_seen = 0;
|
---|
1548 | if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
|
---|
1549 | return EXT_RETURN_NOT_SENT;
|
---|
1550 |
|
---|
1551 | ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
|
---|
1552 | s->ctx->ext.npn_advertised_cb_arg);
|
---|
1553 | if (ret == SSL_TLSEXT_ERR_OK) {
|
---|
1554 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
|
---|
1555 | || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
|
---|
1556 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1557 | SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
|
---|
1558 | ERR_R_INTERNAL_ERROR);
|
---|
1559 | return EXT_RETURN_FAIL;
|
---|
1560 | }
|
---|
1561 | s->s3->npn_seen = 1;
|
---|
1562 | }
|
---|
1563 |
|
---|
1564 | return EXT_RETURN_SENT;
|
---|
1565 | }
|
---|
1566 | #endif
|
---|
1567 |
|
---|
1568 | EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
1569 | X509 *x, size_t chainidx)
|
---|
1570 | {
|
---|
1571 | if (s->s3->alpn_selected == NULL)
|
---|
1572 | return EXT_RETURN_NOT_SENT;
|
---|
1573 |
|
---|
1574 | if (!WPACKET_put_bytes_u16(pkt,
|
---|
1575 | TLSEXT_TYPE_application_layer_protocol_negotiation)
|
---|
1576 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1577 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1578 | || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
|
---|
1579 | s->s3->alpn_selected_len)
|
---|
1580 | || !WPACKET_close(pkt)
|
---|
1581 | || !WPACKET_close(pkt)) {
|
---|
1582 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1583 | SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
|
---|
1584 | return EXT_RETURN_FAIL;
|
---|
1585 | }
|
---|
1586 |
|
---|
1587 | return EXT_RETURN_SENT;
|
---|
1588 | }
|
---|
1589 |
|
---|
1590 | #ifndef OPENSSL_NO_SRTP
|
---|
1591 | EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
|
---|
1592 | unsigned int context, X509 *x,
|
---|
1593 | size_t chainidx)
|
---|
1594 | {
|
---|
1595 | if (s->srtp_profile == NULL)
|
---|
1596 | return EXT_RETURN_NOT_SENT;
|
---|
1597 |
|
---|
1598 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
|
---|
1599 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1600 | || !WPACKET_put_bytes_u16(pkt, 2)
|
---|
1601 | || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
|
---|
1602 | || !WPACKET_put_bytes_u8(pkt, 0)
|
---|
1603 | || !WPACKET_close(pkt)) {
|
---|
1604 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
|
---|
1605 | ERR_R_INTERNAL_ERROR);
|
---|
1606 | return EXT_RETURN_FAIL;
|
---|
1607 | }
|
---|
1608 |
|
---|
1609 | return EXT_RETURN_SENT;
|
---|
1610 | }
|
---|
1611 | #endif
|
---|
1612 |
|
---|
1613 | EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
1614 | X509 *x, size_t chainidx)
|
---|
1615 | {
|
---|
1616 | if (!s->ext.use_etm)
|
---|
1617 | return EXT_RETURN_NOT_SENT;
|
---|
1618 |
|
---|
1619 | /*
|
---|
1620 | * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
|
---|
1621 | * for other cases too.
