extensions.c 59 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693
  1. /*
  2. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include "internal/nelem.h"
  11. #include "internal/cryptlib.h"
  12. #include "../ssl_locl.h"
  13. #include "statem_locl.h"
  14. #include "internal/cryptlib.h"
  15. static int final_renegotiate(SSL *s, unsigned int context, int sent);
  16. static int init_server_name(SSL *s, unsigned int context);
  17. static int final_server_name(SSL *s, unsigned int context, int sent);
  18. #ifndef OPENSSL_NO_EC
  19. static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
  20. #endif
  21. static int init_session_ticket(SSL *s, unsigned int context);
  22. #ifndef OPENSSL_NO_OCSP
  23. static int init_status_request(SSL *s, unsigned int context);
  24. #endif
  25. #ifndef OPENSSL_NO_NEXTPROTONEG
  26. static int init_npn(SSL *s, unsigned int context);
  27. #endif
  28. static int init_alpn(SSL *s, unsigned int context);
  29. static int final_alpn(SSL *s, unsigned int context, int sent);
  30. static int init_sig_algs_cert(SSL *s, unsigned int context);
  31. static int init_sig_algs(SSL *s, unsigned int context);
  32. static int init_certificate_authorities(SSL *s, unsigned int context);
  33. static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
  34. unsigned int context,
  35. X509 *x,
  36. size_t chainidx);
  37. static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
  38. unsigned int context, X509 *x,
  39. size_t chainidx);
  40. #ifndef OPENSSL_NO_SRP
  41. static int init_srp(SSL *s, unsigned int context);
  42. #endif
  43. static int init_etm(SSL *s, unsigned int context);
  44. static int init_ems(SSL *s, unsigned int context);
  45. static int final_ems(SSL *s, unsigned int context, int sent);
  46. static int init_psk_kex_modes(SSL *s, unsigned int context);
  47. #ifndef OPENSSL_NO_EC
  48. static int final_key_share(SSL *s, unsigned int context, int sent);
  49. #endif
  50. #ifndef OPENSSL_NO_SRTP
  51. static int init_srtp(SSL *s, unsigned int context);
  52. #endif
  53. static int final_sig_algs(SSL *s, unsigned int context, int sent);
  54. static int final_early_data(SSL *s, unsigned int context, int sent);
  55. static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
  56. static int init_post_handshake_auth(SSL *s, unsigned int context);
  57. /* Structure to define a built-in extension */
  58. typedef struct extensions_definition_st {
  59. /* The defined type for the extension */
  60. unsigned int type;
  61. /*
  62. * The context that this extension applies to, e.g. what messages and
  63. * protocol versions
  64. */
  65. unsigned int context;
  66. /*
  67. * Initialise extension before parsing. Always called for relevant contexts
  68. * even if extension not present
  69. */
  70. int (*init)(SSL *s, unsigned int context);
  71. /* Parse extension sent from client to server */
  72. int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  73. size_t chainidx);
  74. /* Parse extension send from server to client */
  75. int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  76. size_t chainidx);
  77. /* Construct extension sent from server to client */
  78. EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
  79. X509 *x, size_t chainidx);
  80. /* Construct extension sent from client to server */
  81. EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
  82. X509 *x, size_t chainidx);
  83. /*
  84. * Finalise extension after parsing. Always called where an extensions was
  85. * initialised even if the extension was not present. |sent| is set to 1 if
  86. * the extension was seen, or 0 otherwise.
  87. */
  88. int (*final)(SSL *s, unsigned int context, int sent);
  89. } EXTENSION_DEFINITION;
  90. /*
  91. * Definitions of all built-in extensions. NOTE: Changes in the number or order
  92. * of these extensions should be mirrored with equivalent changes to the
  93. * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
  94. * Each extension has an initialiser, a client and
  95. * server side parser and a finaliser. The initialiser is called (if the
  96. * extension is relevant to the given context) even if we did not see the
  97. * extension in the message that we received. The parser functions are only
  98. * called if we see the extension in the message. The finalisers are always
  99. * called if the initialiser was called.
  100. * There are also server and client side constructor functions which are always
  101. * called during message construction if the extension is relevant for the
  102. * given context.
  103. * The initialisation, parsing, finalisation and construction functions are
  104. * always called in the order defined in this list. Some extensions may depend
  105. * on others having been processed first, so the order of this list is
  106. * significant.
  107. * The extension context is defined by a series of flags which specify which
  108. * messages the extension is relevant to. These flags also specify whether the
  109. * extension is relevant to a particular protocol or protocol version.
  110. *
  111. * TODO(TLS1.3): Make sure we have a test to check the consistency of these
  112. *
  113. * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
  114. * the end, keep these extensions before signature_algorithm.
  115. */
  116. #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
  117. static const EXTENSION_DEFINITION ext_defs[] = {
  118. {
  119. TLSEXT_TYPE_renegotiate,
  120. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  121. | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  122. NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
  123. tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
  124. final_renegotiate
  125. },
  126. {
  127. TLSEXT_TYPE_server_name,
  128. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  129. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  130. init_server_name,
  131. tls_parse_ctos_server_name, tls_parse_stoc_server_name,
  132. tls_construct_stoc_server_name, tls_construct_ctos_server_name,
  133. final_server_name
  134. },
  135. {
  136. TLSEXT_TYPE_max_fragment_length,
  137. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  138. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  139. NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
  140. tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
  141. final_maxfragmentlen
  142. },
  143. #ifndef OPENSSL_NO_SRP
  144. {
  145. TLSEXT_TYPE_srp,
  146. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  147. init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
  148. },
  149. #else
  150. INVALID_EXTENSION,
  151. #endif
  152. #ifndef OPENSSL_NO_EC
  153. {
  154. TLSEXT_TYPE_ec_point_formats,
  155. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  156. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  157. NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
  158. tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
  159. final_ec_pt_formats
  160. },
  161. {
  162. /*
  163. * "supported_groups" is spread across several specifications.
  164. * It was originally specified as "elliptic_curves" in RFC 4492,
  165. * and broadened to include named FFDH groups by RFC 7919.
  166. * Both RFCs 4492 and 7919 do not include a provision for the server
  167. * to indicate to the client the complete list of groups supported
  168. * by the server, with the server instead just indicating the
  169. * selected group for this connection in the ServerKeyExchange
  170. * message. TLS 1.3 adds a scheme for the server to indicate
  171. * to the client its list of supported groups in the
  172. * EncryptedExtensions message, but none of the relevant
  173. * specifications permit sending supported_groups in the ServerHello.
