Path: blob/main/crypto/openssl/ssl/statem/extensions_clnt.c
105333 views
/*1* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89#include <openssl/ocsp.h>10#include "../ssl_local.h"11#include "internal/cryptlib.h"12#include "internal/ssl_unwrap.h"13#include "statem_local.h"1415EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,16unsigned int context, X509 *x,17size_t chainidx)18{19if (!s->renegotiate) {20/* If not renegotiating, send an empty RI extension to indicate support */2122#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION23#error Internal DTLS version error24#endif2526if (!SSL_CONNECTION_IS_DTLS(s)27&& (s->min_proto_version >= TLS1_3_VERSION28|| (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)29&& s->min_proto_version <= TLS1_VERSION))) {30/*31* For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this32* extension isn't used at all.33*/34return EXT_RETURN_NOT_SENT;35}3637if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)38|| !WPACKET_start_sub_packet_u16(pkt)39|| !WPACKET_put_bytes_u8(pkt, 0)40|| !WPACKET_close(pkt)) {41SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);42return EXT_RETURN_FAIL;43}4445return EXT_RETURN_SENT;46}4748/* Add a complete RI extension if renegotiating */49if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)50|| !WPACKET_start_sub_packet_u16(pkt)51|| !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,52s->s3.previous_client_finished_len)53|| !WPACKET_close(pkt)) {54SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);55return EXT_RETURN_FAIL;56}5758return EXT_RETURN_SENT;59}6061EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,62unsigned int context, X509 *x,63size_t chainidx)64{65if (s->ext.hostname == NULL)66return EXT_RETURN_NOT_SENT;6768/* Add TLS extension servername to the Client Hello message */69if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)70/* Sub-packet for server_name extension */71|| !WPACKET_start_sub_packet_u16(pkt)72/* Sub-packet for servername list (always 1 hostname)*/73|| !WPACKET_start_sub_packet_u16(pkt)74|| !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)75|| !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,76strlen(s->ext.hostname))77|| !WPACKET_close(pkt)78|| !WPACKET_close(pkt)) {79SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);80return EXT_RETURN_FAIL;81}8283return EXT_RETURN_SENT;84}8586/* Push a Max Fragment Len extension into ClientHello */87EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,88unsigned int context, X509 *x,89size_t chainidx)90{91if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)92return EXT_RETURN_NOT_SENT;9394/* Add Max Fragment Length extension if client enabled it. */95/*-96* 4 bytes for this extension type and extension length97* 1 byte for the Max Fragment Length code value.98*/99if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)100/* Sub-packet for Max Fragment Length extension (1 byte) */101|| !WPACKET_start_sub_packet_u16(pkt)102|| !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)103|| !WPACKET_close(pkt)) {104SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);105return EXT_RETURN_FAIL;106}107108return EXT_RETURN_SENT;109}110111#ifndef OPENSSL_NO_SRP112EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,113unsigned int context,114X509 *x, size_t chainidx)115{116/* Add SRP username if there is one */117if (s->srp_ctx.login == NULL)118return EXT_RETURN_NOT_SENT;119120if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)121/* Sub-packet for SRP extension */122|| !WPACKET_start_sub_packet_u16(pkt)123|| !WPACKET_start_sub_packet_u8(pkt)124/* login must not be zero...internal error if so */125|| !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)126|| !WPACKET_memcpy(pkt, s->srp_ctx.login,127strlen(s->srp_ctx.login))128|| !WPACKET_close(pkt)129|| !WPACKET_close(pkt)) {130SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);131return EXT_RETURN_FAIL;132}133134return EXT_RETURN_SENT;135}136#endif137138static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)139{140int i, end, ret = 0;141unsigned long alg_k, alg_a;142STACK_OF(SSL_CIPHER) *cipher_stack = NULL;143const uint16_t *pgroups = NULL;144size_t num_groups, j;145SSL *ssl = SSL_CONNECTION_GET_SSL(s);146147/* See if we support any ECC ciphersuites */148if (s->version == SSL3_VERSION)149return 0;150151cipher_stack = SSL_get1_supported_ciphers(ssl);152end = sk_SSL_CIPHER_num(cipher_stack);153for (i = 0; i < end; i++) {154const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);155156alg_k = c->algorithm_mkey;157alg_a = c->algorithm_auth;158if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))159|| (alg_a & SSL_aECDSA)160|| c->min_tls >= TLS1_3_VERSION) {161ret = 1;162break;163}164}165sk_SSL_CIPHER_free(cipher_stack);166if (!ret)167return 0;168169/* Check we have at least one EC supported group */170tls1_get_supported_groups(s, &pgroups, &num_groups);171for (j = 0; j < num_groups; j++) {172uint16_t ctmp = pgroups[j];173174if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)175&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))176return 1;177}178179return 0;180}181182EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,183unsigned int context, X509 *x,184size_t chainidx)185{186const unsigned char *pformats;187size_t num_formats;188int reason, min_version, max_version;189190reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);191if (reason != 0) {192SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);193return EXT_RETURN_FAIL;194}195if (!use_ecc(s, min_version, max_version))196return EXT_RETURN_NOT_SENT;197198/* Add TLS extension ECPointFormats to the ClientHello message */199tls1_get_formatlist(s, &pformats, &num_formats);200201if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)202/* Sub-packet for formats extension */203|| !WPACKET_start_sub_packet_u16(pkt)204|| !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)205|| !WPACKET_close(pkt)) {206SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);207return EXT_RETURN_FAIL;208}209210return EXT_RETURN_SENT;211}212213EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,214unsigned int context, X509 *x,215size_t chainidx)216{217const uint16_t *pgroups = NULL;218size_t num_groups = 0, i, tls13added = 0, added = 0;219int min_version, max_version, reason;220221reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);222if (reason != 0) {223SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);224return EXT_RETURN_FAIL;225}226227/*228* We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore229* if we don't have EC support then we don't send this extension.230*/231if (!use_ecc(s, min_version, max_version)232&& (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))233return EXT_RETURN_NOT_SENT;234235/*236* Add TLS extension supported_groups to the ClientHello message237*/238tls1_get_supported_groups(s, &pgroups, &num_groups);239240if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)241/* Sub-packet for supported_groups extension */242|| !WPACKET_start_sub_packet_u16(pkt)243|| !WPACKET_start_sub_packet_u16(pkt)244|| !