|
---|
1622 | */
|
---|
1623 | if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
|
---|
1624 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
|
---|
1625 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
|
---|
1626 | || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
|
---|
1627 | s->ext.use_etm = 0;
|
---|
1628 | return EXT_RETURN_NOT_SENT;
|
---|
1629 | }
|
---|
1630 |
|
---|
1631 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
|
---|
1632 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
1633 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
|
---|
1634 | ERR_R_INTERNAL_ERROR);
|
---|
1635 | return EXT_RETURN_FAIL;
|
---|
1636 | }
|
---|
1637 |
|
---|
1638 | return EXT_RETURN_SENT;
|
---|
1639 | }
|
---|
1640 |
|
---|
1641 | EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
1642 | X509 *x, size_t chainidx)
|
---|
1643 | {
|
---|
1644 | if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
|
---|
1645 | return EXT_RETURN_NOT_SENT;
|
---|
1646 |
|
---|
1647 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
---|
1648 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
1649 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
|
---|
1650 | ERR_R_INTERNAL_ERROR);
|
---|
1651 | return EXT_RETURN_FAIL;
|
---|
1652 | }
|
---|
1653 |
|
---|
1654 | return EXT_RETURN_SENT;
|
---|
1655 | }
|
---|
1656 |
|
---|
1657 | EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
|
---|
1658 | unsigned int context, X509 *x,
|
---|
1659 | size_t chainidx)
|
---|
1660 | {
|
---|
1661 | if (!ossl_assert(SSL_IS_TLS13(s))) {
|
---|
1662 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1663 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
|
---|
1664 | ERR_R_INTERNAL_ERROR);
|
---|
1665 | return EXT_RETURN_FAIL;
|
---|
1666 | }
|
---|
1667 |
|
---|
1668 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
|
---|
1669 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1670 | || !WPACKET_put_bytes_u16(pkt, s->version)
|
---|
1671 | || !WPACKET_close(pkt)) {
|
---|
1672 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1673 | SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
|
---|
1674 | ERR_R_INTERNAL_ERROR);
|
---|
1675 | return EXT_RETURN_FAIL;
|
---|
1676 | }
|
---|
1677 |
|
---|
1678 | return EXT_RETURN_SENT;
|
---|
1679 | }
|
---|
1680 |
|
---|
1681 | EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
|
---|
1682 | unsigned int context, X509 *x,
|
---|
1683 | size_t chainidx)
|
---|
1684 | {
|
---|
1685 | #ifndef OPENSSL_NO_TLS1_3
|
---|
1686 | unsigned char *encodedPoint;
|
---|
1687 | size_t encoded_pt_len = 0;
|
---|
1688 | EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
|
---|
1689 |
|
---|
1690 | if (s->hello_retry_request == SSL_HRR_PENDING) {
|
---|
1691 | if (ckey != NULL) {
|
---|
1692 | /* Original key_share was acceptable so don't ask for another one */
|
---|
1693 | return EXT_RETURN_NOT_SENT;
|
---|
1694 | }
|
---|
1695 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|
---|
1696 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1697 | || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
|
---|
1698 | || !WPACKET_close(pkt)) {
|
---|
1699 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1700 | SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
|
---|
1701 | ERR_R_INTERNAL_ERROR);
|
---|
1702 | return EXT_RETURN_FAIL;
|
---|
1703 | }
|
---|
1704 |
|
---|
1705 | return EXT_RETURN_SENT;
|
---|
1706 | }
|
---|
1707 |
|
---|
1708 | if (ckey == NULL) {
|
---|
1709 | /* No key_share received from client - must be resuming */
|
---|
1710 | if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
|
---|
1711 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1712 | SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
|
---|
1713 | return EXT_RETURN_FAIL;
|
---|
1714 | }
|
---|
1715 | return EXT_RETURN_NOT_SENT;
|
---|
1716 | }
|
---|
1717 |
|
---|
1718 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|
---|
1719 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1720 | || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
|
---|
1721 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1722 | SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
|
---|
1723 | return EXT_RETURN_FAIL;
|
---|
1724 | }
|
---|
1725 |
|
---|
1726 | skey = ssl_generate_pkey(ckey);
|
---|
1727 | if (skey == NULL) {
|
---|
1728 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
|
---|
1729 | ERR_R_MALLOC_FAILURE);
|
---|
1730 | return EXT_RETURN_FAIL;
|
---|
1731 | }
|
---|
1732 |
|
---|
1733 | /* Generate encoding of server key */
|
---|
1734 | encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
|
---|
1735 | if (encoded_pt_len == 0) {
|
---|
1736 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
|
---|
1737 | ERR_R_EC_LIB);
|
---|
1738 | EVP_PKEY_free(skey);
|
---|
1739 | return EXT_RETURN_FAIL;
|
---|
