2
0

extensions.c 61 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730
  1. /*
  2. * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #if defined(__TANDEM) && defined(_SPT_MODEL_)
  10. # include <spthread.h>
  11. # include <spt_extensions.h> /* timeval */
  12. #endif
  13. #include <string.h>
  14. #include "internal/nelem.h"
  15. #include "internal/cryptlib.h"
  16. #include "../ssl_local.h"
  17. #include "statem_local.h"
  18. static int final_renegotiate(SSL_CONNECTION *s, unsigned int context, int sent);
  19. static int init_server_name(SSL_CONNECTION *s, unsigned int context);
  20. static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent);
  21. static int final_ec_pt_formats(SSL_CONNECTION *s, unsigned int context,
  22. int sent);
  23. static int init_session_ticket(SSL_CONNECTION *s, unsigned int context);
  24. #ifndef OPENSSL_NO_OCSP
  25. static int init_status_request(SSL_CONNECTION *s, unsigned int context);
  26. #endif
  27. #ifndef OPENSSL_NO_NEXTPROTONEG
  28. static int init_npn(SSL_CONNECTION *s, unsigned int context);
  29. #endif
  30. static int init_alpn(SSL_CONNECTION *s, unsigned int context);
  31. static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent);
  32. static int init_sig_algs_cert(SSL_CONNECTION *s, unsigned int context);
  33. static int init_sig_algs(SSL_CONNECTION *s, unsigned int context);
  34. static int init_certificate_authorities(SSL_CONNECTION *s,
  35. unsigned int context);
  36. static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s,
  37. WPACKET *pkt,
  38. unsigned int context,
  39. X509 *x,
  40. size_t chainidx);
  41. static int tls_parse_certificate_authorities(SSL_CONNECTION *s, PACKET *pkt,
  42. unsigned int context, X509 *x,
  43. size_t chainidx);
  44. #ifndef OPENSSL_NO_SRP
  45. static int init_srp(SSL_CONNECTION *s, unsigned int context);
  46. #endif
  47. static int init_ec_point_formats(SSL_CONNECTION *s, unsigned int context);
  48. static int init_etm(SSL_CONNECTION *s, unsigned int context);
  49. static int init_ems(SSL_CONNECTION *s, unsigned int context);
  50. static int final_ems(SSL_CONNECTION *s, unsigned int context, int sent);
  51. static int init_psk_kex_modes(SSL_CONNECTION *s, unsigned int context);
  52. static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent);
  53. #ifndef OPENSSL_NO_SRTP
  54. static int init_srtp(SSL_CONNECTION *s, unsigned int context);
  55. #endif
  56. static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent);
  57. static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent);
  58. static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context,
  59. int sent);
  60. static int init_post_handshake_auth(SSL_CONNECTION *s, unsigned int context);
  61. static int final_psk(SSL_CONNECTION *s, unsigned int context, int sent);
  62. /* Structure to define a built-in extension */
  63. typedef struct extensions_definition_st {
  64. /* The defined type for the extension */
  65. unsigned int type;
  66. /*
  67. * The context that this extension applies to, e.g. what messages and
  68. * protocol versions
  69. */
  70. unsigned int context;
  71. /*
  72. * Initialise extension before parsing. Always called for relevant contexts
  73. * even if extension not present
  74. */
  75. int (*init)(SSL_CONNECTION *s, unsigned int context);
  76. /* Parse extension sent from client to server */
  77. int (*parse_ctos)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  78. X509 *x, size_t chainidx);
  79. /* Parse extension send from server to client */
  80. int (*parse_stoc)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  81. X509 *x, size_t chainidx);
  82. /* Construct extension sent from server to client */
  83. EXT_RETURN (*construct_stoc)(SSL_CONNECTION *s, WPACKET *pkt,
  84. unsigned int context,
  85. X509 *x, size_t chainidx);
  86. /* Construct extension sent from client to server */
  87. EXT_RETURN (*construct_ctos)(SSL_CONNECTION *s, WPACKET *pkt,
  88. unsigned int context,
  89. X509 *x, size_t chainidx);
  90. /*
  91. * Finalise extension after parsing. Always called where an extensions was
  92. * initialised even if the extension was not present. |sent| is set to 1 if
  93. * the extension was seen, or 0 otherwise.
  94. */
  95. int (*final)(SSL_CONNECTION *s, unsigned int context, int sent);
  96. } EXTENSION_DEFINITION;
  97. /*
  98. * Definitions of all built-in extensions. NOTE: Changes in the number or order
  99. * of these extensions should be mirrored with equivalent changes to the
  100. * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
  101. * Each extension has an initialiser, a client and
  102. * server side parser and a finaliser. The initialiser is called (if the
  103. * extension is relevant to the given context) even if we did not see the
  104. * extension in the message that we received. The parser functions are only
  105. * called if we see the extension in the message. The finalisers are always
  106. * called if the initialiser was called.
  107. * There are also server and client side constructor functions which are always
  108. * called during message construction if the extension is relevant for the
  109. * given context.
  110. * The initialisation, parsing, finalisation and construction functions are
  111. * always called in the order defined in this list. Some extensions may depend
  112. * on others having been processed first, so the order of this list is
  113. * significant.
  114. * The extension context is defined by a series of flags which specify which
  115. * messages the extension is relevant to. These flags also specify whether the
  116. * extension is relevant to a particular protocol or protocol version.
  117. *
  118. * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
  119. * the end, keep these extensions before signature_algorithm.
  120. */
  121. #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
  122. static const EXTENSION_DEFINITION ext_defs[] = {
  123. {
  124. TLSEXT_TYPE_renegotiate,
  125. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  126. | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  127. NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
  128. tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
  129. final_renegotiate
  130. },
  131. {
  132. TLSEXT_TYPE_server_name,
  133. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  134. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  135. init_server_name,
  136. tls_parse_ctos_server_name, tls_parse_stoc_server_name,
  137. tls_construct_stoc_server_name, tls_construct_ctos_server_name,
  138. final_server_name
  139. },
  140. {
  141. TLSEXT_TYPE_max_fragment_length,
  142. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  143. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  144. NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
  145. tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
  146. final_maxfragmentlen
  147. },
  148. #ifndef OPENSSL_NO_SRP
  149. {
  150. TLSEXT_TYPE_srp,
  151. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  152. init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
  153. },
  154. #else
  155. INVALID_EXTENSION,
  156. #endif
  157. {
  158. TLSEXT_TYPE_ec_point_formats,
  159. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  160. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  161. init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
  162. tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
  163. final_ec_pt_formats
  164. },
  165. {
  166. /*
  167. * "supported_groups" is spread across several specifications.
  168. * It was originally specified as "elliptic_curves" in RFC 4492,
  169. * and broadened to include named FFDH groups by RFC 7919.
