Path: blob/main/crypto/openssl/ssl/statem/extensions_clnt.c
48266 views
/*1* Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89#include <openssl/ocsp.h>10#include "../ssl_local.h"11#include "internal/cryptlib.h"12#include "internal/ssl_unwrap.h"13#include "statem_local.h"1415EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,16unsigned int context, X509 *x,17size_t chainidx)18{19if (!s->renegotiate) {20/* If not renegotiating, send an empty RI extension to indicate support */2122#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION23# error Internal DTLS version error24#endif2526if (!SSL_CONNECTION_IS_DTLS(s)27&& (s->min_proto_version >= TLS1_3_VERSION28|| (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)29&& s->min_proto_version <= TLS1_VERSION))) {30/*31* For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this32* extension isn't used at all.33*/34return EXT_RETURN_NOT_SENT;35}363738if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)39|| !WPACKET_start_sub_packet_u16(pkt)40|| !WPACKET_put_bytes_u8(pkt, 0)41|| !WPACKET_close(pkt)) {42SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);43return EXT_RETURN_FAIL;44}4546return EXT_RETURN_SENT;47}4849/* Add a complete RI extension if renegotiating */50if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)51|| !WPACKET_start_sub_packet_u16(pkt)52|| !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,53s->s3.previous_client_finished_len)54|| !WPACKET_close(pkt)) {55SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);56return EXT_RETURN_FAIL;57}5859return EXT_RETURN_SENT;60}6162EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,63unsigned int context, X509 *x,64size_t chainidx)65{66if (s->ext.hostname == NULL)67return EXT_RETURN_NOT_SENT;6869/* Add TLS extension servername to the Client Hello message */70if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)71/* Sub-packet for server_name extension */72|| !WPACKET_start_sub_packet_u16(pkt)73/* Sub-packet for servername list (always 1 hostname)*/74|| !WPACKET_start_sub_packet_u16(pkt)75|| !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)76|| !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,77strlen(s->ext.hostname))78|| !WPACKET_close(pkt)79|| !WPACKET_close(pkt)) {80SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);81return EXT_RETURN_FAIL;82}8384return EXT_RETURN_SENT;85}8687/* Push a Max Fragment Len extension into ClientHello */88EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,89unsigned int context, X509 *x,90size_t chainidx)91{92if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)93return EXT_RETURN_NOT_SENT;9495/* Add Max Fragment Length extension if client enabled it. */96/*-97* 4 bytes for this extension type and extension length98* 1 byte for the Max Fragment Length code value.99*/100if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)101/* Sub-packet for Max Fragment Length extension (1 byte) */102|| !WPACKET_start_sub_packet_u16(pkt)103|| !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)104|| !WPACKET_close(pkt)) {105SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);106return EXT_RETURN_FAIL;107}108109return EXT_RETURN_SENT;110}111112#ifndef OPENSSL_NO_SRP113EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,114unsigned int context,115X509 *x, size_t chainidx)116{117/* Add SRP username if there is one */118if (s->srp_ctx.login == NULL)119return EXT_RETURN_NOT_SENT;120121if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)122/* Sub-packet for SRP extension */123|| !WPACKET_start_sub_packet_u16(pkt)124|| !WPACKET_start_sub_packet_u8(pkt)125/* login must not be zero...internal error if so */126|| !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)127|| !WPACKET_memcpy(pkt, s->srp_ctx.login,128strlen(s->srp_ctx.login))129|| !WPACKET_close(pkt)130|| !WPACKET_close(pkt)) {131SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);132return EXT_RETURN_FAIL;133}134135return EXT_RETURN_SENT;136}137#endif138139static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)140{141int i, end, ret = 0;142unsigned long alg_k, alg_a;143STACK_OF(SSL_CIPHER) *cipher_stack = NULL;144const uint16_t *pgroups = NULL;145size_t num_groups, j;146SSL *ssl = SSL_CONNECTION_GET_SSL(s);147148/* See if we support any ECC ciphersuites */149if (s->version == SSL3_VERSION)150return 0;151152cipher_stack = SSL_get1_supported_ciphers(ssl);153end = sk_SSL_CIPHER_num(cipher_stack);154for (i = 0; i < end; i++) {155const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);156157alg_k = c->algorithm_mkey;158alg_a = c->algorithm_auth;159if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))160|| (alg_a & SSL_aECDSA)161|| c->min_tls >= TLS1_3_VERSION) {162ret = 1;163break;164}165}166sk_SSL_CIPHER_free(cipher_stack);167if (!ret)168return 0;169170/* Check we have at least one EC supported group */171tls1_get_supported_groups(s, &pgroups, &num_groups);172for (j = 0; j < num_groups; j++) {173uint16_t ctmp = pgroups[j];174175if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)176&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))177return 1;178}179180return 0;181}182183EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,184unsigned int context, X509 *x,185size_t chainidx)186{187const unsigned char *pformats;188size_t num_formats;189int reason, min_version, max_version;190191reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);192if (reason != 0) {193SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);194return EXT_RETURN_FAIL;195}196if (!use_ecc(s, min_version, max_version))197return EXT_RETURN_NOT_SENT;198199/* Add TLS extension ECPointFormats to the ClientHello message */200tls1_get_formatlist(s, &pformats, &num_formats);201202if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)203/* Sub-packet for formats extension */204|| !WPACKET_start_sub_packet_u16(pkt)205|| !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)206|| !WPACKET_close(pkt)) {207SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);208return EXT_RETURN_FAIL;209}210211return EXT_RETURN_SENT;212}213214EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,215unsigned int context, X509 *x,216size_t chainidx)217{218const uint16_t *pgroups = NULL;219size_t num_groups = 0, i, tls13added = 0, added = 0;220int min_version, max_version, reason;221222reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);223if (reason != 0) {224SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);225return EXT_RETURN_FAIL;226}227228/*229* We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore230* if we don't have EC support then we don't send this extension.231*/232if (!use_ecc(s, min_version, max_version)233&& (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))234return EXT_RETURN_NOT_SENT;235236/*237* Add TLS extension supported_groups to the ClientHello message238*/239tls1_get_supported_groups(s, &pgroups, &num_groups);240241if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)242/* Sub-packet for supported_groups extension */243|| !WPACKET_start_sub_packet_u16(pkt)244|| !WPACKET_start_sub_packet_u16(pkt)245|| !