1 | /*
|
---|
2 | * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <openssl/ocsp.h>
|
---|
11 | #include "../ssl_local.h"
|
---|
12 | #include "internal/cryptlib.h"
|
---|
13 | #include "statem_local.h"
|
---|
14 |
|
---|
15 | EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
|
---|
16 | unsigned int context, X509 *x,
|
---|
17 | size_t chainidx)
|
---|
18 | {
|
---|
19 | /* Add RI if renegotiating */
|
---|
20 | if (!s->renegotiate)
|
---|
21 | return EXT_RETURN_NOT_SENT;
|
---|
22 |
|
---|
23 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
|
---|
24 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
25 | || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
|
---|
26 | s->s3.previous_client_finished_len)
|
---|
27 | || !WPACKET_close(pkt)) {
|
---|
28 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
29 | return EXT_RETURN_FAIL;
|
---|
30 | }
|
---|
31 |
|
---|
32 | return EXT_RETURN_SENT;
|
---|
33 | }
|
---|
34 |
|
---|
35 | EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
|
---|
36 | unsigned int context, X509 *x,
|
---|
37 | size_t chainidx)
|
---|
38 | {
|
---|
39 | if (s->ext.hostname == NULL)
|
---|
40 | return EXT_RETURN_NOT_SENT;
|
---|
41 |
|
---|
42 | /* Add TLS extension servername to the Client Hello message */
|
---|
43 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
|
---|
44 | /* Sub-packet for server_name extension */
|
---|
45 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
46 | /* Sub-packet for servername list (always 1 hostname)*/
|
---|
47 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
48 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
|
---|
49 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
|
---|
50 | strlen(s->ext.hostname))
|
---|
51 | || !WPACKET_close(pkt)
|
---|
52 | || !WPACKET_close(pkt)) {
|
---|
53 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
54 | return EXT_RETURN_FAIL;
|
---|
55 | }
|
---|
56 |
|
---|
57 | return EXT_RETURN_SENT;
|
---|
58 | }
|
---|
59 |
|
---|
60 | /* Push a Max Fragment Len extension into ClientHello */
|
---|
61 | EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
|
---|
62 | unsigned int context, X509 *x,
|
---|
63 | size_t chainidx)
|
---|
64 | {
|
---|
65 | if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
|
---|
66 | return EXT_RETURN_NOT_SENT;
|
---|
67 |
|
---|
68 | /* Add Max Fragment Length extension if client enabled it. */
|
---|
69 | /*-
|
---|
70 | * 4 bytes for this extension type and extension length
|
---|
71 | * 1 byte for the Max Fragment Length code value.
|
---|
72 | */
|
---|
73 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
|
---|
74 | /* Sub-packet for Max Fragment Length extension (1 byte) */
|
---|
75 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
76 | || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
|
---|
77 | || !WPACKET_close(pkt)) {
|
---|
78 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
79 | return EXT_RETURN_FAIL;
|
---|
80 | }
|
---|
81 |
|
---|
82 | return EXT_RETURN_SENT;
|
---|
83 | }
|
---|
84 |
|
---|
85 | #ifndef OPENSSL_NO_SRP
|
---|
86 | EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
87 | X509 *x, size_t chainidx)
|
---|
88 | {
|
---|
89 | /* Add SRP username if there is one */
|
---|
90 | if (s->srp_ctx.login == NULL)
|
---|
91 | return EXT_RETURN_NOT_SENT;
|
---|
92 |
|
---|
93 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
|
---|
94 | /* Sub-packet for SRP extension */
|
---|
95 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
96 | || !WPACKET_start_sub_packet_u8(pkt)
|
---|
97 | /* login must not be zero...internal error if so */
|
---|
98 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
|
---|
99 | || !WPACKET_memcpy(pkt, s->srp_ctx.login,
|
---|
100 | strlen(s->srp_ctx.login))
|
---|
101 | || !WPACKET_close(pkt)
|
---|
102 | || !WPACKET_close(pkt)) {
|
---|
103 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
104 | return EXT_RETURN_FAIL;
|
---|
105 | }
|
---|
106 |
|
---|
107 | return EXT_RETURN_SENT;
|
---|
108 | }
|
---|
109 | #endif
|
---|
110 |
|
---|
111 | static int use_ecc(SSL *s, int min_version, int max_version)
|
---|
112 | {
|
---|
113 | int i, end, ret = 0;
|
---|
114 | unsigned long alg_k, alg_a;
|
---|
115 | STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
|
---|
116 | const uint16_t *pgroups = NULL;
|
---|
117 | size_t num_groups, j;
|
---|
118 |
|
---|
119 | /* See if we support any ECC ciphersuites */
|
---|
120 | if (s->version == SSL3_VERSION)
|
---|
121 | return 0;
|
---|
122 |
|
---|
123 | cipher_stack = SSL_get1_supported_ciphers(s);
|
---|
124 | end = sk_SSL_CIPHER_num(cipher_stack);
|
---|
125 | for (i = 0; i < end; i++) {
|
---|
126 | const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
|
---|
127 |
|
---|
128 | alg_k = c->algorithm_mkey;
|
---|
129 | alg_a = c->algorithm_auth;
|
---|
130 | if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
|
---|
131 | || (alg_a & SSL_aECDSA)
|
---|
132 | || c->min_tls >= TLS1_3_VERSION) {
|
---|
133 | ret = 1;
|
---|
134 | break;
|
---|
135 | }
|
---|
136 | }
|
---|
137 | sk_SSL_CIPHER_free(cipher_stack);
|
---|
138 | if (!ret)
|
---|
139 | return 0;
|
---|
140 |
|
---|
141 | /* Check we have at least one EC supported group */
|
---|
142 | tls1_get_supported_groups(s, &pgroups, &num_groups);
|
---|
143 | for (j = 0; j < num_groups; j++) {
|
---|
144 | uint16_t ctmp = pgroups[j];
|
---|
145 |
|
---|
146 | if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
|
---|
147 | && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
|
---|
148 | return 1;
|
---|
149 | }
|
---|
150 |
|
---|
151 | return 0;
|
---|
152 | }
|
---|
153 |
|
---|
154 | EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
|
---|
155 | unsigned int context, X509 *x,
|
---|
156 | size_t chainidx)
|
---|
157 | {
|
---|
158 | const unsigned char *pformats;
|
---|
159 | size_t num_formats;
|
---|
160 | int reason, min_version, max_version;
|
---|
161 |
|
---|
162 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
|
---|
163 | if (reason != 0) {
|
---|
164 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
|
---|
165 | return EXT_RETURN_FAIL;
|
---|
166 | }
|
---|
167 | if (!use_ecc(s, min_version, max_version))
|
---|
168 | return EXT_RETURN_NOT_SENT;
|
---|
169 |
|
---|
170 | /* Add TLS extension ECPointFormats to the ClientHello message */
|
---|
171 | tls1_get_formatlist(s, &pformats, &num_formats);
|
---|
172 |
|
---|
173 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
|
---|
174 | /* Sub-packet for formats extension */
|
---|
175 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
176 | || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
|
---|
177 | || !WPACKET_close(pkt)) {
|
---|
178 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
179 | return EXT_RETURN_FAIL;
|
---|
180 | }
|
---|
181 |
|
---|
182 | return EXT_RETURN_SENT;
|
---|
183 | }
|
---|
184 |
|
---|
185 | EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
|
---|
186 | unsigned int context, X509 *x,
|
---|
187 | size_t chainidx)
|
---|
188 | {
|
---|
189 | const uint16_t *pgroups = NULL;
|
---|
190 | size_t num_groups = 0, i, tls13added = 0, added = 0;
|
---|
191 | int min_version, max_version, reason;
|
---|
192 |
|
---|
193 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
|
---|
194 | if (reason != 0) {
|
---|
195 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
|
---|
196 | return EXT_RETURN_FAIL;
|
---|
197 | }
|
---|
198 |
|
---|
199 | /*
|
---|
200 | * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
|
---|
201 | * if we don't have EC support then we don't send this extension.