  170. * Both RFCs 4492 and 7919 do not include a provision for the server
  171. * to indicate to the client the complete list of groups supported
  172. * by the server, with the server instead just indicating the
  173. * selected group for this connection in the ServerKeyExchange
  174. * message. TLS 1.3 adds a scheme for the server to indicate
  175. * to the client its list of supported groups in the
  176. * EncryptedExtensions message, but none of the relevant
  177. * specifications permit sending supported_groups in the ServerHello.
  178. * Nonetheless (possibly due to the close proximity to the
  179. * "ec_point_formats" extension, which is allowed in the ServerHello),
  180. * there are several servers that send this extension in the
  181. * ServerHello anyway. Up to and including the 1.1.0 release,
  182. * we did not check for the presence of nonpermitted extensions,
  183. * so to avoid a regression, we must permit this extension in the
  184. * TLS 1.2 ServerHello as well.
  185. *
  186. * Note that there is no tls_parse_stoc_supported_groups function,
  187. * so we do not perform any additional parsing, validation, or
  188. * processing on the server's group list -- this is just a minimal
  189. * change to preserve compatibility with these misbehaving servers.
  190. */
  191. TLSEXT_TYPE_supported_groups,
  192. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  193. | SSL_EXT_TLS1_2_SERVER_HELLO,
  194. NULL, tls_parse_ctos_supported_groups, NULL,
  195. tls_construct_stoc_supported_groups,
  196. tls_construct_ctos_supported_groups, NULL
  197. },
  198. {
  199. TLSEXT_TYPE_session_ticket,
  200. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  201. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  202. init_session_ticket, tls_parse_ctos_session_ticket,
  203. tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
  204. tls_construct_ctos_session_ticket, NULL
  205. },
  206. #ifndef OPENSSL_NO_OCSP
  207. {
  208. TLSEXT_TYPE_status_request,
  209. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  210. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  211. init_status_request, tls_parse_ctos_status_request,
  212. tls_parse_stoc_status_request, tls_construct_stoc_status_request,
  213. tls_construct_ctos_status_request, NULL
  214. },
  215. #else
  216. INVALID_EXTENSION,
  217. #endif
  218. #ifndef OPENSSL_NO_NEXTPROTONEG
  219. {
  220. TLSEXT_TYPE_next_proto_neg,
  221. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  222. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  223. init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
  224. tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
  225. },
  226. #else
  227. INVALID_EXTENSION,
  228. #endif
  229. {
  230. /*
  231. * Must appear in this list after server_name so that finalisation
  232. * happens after server_name callbacks
  233. */
  234. TLSEXT_TYPE_application_layer_protocol_negotiation,
  235. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  236. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  237. init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
  238. tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
  239. },
  240. #ifndef OPENSSL_NO_SRTP
  241. {
  242. TLSEXT_TYPE_use_srtp,
  243. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  244. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
  245. init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
  246. tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
  247. },
  248. #else
  249. INVALID_EXTENSION,
  250. #endif
  251. {
  252. TLSEXT_TYPE_encrypt_then_mac,
  253. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  254. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  255. init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
  256. tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
  257. },
  258. #ifndef OPENSSL_NO_CT
  259. {
  260. TLSEXT_TYPE_signed_certificate_timestamp,
  261. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  262. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  263. NULL,
  264. /*
  265. * No server side support for this, but can be provided by a custom
  266. * extension. This is an exception to the rule that custom extensions
  267. * cannot override built in ones.
  268. */
  269. NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
  270. },
  271. #else
  272. INVALID_EXTENSION,
  273. #endif
  274. {
  275. TLSEXT_TYPE_extended_master_secret,
  276. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  277. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  278. init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
  279. tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
  280. },
  281. {
  282. TLSEXT_TYPE_signature_algorithms_cert,
  283. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  284. init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
  285. tls_parse_ctos_sig_algs_cert,
  286. /* We do not generate signature_algorithms_cert at present. */
  287. NULL, NULL, NULL
  288. },
  289. {
  290. TLSEXT_TYPE_post_handshake_auth,
  291. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
  292. init_post_handshake_auth,
  293. tls_parse_ctos_post_handshake_auth, NULL,
  294. NULL, tls_construct_ctos_post_handshake_auth,
  295. NULL,
  296. },
  297. {
  298. TLSEXT_TYPE_signature_algorithms,
  299. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  300. init_sig_algs, tls_parse_ctos_sig_algs,
  301. tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
  302. tls_construct_ctos_sig_algs, final_sig_algs
  303. },
  304. {
  305. TLSEXT_TYPE_supported_versions,
  306. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  307. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
  308. NULL,
  309. /* Processed inline as part of version selection */
  310. NULL, tls_parse_stoc_supported_versions,
  311. tls_construct_stoc_supported_versions,
  312. tls_construct_ctos_supported_versions, NULL
  313. },
  314. {
  315. TLSEXT_TYPE_psk_kex_modes,
  316. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  317. | SSL_EXT_TLS1_3_ONLY,
  318. init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
  319. tls_construct_ctos_psk_kex_modes, NULL
  320. },
  321. {
  322. /*
  323. * Must be in this list after supported_groups. We need that to have
  324. * been parsed before we do this one.
  325. */
  326. TLSEXT_TYPE_key_share,
  327. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  328. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  329. | SSL_EXT_TLS1_3_ONLY,
  330. NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
  331. tls_construct_stoc_key_share, tls_construct_ctos_key_share,
  332. final_key_share
  333. },
  334. {
  335. /* Must be after key_share */
  336. TLSEXT_TYPE_cookie,
  337. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  338. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  339. NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
  340. tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
  341. },
  342. {
  343. /*
  344. * Special unsolicited ServerHello extension only used when
  345. * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
  346. * ignore it.