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {246SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);247return EXT_RETURN_FAIL;248}249/* Copy group ID if supported */250for (i = 0; i < num_groups; i++) {251uint16_t ctmp = pgroups[i];252int okfortls13;253254if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)255&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {256if (!WPACKET_put_bytes_u16(pkt, ctmp)) {257SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);258return EXT_RETURN_FAIL;259}260if (okfortls13 && max_version == TLS1_3_VERSION)261tls13added++;262added++;263}264}265if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {266if (added == 0)267SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,268"No groups enabled for max supported SSL/TLS version");269else270SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);271return EXT_RETURN_FAIL;272}273274if (tls13added == 0 && max_version == TLS1_3_VERSION) {275SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,276"No groups enabled for max supported SSL/TLS version");277return EXT_RETURN_FAIL;278}279280return EXT_RETURN_SENT;281}282283EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,284unsigned int context, X509 *x,285size_t chainidx)286{287size_t ticklen;288289if (!tls_use_ticket(s))290return EXT_RETURN_NOT_SENT;291292if (!s->new_session && s->session != NULL293&& s->session->ext.tick != NULL294&& s->session->ssl_version != TLS1_3_VERSION) {295ticklen = s->session->ext.ticklen;296} else if (s->session && s->ext.session_ticket != NULL297&& s->ext.session_ticket->data != NULL) {298ticklen = s->ext.session_ticket->length;299s->session->ext.tick = OPENSSL_malloc(ticklen);300if (s->session->ext.tick == NULL) {301SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);302return EXT_RETURN_FAIL;303}304memcpy(s->session->ext.tick,305s->ext.session_ticket->data, ticklen);306s->session->ext.ticklen = ticklen;307} else {308ticklen = 0;309}310311if (ticklen == 0 && s->ext.session_ticket != NULL &&312s->ext.session_ticket->data == NULL)313return EXT_RETURN_NOT_SENT;314315if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)316|| !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {317SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);318return EXT_RETURN_FAIL;319}320321return EXT_RETURN_SENT;322}323324EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,325unsigned int context, X509 *x,326size_t chainidx)327{328size_t salglen;329const uint16_t *salg;330331/*332* This used both in the initial hello and as part of renegotiation,333* in the latter case, the client version may be already set and may334* be lower than that initially offered in `client_version`.335*/336if (!SSL_CONNECTION_IS_DTLS(s)) {337if (s->client_version < TLS1_2_VERSION338|| (s->ssl.method->version != TLS_ANY_VERSION339&& s->version < TLS1_2_VERSION))340return EXT_RETURN_NOT_SENT;341} else {342if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION)343|| (s->ssl.method->version != DTLS_ANY_VERSION344&& DTLS_VERSION_LT(s->version, DTLS1_2_VERSION)))345return EXT_RETURN_NOT_SENT;346}347348salglen = tls12_get_psigalgs(s, 1, &salg);349if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)350/* Sub-packet for sig-algs extension */351|| !WPACKET_start_sub_packet_u16(pkt)352/* Sub-packet for the actual list */353|| !WPACKET_start_sub_packet_u16(pkt)354|| !tls12_copy_sigalgs(s, pkt, salg, salglen)355|| !WPACKET_close(pkt)356|| !WPACKET_close(pkt)) {357SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);358return EXT_RETURN_FAIL;359}360361return EXT_RETURN_SENT;362}363364#ifndef OPENSSL_NO_OCSP365EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,366unsigned int context, X509 *x,367size_t chainidx)368{369int i;370371/* This extension isn't defined for client Certificates */372if (x != NULL)373return EXT_RETURN_NOT_SENT;374375if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)376return EXT_RETURN_NOT_SENT;377378if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)379/* Sub-packet for status request extension */380|| !WPACKET_start_sub_packet_u16(pkt)381|| !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)382/* Sub-packet for the ids */383|| !WPACKET_start_sub_packet_u16(pkt)) {384SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);385return EXT_RETURN_FAIL;386}387for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {388unsigned char *idbytes;389OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);390int idlen = i2d_OCSP_RESPID(id, NULL);391392if (idlen <= 0393/* Sub-packet for an individual id */394|| !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)395|| i2d_OCSP_RESPID(id, &idbytes) != idlen) {396SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);397return EXT_RETURN_FAIL;398}399}400if (!WPACKET_close(pkt)401|| !WPACKET_start_sub_packet_u16(pkt)) {402SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);403return EXT_RETURN_FAIL;404}405if (s->ext.ocsp.exts) {406unsigned char *extbytes;407int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);408409if (extlen < 0) {410SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);411return EXT_RETURN_FAIL;412}413if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)414|| i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)415!= extlen) {416SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);417return EXT_RETURN_FAIL;418}419}420if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {421SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);422return EXT_RETURN_FAIL;423}424425return EXT_RETURN_SENT;426}427#endif428429#ifndef OPENSSL_NO_NEXTPROTONEG430EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,431unsigned int context,432X509 *x, size_t chainidx)433{434if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL435|| !SSL_IS_FIRST_HANDSHAKE(s))436return EXT_RETURN_NOT_SENT;437438/*439* The client advertises an empty extension to indicate its support440* for Next Protocol Negotiation441*/442if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)443|| !WPACKET_put_bytes_u16(pkt, 0)) {444SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);445return EXT_RETURN_FAIL;446}447448return EXT_RETURN_SENT;449}450#endif451452EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,453unsigned int context,454X509 *x, size_t chainidx)455{456s->s3.alpn_sent = 0;457458if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))459return EXT_RETURN_NOT_SENT;460461if (!WPACKET_put_bytes_u16(pkt,462TLSEXT_TYPE_application_layer_protocol_negotiation)463/* Sub-packet ALPN extension */464|| !WPACKET_start_sub_packet_u16(pkt)465|| !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)466|| !WPACKET_close(pkt)) {467SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);468return EXT_RETURN_FAIL;469}470s->s3.alpn_sent = 1;471472return EXT_RETURN_SENT;473}474475476#ifndef OPENSSL_NO_SRTP477EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,478unsigned int context, X509 *x,479size_t chainidx)480{481SSL *ssl = SSL_CONNECTION_GET_SSL(s);482STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);483int i, end;484485if (clnt == NULL)486return EXT_RETURN_NOT_SENT;487488if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)489/* Sub-packet for SRTP extension */490|| !WPACKET_start_sub_packet_u16(pkt)491/* Sub-packet for the protection profile list */492|| !WPACKET_start_sub_packet_u16(pkt)) {493SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);494return EXT_RETURN_FAIL;495}496497end = sk_SRTP_PROTECTION_PROFILE_num(clnt);498for (i = 0; i < end; i++) {499const SRTP_PROTECTION_PROFILE *prof =500sk_SRTP_PROTECTION_PROFILE_value(clnt, i);501502if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {503SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);504return EXT_RETURN_FAIL;505}506}507if (!WPACKET_close(pkt)508/* Add an empty use_mki value */509|| !WPACKET_put_bytes_u8(pkt, 0)510|| !WPACKET_close(pkt)) {511SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);512return EXT_RETURN_FAIL;513}514515return EXT_RETURN_SENT;516}517#endif518519EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,520unsigned int context,521X509 *x, size_t chainidx)522{523if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)524return EXT_RETURN_NOT_SENT;525526if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)527|| !WPACKET_put_bytes_u16(pkt, 0)) {528SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);529return EXT_RETURN_FAIL;530}531532return EXT_RETURN_SENT;533}534535#ifndef OPENSSL_NO_CT536EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,537unsigned int context,538X509 *x, size_t chainidx)539{540if (s->ct_validation_callback == NULL)541return EXT_RETURN_NOT_SENT;542543/* Not defined for client Certificates */544if (x != NULL)545return EXT_RETURN_NOT_SENT;546547if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)548|| !WPACKET_put_bytes_u16(pkt, 0)) {549SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);550return EXT_RETURN_FAIL;551}552553return EXT_RETURN_SENT;554}555#endif556557EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,558unsigned int context,559X509 *x, size_t chainidx)560{561if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)562return