  174. * Nonetheless (possibly due to the close proximity to the
  175. * "ec_point_formats" extension, which is allowed in the ServerHello),
  176. * there are several servers that send this extension in the
  177. * ServerHello anyway. Up to and including the 1.1.0 release,
  178. * we did not check for the presence of nonpermitted extensions,
  179. * so to avoid a regression, we must permit this extension in the
  180. * TLS 1.2 ServerHello as well.
  181. *
  182. * Note that there is no tls_parse_stoc_supported_groups function,
  183. * so we do not perform any additional parsing, validation, or
  184. * processing on the server's group list -- this is just a minimal
  185. * change to preserve compatibility with these misbehaving servers.
  186. */
  187. TLSEXT_TYPE_supported_groups,
  188. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  189. | SSL_EXT_TLS1_2_SERVER_HELLO,
  190. NULL, tls_parse_ctos_supported_groups, NULL,
  191. tls_construct_stoc_supported_groups,
  192. tls_construct_ctos_supported_groups, NULL
  193. },
  194. #else
  195. INVALID_EXTENSION,
  196. INVALID_EXTENSION,
  197. #endif
  198. {
  199. TLSEXT_TYPE_session_ticket,
  200. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  201. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  202. init_session_ticket, tls_parse_ctos_session_ticket,
  203. tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
  204. tls_construct_ctos_session_ticket, NULL
  205. },
  206. #ifndef OPENSSL_NO_OCSP
  207. {
  208. TLSEXT_TYPE_status_request,
  209. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  210. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  211. init_status_request, tls_parse_ctos_status_request,
  212. tls_parse_stoc_status_request, tls_construct_stoc_status_request,
  213. tls_construct_ctos_status_request, NULL
  214. },
  215. #else
  216. INVALID_EXTENSION,
  217. #endif
  218. #ifndef OPENSSL_NO_NEXTPROTONEG
  219. {
  220. TLSEXT_TYPE_next_proto_neg,
  221. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  222. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  223. init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
  224. tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
  225. },
  226. #else
  227. INVALID_EXTENSION,
  228. #endif
  229. {
  230. /*
  231. * Must appear in this list after server_name so that finalisation
  232. * happens after server_name callbacks
  233. */
  234. TLSEXT_TYPE_application_layer_protocol_negotiation,
  235. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  236. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  237. init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
  238. tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
  239. },
  240. #ifndef OPENSSL_NO_SRTP
  241. {
  242. TLSEXT_TYPE_use_srtp,
  243. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  244. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
  245. init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
  246. tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
  247. },
  248. #else
  249. INVALID_EXTENSION,
  250. #endif
  251. {
  252. TLSEXT_TYPE_encrypt_then_mac,
  253. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  254. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  255. init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
  256. tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
  257. },
  258. #ifndef OPENSSL_NO_CT
  259. {
  260. TLSEXT_TYPE_signed_certificate_timestamp,
  261. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  262. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  263. NULL,
  264. /*
  265. * No server side support for this, but can be provided by a custom
  266. * extension. This is an exception to the rule that custom extensions
  267. * cannot override built in ones.
  268. */
  269. NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
  270. },
  271. #else
  272. INVALID_EXTENSION,
  273. #endif
  274. {
  275. TLSEXT_TYPE_extended_master_secret,
  276. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  277. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  278. init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
  279. tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
  280. },
  281. {
  282. TLSEXT_TYPE_signature_algorithms_cert,
  283. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  284. init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
  285. tls_parse_ctos_sig_algs_cert,
  286. /* We do not generate signature_algorithms_cert at present. */
  287. NULL, NULL, NULL
  288. },
  289. {
  290. TLSEXT_TYPE_post_handshake_auth,
  291. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
  292. init_post_handshake_auth,
  293. tls_parse_ctos_post_handshake_auth, NULL,
  294. NULL, tls_construct_ctos_post_handshake_auth,
  295. NULL,
  296. },
  297. {
  298. TLSEXT_TYPE_signature_algorithms,
  299. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  300. init_sig_algs, tls_parse_ctos_sig_algs,
  301. tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
  302. tls_construct_ctos_sig_algs, final_sig_algs
  303. },
  304. {
  305. TLSEXT_TYPE_supported_versions,
  306. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  307. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
  308. NULL,
  309. /* Processed inline as part of version selection */
  310. NULL, tls_parse_stoc_supported_versions,
  311. tls_construct_stoc_supported_versions,
  312. tls_construct_ctos_supported_versions, NULL
  313. },
  314. {
  315. TLSEXT_TYPE_psk_kex_modes,
  316. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  317. | SSL_EXT_TLS1_3_ONLY,
  318. init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
  319. tls_construct_ctos_psk_kex_modes, NULL
  320. },
  321. #ifndef OPENSSL_NO_EC
  322. {
  323. /*
  324. * Must be in this list after supported_groups. We need that to have
  325. * been parsed before we do this one.