  347. */
  348. TLSEXT_TYPE_cryptopro_bug,
  349. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  350. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  351. NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
  352. },
  353. {
  354. TLSEXT_TYPE_early_data,
  355. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  356. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
  357. NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
  358. tls_construct_stoc_early_data, tls_construct_ctos_early_data,
  359. final_early_data
  360. },
  361. {
  362. TLSEXT_TYPE_certificate_authorities,
  363. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  364. | SSL_EXT_TLS1_3_ONLY,
  365. init_certificate_authorities,
  366. tls_parse_certificate_authorities, tls_parse_certificate_authorities,
  367. tls_construct_certificate_authorities,
  368. tls_construct_certificate_authorities, NULL,
  369. },
  370. {
  371. /* Must be immediately before pre_shared_key */
  372. TLSEXT_TYPE_padding,
  373. SSL_EXT_CLIENT_HELLO,
  374. NULL,
  375. /* We send this, but don't read it */
  376. NULL, NULL, NULL, tls_construct_ctos_padding, NULL
  377. },
  378. {
  379. /* Required by the TLSv1.3 spec to always be the last extension */
  380. TLSEXT_TYPE_psk,
  381. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  382. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  383. NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
  384. tls_construct_ctos_psk, final_psk
  385. }
  386. };
  387. /* Check whether an extension's context matches the current context */
  388. static int validate_context(SSL_CONNECTION *s, unsigned int extctx,
  389. unsigned int thisctx)
  390. {
  391. /* Check we're allowed to use this extension in this context */
  392. if ((thisctx & extctx) == 0)
  393. return 0;
  394. if (SSL_CONNECTION_IS_DTLS(s)) {
  395. if ((extctx & SSL_EXT_TLS_ONLY) != 0)
  396. return 0;
  397. } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
  398. return 0;
  399. }
  400. return 1;
  401. }
  402. int tls_validate_all_contexts(SSL_CONNECTION *s, unsigned int thisctx,
  403. RAW_EXTENSION *exts)
  404. {
  405. size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
  406. RAW_EXTENSION *thisext;
  407. unsigned int context;
  408. ENDPOINT role = ENDPOINT_BOTH;
  409. if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
  410. role = ENDPOINT_SERVER;
  411. else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  412. role = ENDPOINT_CLIENT;
  413. /* Calculate the number of extensions in the extensions list */
  414. num_exts = builtin_num + s->cert->custext.meths_count;
  415. for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
  416. if (!thisext->present)
  417. continue;
  418. if (i < builtin_num) {
  419. context = ext_defs[i].context;
  420. } else {
  421. custom_ext_method *meth = NULL;
  422. meth = custom_ext_find(&s->cert->custext, role, thisext->type,
  423. &offset);
  424. if (!ossl_assert(meth != NULL))
  425. return 0;
  426. context = meth->context;
  427. }
  428. if (!validate_context(s, context, thisctx))
  429. return 0;
  430. }
  431. return 1;
  432. }
  433. /*
  434. * Verify whether we are allowed to use the extension |type| in the current
  435. * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
  436. * indicate the extension is not allowed. If returning 1 then |*found| is set to
  437. * the definition for the extension we found.
  438. */
  439. static int verify_extension(SSL_CONNECTION *s, unsigned int context,
  440. unsigned int type, custom_ext_methods *meths,
  441. RAW_EXTENSION *rawexlist, RAW_EXTENSION **found)
  442. {
  443. size_t i;
  444. size_t builtin_num = OSSL_NELEM(ext_defs);
  445. const EXTENSION_DEFINITION *thisext;
  446. for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
  447. if (type == thisext->type) {
  448. if (!validate_context(s, thisext->context, context))
  449. return 0;
  450. *found = &rawexlist[i];
  451. return 1;
  452. }
  453. }
  454. /* Check the custom extensions */
  455. if (meths != NULL) {
  456. size_t offset = 0;
  457. ENDPOINT role = ENDPOINT_BOTH;
  458. custom_ext_method *meth = NULL;
  459. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  460. role = ENDPOINT_SERVER;
  461. else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  462. role = ENDPOINT_CLIENT;
  463. meth = custom_ext_find(meths, role, type, &offset);
  464. if (meth != NULL) {
  465. if (!validate_context(s, meth->context, context))
  466. return 0;
  467. *found = &rawexlist[offset + builtin_num];
  468. return 1;
  469. }
  470. }
  471. /* Unknown extension. We allow it */
  472. *found = NULL;
  473. return 1;
  474. }
  475. /*
  476. * Check whether the context defined for an extension |extctx| means whether
  477. * the extension is relevant for the current context |thisctx| or not. Returns
  478. * 1 if the extension is relevant for this context, and 0 otherwise
  479. */
  480. int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx,
  481. unsigned int thisctx)
  482. {
  483. int is_tls13;
  484. /*
  485. * For HRR we haven't selected the version yet but we know it will be
  486. * TLSv1.3
  487. */
  488. if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  489. is_tls13 = 1;
  490. else
  491. is_tls13 = SSL_CONNECTION_IS_TLS13(s);
  492. if ((SSL_CONNECTION_IS_DTLS(s)
  493. && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
  494. || (s->version == SSL3_VERSION
  495. && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
  496. /*
  497. * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
  498. * which is never true when generating the ClientHello.
  499. * However, version negotiation *has* occurred by the time the
  500. * ClientHello extensions are being parsed.
  501. * Be careful to allow TLS 1.3-only extensions when generating
  502. * the ClientHello.
  503. */
  504. || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
  505. || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
  506. && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
  507. || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
  508. || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
  509. return 0;
  510. return 1;
  511. }
  512. /*
  513. * Gather a list of all the extensions from the data in |packet]. |context|
  514. * tells us which message this extension is for. The raw extension data is
  515. * stored in |*res| on success. We don't actually process the content of the
  516. * extensions yet, except to check their types. This function also runs the
  517. * initialiser functions for all known extensions if |init| is nonzero (whether
  518. * we have collected them or not). If successful the caller is responsible for
  519. * freeing the contents of |*res|.
  520. *
  521. * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
  522. * more than one extension of the same type in a ClientHello or ServerHello.
  523. * This function returns 1 if all extensions are unique and we have parsed their
  524. * types, and 0 if the extensions contain duplicates, could not be successfully
  525. * found, or an internal error occurred. We only check duplicates for
  526. * extensions that we know about. We ignore others.
  527. */
  528. int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet,
  529. unsigned int context,
  530. RAW_EXTENSION **res, size_t *len, int init)
  531. {
  532. PACKET extensions = *packet;
  533. size_t i = 0;
  534. size_t num_exts;
  535. custom_ext_methods *exts = &s->cert->custext;
  536. RAW_EXTENSION *raw_extensions = NULL;
  537. const EXTENSION_DEFINITION *thisexd;
  538. *res = NULL;
  539. /*
  540. * Initialise server side custom extensions. Client side is done during
  541. * construction of extensions for the ClientHello.
  542. */
  543. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  544. custom_ext_init(&s->cert->custext);
  545. num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
  546. raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
  547. if (raw_extensions == NULL) {
  548. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  549. return 0;
  550. }
  551. i = 0;
  552. while (PACKET_remaining(&extensions) > 0) {
  553. unsigned int type, idx;
  554. PACKET extension;
  555. RAW_EXTENSION *thisex;
  556. if (!PACKET_get_net_2(&extensions, &type) ||
  557. !PACKET_get_length_prefixed_2(&extensions, &extension)) {
  558. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  559. goto err;
  560. }
  561. /*
  562. * Verify this extension is allowed. We only check duplicates for
  563. * extensions that we recognise. We also have a special case for the
  564. * PSK extension, which must be the last one in the ClientHello.
  565. */
  566. if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
  567. || (thisex != NULL && thisex->present == 1)
  568. || (type == TLSEXT_TYPE_psk
  569. && (context & SSL_EXT_CLIENT_HELLO) != 0
  570. && PACKET_remaining(&extensions) != 0)) {
  571. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  572. goto err;
  573. }
  574. idx = thisex - raw_extensions;
  575. /*-
  576. * Check that we requested this extension (if appropriate). Requests can
  577. * be sent in the ClientHello and CertificateRequest. Unsolicited
  578. * extensions can be sent in the NewSessionTicket. We only do this for
  579. * the built-in extensions. Custom extensions have a different but
  580. * similar check elsewhere.