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {245SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);246return EXT_RETURN_FAIL;247}248/* Copy group ID if supported */249for (i = 0; i < num_groups; i++) {250uint16_t ctmp = pgroups[i];251int okfortls13;252253if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)254&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {255if (!WPACKET_put_bytes_u16(pkt, ctmp)) {256SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);257return EXT_RETURN_FAIL;258}259if (okfortls13 && max_version == TLS1_3_VERSION)260tls13added++;261added++;262}263}264if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {265if (added == 0)266SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,267"No groups enabled for max supported SSL/TLS version");268else269SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);270return EXT_RETURN_FAIL;271}272273if (tls13added == 0 && max_version == TLS1_3_VERSION) {274SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,275"No groups enabled for max supported SSL/TLS version");276return EXT_RETURN_FAIL;277}278279return EXT_RETURN_SENT;280}281282EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,283unsigned int context, X509 *x,284size_t chainidx)285{286size_t ticklen;287288if (!tls_use_ticket(s))289return EXT_RETURN_NOT_SENT;290291if (!s->new_session && s->session != NULL292&& s->session->ext.tick != NULL293&& s->session->ssl_version != TLS1_3_VERSION) {294ticklen = s->session->ext.ticklen;295} else if (s->session && s->ext.session_ticket != NULL296&& s->ext.session_ticket->data != NULL) {297ticklen = s->ext.session_ticket->length;298s->session->ext.tick = OPENSSL_malloc(ticklen);299if (s->session->ext.tick == NULL) {300SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);301return EXT_RETURN_FAIL;302}303memcpy(s->session->ext.tick,304s->ext.session_ticket->data, ticklen);305s->session->ext.ticklen = ticklen;306} else {307ticklen = 0;308}309310if (ticklen == 0 && s->ext.session_ticket != NULL && s->ext.session_ticket->data == NULL)311return EXT_RETURN_NOT_SENT;312313if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)314|| !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {315SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);316return EXT_RETURN_FAIL;317}318319return EXT_RETURN_SENT;320}321322EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,323unsigned int context, X509 *x,324size_t chainidx)325{326size_t salglen;327const uint16_t *salg;328329/*330* This used both in the initial hello and as part of renegotiation,331* in the latter case, the client version may be already set and may332* be lower than that initially offered in `client_version`.333*/334if (!SSL_CONNECTION_IS_DTLS(s)) {335if (s->client_version < TLS1_2_VERSION336|| (s->ssl.method->version != TLS_ANY_VERSION337&& s->version < TLS1_2_VERSION))338return EXT_RETURN_NOT_SENT;339} else {340if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION)341|| (s->ssl.method->version != DTLS_ANY_VERSION342&& DTLS_VERSION_LT(s->version, DTLS1_2_VERSION)))343return EXT_RETURN_NOT_SENT;344}345346salglen = tls12_get_psigalgs(s, 1, &salg);347if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)348/* Sub-packet for sig-algs extension */349|| !WPACKET_start_sub_packet_u16(pkt)350/* Sub-packet for the actual list */351|| !WPACKET_start_sub_packet_u16(pkt)352|| !tls12_copy_sigalgs(s, pkt, salg, salglen)353|| !WPACKET_close(pkt)354|| !WPACKET_close(pkt)) {355SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);356return EXT_RETURN_FAIL;357}358359return EXT_RETURN_SENT;360}361362#ifndef OPENSSL_NO_OCSP363EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,364unsigned int context, X509 *x,365size_t chainidx)366{367int i;368369/* This extension isn't defined for client Certificates */370if (x != NULL)371return EXT_RETURN_NOT_SENT;372373if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)374return EXT_RETURN_NOT_SENT;375376if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)377/* Sub-packet for status request extension */378|| !WPACKET_start_sub_packet_u16(pkt)379|| !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)380/* Sub-packet for the ids */381|| !WPACKET_start_sub_packet_u16(pkt)) {382SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);383return EXT_RETURN_FAIL;384}385for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {386unsigned char *idbytes;387OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);388int idlen = i2d_OCSP_RESPID(id, NULL);389390if (idlen <= 0391/* Sub-packet for an individual id */392|| !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)393|| i2d_OCSP_RESPID(id, &idbytes) != idlen) {394SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);395return EXT_RETURN_FAIL;396}397}398if (!WPACKET_close(pkt)399|| !WPACKET_start_sub_packet_u16(pkt)) {400SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);401return EXT_RETURN_FAIL;402}403if (s->ext.ocsp.exts) {404unsigned char *extbytes;405int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);406407if (extlen < 0) {408SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);409return EXT_RETURN_FAIL;410}411if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)412|| i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)413!= extlen) {414SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);415return EXT_RETURN_FAIL;416}417}418if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {419SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);420return EXT_RETURN_FAIL;421}422423return EXT_RETURN_SENT;424}425#endif426427#ifndef OPENSSL_NO_NEXTPROTONEG428EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,429unsigned int context,430X509 *x, size_t chainidx)431{432if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL433|| !SSL_IS_FIRST_HANDSHAKE(s))434return EXT_RETURN_NOT_SENT;435436/*437* The client advertises an empty extension to indicate its support438* for Next Protocol Negotiation439*/440if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)441|| !WPACKET_put_bytes_u16(pkt, 0)) {442SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);443return EXT_RETURN_FAIL;444}445446return EXT_RETURN_SENT;447}448#endif449450EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,451unsigned int context,452X509 *x, size_t chainidx)453{454s->s3.alpn_sent = 0;455456if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))457return EXT_RETURN_NOT_SENT;458459if (!WPACKET_put_bytes_u16(pkt,460TLSEXT_TYPE_application_layer_protocol_negotiation)461/* Sub-packet ALPN extension */462|| !WPACKET_start_sub_packet_u16(pkt)463|| !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)464|| !WPACKET_close(pkt)) {465SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);466return EXT_RETURN_FAIL;467}468s->s3.alpn_sent = 1;469470return EXT_RETURN_SENT;471}472473#ifndef OPENSSL_NO_SRTP474EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,475unsigned int context, X509 *x,476size_t chainidx)477{478SSL *ssl = SSL_CONNECTION_GET_SSL(s);479STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);480int i, end;481482if (clnt == NULL)483return EXT_RETURN_NOT_SENT;484485if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)486/* Sub-packet for SRTP extension */487|| !WPACKET_start_sub_packet_u16(pkt)488/* Sub-packet for the protection profile list */489|| !WPACKET_start_sub_packet_u16(pkt)) {490SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);491return EXT_RETURN_FAIL;492}493494end = sk_SRTP_PROTECTION_PROFILE_num(clnt);495for (i = 0; i < end; i++) {496const SRTP_PROTECTION_PROFILE *prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);497498if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {499SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);500return EXT_RETURN_FAIL;501}502}503if (!WPACKET_close(pkt)504/* Add an empty use_mki value */505|| !WPACKET_put_bytes_u8(pkt, 0)506|| !WPACKET_close(pkt)) {507SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);508return EXT_RETURN_FAIL;509}510511return EXT_RETURN_SENT;512}513#endif514515EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,516unsigned int context,517X509 *x, size_t chainidx)518{519if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)520return EXT_RETURN_NOT_SENT;521522if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)523|| !WPACKET_put_bytes_u16(pkt, 0)) {524SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);525return EXT_RETURN_FAIL;526}527528return EXT_RETURN_SENT;529}530531#ifndef OPENSSL_NO_CT532EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,533unsigned int context,534X509 *x, size_t chainidx)535{536if (s->ct_validation_callback == NULL)537return EXT_RETURN_NOT_SENT;538539/* Not defined for client Certificates */540if (x != NULL)541return EXT_RETURN_NOT_SENT;542543if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)544|| !WPACKET_put_bytes_u16(pkt, 0)) {545SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);546return EXT_RETURN_FAIL;547}548549return EXT_RETURN_SENT;550}551#endif552553EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,554unsigned int context,555X509 *x, size_t chainidx)556{557if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)558return