EXT_RETURN_NOT_SENT;563564if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)565|| !WPACKET_put_bytes_u16(pkt, 0)) {566SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);567return EXT_RETURN_FAIL;568}569570return EXT_RETURN_SENT;571}572573EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,574unsigned int context, X509 *x,575size_t chainidx)576{577int currv, min_version, max_version, reason;578579reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);580if (reason != 0) {581SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);582return EXT_RETURN_FAIL;583}584585/*586* Don't include this if we can't negotiate TLSv1.3. We can do a straight587* comparison here because we will never be called in DTLS.588*/589if (max_version < TLS1_3_VERSION)590return EXT_RETURN_NOT_SENT;591592if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)593|| !WPACKET_start_sub_packet_u16(pkt)594|| !WPACKET_start_sub_packet_u8(pkt)) {595SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);596return EXT_RETURN_FAIL;597}598599for (currv = max_version; currv >= min_version; currv--) {600if (!WPACKET_put_bytes_u16(pkt, currv)) {601SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);602return EXT_RETURN_FAIL;603}604}605if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {606SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);607return EXT_RETURN_FAIL;608}609610return EXT_RETURN_SENT;611}612613/*614* Construct a psk_kex_modes extension.615*/616EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,617unsigned int context, X509 *x,618size_t chainidx)619{620#ifndef OPENSSL_NO_TLS1_3621int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;622623if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)624|| !WPACKET_start_sub_packet_u16(pkt)625|| !WPACKET_start_sub_packet_u8(pkt)626|| !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)627|| (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))628|| !WPACKET_close(pkt)629|| !WPACKET_close(pkt)) {630SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);631return EXT_RETURN_FAIL;632}633634s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;635if (nodhe)636s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;637#endif638639return EXT_RETURN_SENT;640}641642#ifndef OPENSSL_NO_TLS1_3643static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num)644{645unsigned char *encoded_pubkey = NULL;646EVP_PKEY *key_share_key = NULL;647size_t encodedlen;648649if (loop_num < s->s3.tmp.num_ks_pkey) {650if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)651|| !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) {652SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);653return 0;654}655/*656* Could happen if we got an HRR that wasn't requesting a new key_share657*/658key_share_key = s->s3.tmp.ks_pkey[loop_num];659} else {660key_share_key = ssl_generate_pkey_group(s, group_id);661if (key_share_key == NULL) {662/* SSLfatal() already called */663return 0;664}665}666667/* Encode the public key. */668encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,669&encoded_pubkey);670if (encodedlen == 0) {671SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);672goto err;673}674675/* Create KeyShareEntry */676if (!WPACKET_put_bytes_u16(pkt, group_id)677|| !WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encodedlen)) {678SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);679goto err;680}681682/* For backward compatibility, we use the first valid group to add a key share */683if (loop_num == 0) {684s->s3.tmp.pkey = key_share_key;685s->s3.group_id = group_id;686}687/* We ensure in t1_lib.c that the loop number does not exceed OPENSSL_CLIENT_MAX_KEY_SHARES */688s->s3.tmp.ks_pkey[loop_num] = key_share_key;689s->s3.tmp.ks_group_id[loop_num] = group_id;690if (loop_num >= s->s3.tmp.num_ks_pkey)691s->s3.tmp.num_ks_pkey++;692693OPENSSL_free(encoded_pubkey);694695return 1;696err:697if (key_share_key != s->s3.tmp.ks_pkey[loop_num])698EVP_PKEY_free(key_share_key);699OPENSSL_free(encoded_pubkey);700return 0;701}702#endif703704EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,705unsigned int context, X509 *x,706size_t chainidx)707{708#ifndef OPENSSL_NO_TLS1_3709size_t i, num_groups = 0;710const uint16_t *pgroups = NULL;711uint16_t group_id = 0;712int add_only_one = 0;713size_t valid_keyshare = 0;714715/* key_share extension */716if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)717/* Extension data sub-packet */718|| !WPACKET_start_sub_packet_u16(pkt)719/* KeyShare list sub-packet */720|| !WPACKET_start_sub_packet_u16(pkt)) {721SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);722return EXT_RETURN_FAIL;723}724725tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups);726if (num_groups == 1 && pgroups[0] == 0) { /* Indication that no * prefix was used */727tls1_get_supported_groups(s, &pgroups, &num_groups);728add_only_one = 1;729}730731/* If neither the default nor the keyshares have any entry --> fatal */732if (num_groups == 0) {733SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);734return EXT_RETURN_FAIL;735}736737/* Add key shares */738739if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) {740/* new, single key share */741group_id = s->s3.group_id;742s->s3.tmp.num_ks_pkey = 0;743if (!add_key_share(s, pkt, group_id, 0)) {744/* SSLfatal() already called */745return EXT_RETURN_FAIL;746}747valid_keyshare++;748} else {749if (s->ext.supportedgroups == NULL) /* use default */750add_only_one = 1;751752for (i = 0; i < num_groups; i++) {753if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))754continue;755if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,7560, NULL))757continue;758759group_id = pgroups[i];760761if (group_id == 0) {762SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);763return EXT_RETURN_FAIL;764}765if (!add_key_share(s, pkt, group_id, valid_keyshare)) {766/* SSLfatal() already called */767return EXT_RETURN_FAIL;768}769valid_keyshare++;770if (add_only_one)771break;772}773}774775if (valid_keyshare == 0) {776/* No key shares were allowed */777SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);778return EXT_RETURN_FAIL;779}780781if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {782SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);783return EXT_RETURN_FAIL;784}785return EXT_RETURN_SENT;786#else787return EXT_RETURN_NOT_SENT;788#endif789}790791EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,792unsigned int context,793X509 *x, size_t chainidx)794{795EXT_RETURN ret = EXT_RETURN_FAIL;796797/* Should only be set if we've had an HRR */798if (s->ext.tls13_cookie_len == 0)799return EXT_RETURN_NOT_SENT;800801if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)802/* Extension data sub-packet */803|| !WPACKET_start_sub_packet_u16(pkt)804|| !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,805s->ext.tls13_cookie_len)806|| !WPACKET_close(pkt)) {807SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);808goto end;809}810811ret = EXT_RETURN_SENT;812end:813OPENSSL_free(s->ext.tls13_cookie);814s->ext.tls13_cookie = NULL;815s->ext.tls13_cookie_len = 0;816817return ret;818}819820EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,821unsigned int context, X509 *x,822size_t chainidx)823{824#ifndef OPENSSL_NO_PSK825char identity[PSK_MAX_IDENTITY_LEN + 1];826#endif /* OPENSSL_NO_PSK */827const unsigned char *id = NULL;828size_t idlen = 0;829SSL_SESSION *psksess = NULL;830SSL_SESSION *edsess = NULL;831const EVP_MD *handmd = NULL;832SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);833834if (s->hello_retry_request == SSL_HRR_PENDING)835handmd = ssl_handshake_md(s);836837if (s->psk_use_session_cb != NULL838&& (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess)839|| (psksess != NULL840&& psksess->ssl_version != TLS1_3_VERSION))) {841SSL_SESSION_free(psksess);842SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);843return EXT_RETURN_FAIL;844}845846#ifndef OPENSSL_NO_PSK847if (psksess == NULL && s->psk_client_callback != NULL) {848unsigned char psk[PSK_MAX_PSK_LEN];849size_t psklen = 0;850851memset(identity, 0, sizeof(identity));852psklen = s->psk_client_callback(ussl, NULL,853identity, sizeof(identity) - 1,854psk, sizeof(psk));855856if (psklen > PSK_MAX_PSK_LEN) {857SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);858return EXT_RETURN_FAIL;859} else if (psklen > 0) {860const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };861const SSL_CIPHER *cipher;862863idlen = strlen(identity);864if (idlen > PSK_MAX_IDENTITY_LEN) {865SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);866return EXT_RETURN_FAIL;867}868id = (unsigned char *)identity;869870/*871* We found a PSK using an old style callback. We don't know872* the digest so we default to SHA256 as per the TLSv1.3 spec873*/874cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),875tls13_aes128gcmsha256_id);876if (cipher == NULL) {877SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);878return EXT_RETURN_FAIL;879}880881psksess = SSL_SESSION_new();882if (psksess == NULL883|| !SSL_SESSION_set1_master_key(psksess, psk, psklen)884|| !SSL_SESSION_set_cipher(psksess, cipher)885|| !