  326. */
  327. TLSEXT_TYPE_key_share,
  328. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  329. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  330. | SSL_EXT_TLS1_3_ONLY,
  331. NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
  332. tls_construct_stoc_key_share, tls_construct_ctos_key_share,
  333. final_key_share
  334. },
  335. #endif
  336. {
  337. /* Must be after key_share */
  338. TLSEXT_TYPE_cookie,
  339. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  340. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  341. NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
  342. tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
  343. },
  344. {
  345. /*
  346. * Special unsolicited ServerHello extension only used when
  347. * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
  348. */
  349. TLSEXT_TYPE_cryptopro_bug,
  350. SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  351. NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
  352. },
  353. {
  354. TLSEXT_TYPE_early_data,
  355. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  356. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
  357. NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
  358. tls_construct_stoc_early_data, tls_construct_ctos_early_data,
  359. final_early_data
  360. },
  361. {
  362. TLSEXT_TYPE_certificate_authorities,
  363. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  364. | SSL_EXT_TLS1_3_ONLY,
  365. init_certificate_authorities,
  366. tls_parse_certificate_authorities, tls_parse_certificate_authorities,
  367. tls_construct_certificate_authorities,
  368. tls_construct_certificate_authorities, NULL,
  369. },
  370. {
  371. /* Must be immediately before pre_shared_key */
  372. TLSEXT_TYPE_padding,
  373. SSL_EXT_CLIENT_HELLO,
  374. NULL,
  375. /* We send this, but don't read it */
  376. NULL, NULL, NULL, tls_construct_ctos_padding, NULL
  377. },
  378. {
  379. /* Required by the TLSv1.3 spec to always be the last extension */
  380. TLSEXT_TYPE_psk,
  381. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  382. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  383. NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
  384. tls_construct_ctos_psk, NULL
  385. }
  386. };
  387. /* Check whether an extension's context matches the current context */
  388. static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
  389. {
  390. /* Check we're allowed to use this extension in this context */
  391. if ((thisctx & extctx) == 0)
  392. return 0;
  393. if (SSL_IS_DTLS(s)) {
  394. if ((extctx & SSL_EXT_TLS_ONLY) != 0)
  395. return 0;
  396. } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
  397. return 0;
  398. }
  399. return 1;
  400. }
  401. int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
  402. {
  403. size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
  404. RAW_EXTENSION *thisext;
  405. unsigned int context;
  406. ENDPOINT role = ENDPOINT_BOTH;
  407. if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
  408. role = ENDPOINT_SERVER;
  409. else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  410. role = ENDPOINT_CLIENT;
  411. /* Calculate the number of extensions in the extensions list */
  412. num_exts = builtin_num + s->cert->custext.meths_count;
  413. for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
  414. if (!thisext->present)
  415. continue;
  416. if (i < builtin_num) {
  417. context = ext_defs[i].context;
  418. } else {
  419. custom_ext_method *meth = NULL;
  420. meth = custom_ext_find(&s->cert->custext, role, thisext->type,
  421. &offset);
  422. if (!ossl_assert(meth != NULL))
  423. return 0;
  424. context = meth->context;
  425. }
  426. if (!validate_context(s, context, thisctx))
  427. return 0;
  428. }
  429. return 1;
  430. }
  431. /*
  432. * Verify whether we are allowed to use the extension |type| in the current
  433. * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
  434. * indicate the extension is not allowed. If returning 1 then |*found| is set to
  435. * the definition for the extension we found.
  436. */
  437. static int verify_extension(SSL *s, unsigned int context, unsigned int type,
  438. custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
  439. RAW_EXTENSION **found)
  440. {
  441. size_t i;
  442. size_t builtin_num = OSSL_NELEM(ext_defs);
  443. const EXTENSION_DEFINITION *thisext;
  444. for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
  445. if (type == thisext->type) {
  446. if (!validate_context(s, thisext->context, context))
  447. return 0;
  448. *found = &rawexlist[i];
  449. return 1;
  450. }
  451. }
  452. /* Check the custom extensions */
  453. if (meths != NULL) {
  454. size_t offset = 0;
  455. ENDPOINT role = ENDPOINT_BOTH;
  456. custom_ext_method *meth = NULL;
  457. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  458. role = ENDPOINT_SERVER;
  459. else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  460. role = ENDPOINT_CLIENT;
  461. meth = custom_ext_find(meths, role, type, &offset);
  462. if (meth != NULL) {
  463. if (!validate_context(s, meth->context, context))
  464. return 0;
  465. *found = &rawexlist[offset + builtin_num];
  466. return 1;
  467. }
  468. }
  469. /* Unknown extension. We allow it */
  470. *found = NULL;
  471. return 1;
  472. }
  473. /*
  474. * Check whether the context defined for an extension |extctx| means whether
  475. * the extension is relevant for the current context |thisctx| or not. Returns
  476. * 1 if the extension is relevant for this context, and 0 otherwise
  477. */
  478. int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
  479. {
  480. int is_tls13;
  481. /*
  482. * For HRR we haven't selected the version yet but we know it will be
  483. * TLSv1.3
  484. */
  485. if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  486. is_tls13 = 1;
  487. else
  488. is_tls13 = SSL_IS_TLS13(s);
  489. if ((SSL_IS_DTLS(s)
  490. && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
  491. || (s->version == SSL3_VERSION
  492. && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
  493. /*
  494. * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
  495. * which is never true when generating the ClientHello.
  496. * However, version negotiation *has* occurred by the time the
  497. * ClientHello extensions are being parsed.
  498. * Be careful to allow TLS 1.3-only extensions when generating
  499. * the ClientHello.
  500. */
  501. || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
  502. || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
  503. && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
  504. || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
  505. || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
  506. return 0;
  507. return 1;
  508. }
  509. /*
  510. * Gather a list of all the extensions from the data in |packet]. |context|
  511. * tells us which message this extension is for. The raw extension data is
  512. * stored in |*res| on success. We don't actually process the content of the
  513. * extensions yet, except to check their types. This function also runs the
  514. * initialiser functions for all known extensions if |init| is nonzero (whether
  515. * we have collected them or not). If successful the caller is responsible for
  516. * freeing the contents of |*res|.
  517. *
  518. * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
  519. * more than one extension of the same type in a ClientHello or ServerHello.
  520. * This function returns 1 if all extensions are unique and we have parsed their
  521. * types, and 0 if the extensions contain duplicates, could not be successfully
  522. * found, or an internal error occurred. We only check duplicates for
  523. * extensions that we know about. We ignore others.
  524. */
  525. int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
  526. RAW_EXTENSION **res, size_t *len, int init)
  527. {
  528. PACKET extensions = *packet;
  529. size_t i = 0;
  530. size_t num_exts;
  531. custom_ext_methods *exts = &s->cert->custext;
  532. RAW_EXTENSION *raw_extensions = NULL;
  533. const EXTENSION_DEFINITION *thisexd;
  534. *res = NULL;
  535. /*
  536. * Initialise server side custom extensions. Client side is done during
  537. * construction of extensions for the ClientHello.
  538. */
  539. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  540. custom_ext_init(&s->cert->custext);
  541. num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
  542. raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
  543. if (raw_extensions == NULL) {
  544. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
  545. ERR_R_MALLOC_FAILURE);
  546. return 0;
  547. }
  548. i = 0;
  549. while (PACKET_remaining(&extensions) > 0) {
  550. unsigned int type, idx;
  551. PACKET extension;
  552. RAW_EXTENSION *thisex;
  553. if (!PACKET_get_net_2(&extensions, &type) ||
  554. !PACKET_get_length_prefixed_2(&extensions, &extension)) {
  555. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
  556. SSL_R_BAD_EXTENSION);
  557. goto err;
  558. }
  559. /*
  560. * Verify this extension is allowed. We only check duplicates for
  561. * extensions that we recognise. We also have a special case for the
  562. * PSK extension, which must be the last one in the ClientHello.