|
---|
202 | */
|
---|
203 | if (!use_ecc(s, min_version, max_version)
|
---|
204 | && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
|
---|
205 | return EXT_RETURN_NOT_SENT;
|
---|
206 |
|
---|
207 | /*
|
---|
208 | * Add TLS extension supported_groups to the ClientHello message
|
---|
209 | */
|
---|
210 | tls1_get_supported_groups(s, &pgroups, &num_groups);
|
---|
211 |
|
---|
212 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
|
---|
213 | /* Sub-packet for supported_groups extension */
|
---|
214 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
215 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
216 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
|
---|
217 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
218 | return EXT_RETURN_FAIL;
|
---|
219 | }
|
---|
220 | /* Copy group ID if supported */
|
---|
221 | for (i = 0; i < num_groups; i++) {
|
---|
222 | uint16_t ctmp = pgroups[i];
|
---|
223 | int okfortls13;
|
---|
224 |
|
---|
225 | if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
|
---|
226 | && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
|
---|
227 | if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
|
---|
228 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
229 | return EXT_RETURN_FAIL;
|
---|
230 | }
|
---|
231 | if (okfortls13 && max_version == TLS1_3_VERSION)
|
---|
232 | tls13added++;
|
---|
233 | added++;
|
---|
234 | }
|
---|
235 | }
|
---|
236 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
|
---|
237 | if (added == 0)
|
---|
238 | SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
|
---|
239 | "No groups enabled for max supported SSL/TLS version");
|
---|
240 | else
|
---|
241 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
242 | return EXT_RETURN_FAIL;
|
---|
243 | }
|
---|
244 |
|
---|
245 | if (tls13added == 0 && max_version == TLS1_3_VERSION) {
|
---|
246 | SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
|
---|
247 | "No groups enabled for max supported SSL/TLS version");
|
---|
248 | return EXT_RETURN_FAIL;
|
---|
249 | }
|
---|
250 |
|
---|
251 | return EXT_RETURN_SENT;
|
---|
252 | }
|
---|
253 |
|
---|
254 | EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
|
---|
255 | unsigned int context, X509 *x,
|
---|
256 | size_t chainidx)
|
---|
257 | {
|
---|
258 | size_t ticklen;
|
---|
259 |
|
---|
260 | if (!tls_use_ticket(s))
|
---|
261 | return EXT_RETURN_NOT_SENT;
|
---|
262 |
|
---|
263 | if (!s->new_session && s->session != NULL
|
---|
264 | && s->session->ext.tick != NULL
|
---|
265 | && s->session->ssl_version != TLS1_3_VERSION) {
|
---|
266 | ticklen = s->session->ext.ticklen;
|
---|
267 | } else if (s->session && s->ext.session_ticket != NULL
|
---|
268 | && s->ext.session_ticket->data != NULL) {
|
---|
269 | ticklen = s->ext.session_ticket->length;
|
---|
270 | s->session->ext.tick = OPENSSL_malloc(ticklen);
|
---|
271 | if (s->session->ext.tick == NULL) {
|
---|
272 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
273 | return EXT_RETURN_FAIL;
|
---|
274 | }
|
---|
275 | memcpy(s->session->ext.tick,
|
---|
276 | s->ext.session_ticket->data, ticklen);
|
---|
277 | s->session->ext.ticklen = ticklen;
|
---|
278 | } else {
|
---|
279 | ticklen = 0;
|
---|
280 | }
|
---|
281 |
|
---|
282 | if (ticklen == 0 && s->ext.session_ticket != NULL &&
|
---|
283 | s->ext.session_ticket->data == NULL)
|
---|
284 | return EXT_RETURN_NOT_SENT;
|
---|
285 |
|
---|
286 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
|
---|
287 | || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
|
---|
288 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
289 | return EXT_RETURN_FAIL;
|
---|
290 | }
|
---|
291 |
|
---|
292 | return EXT_RETURN_SENT;
|
---|
293 | }
|
---|
294 |
|
---|
295 | EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
|
---|
296 | unsigned int context, X509 *x,
|
---|
297 | size_t chainidx)
|
---|
298 | {
|
---|
299 | size_t salglen;
|
---|
300 | const uint16_t *salg;
|
---|
301 |
|
---|
302 | if (!SSL_CLIENT_USE_SIGALGS(s))
|
---|
303 | return EXT_RETURN_NOT_SENT;
|
---|
304 |
|
---|
305 | salglen = tls12_get_psigalgs(s, 1, &salg);
|
---|
306 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
|
---|
307 | /* Sub-packet for sig-algs extension */
|
---|
308 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
309 | /* Sub-packet for the actual list */
|
---|
310 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
311 | || !tls12_copy_sigalgs(s, pkt, salg, salglen)
|
---|
312 | || !WPACKET_close(pkt)
|
---|
313 | || !WPACKET_close(pkt)) {
|
---|
314 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
315 | return EXT_RETURN_FAIL;
|
---|
316 | }
|
---|
317 |
|
---|
318 | return EXT_RETURN_SENT;
|
---|
319 | }
|
---|
320 |
|
---|
321 | #ifndef OPENSSL_NO_OCSP
|
---|
322 | EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
|
---|
323 | unsigned int context, X509 *x,
|
---|
324 | size_t chainidx)
|
---|
325 | {
|
---|
326 | int i;
|
---|
327 |
|
---|
328 | /* This extension isn't defined for client Certificates */
|
---|
329 | if (x != NULL)
|
---|
330 | return EXT_RETURN_NOT_SENT;
|
---|
331 |
|
---|
332 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
|
---|
333 | return EXT_RETURN_NOT_SENT;
|
---|
334 |
|
---|
335 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
|
---|
336 | /* Sub-packet for status request extension */
|
---|
337 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
338 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
|
---|
339 | /* Sub-packet for the ids */
|
---|
340 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
341 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
342 | return EXT_RETURN_FAIL;
|
---|
343 | }
|
---|
344 | for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
|
---|
345 | unsigned char *idbytes;
|
---|
346 | OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
|
---|
347 | int idlen = i2d_OCSP_RESPID(id, NULL);
|
---|
348 |
|
---|
349 | if (idlen <= 0
|
---|
350 | /* Sub-packet for an individual id */
|
---|
351 | || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
|
---|
352 | || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
|
---|
353 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
354 | return EXT_RETURN_FAIL;
|
---|
355 | }
|
---|
356 | }
|
---|
357 | if (!WPACKET_close(pkt)
|
---|
358 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
359 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
360 | return EXT_RETURN_FAIL;
|
---|
361 | }
|
---|
362 | if (s->ext.ocsp.exts) {
|
---|
363 | unsigned char *extbytes;
|
---|
364 | int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
|
---|
365 |
|
---|
366 | if (extlen < 0) {
|
---|
367 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
368 | return EXT_RETURN_FAIL;
|
---|
369 | }
|
---|
370 | if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
|
---|
371 | || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
|
---|
372 | != extlen) {
|
---|
373 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
374 | return EXT_RETURN_FAIL;
|
---|
375 | }
|
---|
376 | }
|
---|
377 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
|
---|
378 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
379 | return EXT_RETURN_FAIL;
|
---|
380 | }
|
---|
381 |
|
---|
382 | return EXT_RETURN_SENT;
|
---|
383 | }
|
---|
384 | #endif
|
---|
385 |
|
---|
386 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
387 | EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
388 | X509 *x, size_t chainidx)
|
---|
389 | {
|
---|
390 | if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
|
---|
391 | return EXT_RETURN_NOT_SENT;
|
---|
392 |
|
---|
393 | /*
|
---|
394 | * The client advertises an empty extension to indicate its support
|
---|
395 | * for Next Protocol Negotiation
|
---|
396 | */
|
---|
397 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
|
---|
398 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
399 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
400 | return EXT_RETURN_FAIL;
|
---|
401 | }
|
---|
402 |
|
---|
403 | return EXT_RETURN_SENT;
|
---|
404 | }
|
---|
405 | #endif
|
---|
406 |
|
---|
407 | EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
408 | X509 *x, size_t chainidx)
|
---|
409 | {
|
---|
410 | s->s3.alpn_sent = 0;
|
---|
411 |
|
---|
412 | if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
|
---|
413 | return EXT_RETURN_NOT_SENT;
|
---|
414 |
|
---|
415 | if (!WPACKET_put_bytes_u16(pkt,
|
---|
416 | TLSEXT_TYPE_application_layer_protocol_negotiation)
|
---|
417 | /* Sub-packet ALPN extension */
|
---|
418 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
419 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
|
---|
420 | || !WPACKET_close(pkt)) {
|
---|
421 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
422 | return EXT_RETURN_FAIL;
|
---|
423 | }
|
---|
424 | s->s3.alpn_sent = 1;
|
---|
425 |
|
---|
426 | return EXT_RETURN_SENT;
|
---|
427 | }
|
---|
428 |
|
---|
429 |
|
---|
430 | #ifndef OPENSSL_NO_SRTP
|
---|
431 | EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
|
---|
432 | unsigned int context, X509 *x,
|
---|
433 | size_t chainidx)
|
---|
434 | {
|
---|
435 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
|
---|
436 | int i, end;
|
---|
437 |
|
---|
438 | if (clnt == NULL)
|
---|
439 | return EXT_RETURN_NOT_SENT;
|
---|
440 |
|
---|
441 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
|
---|
442 | /* Sub-packet for SRTP extension */
|
---|
443 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
444 | /* Sub-packet for the protection profile list */
|
---|
445 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
446 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
447 | return EXT_RETURN_FAIL;
|
---|
448 | }
|
---|
449 |
|
---|
450 | end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
|
---|
451 | for (i = 0; i < end; i++) {
|
---|
452 | const SRTP_PROTECTION_PROFILE *prof =
|
---|
453 | sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
|
---|
454 |
|
---|
455 | if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
|
---|
456 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
457 | return EXT_RETURN_FAIL;
|
---|
458 | }
|
---|
459 | }
|
---|
460 | if (!WPACKET_close(pkt)
|
---|
461 | /* Add an empty use_mki value */
|
---|
462 | || !WPACKET_put_bytes_u8(pkt, 0)
|
---|
463 | || !WPACKET_close(pkt)) {
|
---|
464 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
465 | return EXT_RETURN_FAIL;
|
---|
466 | }
|
---|
467 |
|
---|
468 | return EXT_RETURN_SENT;
|
---|
469 | }
|
---|
470 | #endif
|
---|
471 |
|
---|
472 | EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
473 | X509 *x, size_t chainidx)
|
---|
474 | {
|
---|
475 | if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
|
---|
476 | return EXT_RETURN_NOT_SENT;
|
---|
477 |
|
---|
478 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
|
---|
479 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
480 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
481 | return EXT_RETURN_FAIL;
|
---|
482 | }
|
---|
483 |
|
---|
484 | return EXT_RETURN_SENT;
|
---|
485 | }
|
---|
486 |
|
---|
487 | #ifndef OPENSSL_NO_CT
|
---|
488 | EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
489 | X509 *x, size_t chainidx)
|
---|
490 | {
|
---|
491 | if (s->ct_validation_callback == NULL)
|
---|
492 | return EXT_RETURN_NOT_SENT;
|
---|
493 |
|
---|
494 | /* Not defined for client Certificates */
|
---|
495 | if (x != NULL)
|
---|
496 | return EXT_RETURN_NOT_SENT;
|
---|
497 |
|
---|
498 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
|
---|
499 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
500 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
501 | return EXT_RETURN_FAIL;
|
---|
502 | }
|
---|
503 |
|
---|
504 | return EXT_RETURN_SENT;
|
---|
505 | }
|
---|
506 | #endif
|
---|
507 |
|
---|
508 | EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
509 | X509 *x, size_t chainidx)
|
---|
510 | {
|
---|
511 | if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
|
---|
512 | return EXT_RETURN_NOT_SENT;
|
---|
513 |
|
---|
514 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
|
---|
515 | || !WPACKET_put_bytes_u16(pkt, 0)) {
|
---|
516 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
517 | return EXT_RETURN_FAIL;
|
---|
518 | }
|
---|
519 |
|
---|
520 | return EXT_RETURN_SENT;
|
---|
521 | }
|
---|
522 |
|
---|
523 | EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
---|
524 | unsigned int context, X509 *x,
|
---|
525 | size_t chainidx)
|
---|
526 | {
|
---|
527 | int currv, min_version, max_version, reason;
|
---|
528 |
|
---|
529 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
|
---|
530 | if (reason != 0) {
|
---|
531 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
|
---|
532 | return EXT_RETURN_FAIL;
|
---|
533 | }
|
---|
534 |
|
---|
535 | /*
|
---|
536 | * Don't include this if we can't negotiate TLSv1.3. We can do a straight
|
---|
537 | * comparison here because we will never be called in DTLS.