  581. * Special cases:
  582. * - The HRR cookie extension is unsolicited
  583. * - The renegotiate extension is unsolicited (the client signals
  584. * support via an SCSV)
  585. * - The signed_certificate_timestamp extension can be provided by a
  586. * custom extension or by the built-in version. We let the extension
  587. * itself handle unsolicited response checks.
  588. */
  589. if (idx < OSSL_NELEM(ext_defs)
  590. && (context & (SSL_EXT_CLIENT_HELLO
  591. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  592. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
  593. && type != TLSEXT_TYPE_cookie
  594. && type != TLSEXT_TYPE_renegotiate
  595. && type != TLSEXT_TYPE_signed_certificate_timestamp
  596. && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
  597. #ifndef OPENSSL_NO_GOST
  598. && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  599. && type == TLSEXT_TYPE_cryptopro_bug)
  600. #endif
  601. ) {
  602. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  603. SSL_R_UNSOLICITED_EXTENSION);
  604. goto err;
  605. }
  606. if (thisex != NULL) {
  607. thisex->data = extension;
  608. thisex->present = 1;
  609. thisex->type = type;
  610. thisex->received_order = i++;
  611. if (s->ext.debug_cb)
  612. s->ext.debug_cb(SSL_CONNECTION_GET_SSL(s), !s->server,
  613. thisex->type, PACKET_data(&thisex->data),
  614. PACKET_remaining(&thisex->data),
  615. s->ext.debug_arg);
  616. }
  617. }
  618. if (init) {
  619. /*
  620. * Initialise all known extensions relevant to this context,
  621. * whether we have found them or not
  622. */
  623. for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
  624. i++, thisexd++) {
  625. if (thisexd->init != NULL && (thisexd->context & context) != 0
  626. && extension_is_relevant(s, thisexd->context, context)
  627. && !thisexd->init(s, context)) {
  628. /* SSLfatal() already called */
  629. goto err;
  630. }
  631. }
  632. }
  633. *res = raw_extensions;
  634. if (len != NULL)
  635. *len = num_exts;
  636. return 1;
  637. err:
  638. OPENSSL_free(raw_extensions);
  639. return 0;
  640. }
  641. /*
  642. * Runs the parser for a given extension with index |idx|. |exts| contains the
  643. * list of all parsed extensions previously collected by
  644. * tls_collect_extensions(). The parser is only run if it is applicable for the
  645. * given |context| and the parser has not already been run. If this is for a
  646. * Certificate message, then we also provide the parser with the relevant
  647. * Certificate |x| and its position in the |chainidx| with 0 being the first
  648. * Certificate. Returns 1 on success or 0 on failure. If an extension is not
  649. * present this counted as success.
  650. */
  651. int tls_parse_extension(SSL_CONNECTION *s, TLSEXT_INDEX idx, int context,
  652. RAW_EXTENSION *exts, X509 *x, size_t chainidx)
  653. {
  654. RAW_EXTENSION *currext = &exts[idx];
  655. int (*parser)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x,
  656. size_t chainidx) = NULL;
  657. /* Skip if the extension is not present */
  658. if (!currext->present)
  659. return 1;
  660. /* Skip if we've already parsed this extension */
  661. if (currext->parsed)
  662. return 1;
  663. currext->parsed = 1;
  664. if (idx < OSSL_NELEM(ext_defs)) {
  665. /* We are handling a built-in extension */
  666. const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
  667. /* Check if extension is defined for our protocol. If not, skip */
  668. if (!extension_is_relevant(s, extdef->context, context))
  669. return 1;
  670. parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
  671. if (parser != NULL)
  672. return parser(s, &currext->data, context, x, chainidx);
  673. /*
  674. * If the parser is NULL we fall through to the custom extension
  675. * processing
  676. */
  677. }
  678. /* Parse custom extensions */
  679. return custom_ext_parse(s, context, currext->type,
  680. PACKET_data(&currext->data),
  681. PACKET_remaining(&currext->data),
  682. x, chainidx);
  683. }
  684. /*
  685. * Parse all remaining extensions that have not yet been parsed. Also calls the
  686. * finalisation for all extensions at the end if |fin| is nonzero, whether we
  687. * collected them or not. Returns 1 for success or 0 for failure. If we are
  688. * working on a Certificate message then we also pass the Certificate |x| and
  689. * its position in the |chainidx|, with 0 being the first certificate.
  690. */
  691. int tls_parse_all_extensions(SSL_CONNECTION *s, int context,
  692. RAW_EXTENSION *exts, X509 *x,
  693. size_t chainidx, int fin)
  694. {
  695. size_t i, numexts = OSSL_NELEM(ext_defs);
  696. const EXTENSION_DEFINITION *thisexd;
  697. /* Calculate the number of extensions in the extensions list */
  698. numexts += s->cert->custext.meths_count;
  699. /* Parse each extension in turn */
  700. for (i = 0; i < numexts; i++) {
  701. if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
  702. /* SSLfatal() already called */
  703. return 0;
  704. }
  705. }
  706. if (fin) {
  707. /*
  708. * Finalise all known extensions relevant to this context,
  709. * whether we have found them or not
  710. */
  711. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
  712. i++, thisexd++) {
  713. if (thisexd->final != NULL && (thisexd->context & context) != 0
  714. && !thisexd->final(s, context, exts[i].present)) {
  715. /* SSLfatal() already called */
  716. return 0;
  717. }
  718. }
  719. }
  720. return 1;
  721. }
  722. int should_add_extension(SSL_CONNECTION *s, unsigned int extctx,
  723. unsigned int thisctx, int max_version)
  724. {
  725. /* Skip if not relevant for our context */
  726. if ((extctx & thisctx) == 0)
  727. return 0;
  728. /* Check if this extension is defined for our protocol. If not, skip */
  729. if (!extension_is_relevant(s, extctx, thisctx)
  730. || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
  731. && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
  732. && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
  733. return 0;
  734. return 1;
  735. }
  736. /*
  737. * Construct all the extensions relevant to the current |context| and write
  738. * them to |pkt|. If this is an extension for a Certificate in a Certificate
  739. * message, then |x| will be set to the Certificate we are handling, and
  740. * |chainidx| will indicate the position in the chainidx we are processing (with
  741. * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
  742. * failure construction stops at the first extension to fail to construct.
  743. */
  744. int tls_construct_extensions(SSL_CONNECTION *s, WPACKET *pkt,
  745. unsigned int context,
  746. X509 *x, size_t chainidx)
  747. {
  748. size_t i;
  749. int min_version, max_version = 0, reason;
  750. const EXTENSION_DEFINITION *thisexd;
  751. if (!WPACKET_start_sub_packet_u16(pkt)
  752. /*
  753. * If extensions are of zero length then we don't even add the
  754. * extensions length bytes to a ClientHello/ServerHello
  755. * (for non-TLSv1.3).