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {886SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);887OPENSSL_cleanse(psk, psklen);888return EXT_RETURN_FAIL;889}890OPENSSL_cleanse(psk, psklen);891}892}893#endif /* OPENSSL_NO_PSK */894895SSL_SESSION_free(s->psksession);896s->psksession = psksess;897if (psksess != NULL) {898OPENSSL_free(s->psksession_id);899s->psksession_id = OPENSSL_memdup(id, idlen);900if (s->psksession_id == NULL) {901s->psksession_id_len = 0;902SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);903return EXT_RETURN_FAIL;904}905s->psksession_id_len = idlen;906}907908if (s->early_data_state != SSL_EARLY_DATA_CONNECTING909|| (s->session->ext.max_early_data == 0910&& (psksess == NULL || psksess->ext.max_early_data == 0))) {911s->max_early_data = 0;912return EXT_RETURN_NOT_SENT;913}914edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;915s->max_early_data = edsess->ext.max_early_data;916917if (edsess->ext.hostname != NULL) {918if (s->ext.hostname == NULL919|| (s->ext.hostname != NULL920&& strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {921SSLfatal(s, SSL_AD_INTERNAL_ERROR,922SSL_R_INCONSISTENT_EARLY_DATA_SNI);923return EXT_RETURN_FAIL;924}925}926927if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {928SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);929return EXT_RETURN_FAIL;930}931932/*933* Verify that we are offering an ALPN protocol consistent with the early934* data.935*/936if (edsess->ext.alpn_selected != NULL) {937PACKET prots, alpnpkt;938int found = 0;939940if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {941SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);942return EXT_RETURN_FAIL;943}944while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {945if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,946edsess->ext.alpn_selected_len)) {947found = 1;948break;949}950}951if (!found) {952SSLfatal(s, SSL_AD_INTERNAL_ERROR,953SSL_R_INCONSISTENT_EARLY_DATA_ALPN);954return EXT_RETURN_FAIL;955}956}957958if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)959|| !WPACKET_start_sub_packet_u16(pkt)960|| !WPACKET_close(pkt)) {961SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);962return EXT_RETURN_FAIL;963}964965/*966* We set this to rejected here. Later, if the server acknowledges the967* extension, we set it to accepted.968*/969s->ext.early_data = SSL_EARLY_DATA_REJECTED;970s->ext.early_data_ok = 1;971972return EXT_RETURN_SENT;973}974975#define F5_WORKAROUND_MIN_MSG_LEN 0xff976#define F5_WORKAROUND_MAX_MSG_LEN 0x200977978/*979* PSK pre binder overhead =980* 2 bytes for TLSEXT_TYPE_psk981* 2 bytes for extension length982* 2 bytes for identities list length983* 2 bytes for identity length984* 4 bytes for obfuscated_ticket_age985* 2 bytes for binder list length986* 1 byte for binder length987* The above excludes the number of bytes for the identity itself and the988* subsequent binder bytes989*/990#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)991992EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,993unsigned int context, X509 *x,994size_t chainidx)995{996unsigned char *padbytes;997size_t hlen;998999if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)1000return EXT_RETURN_NOT_SENT;10011002/*1003* Add padding to workaround bugs in F5 terminators. See RFC7685.1004* This code calculates the length of all extensions added so far but1005* excludes the PSK extension (because that MUST be written last). Therefore1006* this extension MUST always appear second to last.1007*/1008if (!WPACKET_get_total_written(pkt, &hlen)) {1009SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1010return EXT_RETURN_FAIL;1011}10121013/*1014* If we're going to send a PSK then that will be written out after this1015* extension, so we need to calculate how long it is going to be.1016*/1017if (s->session->ssl_version == TLS1_3_VERSION1018&& s->session->ext.ticklen != 01019&& s->session->cipher != NULL) {1020const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),1021s->session->cipher->algorithm2);10221023if (md != NULL) {1024/*1025* Add the fixed PSK overhead, the identity length and the binder1026* length.1027*/1028int md_size = EVP_MD_get_size(md);10291030if (md_size <= 0)1031return EXT_RETURN_FAIL;1032hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen1033+ md_size;1034}1035}10361037if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {1038/* Calculate the amount of padding we need to add */1039hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;10401041/*1042* Take off the size of extension header itself (2 bytes for type and1043* 2 bytes for length bytes), but ensure that the extension is at least1044* 1 byte long so as not to have an empty extension last (WebSphere 7.x,1045* 8.x are intolerant of that condition)1046*/1047if (hlen > 4)1048hlen -= 4;1049else1050hlen = 1;10511052if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)1053|| !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {1054SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1055return EXT_RETURN_FAIL;1056}1057memset(padbytes, 0, hlen);1058}10591060return EXT_RETURN_SENT;1061}10621063/*1064* Construct the pre_shared_key extension1065*/1066EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,1067unsigned int context,1068X509 *x, size_t chainidx)1069{1070#ifndef OPENSSL_NO_TLS1_31071uint32_t agesec, agems = 0;1072size_t binderoffset, msglen;1073int reshashsize = 0, pskhashsize = 0;1074unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;1075const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;1076int dores = 0;1077SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);1078OSSL_TIME t;10791080s->ext.tick_identity = 0;10811082/*1083* Note: At this stage of the code we only support adding a single1084* resumption PSK. If we add support for multiple PSKs then the length1085* calculations in the padding extension will need to be adjusted.1086*/10871088/*1089* If this is an incompatible or new session then we have nothing to resume1090* so don't add this extension.1091*/1092if (s->session->ssl_version != TLS1_3_VERSION1093|| (s->session->ext.ticklen == 0 && s->psksession == NULL))1094return EXT_RETURN_NOT_SENT;10951096if (s->hello_retry_request == SSL_HRR_PENDING)1097handmd = ssl_handshake_md(s);10981099if (s->session->ext.ticklen != 0) {1100/* Get the digest associated with the ciphersuite in the session */1101if (s->session->cipher == NULL) {1102SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1103return EXT_RETURN_FAIL;1104}1105mdres = ssl_md(sctx, s->session->cipher->algorithm2);1106if (mdres == NULL) {1107/*1108* Don't recognize this cipher so we can't use the session.1109* Ignore it1110*/1111goto dopsksess;1112}11131114if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {1115/*1116* Selected ciphersuite hash does not match the hash for the session1117* so we can't use it.1118*/1119goto dopsksess;1120}11211122/*1123* Technically the C standard just says time() returns a time_t and says1124* nothing about the encoding of that type. In practice most1125* implementations follow POSIX which holds it as an integral type in1126* seconds since epoch. We've already made the assumption that we can do1127* this in multiple places in the