|
---|
538 | */
|
---|
539 | if (max_version < TLS1_3_VERSION)
|
---|
540 | return EXT_RETURN_NOT_SENT;
|
---|
541 |
|
---|
542 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
|
---|
543 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
544 | || !WPACKET_start_sub_packet_u8(pkt)) {
|
---|
545 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
546 | return EXT_RETURN_FAIL;
|
---|
547 | }
|
---|
548 |
|
---|
549 | for (currv = max_version; currv >= min_version; currv--) {
|
---|
550 | if (!WPACKET_put_bytes_u16(pkt, currv)) {
|
---|
551 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
552 | return EXT_RETURN_FAIL;
|
---|
553 | }
|
---|
554 | }
|
---|
555 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
|
---|
556 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
557 | return EXT_RETURN_FAIL;
|
---|
558 | }
|
---|
559 |
|
---|
560 | return EXT_RETURN_SENT;
|
---|
561 | }
|
---|
562 |
|
---|
563 | /*
|
---|
564 | * Construct a psk_kex_modes extension.
|
---|
565 | */
|
---|
566 | EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
|
---|
567 | unsigned int context, X509 *x,
|
---|
568 | size_t chainidx)
|
---|
569 | {
|
---|
570 | #ifndef OPENSSL_NO_TLS1_3
|
---|
571 | int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
|
---|
572 |
|
---|
573 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
|
---|
574 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
575 | || !WPACKET_start_sub_packet_u8(pkt)
|
---|
576 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
|
---|
577 | || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
|
---|
578 | || !WPACKET_close(pkt)
|
---|
579 | || !WPACKET_close(pkt)) {
|
---|
580 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
581 | return EXT_RETURN_FAIL;
|
---|
582 | }
|
---|
583 |
|
---|
584 | s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
|
---|
585 | if (nodhe)
|
---|
586 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
|
---|
587 | #endif
|
---|
588 |
|
---|
589 | return EXT_RETURN_SENT;
|
---|
590 | }
|
---|
591 |
|
---|
592 | #ifndef OPENSSL_NO_TLS1_3
|
---|
593 | static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
|
---|
594 | {
|
---|
595 | unsigned char *encoded_point = NULL;
|
---|
596 | EVP_PKEY *key_share_key = NULL;
|
---|
597 | size_t encodedlen;
|
---|
598 |
|
---|
599 | if (s->s3.tmp.pkey != NULL) {
|
---|
600 | if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
|
---|
601 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
602 | return 0;
|
---|
603 | }
|
---|
604 | /*
|
---|
605 | * Could happen if we got an HRR that wasn't requesting a new key_share
|
---|
606 | */
|
---|
607 | key_share_key = s->s3.tmp.pkey;
|
---|
608 | } else {
|
---|
609 | key_share_key = ssl_generate_pkey_group(s, curve_id);
|
---|
610 | if (key_share_key == NULL) {
|
---|
611 | /* SSLfatal() already called */
|
---|
612 | return 0;
|
---|
613 | }
|
---|
614 | }
|
---|
615 |
|
---|
616 | /* Encode the public key. */
|
---|
617 | encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
|
---|
618 | &encoded_point);
|
---|
619 | if (encodedlen == 0) {
|
---|
620 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
|
---|
621 | goto err;
|
---|
622 | }
|
---|
623 |
|
---|
624 | /* Create KeyShareEntry */
|
---|
625 | if (!WPACKET_put_bytes_u16(pkt, curve_id)
|
---|
626 | || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
|
---|
627 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
628 | goto err;
|
---|
629 | }
|
---|
630 |
|
---|
631 | /*
|
---|
632 | * When changing to send more than one key_share we're
|
---|
633 | * going to need to be able to save more than one EVP_PKEY. For now
|
---|
634 | * we reuse the existing tmp.pkey
|
---|
635 | */
|
---|
636 | s->s3.tmp.pkey = key_share_key;
|
---|
637 | s->s3.group_id = curve_id;
|
---|
638 | OPENSSL_free(encoded_point);
|
---|
639 |
|
---|
640 | return 1;
|
---|
641 | err:
|
---|
642 | if (s->s3.tmp.pkey == NULL)
|
---|
643 | EVP_PKEY_free(key_share_key);
|
---|
644 | OPENSSL_free(encoded_point);
|
---|
645 | return 0;
|
---|
646 | }
|
---|
647 | #endif
|
---|
648 |
|
---|
649 | EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
|
---|
650 | unsigned int context, X509 *x,
|
---|
651 | size_t chainidx)
|
---|
652 | {
|
---|
653 | #ifndef OPENSSL_NO_TLS1_3
|
---|
654 | size_t i, num_groups = 0;
|
---|
655 | const uint16_t *pgroups = NULL;
|
---|
656 | uint16_t curve_id = 0;
|
---|
657 |
|
---|
658 | /* key_share extension */
|
---|
659 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|
---|
660 | /* Extension data sub-packet */
|
---|
661 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
662 | /* KeyShare list sub-packet */
|
---|
663 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
664 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
665 | return EXT_RETURN_FAIL;
|
---|
666 | }
|
---|
667 |
|
---|
668 | tls1_get_supported_groups(s, &pgroups, &num_groups);
|
---|
669 |
|
---|
670 | /*
|
---|
671 | * Make the number of key_shares sent configurable. For
|
---|
672 | * now, we just send one
|
---|
673 | */
|
---|
674 | if (s->s3.group_id != 0) {
|
---|
675 | curve_id = s->s3.group_id;
|
---|
676 | } else {
|
---|
677 | for (i = 0; i < num_groups; i++) {
|
---|
678 |
|
---|
679 | if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
|
---|
680 | continue;
|
---|
681 |
|
---|
682 | if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
|
---|
683 | 0, NULL))
|
---|
684 | continue;
|
---|
685 |
|
---|
686 | curve_id = pgroups[i];
|
---|
687 | break;
|
---|
688 | }
|
---|
689 | }
|
---|
690 |
|
---|
691 | if (curve_id == 0) {
|
---|
692 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
|
---|
693 | return EXT_RETURN_FAIL;
|
---|
694 | }
|
---|
695 |
|
---|
696 | if (!add_key_share(s, pkt, curve_id)) {
|
---|
697 | /* SSLfatal() already called */
|
---|
698 | return EXT_RETURN_FAIL;
|
---|
699 | }
|
---|
700 |
|
---|
701 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
|
---|
702 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
703 | return EXT_RETURN_FAIL;
|
---|
704 | }
|
---|
705 | return EXT_RETURN_SENT;
|
---|
706 | #else
|
---|
707 | return EXT_RETURN_NOT_SENT;
|
---|
708 | #endif
|
---|
709 | }
|
---|
710 |
|
---|
711 | EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
712 | X509 *x, size_t chainidx)
|
---|
713 | {
|
---|
714 | EXT_RETURN ret = EXT_RETURN_FAIL;
|
---|
715 |
|
---|
716 | /* Should only be set if we've had an HRR */
|
---|
717 | if (s->ext.tls13_cookie_len == 0)
|
---|
718 | return EXT_RETURN_NOT_SENT;
|
---|
719 |
|
---|
720 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
|
---|
721 | /* Extension data sub-packet */
|
---|
722 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
723 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
|
---|
724 | s->ext.tls13_cookie_len)
|
---|
725 | || !WPACKET_close(pkt)) {
|
---|
726 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
727 | goto end;
|
---|
728 | }
|
---|
729 |
|
---|
730 | ret = EXT_RETURN_SENT;
|
---|
731 | end:
|
---|
732 | OPENSSL_free(s->ext.tls13_cookie);
|
---|
733 | s->ext.tls13_cookie = NULL;
|
---|
734 | s->ext.tls13_cookie_len = 0;
|
---|
735 |
|
---|
736 | return ret;
|
---|
737 | }
|
---|
738 |
|
---|
739 | EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
|
---|
740 | unsigned int context, X509 *x,
|
---|
741 | size_t chainidx)
|
---|
742 | {
|
---|
743 | #ifndef OPENSSL_NO_PSK
|
---|
744 | char identity[PSK_MAX_IDENTITY_LEN + 1];
|
---|
745 | #endif /* OPENSSL_NO_PSK */
|
---|
746 | const unsigned char *id = NULL;
|
---|
747 | size_t idlen = 0;
|
---|
748 | SSL_SESSION *psksess = NULL;
|
---|
749 | SSL_SESSION *edsess = NULL;
|
---|
750 | const EVP_MD *handmd = NULL;
|
---|
751 |
|
---|
752 | if (s->hello_retry_request == SSL_HRR_PENDING)
|
---|
753 | handmd = ssl_handshake_md(s);
|
---|
754 |
|
---|
755 | if (s->psk_use_session_cb != NULL
|
---|
756 | && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
|
---|
757 | || (psksess != NULL
|
---|
758 | && psksess->ssl_version != TLS1_3_VERSION))) {
|
---|
759 | SSL_SESSION_free(psksess);
|
---|
760 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
|
---|
761 | return EXT_RETURN_FAIL;
|
---|
762 | }
|
---|
763 |
|
---|
764 | #ifndef OPENSSL_NO_PSK
|
---|
765 | if (psksess == NULL && s->psk_client_callback != NULL) {
|
---|
766 | unsigned char psk[PSK_MAX_PSK_LEN];
|
---|
767 | size_t psklen = 0;
|
---|
768 |
|
---|
769 | memset(identity, 0, sizeof(identity));
|
---|
770 | psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
|
---|
771 | psk, sizeof(psk));
|
---|
772 |
|
---|
773 | if (psklen > PSK_MAX_PSK_LEN) {
|
---|
774 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
|
---|
775 | return EXT_RETURN_FAIL;
|
---|
776 | } else if (psklen > 0) {
|
---|
777 | const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
|
---|
778 | const SSL_CIPHER *cipher;
|
---|
779 |
|
---|
780 | idlen = strlen(identity);
|
---|
781 | if (idlen > PSK_MAX_IDENTITY_LEN) {
|
---|
782 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
783 | return EXT_RETURN_FAIL;
|
---|
784 | }
|
---|
785 | id = (unsigned char *)identity;
|
---|
786 |
|
---|
787 | /*
|
---|