EXT_RETURN_NOT_SENT;559560if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)561|| !WPACKET_put_bytes_u16(pkt, 0)) {562SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);563return EXT_RETURN_FAIL;564}565566return EXT_RETURN_SENT;567}568569EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,570unsigned int context, X509 *x,571size_t chainidx)572{573int currv, min_version, max_version, reason;574575reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);576if (reason != 0) {577SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);578return EXT_RETURN_FAIL;579}580581/*582* Don't include this if we can't negotiate TLSv1.3. We can do a straight583* comparison here because we will never be called in DTLS.584*/585if (max_version < TLS1_3_VERSION)586return EXT_RETURN_NOT_SENT;587588if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)589|| !WPACKET_start_sub_packet_u16(pkt)590|| !WPACKET_start_sub_packet_u8(pkt)) {591SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);592return EXT_RETURN_FAIL;593}594595for (currv = max_version; currv >= min_version; currv--) {596if (!WPACKET_put_bytes_u16(pkt, currv)) {597SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);598return EXT_RETURN_FAIL;599}600}601if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {602SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);603return EXT_RETURN_FAIL;604}605606return EXT_RETURN_SENT;607}608609/*610* Construct a psk_kex_modes extension.611*/612EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,613unsigned int context, X509 *x,614size_t chainidx)615{616#ifndef OPENSSL_NO_TLS1_3617int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;618619if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)620|| !WPACKET_start_sub_packet_u16(pkt)621|| !WPACKET_start_sub_packet_u8(pkt)622|| !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)623|| (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))624|| !WPACKET_close(pkt)625|| !WPACKET_close(pkt)) {626SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);627return EXT_RETURN_FAIL;628}629630s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;631if (nodhe)632s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;633#endif634635return EXT_RETURN_SENT;636}637638#ifndef OPENSSL_NO_TLS1_3639static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num)640{641unsigned char *encoded_pubkey = NULL;642EVP_PKEY *key_share_key = NULL;643size_t encodedlen;644645if (loop_num < s->s3.tmp.num_ks_pkey) {646if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)647|| !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) {648SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);649return 0;650}651/*652* Could happen if we got an HRR that wasn't requesting a new key_share653*/654key_share_key = s->s3.tmp.ks_pkey[loop_num];655} else {656key_share_key = ssl_generate_pkey_group(s, group_id);657if (key_share_key == NULL) {658/* SSLfatal() already called */659return 0;660}661}662663/* Encode the public key. */664encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,665&encoded_pubkey);666if (encodedlen == 0) {667SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);668goto err;669}670671/* Create KeyShareEntry */672if (!WPACKET_put_bytes_u16(pkt, group_id)673|| !WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encodedlen)) {674SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);675goto err;676}677678/* For backward compatibility, we use the first valid group to add a key share */679if (loop_num == 0) {680s->s3.tmp.pkey = key_share_key;681s->s3.group_id = group_id;682}683/* We ensure in t1_lib.c that the loop number does not exceed OPENSSL_CLIENT_MAX_KEY_SHARES */684s->s3.tmp.ks_pkey[loop_num] = key_share_key;685s->s3.tmp.ks_group_id[loop_num] = group_id;686if (loop_num >= s->s3.tmp.num_ks_pkey)687s->s3.tmp.num_ks_pkey++;688689OPENSSL_free(encoded_pubkey);690691return 1;692err:693if (key_share_key != s->s3.tmp.ks_pkey[loop_num])694EVP_PKEY_free(key_share_key);695OPENSSL_free(encoded_pubkey);696return 0;697}698#endif699700EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,701unsigned int context, X509 *x,702size_t chainidx)703{704#ifndef OPENSSL_NO_TLS1_3705size_t i, num_groups = 0;706const uint16_t *pgroups = NULL;707uint16_t group_id = 0;708int add_only_one = 0;709size_t valid_keyshare = 0;710711/* key_share extension */712if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)713/* Extension data sub-packet */714|| !WPACKET_start_sub_packet_u16(pkt)715/* KeyShare list sub-packet */716|| !WPACKET_start_sub_packet_u16(pkt)) {717SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);718return EXT_RETURN_FAIL;719}720721tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups);722if (num_groups == 1 && pgroups[0] == 0) { /* Indication that no * prefix was used */723tls1_get_supported_groups(s, &pgroups, &num_groups);724add_only_one = 1;725}726727/* If neither the default nor the keyshares have any entry --> fatal */728if (num_groups == 0) {729SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);730return EXT_RETURN_FAIL;731}732733/* Add key shares */734735if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) {736/* new, single key share */737group_id = s->s3.group_id;738s->s3.tmp.num_ks_pkey = 0;739if (!add_key_share(s, pkt, group_id, 0)) {740/* SSLfatal() already called */741return EXT_RETURN_FAIL;742}743valid_keyshare++;744} else {745if (s->ext.supportedgroups == NULL) /* use default */746add_only_one = 1;747748for (i = 0; i < num_groups; i++) {749if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))750continue;751if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,7520, NULL))753continue;754755group_id = pgroups[i];756757if (group_id == 0) {758SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);759return EXT_RETURN_FAIL;760}761if (!add_key_share(s, pkt, group_id, valid_keyshare)) {762/* SSLfatal() already called */763return EXT_RETURN_FAIL;764}765valid_keyshare++;766if (add_only_one)767break;768}769}770771if (valid_keyshare == 0) {772/* No key shares were allowed */773SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);774return EXT_RETURN_FAIL;775}776777if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {778SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);779return EXT_RETURN_FAIL;780}781return EXT_RETURN_SENT;782#else783return EXT_RETURN_NOT_SENT;784#endif785}786787EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,788unsigned int context,789X509 *x, size_t chainidx)790{791EXT_RETURN ret = EXT_RETURN_FAIL;792793/* Should only be set if we've had an HRR */794if (s->ext.tls13_cookie_len == 0)795return EXT_RETURN_NOT_SENT;796797if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)798/* Extension data sub-packet */799|| !WPACKET_start_sub_packet_u16(pkt)800|| !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,801s->ext.tls13_cookie_len)802|| !WPACKET_close(pkt)) {803SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);804goto end;805}806807ret = EXT_RETURN_SENT;808end:809OPENSSL_free(s->ext.tls13_cookie);810s->ext.tls13_cookie = NULL;811s->ext.tls13_cookie_len = 0;812813return ret;814}815816EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,817unsigned int context, X509 *x,818size_t chainidx)819{820#ifndef OPENSSL_NO_PSK821char identity[PSK_MAX_IDENTITY_LEN + 1];822#endif /* OPENSSL_NO_PSK */823const unsigned char *id = NULL;824size_t idlen = 0;825SSL_SESSION *psksess = NULL;826SSL_SESSION *edsess = NULL;827const EVP_MD *handmd = NULL;828SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);829830if (s->hello_retry_request == SSL_HRR_PENDING)831handmd = ssl_handshake_md(s);832833if (s->psk_use_session_cb != NULL834&& (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess)835|| (psksess != NULL836&& psksess->ssl_version != TLS1_3_VERSION))) {837SSL_SESSION_free(psksess);838SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);839return EXT_RETURN_FAIL;840}841842#ifndef OPENSSL_NO_PSK843if (psksess == NULL && s->psk_client_callback != NULL) {844unsigned char psk[PSK_MAX_PSK_LEN];845size_t psklen = 0;846847memset(identity, 0, sizeof(identity));848psklen = s->psk_client_callback(ussl, NULL,849identity, sizeof(identity) - 1,850psk, sizeof(psk));851852if (psklen > PSK_MAX_PSK_LEN) {853SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);854return EXT_RETURN_FAIL;855} else if (psklen > 0) {856const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };857const SSL_CIPHER *cipher;858859idlen = strlen(identity);860if (idlen > PSK_MAX_IDENTITY_LEN) {861SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);862return EXT_RETURN_FAIL;863}864id = (unsigned char *)identity;865866/*867* We found a PSK using an old style callback. We don't know868* the digest so we default to SHA256 as per the TLSv1.3 spec869*/870cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),871tls13_aes128gcmsha256_id);872if (cipher == NULL) {873SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);874return EXT_RETURN_FAIL;875}876877psksess = SSL_SESSION_new();878if (psksess == NULL879|| !SSL_SESSION_set1_master_key(psksess, psk, psklen)880|| !SSL_SESSION_set_cipher(psksess, cipher)881|| !