1740 | }
|
---|
1741 |
|
---|
1742 | if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
|
---|
1743 | || !WPACKET_close(pkt)) {
|
---|
1744 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
|
---|
1745 | ERR_R_INTERNAL_ERROR);
|
---|
1746 | EVP_PKEY_free(skey);
|
---|
1747 | OPENSSL_free(encodedPoint);
|
---|
1748 | return EXT_RETURN_FAIL;
|
---|
1749 | }
|
---|
1750 | OPENSSL_free(encodedPoint);
|
---|
1751 |
|
---|
1752 | /* This causes the crypto state to be updated based on the derived keys */
|
---|
1753 | s->s3->tmp.pkey = skey;
|
---|
1754 | if (ssl_derive(s, skey, ckey, 1) == 0) {
|
---|
1755 | /* SSLfatal() already called */
|
---|
1756 | return EXT_RETURN_FAIL;
|
---|
1757 | }
|
---|
1758 | return EXT_RETURN_SENT;
|
---|
1759 | #else
|
---|
1760 | return EXT_RETURN_FAIL;
|
---|
1761 | #endif
|
---|
1762 | }
|
---|
1763 |
|
---|
1764 | EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
1765 | X509 *x, size_t chainidx)
|
---|
1766 | {
|
---|
1767 | #ifndef OPENSSL_NO_TLS1_3
|
---|
1768 | unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
|
---|
1769 | unsigned char *hmac, *hmac2;
|
---|
1770 | size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
|
---|
1771 | EVP_MD_CTX *hctx;
|
---|
1772 | EVP_PKEY *pkey;
|
---|
1773 | int ret = EXT_RETURN_FAIL;
|
---|
1774 |
|
---|
1775 | if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
|
---|
1776 | return EXT_RETURN_NOT_SENT;
|
---|
1777 |
|
---|
1778 | if (s->ctx->gen_stateless_cookie_cb == NULL) {
|
---|
1779 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1780 | SSL_R_NO_COOKIE_CALLBACK_SET);
|
---|
1781 | return EXT_RETURN_FAIL;
|
---|
1782 | }
|
---|
1783 |
|
---|
1784 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
|
---|
1785 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1786 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1787 | || !WPACKET_get_total_written(pkt, &startlen)
|
---|
1788 | || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
|
---|
1789 | || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
|
---|
1790 | || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
|
---|
1791 | || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
|
---|
1792 | || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
|
---|
1793 | &ciphlen)
|
---|
1794 | /* Is there a key_share extension present in this HRR? */
|
---|
1795 | || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
|
---|
1796 | || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
|
---|
1797 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1798 | || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
|
---|
1799 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1800 | ERR_R_INTERNAL_ERROR);
|
---|
1801 | return EXT_RETURN_FAIL;
|
---|
1802 | }
|
---|
1803 |
|
---|
1804 | /*
|
---|
1805 | * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
|
---|
1806 | * on raw buffers, so we first reserve sufficient bytes (above) and then
|
---|
1807 | * subsequently allocate them (below)
|
---|
1808 | */
|
---|
1809 | if (!ssl3_digest_cached_records(s, 0)
|
---|
1810 | || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
|
---|
1811 | /* SSLfatal() already called */
|
---|
1812 | return EXT_RETURN_FAIL;
|
---|
1813 | }
|
---|
1814 |
|
---|
1815 | if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
|
---|
1816 | || !ossl_assert(hashval1 == hashval2)
|
---|
1817 | || !WPACKET_close(pkt)
|
---|
1818 | || !WPACKET_start_sub_packet_u8(pkt)
|
---|
1819 | || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
|
---|
1820 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1821 | ERR_R_INTERNAL_ERROR);
|
---|
1822 | return EXT_RETURN_FAIL;
|
---|
1823 | }
|
---|
1824 |
|
---|
1825 | /* Generate the application cookie */
|
---|
1826 | if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
|
---|
1827 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1828 | SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
|
---|
1829 | return EXT_RETURN_FAIL;
|
---|
1830 | }
|
---|
1831 |
|
---|
1832 | if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
|
---|
1833 | || !ossl_assert(appcookie1 == appcookie2)
|
---|
1834 | || !WPACKET_close(pkt)
|
---|
1835 | || !WPACKET_get_total_written(pkt, &totcookielen)
|
---|
1836 | || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
|
---|
1837 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1838 | ERR_R_INTERNAL_ERROR);
|
---|
1839 | return EXT_RETURN_FAIL;
|
---|
1840 | }
|
---|
1841 | hmaclen = SHA256_DIGEST_LENGTH;
|
---|
1842 |
|
---|
1843 | totcookielen -= startlen;
|
---|
1844 | if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
|
---|
1845 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1846 | ERR_R_INTERNAL_ERROR);
|
---|
1847 | return EXT_RETURN_FAIL;
|
---|
1848 | }
|
---|
1849 |
|
---|
1850 | /* HMAC the cookie */
|
---|
1851 | hctx = EVP_MD_CTX_create();