  563. */
  564. if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
  565. || (thisex != NULL && thisex->present == 1)
  566. || (type == TLSEXT_TYPE_psk
  567. && (context & SSL_EXT_CLIENT_HELLO) != 0
  568. && PACKET_remaining(&extensions) != 0)) {
  569. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
  570. SSL_R_BAD_EXTENSION);
  571. goto err;
  572. }
  573. idx = thisex - raw_extensions;
  574. /*-
  575. * Check that we requested this extension (if appropriate). Requests can
  576. * be sent in the ClientHello and CertificateRequest. Unsolicited
  577. * extensions can be sent in the NewSessionTicket. We only do this for
  578. * the built-in extensions. Custom extensions have a different but
  579. * similar check elsewhere.
  580. * Special cases:
  581. * - The HRR cookie extension is unsolicited
  582. * - The renegotiate extension is unsolicited (the client signals
  583. * support via an SCSV)
  584. * - The signed_certificate_timestamp extension can be provided by a
  585. * custom extension or by the built-in version. We let the extension
  586. * itself handle unsolicited response checks.
  587. */
  588. if (idx < OSSL_NELEM(ext_defs)
  589. && (context & (SSL_EXT_CLIENT_HELLO
  590. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  591. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
  592. && type != TLSEXT_TYPE_cookie
  593. && type != TLSEXT_TYPE_renegotiate
  594. && type != TLSEXT_TYPE_signed_certificate_timestamp
  595. && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
  596. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  597. SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
  598. goto err;
  599. }
  600. if (thisex != NULL) {
  601. thisex->data = extension;
  602. thisex->present = 1;
  603. thisex->type = type;
  604. thisex->received_order = i++;
  605. if (s->ext.debug_cb)
  606. s->ext.debug_cb(s, !s->server, thisex->type,
  607. PACKET_data(&thisex->data),
  608. PACKET_remaining(&thisex->data),
  609. s->ext.debug_arg);
  610. }
  611. }
  612. if (init) {
  613. /*
  614. * Initialise all known extensions relevant to this context,
  615. * whether we have found them or not
  616. */
  617. for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
  618. i++, thisexd++) {
  619. if (thisexd->init != NULL && (thisexd->context & context) != 0
  620. && extension_is_relevant(s, thisexd->context, context)
  621. && !thisexd->init(s, context)) {
  622. /* SSLfatal() already called */
  623. goto err;
  624. }
  625. }
  626. }
  627. *res = raw_extensions;
  628. if (len != NULL)
  629. *len = num_exts;
  630. return 1;
  631. err:
  632. OPENSSL_free(raw_extensions);
  633. return 0;
  634. }
  635. /*
  636. * Runs the parser for a given extension with index |idx|. |exts| contains the
  637. * list of all parsed extensions previously collected by
  638. * tls_collect_extensions(). The parser is only run if it is applicable for the
  639. * given |context| and the parser has not already been run. If this is for a
  640. * Certificate message, then we also provide the parser with the relevant
  641. * Certificate |x| and its position in the |chainidx| with 0 being the first
  642. * Certificate. Returns 1 on success or 0 on failure. If an extension is not
  643. * present this counted as success.
  644. */
  645. int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
  646. RAW_EXTENSION *exts, X509 *x, size_t chainidx)
  647. {
  648. RAW_EXTENSION *currext = &exts[idx];
  649. int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  650. size_t chainidx) = NULL;
  651. /* Skip if the extension is not present */
  652. if (!currext->present)
  653. return 1;
  654. /* Skip if we've already parsed this extension */
  655. if (currext->parsed)
  656. return 1;
  657. currext->parsed = 1;
  658. if (idx < OSSL_NELEM(ext_defs)) {
  659. /* We are handling a built-in extension */
  660. const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
  661. /* Check if extension is defined for our protocol. If not, skip */
  662. if (!extension_is_relevant(s, extdef->context, context))
  663. return 1;
  664. parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
  665. if (parser != NULL)
  666. return parser(s, &currext->data, context, x, chainidx);
  667. /*
  668. * If the parser is NULL we fall through to the custom extension
  669. * processing
  670. */
  671. }
  672. /* Parse custom extensions */
  673. return custom_ext_parse(s, context, currext->type,
  674. PACKET_data(&currext->data),
  675. PACKET_remaining(&currext->data),
  676. x, chainidx);
  677. }
  678. /*
  679. * Parse all remaining extensions that have not yet been parsed. Also calls the
  680. * finalisation for all extensions at the end if |fin| is nonzero, whether we
  681. * collected them or not. Returns 1 for success or 0 for failure. If we are
  682. * working on a Certificate message then we also pass the Certificate |x| and
  683. * its position in the |chainidx|, with 0 being the first certificate.
  684. */
  685. int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
  686. size_t chainidx, int fin)
  687. {
  688. size_t i, numexts = OSSL_NELEM(ext_defs);
  689. const EXTENSION_DEFINITION *thisexd;
  690. /* Calculate the number of extensions in the extensions list */
  691. numexts += s->cert->custext.meths_count;
  692. /* Parse each extension in turn */
  693. for (i = 0; i < numexts; i++) {
  694. if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
  695. /* SSLfatal() already called */
  696. return 0;
  697. }
  698. }
  699. if (fin) {
  700. /*
  701. * Finalise all known extensions relevant to this context,
  702. * whether we have found them or not
  703. */
  704. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
  705. i++, thisexd++) {
  706. if (thisexd->final != NULL && (thisexd->context & context) != 0
  707. && !thisexd->final(s, context, exts[i].present)) {
  708. /* SSLfatal() already called */
  709. return 0;
  710. }
  711. }
  712. }
  713. return 1;
  714. }
  715. int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
  716. int max_version)
  717. {
  718. /* Skip if not relevant for our context */
  719. if ((extctx & thisctx) == 0)
  720. return 0;
  721. /* Check if this extension is defined for our protocol. If not, skip */
  722. if (!extension_is_relevant(s, extctx, thisctx)
  723. || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
  724. && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
  725. && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
  726. return 0;
  727. return 1;
  728. }
  729. /*
  730. * Construct all the extensions relevant to the current |context| and write
  731. * them to |pkt|. If this is an extension for a Certificate in a Certificate
  732. * message, then |x| will be set to the Certificate we are handling, and
  733. * |chainidx| will indicate the position in the chainidx we are processing (with
  734. * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
  735. * failure construction stops at the first extension to fail to construct.