  756. */
  757. || ((context &
  758. (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
  759. && !WPACKET_set_flags(pkt,
  760. WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
  761. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  762. return 0;
  763. }
  764. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  765. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  766. if (reason != 0) {
  767. SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
  768. return 0;
  769. }
  770. }
  771. /* Add custom extensions first */
  772. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  773. /* On the server side with initialise during ClientHello parsing */
  774. custom_ext_init(&s->cert->custext);
  775. }
  776. if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
  777. /* SSLfatal() already called */
  778. return 0;
  779. }
  780. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
  781. EXT_RETURN (*construct)(SSL_CONNECTION *s, WPACKET *pkt,
  782. unsigned int context,
  783. X509 *x, size_t chainidx);
  784. EXT_RETURN ret;
  785. /* Skip if not relevant for our context */
  786. if (!should_add_extension(s, thisexd->context, context, max_version))
  787. continue;
  788. construct = s->server ? thisexd->construct_stoc
  789. : thisexd->construct_ctos;
  790. if (construct == NULL)
  791. continue;
  792. ret = construct(s, pkt, context, x, chainidx);
  793. if (ret == EXT_RETURN_FAIL) {
  794. /* SSLfatal() already called */
  795. return 0;
  796. }
  797. if (ret == EXT_RETURN_SENT
  798. && (context & (SSL_EXT_CLIENT_HELLO
  799. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  800. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
  801. s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
  802. }
  803. if (!WPACKET_close(pkt)) {
  804. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  805. return 0;
  806. }
  807. return 1;
  808. }
  809. /*
  810. * Built in extension finalisation and initialisation functions. All initialise
  811. * or finalise the associated extension type for the given |context|. For
  812. * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
  813. * otherwise. These functions return 1 on success or 0 on failure.
  814. */
  815. static int final_renegotiate(SSL_CONNECTION *s, unsigned int context, int sent)
  816. {
  817. if (!s->server) {
  818. /*
  819. * Check if we can connect to a server that doesn't support safe
  820. * renegotiation
  821. */
  822. if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  823. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  824. && !sent) {
  825. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  826. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  827. return 0;
  828. }
  829. return 1;
  830. }
  831. /* Need RI if renegotiating */
  832. if (s->renegotiate
  833. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  834. && !sent) {
  835. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
  836. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  837. return 0;
  838. }
  839. return 1;
  840. }
  841. static ossl_inline void ssl_tsan_decr(const SSL_CTX *ctx,
  842. TSAN_QUALIFIER int *stat)
  843. {
  844. if (ssl_tsan_lock(ctx)) {
  845. tsan_decr(stat);
  846. ssl_tsan_unlock(ctx);
  847. }
  848. }
  849. static int init_server_name(SSL_CONNECTION *s, unsigned int context)
  850. {
  851. if (s->server) {
  852. s->servername_done = 0;
  853. OPENSSL_free(s->ext.hostname);
  854. s->ext.hostname = NULL;
  855. }
  856. return 1;
  857. }
  858. static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent)
  859. {
  860. int ret = SSL_TLSEXT_ERR_NOACK;
  861. int altmp = SSL_AD_UNRECOGNIZED_NAME;
  862. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  863. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  864. int was_ticket = (SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0;
  865. if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
  866. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  867. return 0;
  868. }
  869. if (sctx->ext.servername_cb != NULL)
  870. ret = sctx->ext.servername_cb(ssl, &altmp,
  871. sctx->ext.servername_arg);
  872. else if (s->session_ctx->ext.servername_cb != NULL)
  873. ret = s->session_ctx->ext.servername_cb(ssl, &altmp,
  874. s->session_ctx->ext.servername_arg);
  875. /*
  876. * For servers, propagate the SNI hostname from the temporary
  877. * storage in the SSL to the persistent SSL_SESSION, now that we
  878. * know we accepted it.
  879. * Clients make this copy when parsing the server's response to
  880. * the extension, which is when they find out that the negotiation
  881. * was successful.
  882. */
  883. if (s->server) {
  884. if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
  885. /* Only store the hostname in the session if we accepted it. */
  886. OPENSSL_free(s->session->ext.hostname);
  887. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  888. if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
  889. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  890. }
  891. }
  892. }
  893. /*
  894. * If we switched contexts (whether here or in the client_hello callback),
  895. * move the sess_accept increment from the session_ctx to the new
  896. * context, to avoid the confusing situation of having sess_accept_good
  897. * exceed sess_accept (zero) for the new context.
  898. */
  899. if (SSL_IS_FIRST_HANDSHAKE(s) && sctx != s->session_ctx
  900. && s->hello_retry_request == SSL_HRR_NONE) {
  901. ssl_tsan_counter(sctx, &sctx->stats.sess_accept);
  902. ssl_tsan_decr(s->session_ctx, &s->session_ctx->stats.sess_accept);
  903. }
  904. /*
  905. * If we're expecting to send a ticket, and tickets were previously enabled,
  906. * and now tickets are disabled, then turn off expected ticket.
  907. * Also, if this is not a resumption, create a new session ID
  908. */
  909. if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
  910. && was_ticket && (SSL_get_options(ssl) & SSL_OP_NO_TICKET) != 0) {
  911. s->ext.ticket_expected = 0;
  912. if (!s->hit) {
  913. SSL_SESSION* ss = SSL_get_session(ssl);
  914. if (ss != NULL) {
  915. OPENSSL_free(ss->ext.tick);
  916. ss->ext.tick = NULL;
  917. ss->ext.ticklen = 0;
  918. ss->ext.tick_lifetime_hint = 0;
  919. ss->ext.tick_age_add = 0;
  920. if (!ssl_generate_session_id(s, ss)) {
  921. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  922. return 0;
  923. }
  924. } else {
  925. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  926. return 0;
  927. }
  928. }
  929. }
  930. switch (ret) {
  931. case SSL_TLSEXT_ERR_ALERT_FATAL:
  932. SSLfatal(s, altmp, SSL_R_CALLBACK_FAILED);
  933. return 0;
  934. case SSL_TLSEXT_ERR_ALERT_WARNING:
  935. /* TLSv1.3 doesn't have warning alerts so we suppress this */
  936. if (!SSL_CONNECTION_IS_TLS13(s))
  937. ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
  938. s->servername_done = 0;
  939. return 1;
  940. case SSL_TLSEXT_ERR_NOACK:
  941. s->servername_done = 0;
  942. return 1;
  943. default:
  944. return 1;
  945. }
  946. }
  947. static int final_ec_pt_formats(SSL_CONNECTION *s, unsigned int context,
  948. int sent)
  949. {
  950. unsigned long alg_k, alg_a;
  951. if (s->server)
  952. return 1;
  953. alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  954. alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  955. /*
  956. * If we are client and using an elliptic curve cryptography cipher
  957. * suite, then if server returns an EC point formats lists extension it
  958. * must contain uncompressed.