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {882SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);883OPENSSL_cleanse(psk, psklen);884return EXT_RETURN_FAIL;885}886OPENSSL_cleanse(psk, psklen);887}888}889#endif /* OPENSSL_NO_PSK */890891SSL_SESSION_free(s->psksession);892s->psksession = psksess;893if (psksess != NULL) {894OPENSSL_free(s->psksession_id);895s->psksession_id = OPENSSL_memdup(id, idlen);896if (s->psksession_id == NULL) {897s->psksession_id_len = 0;898SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);899return EXT_RETURN_FAIL;900}901s->psksession_id_len = idlen;902}903904if (s->early_data_state != SSL_EARLY_DATA_CONNECTING905|| (s->session->ext.max_early_data == 0906&& (psksess == NULL || psksess->ext.max_early_data == 0))) {907s->max_early_data = 0;908return EXT_RETURN_NOT_SENT;909}910edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;911s->max_early_data = edsess->ext.max_early_data;912913if (edsess->ext.hostname != NULL) {914if (s->ext.hostname == NULL915|| (s->ext.hostname != NULL916&& strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {917SSLfatal(s, SSL_AD_INTERNAL_ERROR,918SSL_R_INCONSISTENT_EARLY_DATA_SNI);919return EXT_RETURN_FAIL;920}921}922923if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {924SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);925return EXT_RETURN_FAIL;926}927928/*929* Verify that we are offering an ALPN protocol consistent with the early930* data.931*/932if (edsess->ext.alpn_selected != NULL) {933PACKET prots, alpnpkt;934int found = 0;935936if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {937SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);938return EXT_RETURN_FAIL;939}940while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {941if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,942edsess->ext.alpn_selected_len)) {943found = 1;944break;945}946}947if (!found) {948SSLfatal(s, SSL_AD_INTERNAL_ERROR,949SSL_R_INCONSISTENT_EARLY_DATA_ALPN);950return EXT_RETURN_FAIL;951}952}953954if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)955|| !WPACKET_start_sub_packet_u16(pkt)956|| !WPACKET_close(pkt)) {957SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);958return EXT_RETURN_FAIL;959}960961/*962* We set this to rejected here. Later, if the server acknowledges the963* extension, we set it to accepted.964*/965s->ext.early_data = SSL_EARLY_DATA_REJECTED;966s->ext.early_data_ok = 1;967968return EXT_RETURN_SENT;969}970971#define F5_WORKAROUND_MIN_MSG_LEN 0xff972#define F5_WORKAROUND_MAX_MSG_LEN 0x200973974/*975* PSK pre binder overhead =976* 2 bytes for TLSEXT_TYPE_psk977* 2 bytes for extension length978* 2 bytes for identities list length979* 2 bytes for identity length980* 4 bytes for obfuscated_ticket_age981* 2 bytes for binder list length982* 1 byte for binder length983* The above excludes the number of bytes for the identity itself and the984* subsequent binder bytes985*/986#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)987988EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,989unsigned int context, X509 *x,990size_t chainidx)991{992unsigned char *padbytes;993size_t hlen;994995if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)996return EXT_RETURN_NOT_SENT;997998/*999* Add padding to workaround bugs in F5 terminators. See RFC7685.1000* This code calculates the length of all extensions added so far but1001* excludes the PSK extension (because that MUST be written last). Therefore1002* this extension MUST always appear second to last.1003*/1004if (!WPACKET_get_total_written(pkt, &hlen)) {1005SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1006return EXT_RETURN_FAIL;1007}10081009/*1010* If we're going to send a PSK then that will be written out after this1011* extension, so we need to calculate how long it is going to be.1012*/1013if (s->session->ssl_version == TLS1_3_VERSION1014&& s->session->ext.ticklen != 01015&& s->session->cipher != NULL) {1016const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),1017s->session->cipher->algorithm2);10181019if (md != NULL) {1020/*1021* Add the fixed PSK overhead, the identity length and the binder1022* length.1023*/1024int md_size = EVP_MD_get_size(md);10251026if (md_size <= 0)1027return EXT_RETURN_FAIL;1028hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen1029+ md_size;1030}1031}10321033if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {1034/* Calculate the amount of padding we need to add */1035hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;10361037/*1038* Take off the size of extension header itself (2 bytes for type and1039* 2 bytes for length bytes), but ensure that the extension is at least1040* 1 byte long so as not to have an empty extension last (WebSphere 7.x,1041* 8.x are intolerant of that condition)1042*/1043if (hlen > 4)1044hlen -= 4;1045else1046hlen = 1;10471048if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)1049|| !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {1050SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1051return EXT_RETURN_FAIL;1052}1053memset(padbytes, 0, hlen);1054}10551056return EXT_RETURN_SENT;1057}10581059/*1060* Construct the pre_shared_key extension1061*/1062EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,1063unsigned int context,1064X509 *x, size_t chainidx)1065{1066#ifndef OPENSSL_NO_TLS1_31067uint32_t agesec, agems = 0;1068size_t binderoffset, msglen;1069int reshashsize = 0, pskhashsize = 0;1070unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;1071const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;1072int dores = 0;1073SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);1074OSSL_TIME t;10751076s->ext.tick_identity = 0;10771078/*1079* Note: At this stage of the code we only support adding a single1080* resumption PSK. If we add support for multiple PSKs then the length1081* calculations in the padding extension will need to be adjusted.1082*/10831084/*1085* If this is an incompatible or new session then we have nothing to resume1086* so don't add this extension.1087*/1088if (s->session->ssl_version != TLS1_3_VERSION1089|| (s->session->ext.ticklen == 0 && s->psksession == NULL))1090return EXT_RETURN_NOT_SENT;10911092if (s->hello_retry_request == SSL_HRR_PENDING)1093handmd = ssl_handshake_md(s);10941095if (s->session->ext.ticklen != 0) {1096/* Get the digest associated with the ciphersuite in the session */1097if (s->session->cipher == NULL) {1098SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1099return EXT_RETURN_FAIL;1100}1101mdres = ssl_md(sctx, s->session->cipher->algorithm2);1102if (mdres == NULL) {1103/*1104* Don't recognize this cipher so we can't use the session.1105* Ignore it1106*/1107goto dopsksess;1108}11091110if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {1111/*1112* Selected ciphersuite hash does not match the hash for the session1113* so we can't use it.1114*/1115goto dopsksess;1116}11171118/*1119* Technically the C standard just says time() returns a time_t and says1120* nothing about the encoding of that type. In practice most1121* implementations follow POSIX which holds it as an integral type in1122* seconds since epoch. We've already made the assumption that we can do1123* this in multiple places in