  736. */
  737. int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
  738. X509 *x, size_t chainidx)
  739. {
  740. size_t i;
  741. int min_version, max_version = 0, reason;
  742. const EXTENSION_DEFINITION *thisexd;
  743. if (!WPACKET_start_sub_packet_u16(pkt)
  744. /*
  745. * If extensions are of zero length then we don't even add the
  746. * extensions length bytes to a ClientHello/ServerHello
  747. * (for non-TLSv1.3).
  748. */
  749. || ((context &
  750. (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
  751. && !WPACKET_set_flags(pkt,
  752. WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
  753. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
  754. ERR_R_INTERNAL_ERROR);
  755. return 0;
  756. }
  757. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  758. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  759. if (reason != 0) {
  760. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
  761. reason);
  762. return 0;
  763. }
  764. }
  765. /* Add custom extensions first */
  766. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  767. /* On the server side with initialise during ClientHello parsing */
  768. custom_ext_init(&s->cert->custext);
  769. }
  770. if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
  771. /* SSLfatal() already called */
  772. return 0;
  773. }
  774. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
  775. EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
  776. X509 *x, size_t chainidx);
  777. EXT_RETURN ret;
  778. /* Skip if not relevant for our context */
  779. if (!should_add_extension(s, thisexd->context, context, max_version))
  780. continue;
  781. construct = s->server ? thisexd->construct_stoc
  782. : thisexd->construct_ctos;
  783. if (construct == NULL)
  784. continue;
  785. ret = construct(s, pkt, context, x, chainidx);
  786. if (ret == EXT_RETURN_FAIL) {
  787. /* SSLfatal() already called */
  788. return 0;
  789. }
  790. if (ret == EXT_RETURN_SENT
  791. && (context & (SSL_EXT_CLIENT_HELLO
  792. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  793. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
  794. s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
  795. }
  796. if (!WPACKET_close(pkt)) {
  797. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
  798. ERR_R_INTERNAL_ERROR);
  799. return 0;
  800. }
  801. return 1;
  802. }
  803. /*
  804. * Built in extension finalisation and initialisation functions. All initialise
  805. * or finalise the associated extension type for the given |context|. For
  806. * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
  807. * otherwise. These functions return 1 on success or 0 on failure.
  808. */
  809. static int final_renegotiate(SSL *s, unsigned int context, int sent)
  810. {
  811. if (!s->server) {
  812. /*
  813. * Check if we can connect to a server that doesn't support safe
  814. * renegotiation
  815. */
  816. if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  817. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  818. && !sent) {
  819. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
  820. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  821. return 0;
  822. }
  823. return 1;
  824. }
  825. /* Need RI if renegotiating */
  826. if (s->renegotiate
  827. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  828. && !sent) {
  829. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
  830. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  831. return 0;
  832. }
  833. return 1;
  834. }
  835. static int init_server_name(SSL *s, unsigned int context)
  836. {
  837. if (s->server) {
  838. s->servername_done = 0;
  839. OPENSSL_free(s->ext.hostname);
  840. s->ext.hostname = NULL;
  841. }
  842. return 1;
  843. }
  844. static int final_server_name(SSL *s, unsigned int context, int sent)
  845. {
  846. int ret = SSL_TLSEXT_ERR_NOACK;
  847. int altmp = SSL_AD_UNRECOGNIZED_NAME;
  848. int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
  849. if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
  850. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  851. ERR_R_INTERNAL_ERROR);
  852. return 0;
  853. }
  854. if (s->ctx->ext.servername_cb != NULL)
  855. ret = s->ctx->ext.servername_cb(s, &altmp,
  856. s->ctx->ext.servername_arg);
  857. else if (s->session_ctx->ext.servername_cb != NULL)
  858. ret = s->session_ctx->ext.servername_cb(s, &altmp,
  859. s->session_ctx->ext.servername_arg);
  860. /*
  861. * For servers, propagate the SNI hostname from the temporary
  862. * storage in the SSL to the persistent SSL_SESSION, now that we
  863. * know we accepted it.
  864. * Clients make this copy when parsing the server's response to
  865. * the extension, which is when they find out that the negotiation
  866. * was successful.
  867. */
  868. if (s->server) {
  869. /* TODO(OpenSSL1.2) revisit !sent case */
  870. if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
  871. /* Only store the hostname in the session if we accepted it. */
  872. OPENSSL_free(s->session->ext.hostname);
  873. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  874. if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
  875. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  876. ERR_R_INTERNAL_ERROR);
  877. }
  878. }
  879. }
  880. /*
  881. * If we switched contexts (whether here or in the client_hello callback),
  882. * move the sess_accept increment from the session_ctx to the new
  883. * context, to avoid the confusing situation of having sess_accept_good
  884. * exceed sess_accept (zero) for the new context.
  885. */
  886. if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
  887. tsan_counter(&s->ctx->stats.sess_accept);
  888. tsan_decr(&s->session_ctx->stats.sess_accept);
  889. }
  890. /*
  891. * If we're expecting to send a ticket, and tickets were previously enabled,
  892. * and now tickets are disabled, then turn off expected ticket.
  893. * Also, if this is not a resumption, create a new session ID
  894. */
  895. if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
  896. && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
  897. s->ext.ticket_expected = 0;
  898. if (!s->hit) {
  899. SSL_SESSION* ss = SSL_get_session(s);
  900. if (ss != NULL) {
  901. OPENSSL_free(ss->ext.tick);
  902. ss->ext.tick = NULL;
  903. ss->ext.ticklen = 0;
  904. ss->ext.tick_lifetime_hint = 0;
  905. ss->ext.tick_age_add = 0;
  906. ss->ext.tick_identity = 0;
  907. if (!ssl_generate_session_id(s, ss)) {
  908. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  909. ERR_R_INTERNAL_ERROR);
  910. return 0;
  911. }
  912. } else {
  913. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  914. ERR_R_INTERNAL_ERROR);
  915. return 0;
  916. }
  917. }
  918. }
  919. switch (ret) {
  920. case SSL_TLSEXT_ERR_ALERT_FATAL:
  921. SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
  922. return 0;
  923. case SSL_TLSEXT_ERR_ALERT_WARNING:
  924. /* TLSv1.3 doesn't have warning alerts so we suppress this */
  925. if (!SSL_IS_TLS13(s))
  926. ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
  927. return 1;
  928. case SSL_TLSEXT_ERR_NOACK:
  929. s->servername_done = 0;
  930. return 1;
  931. default:
  932. return 1;
  933. }
  934. }
  935. #ifndef OPENSSL_NO_EC
  936. static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
  937. {
  938. unsigned long alg_k, alg_a;
  939. if (s->server)
  940. return 1;
  941. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  942. alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  943. /*
  944. * If we are client and using an elliptic curve cryptography cipher
  945. * suite, then if server returns an EC point formats lists extension it
  946. * must contain uncompressed.