|
---|
1852 | pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
|
---|
1853 | s->session_ctx->ext.cookie_hmac_key,
|
---|
1854 | sizeof(s->session_ctx->ext
|
---|
1855 | .cookie_hmac_key));
|
---|
1856 | if (hctx == NULL || pkey == NULL) {
|
---|
1857 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1858 | ERR_R_MALLOC_FAILURE);
|
---|
1859 | goto err;
|
---|
1860 | }
|
---|
1861 |
|
---|
1862 | if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
|
---|
1863 | || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
|
---|
1864 | totcookielen) <= 0) {
|
---|
1865 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1866 | ERR_R_INTERNAL_ERROR);
|
---|
1867 | goto err;
|
---|
1868 | }
|
---|
1869 |
|
---|
1870 | if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
|
---|
1871 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1872 | ERR_R_INTERNAL_ERROR);
|
---|
1873 | goto err;
|
---|
1874 | }
|
---|
1875 |
|
---|
1876 | if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
|
---|
1877 | || !ossl_assert(hmac == hmac2)
|
---|
1878 | || !ossl_assert(cookie == hmac - totcookielen)
|
---|
1879 | || !WPACKET_close(pkt)
|
---|
1880 | || !WPACKET_close(pkt)) {
|
---|
1881 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
|
---|
1882 | ERR_R_INTERNAL_ERROR);
|
---|
1883 | goto err;
|
---|
1884 | }
|
---|
1885 |
|
---|
1886 | ret = EXT_RETURN_SENT;
|
---|
1887 |
|
---|
1888 | err:
|
---|
1889 | EVP_MD_CTX_free(hctx);
|
---|
1890 | EVP_PKEY_free(pkey);
|
---|
1891 | return ret;
|
---|
1892 | #else
|
---|
1893 | return EXT_RETURN_FAIL;
|
---|
1894 | #endif
|
---|
1895 | }
|
---|
1896 |
|
---|
1897 | EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
|
---|
1898 | unsigned int context, X509 *x,
|
---|
1899 | size_t chainidx)
|
---|
1900 | {
|
---|
1901 | const unsigned char cryptopro_ext[36] = {
|
---|
1902 | 0xfd, 0xe8, /* 65000 */
|
---|
1903 | 0x00, 0x20, /* 32 bytes length */
|
---|
1904 | 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
|
---|
1905 | 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
|
---|
1906 | 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
|
---|
1907 | 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
|
---|
1908 | };
|
---|
1909 |
|
---|
1910 | if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
|
---|
1911 | && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
|
---|
1912 | || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
|
---|
1913 | return EXT_RETURN_NOT_SENT;
|
---|
1914 |
|
---|
1915 | if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
|
---|
1916 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1917 | SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
|
---|
1918 | return EXT_RETURN_FAIL;
|
---|
1919 | }
|
---|
1920 |
|
---|
1921 | return EXT_RETURN_SENT;
|
---|
1922 | }
|
---|
1923 |
|
---|
1924 | EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
|
---|
1925 | unsigned int context, X509 *x,
|
---|
1926 | size_t chainidx)
|
---|
1927 | {
|
---|
1928 | if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
|
---|
1929 | if (s->max_early_data == 0)
|
---|
1930 | return EXT_RETURN_NOT_SENT;
|
---|
1931 |
|
---|
1932 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
|
---|
1933 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1934 | || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
|
---|
1935 | || !WPACKET_close(pkt)) {
|
---|
1936 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1937 | SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
|
---|
1938 | return EXT_RETURN_FAIL;
|
---|
1939 | }
|
---|
1940 |
|
---|
1941 | return EXT_RETURN_SENT;
|
---|
1942 | }
|
---|
1943 |
|
---|
1944 | if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
|
---|
1945 | return EXT_RETURN_NOT_SENT;
|
---|
1946 |
|
---|
1947 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
|
---|
1948 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1949 | || !WPACKET_close(pkt)) {
|
---|
1950 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
|
---|
1951 | ERR_R_INTERNAL_ERROR);
|
---|
1952 | return EXT_RETURN_FAIL;
|
---|
1953 | }
|
---|
1954 |
|
---|
1955 | return EXT_RETURN_SENT;
|
---|
1956 | }
|
---|
1957 |
|
---|
1958 | EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
1959 | X509 *x, size_t chainidx)
|
---|
1960 | {
|
---|
1961 | if (!s->hit)
|
---|
1962 | return EXT_RETURN_NOT_SENT;
|
---|
1963 |
|
---|
1964 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|
---|
1965 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1966 | || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
|
---|
1967 | || !WPACKET_close(pkt)) {
|
---|
1968 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
1969 | SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
|
---|
1970 | return EXT_RETURN_FAIL;
|
---|
1971 | }
|
---|
1972 |
|
---|
1973 | return EXT_RETURN_SENT;
|
---|
1974 | }
|
---|