788 | * We found a PSK using an old style callback. We don't know
|
---|
789 | * the digest so we default to SHA256 as per the TLSv1.3 spec
|
---|
790 | */
|
---|
791 | cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
|
---|
792 | if (cipher == NULL) {
|
---|
793 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
794 | return EXT_RETURN_FAIL;
|
---|
795 | }
|
---|
796 |
|
---|
797 | psksess = SSL_SESSION_new();
|
---|
798 | if (psksess == NULL
|
---|
799 | || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
|
---|
800 | || !SSL_SESSION_set_cipher(psksess, cipher)
|
---|
801 | || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
|
---|
802 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
803 | OPENSSL_cleanse(psk, psklen);
|
---|
804 | return EXT_RETURN_FAIL;
|
---|
805 | }
|
---|
806 | OPENSSL_cleanse(psk, psklen);
|
---|
807 | }
|
---|
808 | }
|
---|
809 | #endif /* OPENSSL_NO_PSK */
|
---|
810 |
|
---|
811 | SSL_SESSION_free(s->psksession);
|
---|
812 | s->psksession = psksess;
|
---|
813 | if (psksess != NULL) {
|
---|
814 | OPENSSL_free(s->psksession_id);
|
---|
815 | s->psksession_id = OPENSSL_memdup(id, idlen);
|
---|
816 | if (s->psksession_id == NULL) {
|
---|
817 | s->psksession_id_len = 0;
|
---|
818 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
819 | return EXT_RETURN_FAIL;
|
---|
820 | }
|
---|
821 | s->psksession_id_len = idlen;
|
---|
822 | }
|
---|
823 |
|
---|
824 | if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
|
---|
825 | || (s->session->ext.max_early_data == 0
|
---|
826 | && (psksess == NULL || psksess->ext.max_early_data == 0))) {
|
---|
827 | s->max_early_data = 0;
|
---|
828 | return EXT_RETURN_NOT_SENT;
|
---|
829 | }
|
---|
830 | edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
|
---|
831 | s->max_early_data = edsess->ext.max_early_data;
|
---|
832 |
|
---|
833 | if (edsess->ext.hostname != NULL) {
|
---|
834 | if (s->ext.hostname == NULL
|
---|
835 | || (s->ext.hostname != NULL
|
---|
836 | && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
|
---|
837 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
838 | SSL_R_INCONSISTENT_EARLY_DATA_SNI);
|
---|
839 | return EXT_RETURN_FAIL;
|
---|
840 | }
|
---|
841 | }
|
---|
842 |
|
---|
843 | if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
|
---|
844 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
|
---|
845 | return EXT_RETURN_FAIL;
|
---|
846 | }
|
---|
847 |
|
---|
848 | /*
|
---|
849 | * Verify that we are offering an ALPN protocol consistent with the early
|
---|
850 | * data.
|
---|
851 | */
|
---|
852 | if (edsess->ext.alpn_selected != NULL) {
|
---|
853 | PACKET prots, alpnpkt;
|
---|
854 | int found = 0;
|
---|
855 |
|
---|
856 | if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
|
---|
857 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
858 | return EXT_RETURN_FAIL;
|
---|
859 | }
|
---|
860 | while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
|
---|
861 | if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
|
---|
862 | edsess->ext.alpn_selected_len)) {
|
---|
863 | found = 1;
|
---|
864 | break;
|
---|
865 | }
|
---|
866 | }
|
---|
867 | if (!found) {
|
---|
868 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
869 | SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
|
---|
870 | return EXT_RETURN_FAIL;
|
---|
871 | }
|
---|
872 | }
|
---|
873 |
|
---|
874 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
|
---|
875 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
876 | || !WPACKET_close(pkt)) {
|
---|
877 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
878 | return EXT_RETURN_FAIL;
|
---|
879 | }
|
---|
880 |
|
---|
881 | /*
|
---|
882 | * We set this to rejected here. Later, if the server acknowledges the
|
---|
883 | * extension, we set it to accepted.
|
---|
884 | */
|
---|
885 | s->ext.early_data = SSL_EARLY_DATA_REJECTED;
|
---|
886 | s->ext.early_data_ok = 1;
|
---|
887 |
|
---|
888 | return EXT_RETURN_SENT;
|
---|
889 | }
|
---|
890 |
|
---|
891 | #define F5_WORKAROUND_MIN_MSG_LEN 0xff
|
---|
892 | #define F5_WORKAROUND_MAX_MSG_LEN 0x200
|
---|
893 |
|
---|
894 | /*
|
---|
895 | * PSK pre binder overhead =
|
---|
896 | * 2 bytes for TLSEXT_TYPE_psk
|
---|
897 | * 2 bytes for extension length
|
---|
898 | * 2 bytes for identities list length
|
---|
899 | * 2 bytes for identity length
|
---|
900 | * 4 bytes for obfuscated_ticket_age
|
---|
901 | * 2 bytes for binder list length
|
---|
902 | * 1 byte for binder length
|
---|
903 | * The above excludes the number of bytes for the identity itself and the
|
---|
904 | * subsequent binder bytes
|
---|
905 | */
|
---|
906 | #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
|
---|
907 |
|
---|
908 | EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
|
---|
909 | unsigned int context, X509 *x,
|
---|
910 | size_t chainidx)
|
---|
911 | {
|
---|
912 | unsigned char *padbytes;
|
---|
913 | size_t hlen;
|
---|
914 |
|
---|
915 | if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
|
---|
916 | return EXT_RETURN_NOT_SENT;
|
---|
917 |
|
---|
918 | /*
|
---|
919 | * Add padding to workaround bugs in F5 terminators. See RFC7685.
|
---|
920 | * This code calculates the length of all extensions added so far but
|
---|
921 | * excludes the PSK extension (because that MUST be written last). Therefore
|
---|
922 | * this extension MUST always appear second to last.
|
---|
923 | */
|
---|
924 | if (!WPACKET_get_total_written(pkt, &hlen)) {
|
---|
925 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
926 | return EXT_RETURN_FAIL;
|
---|
927 | }
|
---|
928 |
|
---|
929 | /*
|
---|
930 | * If we're going to send a PSK then that will be written out after this
|
---|
931 | * extension, so we need to calculate how long it is going to be.
|
---|
932 | */
|
---|
933 | if (s->session->ssl_version == TLS1_3_VERSION
|
---|
934 | && s->session->ext.ticklen != 0
|
---|
935 | && s->session->cipher != NULL) {
|
---|
936 | const EVP_MD *md = ssl_md(s->ctx, s->session->cipher->algorithm2);
|
---|
937 |
|
---|
938 | if (md != NULL) {
|
---|
939 | /*
|
---|
940 | * Add the fixed PSK overhead, the identity length and the binder
|
---|
941 | * length.
|
---|
942 | */
|
---|
943 | hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
|
---|
944 | + EVP_MD_get_size(md);
|
---|
945 | }
|
---|
946 | }
|
---|
947 |
|
---|
948 | if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
|
---|
949 | /* Calculate the amount of padding we need to add */
|
---|
950 | hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
|
---|
951 |
|
---|
952 | /*
|
---|
953 | * Take off the size of extension header itself (2 bytes for type and
|
---|
954 | * 2 bytes for length bytes), but ensure that the extension is at least
|
---|
955 | * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
|
---|
956 | * 8.x are intolerant of that condition)
|
---|
957 | */
|
---|
958 | if (hlen > 4)
|
---|
959 | hlen -= 4;
|
---|
960 | else
|
---|
961 | hlen = 1;
|
---|
962 |
|
---|
963 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
|
---|
964 | || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
|
---|
965 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
966 | return EXT_RETURN_FAIL;
|
---|
967 | }
|
---|
968 | memset(padbytes, 0, hlen);
|
---|
969 | }
|
---|
970 |
|
---|
971 | return EXT_RETURN_SENT;
|
---|
972 | }
|
---|
973 |
|
---|
974 | /*
|
---|
975 | * Construct the pre_shared_key extension
|
---|
976 | */
|
---|
977 | EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
|
---|
978 | X509 *x, size_t chainidx)
|
---|
979 | {
|
---|
980 | #ifndef OPENSSL_NO_TLS1_3
|
---|
981 | uint32_t agesec, agems = 0;
|
---|
982 | size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
|
---|
983 | unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
|
---|
984 | const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
|
---|
985 | int dores = 0;
|
---|
986 |
|
---|
987 | s->ext.tick_identity = 0;
|
---|
988 |
|
---|
989 | /*
|
---|
990 | * Note: At this stage of the code we only support adding a single
|
---|
991 | * resumption PSK. If we add support for multiple PSKs then the length
|
---|
992 | * calculations in the padding extension will need to be adjusted.
|
---|
993 | */
|
---|
994 |
|
---|
995 | /*
|
---|
996 | * If this is an incompatible or new session then we have nothing to resume
|
---|
997 | * so don't add this extension.
|
---|
998 | */
|
---|
999 | if (s->session->ssl_version != TLS1_3_VERSION
|
---|
1000 | || (s->session->ext.ticklen == 0 && s->psksession == NULL))
|
---|
1001 | return EXT_RETURN_NOT_SENT;
|
---|
1002 |
|
---|
1003 | if (s->hello_retry_request == SSL_HRR_PENDING)
|
---|
1004 | handmd = ssl_handshake_md(s);
|
---|
1005 |
|
---|
1006 | if (s->session->ext.ticklen != 0) {
|
---|
1007 | /* Get the digest associated with the ciphersuite in the session */
|
---|
1008 | if (s->session->cipher == NULL) {
|
---|
1009 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1010 | return EXT_RETURN_FAIL;
|
---|
1011 | }
|
---|
1012 | mdres = ssl_md(s->ctx, s->session->cipher->algorithm2);
|
---|
1013 | if (mdres == NULL) {
|
---|
1014 | /*
|
---|
1015 | * Don't recognize this cipher so we can't use the session.