the code, so portability shouldn't be an1124* issue.1125*/1126t = ossl_time_subtract(ossl_time_now(), s->session->time);1127agesec = (uint32_t)ossl_time2seconds(t);1128/*1129* We calculate the age in seconds but the server may work in ms. Due to1130* rounding errors we could overestimate the age by up to 1s. It is1131* better to underestimate it. Otherwise, if the RTT is very short, when1132* the server calculates the age reported by the client it could be1133* bigger than the age calculated on the server - which should never1134* happen.1135*/1136if (agesec > 0)1137agesec--;11381139if (s->session->ext.tick_lifetime_hint < agesec) {1140/* Ticket is too old. Ignore it. */1141goto dopsksess;1142}11431144/*1145* Calculate age in ms. We're just doing it to nearest second. Should be1146* good enough.1147*/1148agems = agesec * (uint32_t)1000;11491150if (agesec != 0 && agems / (uint32_t)1000 != agesec) {1151/*1152* Overflow. Shouldn't happen unless this is a *really* old session.1153* If so we just ignore it.1154*/1155goto dopsksess;1156}11571158/*1159* Obfuscate the age. Overflow here is fine, this addition is supposed1160* to be mod 2^32.1161*/1162agems += s->session->ext.tick_age_add;11631164reshashsize = EVP_MD_get_size(mdres);1165if (reshashsize <= 0)1166goto dopsksess;1167s->ext.tick_identity++;1168dores = 1;1169}11701171dopsksess:1172if (!dores && s->psksession == NULL)1173return EXT_RETURN_NOT_SENT;11741175if (s->psksession != NULL) {1176mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);1177if (mdpsk == NULL) {1178/*1179* Don't recognize this cipher so we can't use the session.1180* If this happens it's an application bug.1181*/1182SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);1183return EXT_RETURN_FAIL;1184}11851186if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {1187/*1188* Selected ciphersuite hash does not match the hash for the PSK1189* session. This is an application bug.1190*/1191SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);1192return EXT_RETURN_FAIL;1193}11941195pskhashsize = EVP_MD_get_size(mdpsk);1196if (pskhashsize <= 0) {1197SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);1198return EXT_RETURN_FAIL;1199}1200}12011202/* Create the extension, but skip over the binder for now */1203if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)1204|| !WPACKET_start_sub_packet_u16(pkt)1205|| !WPACKET_start_sub_packet_u16(pkt)) {1206SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1207return EXT_RETURN_FAIL;1208}12091210if (dores) {1211if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,1212s->session->ext.ticklen)1213|| !WPACKET_put_bytes_u32(pkt, agems)) {1214SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1215return EXT_RETURN_FAIL;1216}1217}12181219if (s->psksession != NULL) {1220if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,1221s->psksession_id_len)1222|| !WPACKET_put_bytes_u32(pkt, 0)) {1223SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1224return EXT_RETURN_FAIL;1225}1226s->ext.tick_identity++;1227}12281229if (!WPACKET_close(pkt)1230|| !WPACKET_get_total_written(pkt, &binderoffset)1231|| !WPACKET_start_sub_packet_u16(pkt)1232|| (dores1233&& !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))1234|| (s->psksession != NULL1235&& !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))1236|| !WPACKET_close(pkt)1237|| !WPACKET_close(pkt)1238|| !WPACKET_get_total_written(pkt, &msglen)1239/*1240* We need to fill in all the sub-packet lengths now so we can1241* calculate the HMAC of the message up to the binders1242*/1243|| !WPACKET_fill_lengths(pkt)) {1244SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1245return EXT_RETURN_FAIL;1246}12471248msgstart = WPACKET_get_curr(pkt) - msglen;12491250if (dores1251&& tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,1252resbinder, s->session, 1, 0)1253!= 1) {1254/* SSLfatal() already called */1255return EXT_RETURN_FAIL;1256}12571258if (s->psksession != NULL1259&& tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,1260pskbinder, s->psksession, 1, 1)1261!= 1) {1262/* SSLfatal() already called */1263return EXT_RETURN_FAIL;1264}12651266return EXT_RETURN_SENT;1267#else1268return EXT_RETURN_NOT_SENT;1269#endif1270}12711272EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,1273ossl_unused unsigned int context,1274ossl_unused X509 *x,1275ossl_unused size_t chainidx)1276{1277#ifndef OPENSSL_NO_TLS1_31278if (!s->pha_enabled)1279return EXT_RETURN_NOT_SENT;12801281/* construct extension - 0 length, no contents */1282if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)1283|| !WPACKET_start_sub_packet_u16(pkt)1284|| !WPACKET_close(pkt)) {1285SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1286return EXT_RETURN_FAIL;1287}12881289s->post_handshake_auth = SSL_PHA_EXT_SENT;12901291return EXT_RETURN_SENT;1292#else1293return EXT_RETURN_NOT_SENT;1294#endif1295}12961297/*1298* Parse the server's renegotiation binding and abort if it's not right1299*/1300int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,1301unsigned int context,1302X509 *x, size_t chainidx)1303{1304size_t expected_len = s->s3.previous_client_finished_len1305+ s->s3.previous_server_finished_len;1306size_t ilen;1307const unsigned char *data;13081309/* Check for logic errors */1310if (!ossl_assert(expected_len == 01311|| s->s3.previous_client_finished_len != 0)1312|| !ossl_assert(expected_len == 01313|| s->s3.previous_server_finished_len != 0)) {1314SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1315return 0;1316}13171318/* Parse the length byte */1319if (!PACKET_get_1_len(pkt, &ilen)) {1320SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);1321return 0;1322}13231324/* Consistency check */1325if (PACKET_remaining(pkt) != ilen) {1326SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);1327return 0;1328}13291330/* Check that the extension matches */1331if (ilen != expected_len) {1332SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);1333return 0;1334}13351336if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)1337|| memcmp(data, s->s3.previous_client_finished,1338s->s3.previous_client_finished_len)1339!= 0) {1340SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);1341return 0;1342}13431344if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)1345|| memcmp(data, s->s3.previous_server_finished,1346s->s3.previous_server_finished_len)1347!= 0) {1348SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);1349return 0;1350}1351s->s3.send_connection_binding = 1;13521353return 1;1354}13551356/* Parse the server's max fragment len extension packet */1357int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,1358unsigned int context,1359X509 *x, size_t chainidx)1360{1361unsigned int value;13621363if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {1364SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1365return 0;1366}13671368/* |value| should contains a valid max-fragment-length code. */1369if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {1370SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,1371SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);1372return 0;1373}13741375/* Must be the same value as client-configured one who was sent to server */1376/*-1377* RFC 6066: if a client receives a maximum fragment length negotiation1378* response that differs from the length it requested, ...1379* It must abort with SSL_AD_ILLEGAL_PARAMETER alert1380*/1381if (value != s->ext.max_fragment_len_mode) {1382SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,1383SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);1384return 0;1385}13861387/*1388* Maximum Fragment Length Negotiation succeeded.1389* The negotiated Maximum Fragment Length is binding now.1390*/1391s->session->ext.max_fragment_len_mode = value;13921393return 1;1394}13951396int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,1397unsigned int context,1398X509 *x, size_t chainidx)1399{1400if (s->ext.hostname == NULL) {1401SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1402return 0;1403}14041405if (PACKET_remaining(pkt) > 0) {1406SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1407return 0;1408}14091410if (!s->hit) {1411if (s->session->ext.hostname != NULL) {1412SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1413return 0;1414}1415s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);1416if (s->session->ext.hostname == NULL) {1417SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1418return 0;1419}1420}14211422return 1;1423}14241425int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,1426unsigned int context,1427X509 *x, size_t chainidx)1428{1429size_t ecpointformats_len;1430PACKET ecptformatlist;14311432if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {1433SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1434return 0;1435}1436if (!s->hit) {1437ecpointformats_len = PACKET_remaining(&ecptformatlist);1438if (ecpointformats_len == 0) {1439SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);1440return 0;1441}14421443s->ext.peer_ecpointformats_len = 0;1444OPENSSL_free(s->ext.peer_ecpointformats);1445s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);1446if (s->ext.peer_ecpointformats == NULL) {1447s->ext.peer_ecpointformats_len = 0;1448SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1449return 0;1450}14511452s->ext.peer_ecpointformats_len = ecpointformats_len;14531454if (!PACKET_copy_bytes(&ecptformatlist,1455s->ext.peer_ecpointformats,1456ecpointformats_len)) {1457SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1458return 0;1459}1460}14611462return 1;1463}14641465int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,1466unsigned int context,1467X509 *x, size_t chainidx)1468{1469SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);14701471if (s->ext.session_ticket_cb != NULL && !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), PACKET_remaining(pkt), s->ext.session_ticket_cb_arg)) {1472SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);1473return 0;1474}14751476if (!tls_use_ticket(s)) {1477SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1478return 0;1479}1480if (PACKET_remaining(pkt) > 0) {1481SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1482return 0;1483}14841485s->ext.ticket_expected = 1;14861487return 1;1488}14891490#ifndef OPENSSL_NO_OCSP1491int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,1492unsigned int context,1493X509 *x, size_t chainidx)1494{1495if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {1496/* We ignore this if the server sends a CertificateRequest */1497return 1;1498}14991500/*1501* MUST only be sent if we've requested a status1502* request message. In TLS <= 1.2 it must also be empty.1503*/1504if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {1505SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1506return 0;1507}1508if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {1509SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1510return 0;1511}15121513if (SSL_CONNECTION_IS_TLS13(s)) {1514/* We only know how to handle this if it's for the first Certificate in1515* the chain. We ignore any other responses.1516*/1517if (chainidx != 0)1518return 1;15191520/* SSLfatal() already called */1521return tls_process_cert_status_body(s, pkt);1522}15231524/* Set flag to expect CertificateStatus message */1525s->ext.status_expected = 1;15261527return 1;1528}1529#endif15301531#ifndef OPENSSL_NO_CT1532int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1533X509 *x, size_t chainidx)1534{1535if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {1536/* We ignore this if the server sends it in a CertificateRequest */1537return 1;1538}15391540/*1541* Only take it if we asked for it - i.e if there is no CT validation1542* callback set, then a custom extension MAY be processing it, so we1543* need to let control continue to flow to that.1544*/1545if (s->ct_validation_callback != NULL) {1546size_t size = PACKET_remaining(pkt);15471548/* Simply copy it off for later processing */1549OPENSSL_free(s->ext.scts);1550s->ext.scts = NULL;15511552s->ext.scts_len = (uint16_t)size;1553if (size > 0) {1554s->ext.scts = OPENSSL_malloc(size);1555if (s->ext.scts == NULL) {1556s->ext.scts_len = 0;1557SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);1558return 0;1559}1560if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {1561SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1562return 0;1563}1564}1565} else {1566ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 01567? ENDPOINT_CLIENT1568: ENDPOINT_BOTH;15691570/*1571* If we didn't ask for it then there must be a custom extension,1572* otherwise this is unsolicited.1573*/1574if (custom_ext_find(&s->cert->custext, role,1575TLSEXT_TYPE_signed_certificate_timestamp,1576NULL)1577== NULL) {1578SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1579return 0;1580}15811582if (!custom_ext_parse(s, context,1583TLSEXT_TYPE_signed_certificate_timestamp,1584PACKET_data(pkt), PACKET_remaining(pkt),1585x, chainidx)) {1586/* SSLfatal already called */1587return 0;1588}1589}15901591return 1;1592}1593#endif15941595#ifndef OPENSSL_NO_NEXTPROTONEG1596/*1597* ssl_next_proto_validate validates a Next Protocol Negotiation block. No1598* elements of zero length are allowed and the set of elements must exactly1599* fill the length of the block. Returns 1 on success or 0 on failure.1600*/1601static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)1602{1603PACKET tmp_protocol;16041605while (PACKET_remaining(pkt)) {1606if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)1607|| PACKET_remaining(&tmp_protocol) == 0) {1608SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1609return 0;1610}1611}16121613return 1;1614}16151616int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1617X509 *x, size_t chainidx)1618{1619unsigned char *selected;1620unsigned char selected_len;1621PACKET tmppkt;1622SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);16231624/* Check if we are in a renegotiation. If so ignore this extension */1625if (!SSL_IS_FIRST_HANDSHAKE(s))1626return 1;16271628/* We must have requested it. */1629if (sctx->ext.npn_select_cb == NULL) {1630SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1631return 0;1632}16331634/* The data must be valid */1635tmppkt = *pkt;1636if (!ssl_next_proto_validate(s, &tmppkt)) {1637/* SSLfatal() already called */1638return 0;1639}1640if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s),1641&selected, &selected_len,1642PACKET_data(pkt), PACKET_remaining(pkt),1643sctx->ext.npn_select_cb_arg)1644!= SSL_TLSEXT_ERR_OK1645|| selected_len == 0) {1646SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);1647return 0;1648}16491650/*1651* Could be non-NULL if server has sent multiple NPN extensions in1652* a single Serverhello1653*/1654OPENSSL_free(s->ext.npn);1655s->ext.npn = OPENSSL_malloc(selected_len);1656if (s->ext.npn == NULL) {1657s->ext.npn_len = 0;1658SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1659return 0;1660}16611662memcpy(s->ext.npn, selected, selected_len);1663s->ext.npn_len = selected_len;1664s->s3.npn_seen = 1;16651666return 1;1667}1668#endif16691670int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1671X509 *x, size_t chainidx)1672{1673size_t len;1674PACKET confpkt, protpkt;1675int valid = 0;16761677/* We must have requested it. */1678if (!s->s3.alpn_sent) {1679SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1680return 0;1681}1682/*-1683* The extension data consists of:1684* uint16 list_length1685* uint8 proto_length;1686* uint8 proto[proto_length];1687*/1688if (!PACKET_get_net_2_len(pkt, &len)1689|| PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)1690|| PACKET_remaining(pkt) != len) {1691SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1692return 0;1693}16941695/* It must be a protocol that we sent */1696if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {1697SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1698return 0;1699}1700while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {1701if (PACKET_remaining(&protpkt) != len)1702continue;1703if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {1704/* Valid protocol found */1705valid = 1;1706break;1707}1708}17091710if (!valid) {1711/* The protocol sent from the server does not match one we advertised */1712SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1713return 0;1714}17151716OPENSSL_free(s->s3.alpn_selected);1717s->s3.alpn_selected = OPENSSL_malloc(len);1718if (s->s3.alpn_selected == NULL) {1719s->s3.alpn_selected_len = 0;1720SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1721return 0;1722}1723if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {1724SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1725return 0;1726}1727s->s3.alpn_selected_len = len;17281729if (s->session->ext.alpn_selected == NULL1730|| s->session->ext.alpn_selected_len != len1731|| memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)1732!