  959. */
  960. if (s->ext.ecpointformats != NULL
  961. && s->ext.ecpointformats_len > 0
  962. && s->ext.peer_ecpointformats != NULL
  963. && s->ext.peer_ecpointformats_len > 0
  964. && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
  965. /* we are using an ECC cipher */
  966. size_t i;
  967. unsigned char *list = s->ext.peer_ecpointformats;
  968. for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
  969. if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
  970. break;
  971. }
  972. if (i == s->ext.peer_ecpointformats_len) {
  973. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  974. SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  975. return 0;
  976. }
  977. }
  978. return 1;
  979. }
  980. static int init_session_ticket(SSL_CONNECTION *s, unsigned int context)
  981. {
  982. if (!s->server)
  983. s->ext.ticket_expected = 0;
  984. return 1;
  985. }
  986. #ifndef OPENSSL_NO_OCSP
  987. static int init_status_request(SSL_CONNECTION *s, unsigned int context)
  988. {
  989. if (s->server) {
  990. s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
  991. } else {
  992. /*
  993. * Ensure we get sensible values passed to tlsext_status_cb in the event
  994. * that we don't receive a status message
  995. */
  996. OPENSSL_free(s->ext.ocsp.resp);
  997. s->ext.ocsp.resp = NULL;
  998. s->ext.ocsp.resp_len = 0;
  999. }
  1000. return 1;
  1001. }
  1002. #endif
  1003. #ifndef OPENSSL_NO_NEXTPROTONEG
  1004. static int init_npn(SSL_CONNECTION *s, unsigned int context)
  1005. {
  1006. s->s3.npn_seen = 0;
  1007. return 1;
  1008. }
  1009. #endif
  1010. static int init_alpn(SSL_CONNECTION *s, unsigned int context)
  1011. {
  1012. OPENSSL_free(s->s3.alpn_selected);
  1013. s->s3.alpn_selected = NULL;
  1014. s->s3.alpn_selected_len = 0;
  1015. if (s->server) {
  1016. OPENSSL_free(s->s3.alpn_proposed);
  1017. s->s3.alpn_proposed = NULL;
  1018. s->s3.alpn_proposed_len = 0;
  1019. }
  1020. return 1;
  1021. }
  1022. static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent)
  1023. {
  1024. if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
  1025. s->ext.early_data_ok = 0;
  1026. if (!s->server || !SSL_CONNECTION_IS_TLS13(s))
  1027. return 1;
  1028. /*
  1029. * Call alpn_select callback if needed. Has to be done after SNI and
  1030. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  1031. * we also have to do this before we decide whether to accept early_data.
  1032. * In TLSv1.3 we've already negotiated our cipher so we do this call now.
  1033. * For < TLSv1.3 we defer it until after cipher negotiation.
  1034. *
  1035. * On failure SSLfatal() already called.
  1036. */
  1037. return tls_handle_alpn(s);
  1038. }
  1039. static int init_sig_algs(SSL_CONNECTION *s, unsigned int context)
  1040. {
  1041. /* Clear any signature algorithms extension received */
  1042. OPENSSL_free(s->s3.tmp.peer_sigalgs);
  1043. s->s3.tmp.peer_sigalgs = NULL;
  1044. s->s3.tmp.peer_sigalgslen = 0;
  1045. return 1;
  1046. }
  1047. static int init_sig_algs_cert(SSL_CONNECTION *s,
  1048. ossl_unused unsigned int context)
  1049. {
  1050. /* Clear any signature algorithms extension received */
  1051. OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
  1052. s->s3.tmp.peer_cert_sigalgs = NULL;
  1053. s->s3.tmp.peer_cert_sigalgslen = 0;
  1054. return 1;
  1055. }
  1056. #ifndef OPENSSL_NO_SRP
  1057. static int init_srp(SSL_CONNECTION *s, unsigned int context)
  1058. {
  1059. OPENSSL_free(s->srp_ctx.login);
  1060. s->srp_ctx.login = NULL;
  1061. return 1;
  1062. }
  1063. #endif
  1064. static int init_ec_point_formats(SSL_CONNECTION *s, unsigned int context)
  1065. {
  1066. OPENSSL_free(s->ext.peer_ecpointformats);
  1067. s->ext.peer_ecpointformats = NULL;
  1068. s->ext.peer_ecpointformats_len = 0;
  1069. return 1;
  1070. }
  1071. static int init_etm(SSL_CONNECTION *s, unsigned int context)
  1072. {
  1073. s->ext.use_etm = 0;
  1074. return 1;
  1075. }
  1076. static int init_ems(SSL_CONNECTION *s, unsigned int context)
  1077. {
  1078. if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
  1079. s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
  1080. s->s3.flags |= TLS1_FLAGS_REQUIRED_EXTMS;
  1081. }
  1082. return 1;
  1083. }
  1084. static int final_ems(SSL_CONNECTION *s, unsigned int context, int sent)
  1085. {
  1086. /*
  1087. * Check extended master secret extension is not dropped on
  1088. * renegotiation.
  1089. */
  1090. if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
  1091. && (s->s3.flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
  1092. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
  1093. return 0;
  1094. }
  1095. if (!s->server && s->hit) {
  1096. /*
  1097. * Check extended master secret extension is consistent with
  1098. * original session.