|
---|
1016 | * Ignore it
|
---|
1017 | */
|
---|
1018 | goto dopsksess;
|
---|
1019 | }
|
---|
1020 |
|
---|
1021 | if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
|
---|
1022 | /*
|
---|
1023 | * Selected ciphersuite hash does not match the hash for the session
|
---|
1024 | * so we can't use it.
|
---|
1025 | */
|
---|
1026 | goto dopsksess;
|
---|
1027 | }
|
---|
1028 |
|
---|
1029 | /*
|
---|
1030 | * Technically the C standard just says time() returns a time_t and says
|
---|
1031 | * nothing about the encoding of that type. In practice most
|
---|
1032 | * implementations follow POSIX which holds it as an integral type in
|
---|
1033 | * seconds since epoch. We've already made the assumption that we can do
|
---|
1034 | * this in multiple places in the code, so portability shouldn't be an
|
---|
1035 | * issue.
|
---|
1036 | */
|
---|
1037 | agesec = (uint32_t)(time(NULL) - s->session->time);
|
---|
1038 | /*
|
---|
1039 | * We calculate the age in seconds but the server may work in ms. Due to
|
---|
1040 | * rounding errors we could overestimate the age by up to 1s. It is
|
---|
1041 | * better to underestimate it. Otherwise, if the RTT is very short, when
|
---|
1042 | * the server calculates the age reported by the client it could be
|
---|
1043 | * bigger than the age calculated on the server - which should never
|
---|
1044 | * happen.
|
---|
1045 | */
|
---|
1046 | if (agesec > 0)
|
---|
1047 | agesec--;
|
---|
1048 |
|
---|
1049 | if (s->session->ext.tick_lifetime_hint < agesec) {
|
---|
1050 | /* Ticket is too old. Ignore it. */
|
---|
1051 | goto dopsksess;
|
---|
1052 | }
|
---|
1053 |
|
---|
1054 | /*
|
---|
1055 | * Calculate age in ms. We're just doing it to nearest second. Should be
|
---|
1056 | * good enough.
|
---|
1057 | */
|
---|
1058 | agems = agesec * (uint32_t)1000;
|
---|
1059 |
|
---|
1060 | if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
|
---|
1061 | /*
|
---|
1062 | * Overflow. Shouldn't happen unless this is a *really* old session.
|
---|
1063 | * If so we just ignore it.
|
---|
1064 | */
|
---|
1065 | goto dopsksess;
|
---|
1066 | }
|
---|
1067 |
|
---|
1068 | /*
|
---|
1069 | * Obfuscate the age. Overflow here is fine, this addition is supposed
|
---|
1070 | * to be mod 2^32.
|
---|
1071 | */
|
---|
1072 | agems += s->session->ext.tick_age_add;
|
---|
1073 |
|
---|
1074 | reshashsize = EVP_MD_get_size(mdres);
|
---|
1075 | s->ext.tick_identity++;
|
---|
1076 | dores = 1;
|
---|
1077 | }
|
---|
1078 |
|
---|
1079 | dopsksess:
|
---|
1080 | if (!dores && s->psksession == NULL)
|
---|
1081 | return EXT_RETURN_NOT_SENT;
|
---|
1082 |
|
---|
1083 | if (s->psksession != NULL) {
|
---|
1084 | mdpsk = ssl_md(s->ctx, s->psksession->cipher->algorithm2);
|
---|
1085 | if (mdpsk == NULL) {
|
---|
1086 | /*
|
---|
1087 | * Don't recognize this cipher so we can't use the session.
|
---|
1088 | * If this happens it's an application bug.
|
---|
1089 | */
|
---|
1090 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
|
---|
1091 | return EXT_RETURN_FAIL;
|
---|
1092 | }
|
---|
1093 |
|
---|
1094 | if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
|
---|
1095 | /*
|
---|
1096 | * Selected ciphersuite hash does not match the hash for the PSK
|
---|
1097 | * session. This is an application bug.
|
---|
1098 | */
|
---|
1099 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
|
---|
1100 | return EXT_RETURN_FAIL;
|
---|
1101 | }
|
---|
1102 |
|
---|
1103 | pskhashsize = EVP_MD_get_size(mdpsk);
|
---|
1104 | }
|
---|
1105 |
|
---|
1106 | /* Create the extension, but skip over the binder for now */
|
---|
1107 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
|
---|
1108 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1109 | || !WPACKET_start_sub_packet_u16(pkt)) {
|
---|
1110 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1111 | return EXT_RETURN_FAIL;
|
---|
1112 | }
|
---|
1113 |
|
---|
1114 | if (dores) {
|
---|
1115 | if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
|
---|
1116 | s->session->ext.ticklen)
|
---|
1117 | || !WPACKET_put_bytes_u32(pkt, agems)) {
|
---|
1118 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1119 | return EXT_RETURN_FAIL;
|
---|
1120 | }
|
---|
1121 | }
|
---|
1122 |
|
---|
1123 | if (s->psksession != NULL) {
|
---|
1124 | if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
|
---|
1125 | s->psksession_id_len)
|
---|
1126 | || !WPACKET_put_bytes_u32(pkt, 0)) {
|
---|
1127 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1128 | return EXT_RETURN_FAIL;
|
---|
1129 | }
|
---|
1130 | s->ext.tick_identity++;
|
---|
1131 | }
|
---|
1132 |
|
---|
1133 | if (!WPACKET_close(pkt)
|
---|
1134 | || !WPACKET_get_total_written(pkt, &binderoffset)
|
---|
1135 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1136 | || (dores
|
---|
1137 | && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
|
---|
1138 | || (s->psksession != NULL
|
---|
1139 | && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
|
---|
1140 | || !WPACKET_close(pkt)
|
---|
1141 | || !WPACKET_close(pkt)
|
---|
1142 | || !WPACKET_get_total_written(pkt, &msglen)
|
---|
1143 | /*
|
---|
1144 | * We need to fill in all the sub-packet lengths now so we can
|
---|
1145 | * calculate the HMAC of the message up to the binders
|
---|
1146 | */
|
---|
1147 | || !WPACKET_fill_lengths(pkt)) {
|
---|
1148 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1149 | return EXT_RETURN_FAIL;
|
---|
1150 | }
|
---|
1151 |
|
---|
1152 | msgstart = WPACKET_get_curr(pkt) - msglen;
|
---|
1153 |
|
---|
1154 | if (dores
|
---|
1155 | && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
|
---|
1156 | resbinder, s->session, 1, 0) != 1) {
|
---|
1157 | /* SSLfatal() already called */
|
---|
1158 | return EXT_RETURN_FAIL;
|
---|
1159 | }
|
---|
1160 |
|
---|
1161 | if (s->psksession != NULL
|
---|
1162 | && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
|
---|
1163 | pskbinder, s->psksession, 1, 1) != 1) {
|
---|
1164 | /* SSLfatal() already called */
|
---|
1165 | return EXT_RETURN_FAIL;
|
---|
1166 | }
|
---|
1167 |
|
---|
1168 | return EXT_RETURN_SENT;
|
---|
1169 | #else
|
---|
1170 | return EXT_RETURN_NOT_SENT;
|
---|
1171 | #endif
|
---|
1172 | }
|
---|
1173 |
|
---|
1174 | EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
|
---|
1175 | ossl_unused unsigned int context,
|
---|
1176 | ossl_unused X509 *x,
|
---|
1177 | ossl_unused size_t chainidx)
|
---|
1178 | {
|
---|
1179 | #ifndef OPENSSL_NO_TLS1_3
|
---|
1180 | if (!s->pha_enabled)
|
---|
1181 | return EXT_RETURN_NOT_SENT;
|
---|
1182 |
|
---|
1183 | /* construct extension - 0 length, no contents */
|
---|
1184 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
|
---|
1185 | || !WPACKET_start_sub_packet_u16(pkt)
|
---|
1186 | || !WPACKET_close(pkt)) {
|
---|
1187 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1188 | return EXT_RETURN_FAIL;
|
---|
1189 | }
|
---|
1190 |
|
---|
1191 | s->post_handshake_auth = SSL_PHA_EXT_SENT;
|
---|
1192 |
|
---|
1193 | return EXT_RETURN_SENT;
|
---|
1194 | #else
|
---|
1195 | return EXT_RETURN_NOT_SENT;
|
---|
1196 | #endif
|
---|
1197 | }
|
---|
1198 |
|
---|
1199 |
|
---|
1200 | /*
|
---|
1201 | * Parse the server's renegotiation binding and abort if it's not right
|
---|
1202 | */
|
---|
1203 | int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1204 | X509 *x, size_t chainidx)
|
---|
1205 | {
|
---|
1206 | size_t expected_len = s->s3.previous_client_finished_len
|
---|
1207 | + s->s3.previous_server_finished_len;
|
---|
1208 | size_t ilen;
|
---|
1209 | const unsigned char *data;
|
---|
1210 |
|
---|
1211 | /* Check for logic errors */
|
---|
1212 | if (!ossl_assert(expected_len == 0
|
---|
1213 | || s->s3.previous_client_finished_len != 0)
|
---|
1214 | || !ossl_assert(expected_len == 0
|
---|
1215 | || s->s3.previous_server_finished_len != 0)) {
|
---|
1216 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1217 | return 0;
|
---|
1218 | }
|
---|
1219 |
|
---|
1220 | /* Parse the length byte */
|
---|
1221 | if (!PACKET_get_1_len(pkt, &ilen)) {
|
---|
1222 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
|
---|
1223 | return 0;
|
---|
1224 | }
|
---|
1225 |
|
---|
1226 | /* Consistency check */
|
---|
1227 | if (PACKET_remaining(pkt) != ilen) {
|
---|
1228 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
|
---|
1229 | return 0;
|
---|
1230 | }
|
---|
1231 |
|
---|
1232 | /* Check that the extension matches */
|
---|
1233 | if (ilen != expected_len) {
|
---|
1234 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
|
---|
1235 | return 0;
|
---|
1236 | }
|
---|
1237 |
|
---|
1238 | if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
|
---|
1239 | || memcmp(data, s->s3.previous_client_finished,
|
---|
1240 | s->s3.previous_client_finished_len) != 0) {
|
---|
1241 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
|
---|
1242 | return 0;
|
---|
1243 | }
|
---|
1244 |
|
---|
1245 | if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
|
---|
1246 | || memcmp(data, s->s3.previous_server_finished,
|
---|
1247 | s->s3.previous_server_finished_len) != 0) {
|
---|
1248 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
|
---|
1249 | return 0;
|
---|
1250 | }
|
---|
1251 | s->s3.send_connection_binding = 1;
|
---|
1252 |
|
---|
1253 | return 1;
|
---|
1254 | }
|
---|
1255 |
|
---|
1256 | /* Parse the server's max fragment len extension packet */
|
---|
1257 | int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1258 | X509 *x, size_t chainidx)
|
---|
1259 | {
|
---|
1260 | unsigned int value;
|
---|
1261 |
|
---|
1262 | if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
|
---|
1263 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1264 | return 0;
|
---|
1265 | }
|
---|
1266 |
|
---|
1267 | /* |value| should contains a valid max-fragment-length code. */
|
---|
1268 | if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
|
---|
1269 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
1270 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
|
---|
1271 | return 0;
|
---|
1272 | }
|
---|
1273 |
|
---|
1274 | /* Must be the same value as client-configured one who was sent to server */
|
---|
1275 | /*-
|
---|
1276 | * RFC 6066: if a client receives a maximum fragment length negotiation
|
---|
1277 | * response that differs from the length it requested, ...