code, so portability shouldn't be an1128* issue.1129*/1130t = ossl_time_subtract(ossl_time_now(), s->session->time);1131agesec = (uint32_t)ossl_time2seconds(t);1132/*1133* We calculate the age in seconds but the server may work in ms. Due to1134* rounding errors we could overestimate the age by up to 1s. It is1135* better to underestimate it. Otherwise, if the RTT is very short, when1136* the server calculates the age reported by the client it could be1137* bigger than the age calculated on the server - which should never1138* happen.1139*/1140if (agesec > 0)1141agesec--;11421143if (s->session->ext.tick_lifetime_hint < agesec) {1144/* Ticket is too old. Ignore it. */1145goto dopsksess;1146}11471148/*1149* Calculate age in ms. We're just doing it to nearest second. Should be1150* good enough.1151*/1152agems = agesec * (uint32_t)1000;11531154if (agesec != 0 && agems / (uint32_t)1000 != agesec) {1155/*1156* Overflow. Shouldn't happen unless this is a *really* old session.1157* If so we just ignore it.1158*/1159goto dopsksess;1160}11611162/*1163* Obfuscate the age. Overflow here is fine, this addition is supposed1164* to be mod 2^32.1165*/1166agems += s->session->ext.tick_age_add;11671168reshashsize = EVP_MD_get_size(mdres);1169if (reshashsize <= 0)1170goto dopsksess;1171s->ext.tick_identity++;1172dores = 1;1173}11741175dopsksess:1176if (!dores && s->psksession == NULL)1177return EXT_RETURN_NOT_SENT;11781179if (s->psksession != NULL) {1180mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);1181if (mdpsk == NULL) {1182/*1183* Don't recognize this cipher so we can't use the session.1184* If this happens it's an application bug.1185*/1186SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);1187return EXT_RETURN_FAIL;1188}11891190if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {1191/*1192* Selected ciphersuite hash does not match the hash for the PSK1193* session. This is an application bug.1194*/1195SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);1196return EXT_RETURN_FAIL;1197}11981199pskhashsize = EVP_MD_get_size(mdpsk);1200if (pskhashsize <= 0) {1201SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);1202return EXT_RETURN_FAIL;1203}1204}12051206/* Create the extension, but skip over the binder for now */1207if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)1208|| !WPACKET_start_sub_packet_u16(pkt)1209|| !WPACKET_start_sub_packet_u16(pkt)) {1210SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1211return EXT_RETURN_FAIL;1212}12131214if (dores) {1215if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,1216s->session->ext.ticklen)1217|| !WPACKET_put_bytes_u32(pkt, agems)) {1218SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1219return EXT_RETURN_FAIL;1220}1221}12221223if (s->psksession != NULL) {1224if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,1225s->psksession_id_len)1226|| !WPACKET_put_bytes_u32(pkt, 0)) {1227SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1228return EXT_RETURN_FAIL;1229}1230s->ext.tick_identity++;1231}12321233if (!WPACKET_close(pkt)1234|| !WPACKET_get_total_written(pkt, &binderoffset)1235|| !WPACKET_start_sub_packet_u16(pkt)1236|| (dores1237&& !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))1238|| (s->psksession != NULL1239&& !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))1240|| !WPACKET_close(pkt)1241|| !WPACKET_close(pkt)1242|| !WPACKET_get_total_written(pkt, &msglen)1243/*1244* We need to fill in all the sub-packet lengths now so we can1245* calculate the HMAC of the message up to the binders1246*/1247|| !WPACKET_fill_lengths(pkt)) {1248SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1249return EXT_RETURN_FAIL;1250}12511252msgstart = WPACKET_get_curr(pkt) - msglen;12531254if (dores1255&& tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,1256resbinder, s->session, 1, 0) != 1) {1257/* SSLfatal() already called */1258return EXT_RETURN_FAIL;1259}12601261if (s->psksession != NULL1262&& tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,1263pskbinder, s->psksession, 1, 1) != 1) {1264/* SSLfatal() already called */1265return EXT_RETURN_FAIL;1266}12671268return EXT_RETURN_SENT;1269#else1270return EXT_RETURN_NOT_SENT;1271#endif1272}12731274EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,1275ossl_unused unsigned int context,1276ossl_unused X509 *x,1277ossl_unused size_t chainidx)1278{1279#ifndef OPENSSL_NO_TLS1_31280if (!s->pha_enabled)1281return EXT_RETURN_NOT_SENT;12821283/* construct extension - 0 length, no contents */1284if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)1285|| !WPACKET_start_sub_packet_u16(pkt)1286|| !WPACKET_close(pkt)) {1287SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1288return EXT_RETURN_FAIL;1289}12901291s->post_handshake_auth = SSL_PHA_EXT_SENT;12921293return EXT_RETURN_SENT;1294#else1295return EXT_RETURN_NOT_SENT;1296#endif1297}129812991300/*1301* Parse the server's renegotiation binding and abort if it's not right1302*/1303int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,1304unsigned int context,1305X509 *x, size_t chainidx)1306{1307size_t expected_len = s->s3.previous_client_finished_len1308+ s->s3.previous_server_finished_len;1309size_t ilen;1310const unsigned char *data;13111312/* Check for logic errors */1313if (!ossl_assert(expected_len == 01314|| s->s3.previous_client_finished_len != 0)1315|| !ossl_assert(expected_len == 01316|| s->s3.previous_server_finished_len != 0)) {1317SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1318return 0;1319}13201321/* Parse the length byte */1322if (!PACKET_get_1_len(pkt, &ilen)) {1323SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);1324return 0;1325}13261327/* Consistency check */1328if (PACKET_remaining(pkt) != ilen) {1329SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);1330return 0;1331}13321333/* Check that the extension matches */1334if (ilen != expected_len) {1335SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);1336return 0;1337}13381339if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)1340|| memcmp(data, s->s3.previous_client_finished,1341s->s3.previous_client_finished_len) != 0) {1342SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);1343return 0;1344}13451346if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)1347|| memcmp(data, s->s3.previous_server_finished,1348s->s3.previous_server_finished_len) != 0) {1349SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);1350return 0;1351}1352s->s3.send_connection_binding = 1;13531354return 1;1355}13561357/* Parse the server's max fragment len extension packet */1358int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,1359unsigned int context,1360X509 *x, size_t chainidx)1361{1362unsigned int value;13631364if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {1365SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1366return 0;1367}13681369/* |value| should contains a valid max-fragment-length code. */1370if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {1371SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,1372SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);1373return 0;1374}13751376/* Must be the same value as client-configured one who was sent to server */1377/*-1378* RFC 6066: if a client receives a maximum fragment length negotiation1379* response that differs from the length it requested, ...1380* It must abort with SSL_AD_ILLEGAL_PARAMETER alert1381*/1382if (value != s->ext.max_fragment_len_mode) {1383SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,1384SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);1385return 0;1386}13871388/*1389* Maximum Fragment Length Negotiation succeeded.1390* The negotiated Maximum Fragment Length is binding now.1391*/1392s->session->ext.max_fragment_len_mode = value;13931394return 1;1395}13961397int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,1398unsigned int context,1399X509 *x, size_t chainidx)1400{1401if (s->ext.hostname == NULL) {1402SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1403return 0;1404}14051406if (PACKET_remaining(pkt) > 0) {1407SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1408return 0;1409}14101411if (!s->hit) {1412if (s->session->ext.hostname != NULL) {1413SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1414return 0;1415}1416s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);1417if (s->session->ext.hostname == NULL) {1418SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1419return 0;1420}1421}14221423return 1;1424}14251426int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,1427unsigned int context,1428X509 *x, size_t chainidx)1429{1430size_t ecpointformats_len;1431PACKET ecptformatlist;14321433if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {1434SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1435return 0;1436}1437if (!s->hit) {1438ecpointformats_len = PACKET_remaining(&ecptformatlist);1439if (ecpointformats_len == 0) {1440SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);1441return 0;1442}14431444s->ext.peer_ecpointformats_len = 0;1445OPENSSL_free(s->ext.peer_ecpointformats);1446s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);1447if (s->ext.peer_ecpointformats == NULL) {1448s->ext.peer_ecpointformats_len = 0;1449SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1450return 0;1451}14521453s->ext.peer_ecpointformats_len = ecpointformats_len;14541455if (!PACKET_copy_bytes(&ecptformatlist,1456s->ext.peer_ecpointformats,1457ecpointformats_len)) {1458SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1459return 0;1460}1461}14621463return 1;1464}14651466int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,1467unsigned int context,1468X509 *x, size_t chainidx)1469{1470SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);14711472if (s->ext.session_ticket_cb != NULL &&1473!s->ext.session_ticket_cb(ssl, PACKET_data(pkt),1474PACKET_remaining(pkt),1475s->ext.session_ticket_cb_arg)) {1476SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);1477return 0;1478}14791480if (!tls_use_ticket(s)) {1481SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1482return 0;1483}1484if (PACKET_remaining(pkt) > 0) {1485SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1486return 0;1487}14881489s->ext.ticket_expected = 1;14901491return 1;1492}14931494#ifndef OPENSSL_NO_OCSP1495int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,1496unsigned int context,1497X509 *x, size_t chainidx)1498{1499if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {1500/* We ignore this if the server sends a CertificateRequest */1501return 1;1502}15031504/*1505* MUST only be sent if we've requested a status1506* request message. In TLS <= 1.2 it must also be empty.1507*/1508if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {1509SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1510return 0;1511}1512if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {1513SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1514return 0;1515}15161517if (SSL_CONNECTION_IS_TLS13(s)) {1518/* We only know how to handle this if it's for the first Certificate in1519* the chain. We ignore any other responses.1520*/1521if (chainidx != 0)1522return 1;15231524/* SSLfatal() already called */1525return tls_process_cert_status_body(s, pkt);1526}15271528/* Set flag to expect CertificateStatus message */1529s->ext.status_expected = 1;15301531return 1;1532}1533#endif153415351536#ifndef OPENSSL_NO_CT1537int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1538X509 *x, size_t chainidx)1539{1540if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {1541/* We ignore this if the server sends it in a CertificateRequest */1542return 1;1543}15441545/*1546* Only take it if we asked for it - i.e if there is no CT validation1547* callback set, then a custom extension MAY be processing it, so we1548* need to let control continue to flow to that.1549*/1550if (s->ct_validation_callback != NULL) {1551size_t size = PACKET_remaining(pkt);15521553/* Simply copy it off for later processing */1554OPENSSL_free(s->ext.scts);1555s->ext.scts = NULL;15561557s->ext.scts_len = (uint16_t)size;1558if (size > 0) {1559s->ext.scts = OPENSSL_malloc(size);1560if (s->ext.scts == NULL) {1561s->ext.scts_len = 0;1562SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);1563return 0;1564}1565if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {1566SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1567return 0;1568}1569}1570} else {1571ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 01572? ENDPOINT_CLIENT : ENDPOINT_BOTH;15731574/*1575* If we didn't ask for it then there must be a custom extension,1576* otherwise this is unsolicited.1577*/1578if (custom_ext_find(&s->cert->custext, role,1579TLSEXT_TYPE_signed_certificate_timestamp,1580NULL) == NULL) {1581SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1582return 0;1583}15841585if (!custom_ext_parse(s, context,1586TLSEXT_TYPE_signed_certificate_timestamp,1587PACKET_data(pkt), PACKET_remaining(pkt),1588x, chainidx)) {1589/* SSLfatal already called */1590return 0;1591}1592}15931594return 1;1595}1596#endif159715981599#ifndef OPENSSL_NO_NEXTPROTONEG1600/*1601* ssl_next_proto_validate validates a Next Protocol Negotiation block. No1602* elements of zero length are allowed and the set of elements must exactly1603* fill the length of the block. Returns 1 on success or 0 on failure.1604*/1605static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)1606{1607PACKET tmp_protocol;16081609while (PACKET_remaining(pkt)) {1610if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)1611|| PACKET_remaining(&tmp_protocol) == 0) {1612SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1613return 0;1614}1615}16161617return 1;1618}16191620int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1621X509 *x, size_t chainidx)1622{1623unsigned char *selected;1624unsigned char selected_len;1625PACKET tmppkt;1626SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);16271628/* Check if we are in a renegotiation. If so ignore this extension */1629if (!SSL_IS_FIRST_HANDSHAKE(s))1630return 1;16311632/* We must have requested it. */1633if (sctx->ext.npn_select_cb == NULL) {1634SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1635return 0;1636}16371638/* The data must be valid */1639tmppkt = *pkt;1640if (!ssl_next_proto_validate(s, &tmppkt)) {1641/* SSLfatal() already called */1642return 0;1643}1644if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s),1645&selected, &selected_len,1646PACKET_data(pkt), PACKET_remaining(pkt),1647sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK1648|| selected_len == 0) {1649SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);1650return 0;1651}16521653/*1654* Could be non-NULL if server has sent multiple NPN extensions in1655* a single Serverhello1656*/1657OPENSSL_free(s->ext.npn);1658s->ext.npn = OPENSSL_malloc(selected_len);1659if (s->ext.npn == NULL) {1660s->ext.npn_len = 0;1661SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1662return 0;1663}16641665memcpy(s->ext.npn, selected, selected_len);1666s->ext.npn_len = selected_len;1667s->s3.npn_seen = 1;16681669return 1;1670}1671#endif16721673int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1674X509 *x, size_t chainidx)1675{1676size_t len;1677PACKET confpkt, protpkt;1678int valid = 0;16791680/* We must have requested it. */1681if (!s->s3.alpn_sent) {1682SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);1683return 0;1684}1685/*-1686* The extension data consists of:1687* uint16 list_length1688* uint8 proto_length;1689* uint8 proto[proto_length];1690*/1691if (!PACKET_get_net_2_len(pkt, &len)1692|| PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)1693|| PACKET_remaining(pkt) != len) {1694SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1695return 0;1696}16971698/* It must be a protocol that we sent */1699if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {1700SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1701return 0;1702}1703while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {1704if (PACKET_remaining(&protpkt) != len)1705continue;1706if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {1707/* Valid protocol found */1708valid = 1;1709break;1710}1711}17121713if (!valid) {1714/* The protocol sent from the server does not match one we advertised */1715SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1716return 0;1717}17181719OPENSSL_free(s->s3.alpn_selected);1720s->s3.alpn_selected = OPENSSL_malloc(len);1721if (s->s3.alpn_selected == NULL) {1722s->s3.alpn_selected_len = 0;1723SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1724return 0;1725}1726if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {1727SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);1728return 0;1729}1730s->s3.alpn_selected_len = len;17311732if (s->session->ext.alpn_selected == NULL1733|| s->session->ext.alpn_selected_len != len1734|| memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)1735!