  1099. */
  1100. if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
  1101. !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
  1102. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
  1103. return 0;
  1104. }
  1105. }
  1106. return 1;
  1107. }
  1108. static int init_certificate_authorities(SSL_CONNECTION *s, unsigned int context)
  1109. {
  1110. sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
  1111. s->s3.tmp.peer_ca_names = NULL;
  1112. return 1;
  1113. }
  1114. static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s,
  1115. WPACKET *pkt,
  1116. unsigned int context,
  1117. X509 *x,
  1118. size_t chainidx)
  1119. {
  1120. const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
  1121. if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
  1122. return EXT_RETURN_NOT_SENT;
  1123. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
  1124. || !WPACKET_start_sub_packet_u16(pkt)) {
  1125. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1126. return EXT_RETURN_FAIL;
  1127. }
  1128. if (!construct_ca_names(s, ca_sk, pkt)) {
  1129. /* SSLfatal() already called */
  1130. return EXT_RETURN_FAIL;
  1131. }
  1132. if (!WPACKET_close(pkt)) {
  1133. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1134. return EXT_RETURN_FAIL;
  1135. }
  1136. return EXT_RETURN_SENT;
  1137. }
  1138. static int tls_parse_certificate_authorities(SSL_CONNECTION *s, PACKET *pkt,
  1139. unsigned int context, X509 *x,
  1140. size_t chainidx)
  1141. {
  1142. if (!parse_ca_names(s, pkt))
  1143. return 0;
  1144. if (PACKET_remaining(pkt) != 0) {
  1145. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1146. return 0;
  1147. }
  1148. return 1;
  1149. }
  1150. #ifndef OPENSSL_NO_SRTP
  1151. static int init_srtp(SSL_CONNECTION *s, unsigned int context)
  1152. {
  1153. if (s->server)
  1154. s->srtp_profile = NULL;
  1155. return 1;
  1156. }
  1157. #endif
  1158. static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent)
  1159. {
  1160. if (!sent && SSL_CONNECTION_IS_TLS13(s) && !s->hit) {
  1161. SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
  1162. SSL_R_MISSING_SIGALGS_EXTENSION);
  1163. return 0;
  1164. }
  1165. return 1;
  1166. }
  1167. static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
  1168. {
  1169. #if !defined(OPENSSL_NO_TLS1_3)
  1170. if (!SSL_CONNECTION_IS_TLS13(s))
  1171. return 1;
  1172. /* Nothing to do for key_share in an HRR */
  1173. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  1174. return 1;
  1175. /*
  1176. * If
  1177. * we are a client
  1178. * AND
  1179. * we have no key_share
  1180. * AND
  1181. * (we are not resuming
  1182. * OR the kex_mode doesn't allow non key_share resumes)
  1183. * THEN
  1184. * fail;
  1185. */
  1186. if (!s->server
  1187. && !sent
  1188. && (!s->hit
  1189. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
  1190. /* Nothing left we can do - just fail */
  1191. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_NO_SUITABLE_KEY_SHARE);
  1192. return 0;
  1193. }
  1194. /*
  1195. * IF
  1196. * we are a server
  1197. * THEN
  1198. * IF
  1199. * we have a suitable key_share
  1200. * THEN
  1201. * IF
  1202. * we are stateless AND we have no cookie
  1203. * THEN
  1204. * send a HelloRetryRequest
  1205. * ELSE
  1206. * IF
  1207. * we didn't already send a HelloRetryRequest
  1208. * AND
  1209. * the client sent a key_share extension
  1210. * AND
  1211. * (we are not resuming
  1212. * OR the kex_mode allows key_share resumes)
  1213. * AND
  1214. * a shared group exists
  1215. * THEN
  1216. * send a HelloRetryRequest
  1217. * ELSE IF
  1218. * we are not resuming
  1219. * OR
  1220. * the kex_mode doesn't allow non key_share resumes
  1221. * THEN
  1222. * fail
  1223. * ELSE IF
  1224. * we are stateless AND we have no cookie
  1225. * THEN
  1226. * send a HelloRetryRequest
  1227. */
  1228. if (s->server) {
  1229. if (s->s3.peer_tmp != NULL) {
  1230. /* We have a suitable key_share */
  1231. if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
  1232. && !s->ext.cookieok) {
  1233. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1234. /*
  1235. * If we are stateless then we wouldn't know about any
  1236. * previously sent HRR - so how can this be anything other
  1237. * than 0?
  1238. */
  1239. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1240. return 0;
  1241. }
  1242. s->hello_retry_request = SSL_HRR_PENDING;
  1243. return 1;
  1244. }
  1245. } else {
  1246. /* No suitable key_share */
  1247. if (s->hello_retry_request == SSL_HRR_NONE && sent
  1248. && (!s->hit
  1249. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
  1250. != 0)) {
  1251. const uint16_t *pgroups, *clntgroups;
  1252. size_t num_groups, clnt_num_groups, i;
  1253. unsigned int group_id = 0;
  1254. /* Check if a shared group exists */
  1255. /* Get the clients list of supported groups. */
  1256. tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
  1257. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1258. /*
  1259. * Find the first group we allow that is also in client's list
  1260. */
  1261. for (i = 0; i < num_groups; i++) {
  1262. group_id = pgroups[i];
  1263. if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
  1264. 2))
  1265. break;
  1266. }
  1267. if (i < num_groups) {
  1268. /* A shared group exists so send a HelloRetryRequest */
  1269. s->s3.group_id = group_id;
  1270. s->hello_retry_request = SSL_HRR_PENDING;
  1271. return 1;
  1272. }
  1273. }
  1274. if (!s->hit
  1275. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
  1276. /* Nothing left we can do - just fail */
  1277. SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
  1278. : SSL_AD_MISSING_EXTENSION,
  1279. SSL_R_NO_SUITABLE_KEY_SHARE);
  1280. return 0;
  1281. }
  1282. if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
  1283. && !s->ext.cookieok) {
  1284. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1285. /*
  1286. * If we are stateless then we wouldn't know about any
  1287. * previously sent HRR - so how can this be anything other
  1288. * than 0?
  1289. */
  1290. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1291. return 0;
  1292. }
  1293. s->hello_retry_request = SSL_HRR_PENDING;
  1294. return 1;
  1295. }
  1296. }
  1297. /*
  1298. * We have a key_share so don't send any more HelloRetryRequest
  1299. * messages
  1300. */
  1301. if (s->hello_retry_request == SSL_HRR_PENDING)
  1302. s->hello_retry_request = SSL_HRR_COMPLETE;
  1303. } else {
  1304. /*
  1305. * For a client side resumption with no key_share we need to generate
  1306. * the handshake secret (otherwise this is done during key_share
  1307. * processing).
  1308. */
  1309. if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
  1310. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1311. return 0;
  1312. }
  1313. }
  1314. #endif /* !defined(OPENSSL_NO_TLS1_3) */
  1315. return 1;
  1316. }
  1317. static int init_psk_kex_modes(SSL_CONNECTION *s, unsigned int context)
  1318. {
  1319. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
  1320. return 1;
  1321. }
  1322. int tls_psk_do_binder(SSL_CONNECTION *s, const EVP_MD *md,
  1323. const unsigned char *msgstart,
  1324. size_t binderoffset, const unsigned char *binderin,
  1325. unsigned char *binderout, SSL_SESSION *sess, int sign,
  1326. int external)
  1327. {
  1328. EVP_PKEY *mackey = NULL;
  1329. EVP_MD_CTX *mctx = NULL;
  1330. unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
  1331. unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
  1332. unsigned char *early_secret;
  1333. /* ASCII: "res binder", in hex for EBCDIC compatibility */
  1334. static const unsigned char resumption_label[] = "\x72\x65\x73\x20\x62\x69\x6E\x64\x65\x72";
  1335. /* ASCII: "ext binder", in hex for EBCDIC compatibility */
  1336. static const unsigned char external_label[] = "\x65\x78\x74\x20\x62\x69\x6E\x64\x65\x72";
  1337. const unsigned char *label;
  1338. size_t bindersize, labelsize, hashsize;
  1339. int hashsizei = EVP_MD_get_size(md);
  1340. int ret = -1;
  1341. int usepskfored = 0;
  1342. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1343. /* Ensure cast to size_t is safe */
  1344. if (!ossl_assert(hashsizei >= 0)) {
  1345. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1346. goto err;
  1347. }
  1348. hashsize = (size_t)hashsizei;
  1349. if (external
  1350. && s->early_data_state == SSL_EARLY_DATA_CONNECTING
  1351. && s->session->ext.max_early_data == 0
  1352. && sess->ext.max_early_data > 0)
  1353. usepskfored = 1;
  1354. if (external) {
  1355. label = external_label;
  1356. labelsize = sizeof(external_label) - 1;
  1357. } else {
  1358. label = resumption_label;
  1359. labelsize = sizeof(resumption_label) - 1;
  1360. }
  1361. /*
  1362. * Generate the early_secret. On the server side we've selected a PSK to
  1363. * resume with (internal or external) so we always do this. On the client
  1364. * side we do this for a non-external (i.e. resumption) PSK or external PSK
  1365. * that will be used for early_data so that it is in place for sending early
  1366. * data. For client side external PSK not being used for early_data we
  1367. * generate it but store it away for later use.