  947. */
  948. if (s->ext.ecpointformats != NULL
  949. && s->ext.ecpointformats_len > 0
  950. && s->session->ext.ecpointformats != NULL
  951. && s->session->ext.ecpointformats_len > 0
  952. && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
  953. /* we are using an ECC cipher */
  954. size_t i;
  955. unsigned char *list = s->session->ext.ecpointformats;
  956. for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
  957. if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
  958. break;
  959. }
  960. if (i == s->session->ext.ecpointformats_len) {
  961. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
  962. SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  963. return 0;
  964. }
  965. }
  966. return 1;
  967. }
  968. #endif
  969. static int init_session_ticket(SSL *s, unsigned int context)
  970. {
  971. if (!s->server)
  972. s->ext.ticket_expected = 0;
  973. return 1;
  974. }
  975. #ifndef OPENSSL_NO_OCSP
  976. static int init_status_request(SSL *s, unsigned int context)
  977. {
  978. if (s->server) {
  979. s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
  980. } else {
  981. /*
  982. * Ensure we get sensible values passed to tlsext_status_cb in the event
  983. * that we don't receive a status message
  984. */
  985. OPENSSL_free(s->ext.ocsp.resp);
  986. s->ext.ocsp.resp = NULL;
  987. s->ext.ocsp.resp_len = 0;
  988. }
  989. return 1;
  990. }
  991. #endif
  992. #ifndef OPENSSL_NO_NEXTPROTONEG
  993. static int init_npn(SSL *s, unsigned int context)
  994. {
  995. s->s3->npn_seen = 0;
  996. return 1;
  997. }
  998. #endif
  999. static int init_alpn(SSL *s, unsigned int context)
  1000. {
  1001. OPENSSL_free(s->s3->alpn_selected);
  1002. s->s3->alpn_selected = NULL;
  1003. s->s3->alpn_selected_len = 0;
  1004. if (s->server) {
  1005. OPENSSL_free(s->s3->alpn_proposed);
  1006. s->s3->alpn_proposed = NULL;
  1007. s->s3->alpn_proposed_len = 0;
  1008. }
  1009. return 1;
  1010. }
  1011. static int final_alpn(SSL *s, unsigned int context, int sent)
  1012. {
  1013. if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
  1014. s->ext.early_data_ok = 0;
  1015. if (!s->server || !SSL_IS_TLS13(s))
  1016. return 1;
  1017. /*
  1018. * Call alpn_select callback if needed. Has to be done after SNI and
  1019. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  1020. * we also have to do this before we decide whether to accept early_data.
  1021. * In TLSv1.3 we've already negotiated our cipher so we do this call now.
  1022. * For < TLSv1.3 we defer it until after cipher negotiation.
  1023. *
  1024. * On failure SSLfatal() already called.
  1025. */
  1026. return tls_handle_alpn(s);
  1027. }
  1028. static int init_sig_algs(SSL *s, unsigned int context)
  1029. {
  1030. /* Clear any signature algorithms extension received */
  1031. OPENSSL_free(s->s3->tmp.peer_sigalgs);
  1032. s->s3->tmp.peer_sigalgs = NULL;
  1033. return 1;
  1034. }
  1035. static int init_sig_algs_cert(SSL *s, unsigned int context)
  1036. {
  1037. /* Clear any signature algorithms extension received */
  1038. OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
  1039. s->s3->tmp.peer_cert_sigalgs = NULL;
  1040. return 1;
  1041. }
  1042. #ifndef OPENSSL_NO_SRP
  1043. static int init_srp(SSL *s, unsigned int context)
  1044. {
  1045. OPENSSL_free(s->srp_ctx.login);
  1046. s->srp_ctx.login = NULL;
  1047. return 1;
  1048. }
  1049. #endif
  1050. static int init_etm(SSL *s, unsigned int context)
  1051. {
  1052. s->ext.use_etm = 0;
  1053. return 1;
  1054. }
  1055. static int init_ems(SSL *s, unsigned int context)
  1056. {
  1057. if (!s->server)
  1058. s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
  1059. return 1;
  1060. }
  1061. static int final_ems(SSL *s, unsigned int context, int sent)
  1062. {
  1063. if (!s->server && s->hit) {
  1064. /*
  1065. * Check extended master secret extension is consistent with
  1066. * original session.
  1067. */
  1068. if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
  1069. !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
  1070. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
  1071. SSL_R_INCONSISTENT_EXTMS);
  1072. return 0;
  1073. }
  1074. }
  1075. return 1;
  1076. }
  1077. static int init_certificate_authorities(SSL *s, unsigned int context)
  1078. {
  1079. sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
  1080. s->s3->tmp.peer_ca_names = NULL;
  1081. return 1;
  1082. }
  1083. static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
  1084. unsigned int context,
  1085. X509 *x,
  1086. size_t chainidx)
  1087. {
  1088. const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
  1089. if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
  1090. return EXT_RETURN_NOT_SENT;
  1091. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
  1092. || !WPACKET_start_sub_packet_u16(pkt)) {
  1093. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1094. SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
  1095. ERR_R_INTERNAL_ERROR);
  1096. return EXT_RETURN_FAIL;
  1097. }
  1098. if (!construct_ca_names(s, ca_sk, pkt)) {
  1099. /* SSLfatal() already called */
  1100. return EXT_RETURN_FAIL;
  1101. }
  1102. if (!WPACKET_close(pkt)) {
  1103. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1104. SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
  1105. ERR_R_INTERNAL_ERROR);
  1106. return EXT_RETURN_FAIL;
  1107. }
  1108. return EXT_RETURN_SENT;
  1109. }
  1110. static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
  1111. unsigned int context, X509 *x,
  1112. size_t chainidx)
  1113. {
  1114. if (!parse_ca_names(s, pkt))
  1115. return 0;
  1116. if (PACKET_remaining(pkt) != 0) {
  1117. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1118. SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
  1119. return 0;
  1120. }
  1121. return 1;
  1122. }
  1123. #ifndef OPENSSL_NO_SRTP
  1124. static int init_srtp(SSL *s, unsigned int context)
  1125. {
  1126. if (s->server)
  1127. s->srtp_profile = NULL;
  1128. return 1;
  1129. }
  1130. #endif
  1131. static int final_sig_algs(SSL *s, unsigned int context, int sent)
  1132. {
  1133. if (!sent && SSL_IS_TLS13(s) && !s->hit) {
  1134. SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
  1135. SSL_R_MISSING_SIGALGS_EXTENSION);
  1136. return 0;
  1137. }
  1138. return 1;
  1139. }
  1140. #ifndef OPENSSL_NO_EC
  1141. static int final_key_share(SSL *s, unsigned int context, int sent)
  1142. {
  1143. if (!SSL_IS_TLS13(s))
  1144. return 1;
  1145. /* Nothing to do for key_share in an HRR */