|
---|
1278 | * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
|
---|
1279 | */
|
---|
1280 | if (value != s->ext.max_fragment_len_mode) {
|
---|
1281 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
1282 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
|
---|
1283 | return 0;
|
---|
1284 | }
|
---|
1285 |
|
---|
1286 | /*
|
---|
1287 | * Maximum Fragment Length Negotiation succeeded.
|
---|
1288 | * The negotiated Maximum Fragment Length is binding now.
|
---|
1289 | */
|
---|
1290 | s->session->ext.max_fragment_len_mode = value;
|
---|
1291 |
|
---|
1292 | return 1;
|
---|
1293 | }
|
---|
1294 |
|
---|
1295 | int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1296 | X509 *x, size_t chainidx)
|
---|
1297 | {
|
---|
1298 | if (s->ext.hostname == NULL) {
|
---|
1299 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1300 | return 0;
|
---|
1301 | }
|
---|
1302 |
|
---|
1303 | if (PACKET_remaining(pkt) > 0) {
|
---|
1304 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1305 | return 0;
|
---|
1306 | }
|
---|
1307 |
|
---|
1308 | if (!s->hit) {
|
---|
1309 | if (s->session->ext.hostname != NULL) {
|
---|
1310 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1311 | return 0;
|
---|
1312 | }
|
---|
1313 | s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
|
---|
1314 | if (s->session->ext.hostname == NULL) {
|
---|
1315 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1316 | return 0;
|
---|
1317 | }
|
---|
1318 | }
|
---|
1319 |
|
---|
1320 | return 1;
|
---|
1321 | }
|
---|
1322 |
|
---|
1323 | int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1324 | X509 *x, size_t chainidx)
|
---|
1325 | {
|
---|
1326 | size_t ecpointformats_len;
|
---|
1327 | PACKET ecptformatlist;
|
---|
1328 |
|
---|
1329 | if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
|
---|
1330 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1331 | return 0;
|
---|
1332 | }
|
---|
1333 | if (!s->hit) {
|
---|
1334 | ecpointformats_len = PACKET_remaining(&ecptformatlist);
|
---|
1335 | if (ecpointformats_len == 0) {
|
---|
1336 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
|
---|
1337 | return 0;
|
---|
1338 | }
|
---|
1339 |
|
---|
1340 | s->ext.peer_ecpointformats_len = 0;
|
---|
1341 | OPENSSL_free(s->ext.peer_ecpointformats);
|
---|
1342 | s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
|
---|
1343 | if (s->ext.peer_ecpointformats == NULL) {
|
---|
1344 | s->ext.peer_ecpointformats_len = 0;
|
---|
1345 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1346 | return 0;
|
---|
1347 | }
|
---|
1348 |
|
---|
1349 | s->ext.peer_ecpointformats_len = ecpointformats_len;
|
---|
1350 |
|
---|
1351 | if (!PACKET_copy_bytes(&ecptformatlist,
|
---|
1352 | s->ext.peer_ecpointformats,
|
---|
1353 | ecpointformats_len)) {
|
---|
1354 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1355 | return 0;
|
---|
1356 | }
|
---|
1357 | }
|
---|
1358 |
|
---|
1359 | return 1;
|
---|
1360 | }
|
---|
1361 |
|
---|
1362 | int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1363 | X509 *x, size_t chainidx)
|
---|
1364 | {
|
---|
1365 | if (s->ext.session_ticket_cb != NULL &&
|
---|
1366 | !s->ext.session_ticket_cb(s, PACKET_data(pkt),
|
---|
1367 | PACKET_remaining(pkt),
|
---|
1368 | s->ext.session_ticket_cb_arg)) {
|
---|
1369 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
|
---|
1370 | return 0;
|
---|
1371 | }
|
---|
1372 |
|
---|
1373 | if (!tls_use_ticket(s)) {
|
---|
1374 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
|
---|
1375 | return 0;
|
---|
1376 | }
|
---|
1377 | if (PACKET_remaining(pkt) > 0) {
|
---|
1378 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1379 | return 0;
|
---|
1380 | }
|
---|
1381 |
|
---|
1382 | s->ext.ticket_expected = 1;
|
---|
1383 |
|
---|
1384 | return 1;
|
---|
1385 | }
|
---|
1386 |
|
---|
1387 | #ifndef OPENSSL_NO_OCSP
|
---|
1388 | int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1389 | X509 *x, size_t chainidx)
|
---|
1390 | {
|
---|
1391 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
|
---|
1392 | /* We ignore this if the server sends a CertificateRequest */
|
---|
1393 | return 1;
|
---|
1394 | }
|
---|
1395 |
|
---|
1396 | /*
|
---|
1397 | * MUST only be sent if we've requested a status
|
---|
1398 | * request message. In TLS <= 1.2 it must also be empty.
|
---|
1399 | */
|
---|
1400 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
|
---|
1401 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
|
---|
1402 | return 0;
|
---|
1403 | }
|
---|
1404 | if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
|
---|
1405 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1406 | return 0;
|
---|
1407 | }
|
---|
1408 |
|
---|
1409 | if (SSL_IS_TLS13(s)) {
|
---|
1410 | /* We only know how to handle this if it's for the first Certificate in
|
---|
1411 | * the chain. We ignore any other responses.
|
---|
1412 | */
|
---|
1413 | if (chainidx != 0)
|
---|
1414 | return 1;
|
---|
1415 |
|
---|
1416 | /* SSLfatal() already called */
|
---|
1417 | return tls_process_cert_status_body(s, pkt);
|
---|
1418 | }
|
---|
1419 |
|
---|
1420 | /* Set flag to expect CertificateStatus message */
|
---|
1421 | s->ext.status_expected = 1;
|
---|
1422 |
|
---|
1423 | return 1;
|
---|
1424 | }
|
---|
1425 | #endif
|
---|
1426 |
|
---|
1427 |
|
---|
1428 | #ifndef OPENSSL_NO_CT
|
---|
1429 | int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1430 | size_t chainidx)
|
---|
1431 | {
|
---|
1432 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
|
---|
1433 | /* We ignore this if the server sends it in a CertificateRequest */
|
---|
1434 | return 1;
|
---|
1435 | }
|
---|
1436 |
|
---|
1437 | /*
|
---|
1438 | * Only take it if we asked for it - i.e if there is no CT validation
|
---|
1439 | * callback set, then a custom extension MAY be processing it, so we
|
---|
1440 | * need to let control continue to flow to that.
|
---|
1441 | */
|
---|
1442 | if (s->ct_validation_callback != NULL) {
|
---|
1443 | size_t size = PACKET_remaining(pkt);
|
---|
1444 |
|
---|
1445 | /* Simply copy it off for later processing */
|
---|
1446 | OPENSSL_free(s->ext.scts);
|
---|
1447 | s->ext.scts = NULL;
|
---|
1448 |
|
---|
1449 | s->ext.scts_len = (uint16_t)size;
|
---|
1450 | if (size > 0) {
|
---|
1451 | s->ext.scts = OPENSSL_malloc(size);
|
---|
1452 | if (s->ext.scts == NULL) {
|
---|
1453 | s->ext.scts_len = 0;
|
---|
1454 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
|
---|
1455 | return 0;
|
---|
1456 | }
|
---|
1457 | if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
|
---|
1458 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1459 | return 0;
|
---|
1460 | }
|
---|
1461 | }
|
---|
1462 | } else {
|
---|
1463 | ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
|
---|
1464 | ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
|
---|
1465 |
|
---|
1466 | /*
|
---|
1467 | * If we didn't ask for it then there must be a custom extension,
|
---|
1468 | * otherwise this is unsolicited.
|
---|
1469 | */
|
---|
1470 | if (custom_ext_find(&s->cert->custext, role,
|
---|
1471 | TLSEXT_TYPE_signed_certificate_timestamp,
|
---|
1472 | NULL) == NULL) {
|
---|
1473 | SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
|
---|
1474 | return 0;
|
---|
1475 | }
|
---|
1476 |
|
---|
1477 | if (!custom_ext_parse(s, context,
|
---|
1478 | TLSEXT_TYPE_signed_certificate_timestamp,
|
---|
1479 | PACKET_data(pkt), PACKET_remaining(pkt),
|
---|
1480 | x, chainidx)) {
|
---|
1481 | /* SSLfatal already called */
|
---|
1482 | return 0;
|
---|
1483 | }
|
---|
1484 | }
|
---|
1485 |
|
---|
1486 | return 1;
|
---|
1487 | }
|
---|
1488 | #endif
|
---|
1489 |
|
---|
1490 |
|
---|
1491 | #ifndef OPENSSL_NO_NEXTPROTONEG
|
---|
1492 | /*
|
---|
1493 | * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
|
---|
1494 | * elements of zero length are allowed and the set of elements must exactly
|
---|
1495 | * fill the length of the block. Returns 1 on success or 0 on failure.