  1368. */
  1369. if (s->server || !external || usepskfored)
  1370. early_secret = (unsigned char *)s->early_secret;
  1371. else
  1372. early_secret = (unsigned char *)sess->early_secret;
  1373. if (!tls13_generate_secret(s, md, NULL, sess->master_key,
  1374. sess->master_key_length, early_secret)) {
  1375. /* SSLfatal() already called */
  1376. goto err;
  1377. }
  1378. /*
  1379. * Create the handshake hash for the binder key...the messages so far are
  1380. * empty!
  1381. */
  1382. mctx = EVP_MD_CTX_new();
  1383. if (mctx == NULL
  1384. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  1385. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1386. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1387. goto err;
  1388. }
  1389. /* Generate the binder key */
  1390. if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
  1391. hashsize, binderkey, hashsize, 1)) {
  1392. /* SSLfatal() already called */
  1393. goto err;
  1394. }
  1395. /* Generate the finished key */
  1396. if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
  1397. /* SSLfatal() already called */
  1398. goto err;
  1399. }
  1400. if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
  1401. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1402. goto err;
  1403. }
  1404. /*
  1405. * Get a hash of the ClientHello up to the start of the binders. If we are
  1406. * following a HelloRetryRequest then this includes the hash of the first
  1407. * ClientHello and the HelloRetryRequest itself.
  1408. */
  1409. if (s->hello_retry_request == SSL_HRR_PENDING) {
  1410. size_t hdatalen;
  1411. long hdatalen_l;
  1412. void *hdata;
  1413. hdatalen = hdatalen_l =
  1414. BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
  1415. if (hdatalen_l <= 0) {
  1416. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
  1417. goto err;
  1418. }
  1419. /*
  1420. * For servers the handshake buffer data will include the second
  1421. * ClientHello - which we don't want - so we need to take that bit off.
  1422. */
  1423. if (s->server) {
  1424. PACKET hashprefix, msg;
  1425. /* Find how many bytes are left after the first two messages */
  1426. if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
  1427. || !PACKET_forward(&hashprefix, 1)
  1428. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
  1429. || !PACKET_forward(&hashprefix, 1)
  1430. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
  1431. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1432. goto err;
  1433. }
  1434. hdatalen -= PACKET_remaining(&hashprefix);
  1435. }
  1436. if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
  1437. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1438. goto err;
  1439. }
  1440. }
  1441. if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
  1442. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1443. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1444. goto err;
  1445. }
  1446. mackey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
  1447. sctx->propq, finishedkey,
  1448. hashsize);
  1449. if (mackey == NULL) {
  1450. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1451. goto err;
  1452. }
  1453. if (!sign)
  1454. binderout = tmpbinder;
  1455. bindersize = hashsize;
  1456. if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), sctx->libctx,
  1457. sctx->propq, mackey, NULL) <= 0
  1458. || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
  1459. || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
  1460. || bindersize != hashsize) {
  1461. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1462. goto err;
  1463. }
  1464. if (sign) {
  1465. ret = 1;
  1466. } else {
  1467. /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
  1468. ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
  1469. if (!ret)
  1470. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BINDER_DOES_NOT_VERIFY);
  1471. }
  1472. err:
  1473. OPENSSL_cleanse(binderkey, sizeof(binderkey));
  1474. OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
  1475. EVP_PKEY_free(mackey);
  1476. EVP_MD_CTX_free(mctx);
  1477. return ret;
  1478. }
  1479. static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent)
  1480. {
  1481. if (!sent)
  1482. return 1;
  1483. if (!s->server) {
  1484. if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  1485. && sent
  1486. && !s->ext.early_data_ok) {
  1487. /*
  1488. * If we get here then the server accepted our early_data but we
  1489. * later realised that it shouldn't have done (e.g. inconsistent
  1490. * ALPN)
  1491. */
  1492. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EARLY_DATA);
  1493. return 0;
  1494. }
  1495. return 1;
  1496. }
  1497. if (s->max_early_data == 0
  1498. || !s->hit
  1499. || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  1500. || !s->ext.early_data_ok
  1501. || s->hello_retry_request != SSL_HRR_NONE
  1502. || (s->allow_early_data_cb != NULL
  1503. && !s->allow_early_data_cb(SSL_CONNECTION_GET_SSL(s),
  1504. s->allow_early_data_cb_data))) {
  1505. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  1506. } else {
  1507. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1508. if (!tls13_change_cipher_state(s,
  1509. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  1510. /* SSLfatal() already called */
  1511. return 0;
  1512. }
  1513. }
  1514. return 1;
  1515. }
  1516. static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context,
  1517. int sent)
  1518. {
  1519. /*
  1520. * Session resumption on server-side with MFL extension active
  1521. * BUT MFL extension packet was not resent (i.e. sent == 0)
  1522. */
  1523. if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1524. && !sent ) {
  1525. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_BAD_EXTENSION);
  1526. return 0;
  1527. }
  1528. /* Current SSL buffer is lower than requested MFL */
  1529. if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1530. && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
  1531. /* trigger a larger buffer reallocation */
  1532. if (!ssl3_setup_buffers(s)) {
  1533. /* SSLfatal() already called */
  1534. return 0;
  1535. }
  1536. return 1;
  1537. }
  1538. static int init_post_handshake_auth(SSL_CONNECTION *s,
  1539. ossl_unused unsigned int context)
  1540. {
  1541. s->post_handshake_auth = SSL_PHA_NONE;
  1542. return 1;
  1543. }
  1544. /*
  1545. * If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
  1546. * extension, servers MUST abort the handshake.
  1547. */
  1548. static int final_psk(SSL_CONNECTION *s, unsigned int context, int sent)
  1549. {
  1550. if (s->server && sent && s->clienthello != NULL
  1551. && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
  1552. SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
  1553. SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
  1554. return 0;
  1555. }
  1556. return 1;
  1557. }