  1146. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  1147. return 1;
  1148. /*
  1149. * If
  1150. * we are a client
  1151. * AND
  1152. * we have no key_share
  1153. * AND
  1154. * (we are not resuming
  1155. * OR the kex_mode doesn't allow non key_share resumes)
  1156. * THEN
  1157. * fail;
  1158. */
  1159. if (!s->server
  1160. && !sent
  1161. && (!s->hit
  1162. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
  1163. /* Nothing left we can do - just fail */
  1164. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
  1165. SSL_R_NO_SUITABLE_KEY_SHARE);
  1166. return 0;
  1167. }
  1168. /*
  1169. * IF
  1170. * we are a server
  1171. * THEN
  1172. * IF
  1173. * we have a suitable key_share
  1174. * THEN
  1175. * IF
  1176. * we are stateless AND we have no cookie
  1177. * THEN
  1178. * send a HelloRetryRequest
  1179. * ELSE
  1180. * IF
  1181. * we didn't already send a HelloRetryRequest
  1182. * AND
  1183. * the client sent a key_share extension
  1184. * AND
  1185. * (we are not resuming
  1186. * OR the kex_mode allows key_share resumes)
  1187. * AND
  1188. * a shared group exists
  1189. * THEN
  1190. * send a HelloRetryRequest
  1191. * ELSE IF
  1192. * we are not resuming
  1193. * OR
  1194. * the kex_mode doesn't allow non key_share resumes
  1195. * THEN
  1196. * fail
  1197. * ELSE IF
  1198. * we are stateless AND we have no cookie
  1199. * THEN
  1200. * send a HelloRetryRequest
  1201. */
  1202. if (s->server) {
  1203. if (s->s3->peer_tmp != NULL) {
  1204. /* We have a suitable key_share */
  1205. if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
  1206. && !s->ext.cookieok) {
  1207. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1208. /*
  1209. * If we are stateless then we wouldn't know about any
  1210. * previously sent HRR - so how can this be anything other
  1211. * than 0?
  1212. */
  1213. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
  1214. ERR_R_INTERNAL_ERROR);
  1215. return 0;
  1216. }
  1217. s->hello_retry_request = SSL_HRR_PENDING;
  1218. return 1;
  1219. }
  1220. } else {
  1221. /* No suitable key_share */
  1222. if (s->hello_retry_request == SSL_HRR_NONE && sent
  1223. && (!s->hit
  1224. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
  1225. != 0)) {
  1226. const uint16_t *pgroups, *clntgroups;
  1227. size_t num_groups, clnt_num_groups, i;
  1228. unsigned int group_id = 0;
  1229. /* Check if a shared group exists */
  1230. /* Get the clients list of supported groups. */
  1231. tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
  1232. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1233. /*
  1234. * Find the first group we allow that is also in client's list
  1235. */
  1236. for (i = 0; i < num_groups; i++) {
  1237. group_id = pgroups[i];
  1238. if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
  1239. 1))
  1240. break;
  1241. }
  1242. if (i < num_groups) {
  1243. /* A shared group exists so send a HelloRetryRequest */
  1244. s->s3->group_id = group_id;
  1245. s->hello_retry_request = SSL_HRR_PENDING;
  1246. return 1;
  1247. }
  1248. }
  1249. if (!s->hit
  1250. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
  1251. /* Nothing left we can do - just fail */
  1252. SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
  1253. : SSL_AD_MISSING_EXTENSION,
  1254. SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
  1255. return 0;
  1256. }
  1257. if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
  1258. && !s->ext.cookieok) {
  1259. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1260. /*
  1261. * If we are stateless then we wouldn't know about any
  1262. * previously sent HRR - so how can this be anything other
  1263. * than 0?
  1264. */
  1265. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
  1266. ERR_R_INTERNAL_ERROR);
  1267. return 0;
  1268. }
  1269. s->hello_retry_request = SSL_HRR_PENDING;
  1270. return 1;
  1271. }
  1272. }
  1273. /*
  1274. * We have a key_share so don't send any more HelloRetryRequest
  1275. * messages
  1276. */
  1277. if (s->hello_retry_request == SSL_HRR_PENDING)
  1278. s->hello_retry_request = SSL_HRR_COMPLETE;
  1279. } else {
  1280. /*
  1281. * For a client side resumption with no key_share we need to generate
  1282. * the handshake secret (otherwise this is done during key_share
  1283. * processing).
  1284. */
  1285. if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
  1286. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
  1287. ERR_R_INTERNAL_ERROR);
  1288. return 0;
  1289. }
  1290. }
  1291. return 1;
  1292. }
  1293. #endif
  1294. static int init_psk_kex_modes(SSL *s, unsigned int context)
  1295. {
  1296. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
  1297. return 1;
  1298. }
  1299. int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
  1300. size_t binderoffset, const unsigned char *binderin,
  1301. unsigned char *binderout, SSL_SESSION *sess, int sign,
  1302. int external)
  1303. {
  1304. EVP_PKEY *mackey = NULL;
  1305. EVP_MD_CTX *mctx = NULL;
  1306. unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
  1307. unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
  1308. unsigned char *early_secret;
  1309. static const unsigned char resumption_label[] = "res binder";
  1310. static const unsigned char external_label[] = "ext binder";
  1311. const unsigned char *label;
  1312. size_t bindersize, labelsize, hashsize;
  1313. int hashsizei = EVP_MD_size(md);
  1314. int ret = -1;
  1315. int usepskfored = 0;
  1316. /* Ensure cast to size_t is safe */
  1317. if (!ossl_assert(hashsizei >= 0)) {
  1318. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1319. ERR_R_INTERNAL_ERROR);
  1320. goto err;
  1321. }
  1322. hashsize = (size_t)hashsizei;
  1323. if (external
  1324. && s->early_data_state == SSL_EARLY_DATA_CONNECTING
  1325. && s->session->ext.max_early_data == 0
  1326. && sess->ext.max_early_data > 0)
  1327. usepskfored = 1;
  1328. if (external) {
  1329. label = external_label;
  1330. labelsize = sizeof(external_label) - 1;
  1331. } else {
  1332. label = resumption_label;
  1333. labelsize = sizeof(resumption_label) - 1;
  1334. }
  1335. /*
  1336. * Generate the early_secret. On the server side we've selected a PSK to
  1337. * resume with (internal or external) so we always do this. On the client
  1338. * side we do this for a non-external (i.e. resumption) PSK or external PSK
  1339. * that will be used for early_data so that it is in place for sending early
  1340. * data. For client side external PSK not being used for early_data we
  1341. * generate it but store it away for later use.