|
---|
1496 | */
|
---|
1497 | static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
|
---|
1498 | {
|
---|
1499 | PACKET tmp_protocol;
|
---|
1500 |
|
---|
1501 | while (PACKET_remaining(pkt)) {
|
---|
1502 | if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
|
---|
1503 | || PACKET_remaining(&tmp_protocol) == 0) {
|
---|
1504 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1505 | return 0;
|
---|
1506 | }
|
---|
1507 | }
|
---|
1508 |
|
---|
1509 | return 1;
|
---|
1510 | }
|
---|
1511 |
|
---|
1512 | int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1513 | size_t chainidx)
|
---|
1514 | {
|
---|
1515 | unsigned char *selected;
|
---|
1516 | unsigned char selected_len;
|
---|
1517 | PACKET tmppkt;
|
---|
1518 |
|
---|
1519 | /* Check if we are in a renegotiation. If so ignore this extension */
|
---|
1520 | if (!SSL_IS_FIRST_HANDSHAKE(s))
|
---|
1521 | return 1;
|
---|
1522 |
|
---|
1523 | /* We must have requested it. */
|
---|
1524 | if (s->ctx->ext.npn_select_cb == NULL) {
|
---|
1525 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
|
---|
1526 | return 0;
|
---|
1527 | }
|
---|
1528 |
|
---|
1529 | /* The data must be valid */
|
---|
1530 | tmppkt = *pkt;
|
---|
1531 | if (!ssl_next_proto_validate(s, &tmppkt)) {
|
---|
1532 | /* SSLfatal() already called */
|
---|
1533 | return 0;
|
---|
1534 | }
|
---|
1535 | if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
|
---|
1536 | PACKET_data(pkt),
|
---|
1537 | PACKET_remaining(pkt),
|
---|
1538 | s->ctx->ext.npn_select_cb_arg) !=
|
---|
1539 | SSL_TLSEXT_ERR_OK) {
|
---|
1540 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
|
---|
1541 | return 0;
|
---|
1542 | }
|
---|
1543 |
|
---|
1544 | /*
|
---|
1545 | * Could be non-NULL if server has sent multiple NPN extensions in
|
---|
1546 | * a single Serverhello
|
---|
1547 | */
|
---|
1548 | OPENSSL_free(s->ext.npn);
|
---|
1549 | s->ext.npn = OPENSSL_malloc(selected_len);
|
---|
1550 | if (s->ext.npn == NULL) {
|
---|
1551 | s->ext.npn_len = 0;
|
---|
1552 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1553 | return 0;
|
---|
1554 | }
|
---|
1555 |
|
---|
1556 | memcpy(s->ext.npn, selected, selected_len);
|
---|
1557 | s->ext.npn_len = selected_len;
|
---|
1558 | s->s3.npn_seen = 1;
|
---|
1559 |
|
---|
1560 | return 1;
|
---|
1561 | }
|
---|
1562 | #endif
|
---|
1563 |
|
---|
1564 | int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1565 | size_t chainidx)
|
---|
1566 | {
|
---|
1567 | size_t len;
|
---|
1568 |
|
---|
1569 | /* We must have requested it. */
|
---|
1570 | if (!s->s3.alpn_sent) {
|
---|
1571 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
|
---|
1572 | return 0;
|
---|
1573 | }
|
---|
1574 | /*-
|
---|
1575 | * The extension data consists of:
|
---|
1576 | * uint16 list_length
|
---|
1577 | * uint8 proto_length;
|
---|
1578 | * uint8 proto[proto_length];
|
---|
1579 | */
|
---|
1580 | if (!PACKET_get_net_2_len(pkt, &len)
|
---|
1581 | || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
|
---|
1582 | || PACKET_remaining(pkt) != len) {
|
---|
1583 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1584 | return 0;
|
---|
1585 | }
|
---|
1586 | OPENSSL_free(s->s3.alpn_selected);
|
---|
1587 | s->s3.alpn_selected = OPENSSL_malloc(len);
|
---|
1588 | if (s->s3.alpn_selected == NULL) {
|
---|
1589 | s->s3.alpn_selected_len = 0;
|
---|
1590 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1591 | return 0;
|
---|
1592 | }
|
---|
1593 | if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
|
---|
1594 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1595 | return 0;
|
---|
1596 | }
|
---|
1597 | s->s3.alpn_selected_len = len;
|
---|
1598 |
|
---|
1599 | if (s->session->ext.alpn_selected == NULL
|
---|
1600 | || s->session->ext.alpn_selected_len != len
|
---|
1601 | || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
|
---|
1602 | != 0) {
|
---|
1603 | /* ALPN not consistent with the old session so cannot use early_data */
|
---|
1604 | s->ext.early_data_ok = 0;
|
---|
1605 | }
|
---|
1606 | if (!s->hit) {
|
---|
1607 | /*
|
---|
1608 | * This is a new session and so alpn_selected should have been
|
---|
1609 | * initialised to NULL. We should update it with the selected ALPN.
|
---|
1610 | */
|
---|
1611 | if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
|
---|
1612 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1613 | return 0;
|
---|
1614 | }
|
---|
1615 | s->session->ext.alpn_selected =
|
---|
1616 | OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
|
---|
1617 | if (s->session->ext.alpn_selected == NULL) {
|
---|
1618 | s->session->ext.alpn_selected_len = 0;
|
---|
1619 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1620 | return 0;
|
---|
1621 | }
|
---|
1622 | s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
|
---|
1623 | }
|
---|
1624 |
|
---|
1625 | return 1;
|
---|
1626 | }
|
---|
1627 |
|
---|
1628 | #ifndef OPENSSL_NO_SRTP
|
---|
1629 | int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1630 | size_t chainidx)
|
---|
1631 | {
|
---|
1632 | unsigned int id, ct, mki;
|
---|
1633 | int i;
|
---|
1634 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
|
---|
1635 | SRTP_PROTECTION_PROFILE *prof;
|
---|
1636 |
|
---|
1637 | if (!PACKET_get_net_2(pkt, &ct) || ct != 2
|
---|
1638 | || !PACKET_get_net_2(pkt, &id)
|
---|
1639 | || !PACKET_get_1(pkt, &mki)
|
---|
1640 | || PACKET_remaining(pkt) != 0) {
|
---|
1641 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
1642 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
---|
1643 | return 0;
|
---|
1644 | }
|
---|
1645 |
|
---|
1646 | if (mki != 0) {
|
---|
1647 | /* Must be no MKI, since we never offer one */
|
---|
1648 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
|
---|
1649 | return 0;
|
---|
1650 | }
|
---|
1651 |
|
---|
1652 | /* Throw an error if the server gave us an unsolicited extension */
|
---|
1653 | clnt = SSL_get_srtp_profiles(s);
|
---|
1654 | if (clnt == NULL) {
|
---|
1655 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
|
---|
1656 | return 0;
|
---|
1657 | }
|
---|
1658 |
|
---|
1659 | /*
|
---|
1660 | * Check to see if the server gave us something we support (and
|
---|
1661 | * presumably offered)
|
---|
1662 | */
|
---|
1663 | for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
|
---|
1664 | prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
|
---|
1665 |
|
---|
1666 | if (prof->id == id) {
|
---|
1667 | s->srtp_profile = prof;
|
---|
1668 | return 1;
|
---|
1669 | }
|
---|
1670 | }
|
---|
1671 |
|
---|
1672 | SSLfatal(s, SSL_AD_DECODE_ERROR,
|
---|
1673 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
---|
1674 | return 0;
|
---|
1675 | }
|
---|
1676 | #endif
|
---|
1677 |
|
---|
1678 | int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1679 | size_t chainidx)
|
---|
1680 | {
|
---|
1681 | /* Ignore if inappropriate ciphersuite */
|
---|
1682 | if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
|
---|
1683 | && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
|
---|
1684 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
|
---|
1685 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
|
---|
1686 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
|
---|
1687 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
|
---|
1688 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
|
---|
1689 | s->ext.use_etm = 1;
|
---|
1690 |
|
---|
1691 | return 1;
|
---|
1692 | }
|
---|
1693 |
|
---|
1694 | int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1695 | size_t chainidx)
|
---|
1696 | {
|
---|
1697 | if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
|
---|
1698 | return 1;
|
---|
1699 | s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
|
---|
1700 | if (!s->hit)
|
---|
1701 | s->session->flags |= SSL_SESS_FLAG_EXTMS;
|
---|
1702 |
|
---|
1703 | return 1;
|
---|
1704 | }
|
---|
1705 |
|
---|
1706 | int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1707 | X509 *x, size_t chainidx)
|
---|
1708 | {
|
---|
1709 | unsigned int version;
|
---|
1710 |
|
---|
1711 | if (!PACKET_get_net_2(pkt, &version)
|
---|
1712 | || PACKET_remaining(pkt) != 0) {
|
---|
1713 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
|
---|
1714 | return 0;
|
---|
1715 | }
|
---|
1716 |
|
---|
1717 | /*
|
---|
1718 | * The only protocol version we support which is valid in this extension in
|
---|
1719 | * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
|
---|
1720 | */
|
---|
1721 | if (version != TLS1_3_VERSION) {
|
---|
1722 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
|
---|
1723 | SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
|
---|
1724 | return 0;
|
---|
1725 | }
|
---|
1726 |
|
---|
1727 | /* We ignore this extension for HRRs except to sanity check it */
|
---|
1728 | if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
|
---|
1729 | return 1;
|
---|
1730 |
|
---|
1731 | /* We just set it here. We validate it in ssl_choose_client_version */
|
---|
1732 | s->version = version;
|
---|
1733 |
|
---|
1734 | return 1;
|
---|
1735 | }
|
---|
1736 |
|
---|
1737 | int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1738 | size_t chainidx)
|
---|
1739 | {
|
---|
1740 | #ifndef OPENSSL_NO_TLS1_3
|
---|
1741 | unsigned int group_id;
|
---|
1742 | PACKET encoded_pt;
|
---|
1743 | EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
|
---|
1744 | const TLS_GROUP_INFO *ginf = NULL;
|
---|
1745 |
|
---|
1746 | /* Sanity check */
|
---|
1747 | if (ckey == NULL || s->s3.peer_tmp != NULL) {
|
---|
1748 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1749 | return 0;
|
---|
1750 | }
|
---|
1751 |
|
---|
1752 | if (!PACKET_get_net_2(pkt, &group_id)) {
|
---|
1753 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
|
---|
1754 | return 0;
|
---|
1755 | }
|
---|
1756 |
|
---|
1757 | if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
|
---|
1758 | const uint16_t *pgroups = NULL;
|
---|
1759 | size_t i, num_groups;
|
---|
1760 |
|
---|
1761 | if (PACKET_remaining(pkt) != 0) {
|
---|
1762 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
|
---|
1763 | return 0;
|
---|
1764 | }
|
---|
1765 |
|
---|
1766 | /*
|
---|
1767 | * It is an error if the HelloRetryRequest wants a key_share that we
|
---|
1768 | * already sent in the first ClientHello
|
---|
1769 | */
|
---|
1770 | if (group_id == s->s3.group_id) {
|
---|
1771 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
|
---|
1772 | return 0;
|
---|
1773 | }
|
---|
1774 |
|
---|
1775 | /* Validate the selected group is one we support */
|
---|
1776 | tls1_get_supported_groups(s, &pgroups, &num_groups);
|
---|
1777 | for (i = 0; i < num_groups; i++) {
|
---|
1778 | if (group_id == pgroups[i])
|
---|
1779 | break;
|
---|
1780 | }
|
---|
1781 | if (i >= num_groups
|
---|
1782 | || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
|
---|
1783 | || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
|
---|
1784 | 0, NULL)) {
|
---|
1785 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
|
---|
1786 | return 0;
|
---|
1787 | }
|
---|
1788 |
|
---|
1789 | s->s3.group_id = group_id;
|
---|
1790 | EVP_PKEY_free(s->s3.tmp.pkey);
|
---|
1791 | s->s3.tmp.pkey = NULL;
|
---|
1792 | return 1;
|
---|
1793 | }
|
---|
1794 |
|
---|
1795 | if (group_id != s->s3.group_id) {
|
---|
1796 | /*
|
---|
1797 | * This isn't for the group that we sent in the original
|
---|
1798 | * key_share!