= 0) {1733/* ALPN not consistent with the old session so cannot use early_data */1734s->ext.early_data_ok = 0;1735}1736if (!s->hit) {1737/*1738* This is a new session and so alpn_selected should have been1739* initialised to NULL. We should update it with the selected ALPN.1740*/1741if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {1742SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1743return 0;1744}1745s->session->ext.alpn_selected = OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);1746if (s->session->ext.alpn_selected == NULL) {1747s->session->ext.alpn_selected_len = 0;1748SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1749return 0;1750}1751s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;1752}17531754return 1;1755}17561757#ifndef OPENSSL_NO_SRTP1758int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,1759unsigned int context, X509 *x, size_t chainidx)1760{1761unsigned int id, ct, mki;1762int i;1763STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;1764SRTP_PROTECTION_PROFILE *prof;17651766if (!PACKET_get_net_2(pkt, &ct) || ct != 21767|| !PACKET_get_net_2(pkt, &id)1768|| !PACKET_get_1(pkt, &mki)1769|| PACKET_remaining(pkt) != 0) {1770SSLfatal(s, SSL_AD_DECODE_ERROR,1771SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);1772return 0;1773}17741775if (mki != 0) {1776/* Must be no MKI, since we never offer one */1777SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);1778return 0;1779}17801781/* Throw an error if the server gave us an unsolicited extension */1782clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));1783if (clnt == NULL) {1784SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);1785return 0;1786}17871788/*1789* Check to see if the server gave us something we support (and1790* presumably offered)1791*/1792for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {1793prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);17941795if (prof->id == id) {1796s->srtp_profile = prof;1797return 1;1798}1799}18001801SSLfatal(s, SSL_AD_DECODE_ERROR,1802SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);1803return 0;1804}1805#endif18061807int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1808X509 *x, size_t chainidx)1809{1810/* Ignore if inappropriate ciphersuite */1811if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)1812&& s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD1813&& s->s3.tmp.new_cipher->algorithm_enc != SSL_RC41814&& s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT1815&& s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT121816&& s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA1817&& s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)1818s->ext.use_etm = 1;18191820return 1;1821}18221823int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1824X509 *x, size_t chainidx)1825{1826if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)1827return 1;1828s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;1829if (!s->hit)1830s->session->flags |= SSL_SESS_FLAG_EXTMS;18311832return 1;1833}18341835int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,1836unsigned int context,1837X509 *x, size_t chainidx)1838{1839unsigned int version;18401841if (!PACKET_get_net_2(pkt, &version)1842|| PACKET_remaining(pkt) != 0) {1843SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1844return 0;1845}18461847/*1848* The only protocol version we support which is valid in this extension in1849* a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.1850*/1851if (version != TLS1_3_VERSION) {1852SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,1853SSL_R_BAD_PROTOCOL_VERSION_NUMBER);1854return 0;1855}18561857/* We ignore this extension for HRRs except to sanity check it */1858if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)1859return 1;18601861/* We just set it here. We validate it in ssl_choose_client_version */1862s->version = version;1863if (!ssl_set_record_protocol_version(s, version)) {1864SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1865return 0;1866}18671868return 1;1869}18701871int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,1872unsigned int context, X509 *x,1873size_t chainidx)1874{1875#ifndef OPENSSL_NO_TLS1_31876unsigned int group_id;1877PACKET encoded_pt;1878EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;1879const TLS_GROUP_INFO *ginf = NULL;1880uint16_t valid_ks_id = 0;1881size_t i;18821883/* Sanity check */1884if (ckey == NULL || s->s3.peer_tmp != NULL) {1885SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1886return 0;1887}18881889/* Which group ID does the server want -> group_id */1890if (!PACKET_get_net_2(pkt, &group_id)) {1891SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1892return 0;1893}18941895if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {1896const uint16_t *pgroups = NULL;1897size_t num_groups;18981899if (PACKET_remaining(pkt) != 0) {1900SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1901return 0;1902}19031904/*1905* It is an error if the HelloRetryRequest wants a key_share that we1906* already sent in the first ClientHello1907*/1908for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {1909if (s->s3.tmp.ks_group_id[i] == group_id) {1910SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1911return 0;1912}1913}19141915/* Validate the selected group is one we support */1916tls1_get_supported_groups(s, &pgroups, &num_groups);1917for (i = 0; i < num_groups; i++) {1918if (group_id == pgroups[i])1919break;1920}1921if (i >= num_groups1922|| !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)1923|| !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,19240, NULL)) {1925SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1926return 0;1927}19281929/* Memorize which groupID the server wants */1930s->s3.group_id = group_id;19311932/* The initial keyshares are obsolete now, hence free memory */1933for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {1934if (s->s3.tmp.ks_pkey[i] != NULL) {1935EVP_PKEY_free(s->s3.tmp.ks_pkey[i]);1936s->s3.tmp.ks_pkey[i] = NULL;1937}1938}1939s->s3.tmp.num_ks_pkey = 0;1940s->s3.tmp.pkey = NULL;19411942return 1;1943}19441945/*1946* check that the group requested by the server is one we've1947* sent a key share for, and if so: memorize which one1948*/1949for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {1950if (s->s3.tmp.ks_group_id[i] == group_id) {1951valid_ks_id = group_id;1952ckey = s->s3.tmp.ks_pkey[i];1953s->s3.group_id = group_id;1954s->s3.tmp.pkey = ckey;1955break;1956}1957}1958if (valid_ks_id == 0) {1959/*1960* This isn't for the group that we sent in the original1961* key_share!1962*/1963SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1964return 0;1965}1966/* Retain this group in the SSL_SESSION */1967if (!s->hit) {1968s->session->kex_group = group_id;1969} else if (group_id != s->session->kex_group) {1970/*1971* If this is a resumption but changed what group was used, we need1972* to record the new group in the session, but the session is not1973* a new session and could be in use by other threads. So, make1974* a copy of the session to record the new information so that it's1975* useful for any sessions resumed from tickets issued on this1976* connection.1977*/1978SSL_SESSION *new_sess;19791980if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {1981SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);1982return 0;1983}1984SSL_SESSION_free(s->session);1985s->session = new_sess;1986s->session->kex_group = group_id;1987}19881989if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),1990group_id))1991== NULL) {1992SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1993return 0;1994}19951996if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)1997|| PACKET_remaining(&encoded_pt) == 0) {1998SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1999return 0;2000}20012002if (!ginf->is_kem) {2003/* Regular KEX */2004skey = EVP_PKEY_new();2005if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {2006SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);2007EVP_PKEY_free(skey);2008return 0;2009}20102011if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),2012PACKET_remaining(&encoded_pt))2013<= 0) {2014SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);2015EVP_PKEY_free(skey);2016return 0;2017}20182019if (ssl_derive(s, ckey, skey, 1) == 0) {2020/* SSLfatal() already called */2021EVP_PKEY_free(skey);2022return 0;2023}2024s->s3.peer_tmp = skey;2025} else {2026/* KEM Mode */2027const unsigned char *ct = PACKET_data(&encoded_pt);2028size_t ctlen = PACKET_remaining(&encoded_pt);20292030if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {2031/* SSLfatal() already called */2032return 0;2033}2034}2035s->s3.did_kex = 1;2036#endif20372038return 1;2039}20402041int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,2042X509 *x, size_t chainidx)2043{2044PACKET cookie;20452046if (!PACKET_as_length_prefixed_2(pkt, &cookie)2047|| !PACKET_memdup(&cookie, &s->ext.tls13_cookie,2048&s->ext.tls13_cookie_len)) {2049SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);2050return 0;2051}20522053return 1;2054}20552056int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,2057unsigned int context,2058X509 *x, size_t chainidx)2059{2060if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {2061unsigned long max_early_data;20622063if (!PACKET_get_net_4(pkt, &max_early_data)2064|| PACKET_remaining(pkt) != 0) {2065SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);2066return 0;2067}20682069s->session->ext.max_early_data = max_early_data;20702071if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {2072/*2073* QUIC allows missing max_early_data, or a max_early_data value2074* of 0xffffffff. Missing max_early_data is stored in the session2075* as 0. This is indistinguishable in OpenSSL from a present2076* max_early_data value that was 0. In order that later checks for2077* invalid max_early_data correctly treat as an error the case where2078* max_early_data is present and it is 0, we store any invalid2079* value in the same (non-zero) way. Otherwise we would have to2080* introduce a new flag just for this.2081*/2082s->session->ext.max_early_data = 1;2083SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);2084return 0;2085}20862087return 1;2088}20892090if (PACKET_remaining(pkt) != 0) {2091SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2092return 0;2093}20942095if (!s->ext.early_data_ok2096|| !s->hit) {2097/*2098* If we get here then we didn't send early data, or we didn't resume2099* using the first identity, or the SNI/ALPN is not consistent so the2100* server should not be accepting it.2101*/2102SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);2103return 0;2104}21052106s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;21072108return 1;2109}21102111int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,2112unsigned int context, X509 *x,2113size_t chainidx)2114{2115#ifndef OPENSSL_NO_TLS1_32116unsigned int identity;21172118if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {2119SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);2120return 0;2121}21222123if (identity >= (unsigned int)s->ext.tick_identity) {2124SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);2125return 0;2126}21272128/*2129* Session resumption tickets are always sent before PSK tickets. If the2130* ticket index is 0 then it must be for a session resumption ticket if we2131* sent two tickets, or if we didn't send a PSK ticket.2132*/2133if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {2134s->hit = 1;2135SSL_SESSION_free(s->psksession);2136s->psksession = NULL;2137return 1;2138}21392140if (s->psksession == NULL) {2141/* Should never happen */2142SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);2143return 0;2144}21452146/*2147* If we used the external PSK for sending early_data then s->early_secret2148* is already set up, so don't overwrite it. Otherwise we copy the2149* early_secret across that we generated earlier.2150*/2151if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY2152&& s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)2153|| s->session->ext.max_early_data > 02154|| s->psksession->ext.max_early_data == 0)2155memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);21562157SSL_SESSION_free(s->session);2158s->session = s->psksession;2159s->psksession = NULL;2160s->hit = 1;2161/* Early data is only allowed if we used the first ticket */2162if (identity != 0)2163s->ext.early_data_ok = 0;2164#endif21652166return 1;2167}21682169EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,2170unsigned int context,2171X509 *x, size_t chainidx)2172{2173sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;2174if (sc->client_cert_type == NULL)2175return EXT_RETURN_NOT_SENT;21762177if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)2178|| !WPACKET_start_sub_packet_u16(pkt)2179|| !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)2180|| !WPACKET_close(pkt)) {2181SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);2182return EXT_RETURN_FAIL;2183}2184sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;2185return EXT_RETURN_SENT;2186}21872188int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,2189unsigned int context,2190X509 *x, size_t chainidx)2191{2192unsigned int type;21932194if (PACKET_remaining(pkt) != 1) {2195SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2196return 0;2197}2198if (!PACKET_get_1(pkt, &type)) {2199SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2200return 0;2201}2202/* We did not send/ask for this */2203if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {2204SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2205return 0;2206}2207/* We don't have this enabled */2208if (sc->client_cert_type == NULL) {2209SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2210return 0;2211}2212/* Given back a value we didn't configure */2213if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {2214SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);2215return 0;2216}2217sc->ext.client_cert_type = type;2218return 1;2219}22202221EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,2222unsigned int context,2223X509 *x, size_t chainidx)2224{2225sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;2226if (sc->server_cert_type == NULL)2227return EXT_RETURN_NOT_SENT;22282229if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)2230|| !WPACKET_start_sub_packet_u16(pkt)2231|| !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)2232|| !WPACKET_close(pkt)) {2233SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);2234return EXT_RETURN_FAIL;2235}2236sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;2237return EXT_RETURN_SENT;2238}22392240int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,2241unsigned int context,2242X509 *x, size_t chainidx)2243{2244unsigned int type;22452246if (PACKET_remaining(pkt) != 1) {2247SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2248return 0;2249}2250if (!PACKET_get_1(pkt, &type)) {2251SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2252return 0;2253}2254/* We did not send/ask for this */2255if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {2256SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2257return 0;2258}2259/* We don't have this enabled */2260if (sc->server_cert_type == NULL) {2261SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2262return 0;2263}2264/* Given back a value we didn't configure */2265if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {2266SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);2267return 0;2268}2269sc->ext.server_cert_type = type;2270return 1;2271}227222732274