= 0) {1736/* ALPN not consistent with the old session so cannot use early_data */1737s->ext.early_data_ok = 0;1738}1739if (!s->hit) {1740/*1741* This is a new session and so alpn_selected should have been1742* initialised to NULL. We should update it with the selected ALPN.1743*/1744if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {1745SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1746return 0;1747}1748s->session->ext.alpn_selected =1749OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);1750if (s->session->ext.alpn_selected == NULL) {1751s->session->ext.alpn_selected_len = 0;1752SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1753return 0;1754}1755s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;1756}17571758return 1;1759}17601761#ifndef OPENSSL_NO_SRTP1762int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,1763unsigned int context, X509 *x, size_t chainidx)1764{1765unsigned int id, ct, mki;1766int i;1767STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;1768SRTP_PROTECTION_PROFILE *prof;17691770if (!PACKET_get_net_2(pkt, &ct) || ct != 21771|| !PACKET_get_net_2(pkt, &id)1772|| !PACKET_get_1(pkt, &mki)1773|| PACKET_remaining(pkt) != 0) {1774SSLfatal(s, SSL_AD_DECODE_ERROR,1775SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);1776return 0;1777}17781779if (mki != 0) {1780/* Must be no MKI, since we never offer one */1781SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);1782return 0;1783}17841785/* Throw an error if the server gave us an unsolicited extension */1786clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));1787if (clnt == NULL) {1788SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);1789return 0;1790}17911792/*1793* Check to see if the server gave us something we support (and1794* presumably offered)1795*/1796for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {1797prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);17981799if (prof->id == id) {1800s->srtp_profile = prof;1801return 1;1802}1803}18041805SSLfatal(s, SSL_AD_DECODE_ERROR,1806SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);1807return 0;1808}1809#endif18101811int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1812X509 *x, size_t chainidx)1813{1814/* Ignore if inappropriate ciphersuite */1815if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)1816&& s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD1817&& s->s3.tmp.new_cipher->algorithm_enc != SSL_RC41818&& s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT1819&& s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT121820&& s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA1821&& s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)1822s->ext.use_etm = 1;18231824return 1;1825}18261827int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,1828X509 *x, size_t chainidx)1829{1830if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)1831return 1;1832s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;1833if (!s->hit)1834s->session->flags |= SSL_SESS_FLAG_EXTMS;18351836return 1;1837}18381839int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,1840unsigned int context,1841X509 *x, size_t chainidx)1842{1843unsigned int version;18441845if (!PACKET_get_net_2(pkt, &version)1846|| PACKET_remaining(pkt) != 0) {1847SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1848return 0;1849}18501851/*1852* The only protocol version we support which is valid in this extension in1853* a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.1854*/1855if (version != TLS1_3_VERSION) {1856SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,1857SSL_R_BAD_PROTOCOL_VERSION_NUMBER);1858return 0;1859}18601861/* We ignore this extension for HRRs except to sanity check it */1862if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)1863return 1;18641865/* We just set it here. We validate it in ssl_choose_client_version */1866s->version = version;1867if (!ssl_set_record_protocol_version(s, version)) {1868SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1869return 0;1870}18711872return 1;1873}18741875int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,1876unsigned int context, X509 *x,1877size_t chainidx)1878{1879#ifndef OPENSSL_NO_TLS1_31880unsigned int group_id;1881PACKET encoded_pt;1882EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;1883const TLS_GROUP_INFO *ginf = NULL;1884uint16_t valid_ks_id = 0;1885size_t i;18861887/* Sanity check */1888if (ckey == NULL || s->s3.peer_tmp != NULL) {1889SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);1890return 0;1891}18921893/* Which group ID does the server want -> group_id */1894if (!PACKET_get_net_2(pkt, &group_id)) {1895SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1896return 0;1897}18981899if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {1900const uint16_t *pgroups = NULL;1901size_t num_groups;19021903if (PACKET_remaining(pkt) != 0) {1904SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);1905return 0;1906}19071908/*1909* It is an error if the HelloRetryRequest wants a key_share that we1910* already sent in the first ClientHello1911*/1912for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {1913if (s->s3.tmp.ks_group_id[i] == group_id) {1914SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1915return 0;1916}1917}19181919/* Validate the selected group is one we support */1920tls1_get_supported_groups(s, &pgroups, &num_groups);1921for (i = 0; i < num_groups; i++) {1922if (group_id == pgroups[i])1923break;1924}1925if (i >= num_groups1926|| !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)1927|| !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,19280, NULL)) {1929SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1930return 0;1931}19321933/* Memorize which groupID the server wants */1934s->s3.group_id = group_id;19351936/* The initial keyshares are obsolete now, hence free memory */1937for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {1938if (s->s3.tmp.ks_pkey[i] != NULL) {1939EVP_PKEY_free(s->s3.tmp.ks_pkey[i]);1940s->s3.tmp.ks_pkey[i] = NULL;1941}1942}1943s->s3.tmp.num_ks_pkey = 0;1944s->s3.tmp.pkey = NULL;19451946return 1;1947}19481949/*1950* check that the group requested by the server is one we've1951* sent a key share for, and if so: memorize which one1952*/1953for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) {1954if (s->s3.tmp.ks_group_id[i] == group_id) {1955valid_ks_id = group_id;1956ckey = s->s3.tmp.ks_pkey[i];1957s->s3.group_id = group_id;1958s->s3.tmp.pkey = ckey;1959break;1960}1961}1962if (valid_ks_id == 0) {1963/*1964* This isn't for the group that we sent in the original1965* key_share!1966*/1967SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1968return 0;1969}1970/* Retain this group in the SSL_SESSION */1971if (!s->hit) {1972s->session->kex_group = group_id;1973} else if (group_id != s->session->kex_group) {1974/*1975* If this is a resumption but changed what group was used, we need1976* to record the new group in the session, but the session is not1977* a new session and could be in use by other threads. So, make1978* a copy of the session to record the new information so that it's1979* useful for any sessions resumed from tickets issued on this1980* connection.1981*/1982SSL_SESSION *new_sess;19831984if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {1985SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);1986return 0;1987}1988SSL_SESSION_free(s->session);1989s->session = new_sess;1990s->session->kex_group = group_id;1991}19921993if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),1994group_id)) == NULL) {1995SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);1996return 0;1997}19981999if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)2000|| PACKET_remaining(&encoded_pt) == 0) {2001SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);2002return 0;2003}20042005if (!ginf->is_kem) {2006/* Regular KEX */2007skey = EVP_PKEY_new();2008if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {2009SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);2010EVP_PKEY_free(skey);2011return 0;2012}20132014if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),2015PACKET_remaining(&encoded_pt)) <= 0) {2016SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);2017EVP_PKEY_free(skey);2018return 0;2019}20202021if (ssl_derive(s, ckey, skey, 1) == 0) {2022/* SSLfatal() already called */2023EVP_PKEY_free(skey);2024return 0;2025}2026s->s3.peer_tmp = skey;2027} else {2028/* KEM Mode */2029const unsigned char *ct = PACKET_data(&encoded_pt);2030size_t ctlen = PACKET_remaining(&encoded_pt);20312032if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {2033/* SSLfatal() already called */2034return 0;2035}2036}2037s->s3.did_kex = 1;2038#endif20392040return 1;2041}20422043int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,2044X509 *x, size_t chainidx)2045{2046PACKET cookie;20472048if (!PACKET_as_length_prefixed_2(pkt, &cookie)2049|| !PACKET_memdup(&cookie, &s->ext.tls13_cookie,2050&s->ext.tls13_cookie_len)) {2051SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);2052return 0;2053}20542055return 1;2056}20572058int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,2059unsigned int context,2060X509 *x, size_t chainidx)2061{2062if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {2063unsigned long max_early_data;20642065if (!PACKET_get_net_4(pkt, &max_early_data)2066|| PACKET_remaining(pkt) != 0) {2067SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);2068return 0;2069}20702071s->session->ext.max_early_data = max_early_data;20722073if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {2074/*2075* QUIC allows missing max_early_data, or a max_early_data value2076* of 0xffffffff. Missing max_early_data is stored in the session2077* as 0. This is indistinguishable in OpenSSL from a present2078* max_early_data value that was 0. In order that later checks for2079* invalid max_early_data correctly treat as an error the case where2080* max_early_data is present and it is 0, we store any invalid2081* value in the same (non-zero) way. Otherwise we would have to2082* introduce a new flag just for this.2083*/2084s->session->ext.max_early_data = 1;2085SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);2086return 0;2087}20882089return 1;2090}20912092if (PACKET_remaining(pkt) != 0) {2093SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2094return 0;2095}20962097if (!s->ext.early_data_ok2098|| !s->hit) {2099/*2100* If we get here then we didn't send early data, or we didn't resume2101* using the first identity, or the SNI/ALPN is not consistent so the2102* server should not be accepting it.2103*/2104SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);2105return 0;2106}21072108s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;21092110return 1;2111}21122113int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,2114unsigned int context, X509 *x,2115size_t chainidx)2116{2117#ifndef OPENSSL_NO_TLS1_32118unsigned int identity;21192120if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {2121SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);2122return 0;2123}21242125if (identity >= (unsigned int)s->ext.tick_identity) {2126SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);2127return 0;2128}21292130/*2131* Session resumption tickets are always sent before PSK tickets. If the2132* ticket index is 0 then it must be for a session resumption ticket if we2133* sent two tickets, or if we didn't send a PSK ticket.2134*/2135if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {2136s->hit = 1;2137SSL_SESSION_free(s->psksession);2138s->psksession = NULL;2139return 1;2140}21412142if (s->psksession == NULL) {2143/* Should never happen */2144SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);2145return 0;2146}21472148/*2149* If we used the external PSK for sending early_data then s->early_secret2150* is already set up, so don't overwrite it. Otherwise we copy the2151* early_secret across that we generated earlier.2152*/2153if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY2154&& s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)2155|| s->session->ext.max_early_data > 02156|| s->psksession->ext.max_early_data == 0)2157memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);21582159SSL_SESSION_free(s->session);2160s->session = s->psksession;2161s->psksession = NULL;2162s->hit = 1;2163/* Early data is only allowed if we used the first ticket */2164if (identity != 0)2165s->ext.early_data_ok = 0;2166#endif21672168return 1;2169}21702171EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,2172unsigned int context,2173X509 *x, size_t chainidx)2174{2175sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;2176if (sc->client_cert_type == NULL)2177return EXT_RETURN_NOT_SENT;21782179if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)2180|| !WPACKET_start_sub_packet_u16(pkt)2181|| !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)2182|| !WPACKET_close(pkt)) {2183SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);2184return EXT_RETURN_FAIL;2185}2186sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;2187return EXT_RETURN_SENT;2188}21892190int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,2191unsigned int context,2192X509 *x, size_t chainidx)2193{2194unsigned int type;21952196if (PACKET_remaining(pkt) != 1) {2197SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2198return 0;2199}2200if (!PACKET_get_1(pkt, &type)) {2201SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2202return 0;2203}2204/* We did not send/ask for this */2205if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {2206SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2207return 0;2208}2209/* We don't have this enabled */2210if (sc->client_cert_type == NULL) {2211SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2212return 0;2213}2214/* Given back a value we didn't configure */2215if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {2216SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);2217return 0;2218}2219sc->ext.client_cert_type = type;2220return 1;2221}22222223EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,2224unsigned int context,2225X509 *x, size_t chainidx)2226{2227sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;2228if (sc->server_cert_type == NULL)2229return EXT_RETURN_NOT_SENT;22302231if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)2232|| !WPACKET_start_sub_packet_u16(pkt)2233|| !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)2234|| !WPACKET_close(pkt)) {2235SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);2236return EXT_RETURN_FAIL;2237}2238sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;2239return EXT_RETURN_SENT;2240}22412242int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,2243unsigned int context,2244X509 *x, size_t chainidx)2245{2246unsigned int type;22472248if (PACKET_remaining(pkt) != 1) {2249SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2250return 0;2251}2252if (!PACKET_get_1(pkt, &type)) {2253SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2254return 0;2255}2256/* We did not send/ask for this */2257if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {2258SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2259return 0;2260}2261/* We don't have this enabled */2262if (sc->server_cert_type == NULL) {2263SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);2264return 0;2265}2266/* Given back a value we didn't configure */2267if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {2268SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);2269return 0;2270}2271sc->ext.server_cert_type = type;2272return 1;2273}227422752276