|
---|
1799 | */
|
---|
1800 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
|
---|
1801 | return 0;
|
---|
1802 | }
|
---|
1803 | /* Retain this group in the SSL_SESSION */
|
---|
1804 | if (!s->hit) {
|
---|
1805 | s->session->kex_group = group_id;
|
---|
1806 | } else if (group_id != s->session->kex_group) {
|
---|
1807 | /*
|
---|
1808 | * If this is a resumption but changed what group was used, we need
|
---|
1809 | * to record the new group in the session, but the session is not
|
---|
1810 | * a new session and could be in use by other threads. So, make
|
---|
1811 | * a copy of the session to record the new information so that it's
|
---|
1812 | * useful for any sessions resumed from tickets issued on this
|
---|
1813 | * connection.
|
---|
1814 | */
|
---|
1815 | SSL_SESSION *new_sess;
|
---|
1816 |
|
---|
1817 | if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
|
---|
1818 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
|
---|
1819 | return 0;
|
---|
1820 | }
|
---|
1821 | SSL_SESSION_free(s->session);
|
---|
1822 | s->session = new_sess;
|
---|
1823 | s->session->kex_group = group_id;
|
---|
1824 | }
|
---|
1825 |
|
---|
1826 | if ((ginf = tls1_group_id_lookup(s->ctx, group_id)) == NULL) {
|
---|
1827 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
|
---|
1828 | return 0;
|
---|
1829 | }
|
---|
1830 |
|
---|
1831 | if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
|
---|
1832 | || PACKET_remaining(&encoded_pt) == 0) {
|
---|
1833 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
|
---|
1834 | return 0;
|
---|
1835 | }
|
---|
1836 |
|
---|
1837 | if (!ginf->is_kem) {
|
---|
1838 | /* Regular KEX */
|
---|
1839 | skey = EVP_PKEY_new();
|
---|
1840 | if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
|
---|
1841 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
|
---|
1842 | EVP_PKEY_free(skey);
|
---|
1843 | return 0;
|
---|
1844 | }
|
---|
1845 |
|
---|
1846 | if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
|
---|
1847 | PACKET_remaining(&encoded_pt)) <= 0) {
|
---|
1848 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
|
---|
1849 | EVP_PKEY_free(skey);
|
---|
1850 | return 0;
|
---|
1851 | }
|
---|
1852 |
|
---|
1853 | if (ssl_derive(s, ckey, skey, 1) == 0) {
|
---|
1854 | /* SSLfatal() already called */
|
---|
1855 | EVP_PKEY_free(skey);
|
---|
1856 | return 0;
|
---|
1857 | }
|
---|
1858 | s->s3.peer_tmp = skey;
|
---|
1859 | } else {
|
---|
1860 | /* KEM Mode */
|
---|
1861 | const unsigned char *ct = PACKET_data(&encoded_pt);
|
---|
1862 | size_t ctlen = PACKET_remaining(&encoded_pt);
|
---|
1863 |
|
---|
1864 | if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
|
---|
1865 | /* SSLfatal() already called */
|
---|
1866 | return 0;
|
---|
1867 | }
|
---|
1868 | }
|
---|
1869 | s->s3.did_kex = 1;
|
---|
1870 | #endif
|
---|
1871 |
|
---|
1872 | return 1;
|
---|
1873 | }
|
---|
1874 |
|
---|
1875 | int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1876 | size_t chainidx)
|
---|
1877 | {
|
---|
1878 | PACKET cookie;
|
---|
1879 |
|
---|
1880 | if (!PACKET_as_length_prefixed_2(pkt, &cookie)
|
---|
1881 | || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
|
---|
1882 | &s->ext.tls13_cookie_len)) {
|
---|
1883 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
|
---|
1884 | return 0;
|
---|
1885 | }
|
---|
1886 |
|
---|
1887 | return 1;
|
---|
1888 | }
|
---|
1889 |
|
---|
1890 | int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
|
---|
1891 | X509 *x, size_t chainidx)
|
---|
1892 | {
|
---|
1893 | if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
|
---|
1894 | unsigned long max_early_data;
|
---|
1895 |
|
---|
1896 | if (!PACKET_get_net_4(pkt, &max_early_data)
|
---|
1897 | || PACKET_remaining(pkt) != 0) {
|
---|
1898 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
|
---|
1899 | return 0;
|
---|
1900 | }
|
---|
1901 |
|
---|
1902 | s->session->ext.max_early_data = max_early_data;
|
---|
1903 |
|
---|
1904 | return 1;
|
---|
1905 | }
|
---|
1906 |
|
---|
1907 | if (PACKET_remaining(pkt) != 0) {
|
---|
1908 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
|
---|
1909 | return 0;
|
---|
1910 | }
|
---|
1911 |
|
---|
1912 | if (!s->ext.early_data_ok
|
---|
1913 | || !s->hit) {
|
---|
1914 | /*
|
---|
1915 | * If we get here then we didn't send early data, or we didn't resume
|
---|
1916 | * using the first identity, or the SNI/ALPN is not consistent so the
|
---|
1917 | * server should not be accepting it.
|
---|
1918 | */
|
---|
1919 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
|
---|
1920 | return 0;
|
---|
1921 | }
|
---|
1922 |
|
---|
1923 | s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
|
---|
1924 |
|
---|
1925 | return 1;
|
---|
1926 | }
|
---|
1927 |
|
---|
1928 | int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
|
---|
1929 | size_t chainidx)
|
---|
1930 | {
|
---|
1931 | #ifndef OPENSSL_NO_TLS1_3
|
---|
1932 | unsigned int identity;
|
---|
1933 |
|
---|
1934 | if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
|
---|
1935 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
|
---|
1936 | return 0;
|
---|
1937 | }
|
---|
1938 |
|
---|
1939 | if (identity >= (unsigned int)s->ext.tick_identity) {
|
---|
1940 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
|
---|
1941 | return 0;
|
---|
1942 | }
|
---|
1943 |
|
---|
1944 | /*
|
---|
1945 | * Session resumption tickets are always sent before PSK tickets. If the
|
---|
1946 | * ticket index is 0 then it must be for a session resumption ticket if we
|
---|
1947 | * sent two tickets, or if we didn't send a PSK ticket.
|
---|
1948 | */
|
---|
1949 | if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
|
---|
1950 | s->hit = 1;
|
---|
1951 | SSL_SESSION_free(s->psksession);
|
---|
1952 | s->psksession = NULL;
|
---|
1953 | return 1;
|
---|
1954 | }
|
---|
1955 |
|
---|
1956 | if (s->psksession == NULL) {
|
---|
1957 | /* Should never happen */
|
---|
1958 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
---|
1959 | return 0;
|
---|
1960 | }
|
---|
1961 |
|
---|
1962 | /*
|
---|
1963 | * If we used the external PSK for sending early_data then s->early_secret
|
---|
1964 | * is already set up, so don't overwrite it. Otherwise we copy the
|
---|
1965 | * early_secret across that we generated earlier.
|
---|
1966 | */
|
---|
1967 | if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
|
---|
1968 | && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
|
---|
1969 | || s->session->ext.max_early_data > 0
|
---|
1970 | || s->psksession->ext.max_early_data == 0)
|
---|
1971 | memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
|
---|
1972 |
|
---|
1973 | SSL_SESSION_free(s->session);
|
---|
1974 | s->session = s->psksession;
|
---|
1975 | s->psksession = NULL;
|
---|
1976 | s->hit = 1;
|
---|
1977 | /* Early data is only allowed if we used the first ticket */
|
---|
1978 | if (identity != 0)
|
---|
1979 | s->ext.early_data_ok = 0;
|
---|
1980 | #endif
|
---|
1981 |
|
---|
1982 | return 1;
|
---|
1983 | }
|
---|