  1342. */
  1343. if (s->server || !external || usepskfored)
  1344. early_secret = (unsigned char *)s->early_secret;
  1345. else
  1346. early_secret = (unsigned char *)sess->early_secret;
  1347. if (!tls13_generate_secret(s, md, NULL, sess->master_key,
  1348. sess->master_key_length, early_secret)) {
  1349. /* SSLfatal() already called */
  1350. goto err;
  1351. }
  1352. /*
  1353. * Create the handshake hash for the binder key...the messages so far are
  1354. * empty!
  1355. */
  1356. mctx = EVP_MD_CTX_new();
  1357. if (mctx == NULL
  1358. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  1359. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1360. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1361. ERR_R_INTERNAL_ERROR);
  1362. goto err;
  1363. }
  1364. /* Generate the binder key */
  1365. if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
  1366. hashsize, binderkey, hashsize, 1)) {
  1367. /* SSLfatal() already called */
  1368. goto err;
  1369. }
  1370. /* Generate the finished key */
  1371. if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
  1372. /* SSLfatal() already called */
  1373. goto err;
  1374. }
  1375. if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
  1376. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1377. ERR_R_INTERNAL_ERROR);
  1378. goto err;
  1379. }
  1380. /*
  1381. * Get a hash of the ClientHello up to the start of the binders. If we are
  1382. * following a HelloRetryRequest then this includes the hash of the first
  1383. * ClientHello and the HelloRetryRequest itself.
  1384. */
  1385. if (s->hello_retry_request == SSL_HRR_PENDING) {
  1386. size_t hdatalen;
  1387. long hdatalen_l;
  1388. void *hdata;
  1389. hdatalen = hdatalen_l =
  1390. BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
  1391. if (hdatalen_l <= 0) {
  1392. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1393. SSL_R_BAD_HANDSHAKE_LENGTH);
  1394. goto err;
  1395. }
  1396. /*
  1397. * For servers the handshake buffer data will include the second
  1398. * ClientHello - which we don't want - so we need to take that bit off.
  1399. */
  1400. if (s->server) {
  1401. PACKET hashprefix, msg;
  1402. /* Find how many bytes are left after the first two messages */
  1403. if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
  1404. || !PACKET_forward(&hashprefix, 1)
  1405. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
  1406. || !PACKET_forward(&hashprefix, 1)
  1407. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
  1408. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1409. ERR_R_INTERNAL_ERROR);
  1410. goto err;
  1411. }
  1412. hdatalen -= PACKET_remaining(&hashprefix);
  1413. }
  1414. if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
  1415. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1416. ERR_R_INTERNAL_ERROR);
  1417. goto err;
  1418. }
  1419. }
  1420. if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
  1421. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1422. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1423. ERR_R_INTERNAL_ERROR);
  1424. goto err;
  1425. }
  1426. mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
  1427. hashsize);
  1428. if (mackey == NULL) {
  1429. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1430. ERR_R_INTERNAL_ERROR);
  1431. goto err;
  1432. }
  1433. if (!sign)
  1434. binderout = tmpbinder;
  1435. bindersize = hashsize;
  1436. if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
  1437. || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
  1438. || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
  1439. || bindersize != hashsize) {
  1440. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1441. ERR_R_INTERNAL_ERROR);
  1442. goto err;
  1443. }
  1444. if (sign) {
  1445. ret = 1;
  1446. } else {
  1447. /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
  1448. ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
  1449. if (!ret)
  1450. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
  1451. SSL_R_BINDER_DOES_NOT_VERIFY);
  1452. }
  1453. err:
  1454. OPENSSL_cleanse(binderkey, sizeof(binderkey));
  1455. OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
  1456. EVP_PKEY_free(mackey);
  1457. EVP_MD_CTX_free(mctx);
  1458. return ret;
  1459. }
  1460. static int final_early_data(SSL *s, unsigned int context, int sent)
  1461. {
  1462. if (!sent)
  1463. return 1;
  1464. if (!s->server) {
  1465. if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  1466. && sent
  1467. && !s->ext.early_data_ok) {
  1468. /*
  1469. * If we get here then the server accepted our early_data but we
  1470. * later realised that it shouldn't have done (e.g. inconsistent
  1471. * ALPN)
  1472. */
  1473. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
  1474. SSL_R_BAD_EARLY_DATA);
  1475. return 0;
  1476. }
  1477. return 1;
  1478. }
  1479. if (s->max_early_data == 0
  1480. || !s->hit
  1481. || s->session->ext.tick_identity != 0
  1482. || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  1483. || !s->ext.early_data_ok
  1484. || s->hello_retry_request != SSL_HRR_NONE
  1485. || (s->ctx->allow_early_data_cb != NULL
  1486. && !s->ctx->allow_early_data_cb(s,
  1487. s->ctx->allow_early_data_cb_data))) {
  1488. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  1489. } else {
  1490. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1491. if (!tls13_change_cipher_state(s,
  1492. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  1493. /* SSLfatal() already called */
  1494. return 0;
  1495. }
  1496. }
  1497. return 1;
  1498. }
  1499. static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
  1500. {
  1501. /*
  1502. * Session resumption on server-side with MFL extension active
  1503. * BUT MFL extension packet was not resent (i.e. sent == 0)
  1504. */
  1505. if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1506. && !sent ) {
  1507. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
  1508. SSL_R_BAD_EXTENSION);
  1509. return 0;
  1510. }
  1511. /* Current SSL buffer is lower than requested MFL */
  1512. if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1513. && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
  1514. /* trigger a larger buffer reallocation */
  1515. if (!ssl3_setup_buffers(s)) {
  1516. /* SSLfatal() already called */
  1517. return 0;
  1518. }
  1519. return 1;
  1520. }
  1521. static int init_post_handshake_auth(SSL *s, unsigned int context)
  1522. {
  1523. s->post_handshake_auth = SSL_PHA_NONE;
  1524. return 1;
  1525. }