2
0

extensions.c 61 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747
  1. /*
  2. * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include "internal/nelem.h"
  11. #include "internal/cryptlib.h"
  12. #include "../ssl_local.h"
  13. #include "statem_local.h"
  14. #include "internal/cryptlib.h"
  15. static int final_renegotiate(SSL *s, unsigned int context, int sent);
  16. static int init_server_name(SSL *s, unsigned int context);
  17. static int final_server_name(SSL *s, unsigned int context, int sent);
  18. #ifndef OPENSSL_NO_EC
  19. static int init_ec_point_formats(SSL *s, unsigned int context);
  20. static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
  21. #endif
  22. static int init_session_ticket(SSL *s, unsigned int context);
  23. #ifndef OPENSSL_NO_OCSP
  24. static int init_status_request(SSL *s, unsigned int context);
  25. #endif
  26. #ifndef OPENSSL_NO_NEXTPROTONEG
  27. static int init_npn(SSL *s, unsigned int context);
  28. #endif
  29. static int init_alpn(SSL *s, unsigned int context);
  30. static int final_alpn(SSL *s, unsigned int context, int sent);
  31. static int init_sig_algs_cert(SSL *s, unsigned int context);
  32. static int init_sig_algs(SSL *s, unsigned int context);
  33. static int init_certificate_authorities(SSL *s, unsigned int context);
  34. static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
  35. unsigned int context,
  36. X509 *x,
  37. size_t chainidx);
  38. static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
  39. unsigned int context, X509 *x,
  40. size_t chainidx);
  41. #ifndef OPENSSL_NO_SRP
  42. static int init_srp(SSL *s, unsigned int context);
  43. #endif
  44. static int init_etm(SSL *s, unsigned int context);
  45. static int init_ems(SSL *s, unsigned int context);
  46. static int final_ems(SSL *s, unsigned int context, int sent);
  47. static int init_psk_kex_modes(SSL *s, unsigned int context);
  48. #ifndef OPENSSL_NO_EC
  49. static int final_key_share(SSL *s, unsigned int context, int sent);
  50. #endif
  51. #ifndef OPENSSL_NO_SRTP
  52. static int init_srtp(SSL *s, unsigned int context);
  53. #endif
  54. static int final_sig_algs(SSL *s, unsigned int context, int sent);
  55. static int final_early_data(SSL *s, unsigned int context, int sent);
  56. static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
  57. static int init_post_handshake_auth(SSL *s, unsigned int context);
  58. static int final_psk(SSL *s, unsigned int context, int sent);
  59. /* Structure to define a built-in extension */
  60. typedef struct extensions_definition_st {
  61. /* The defined type for the extension */
  62. unsigned int type;
  63. /*
  64. * The context that this extension applies to, e.g. what messages and
  65. * protocol versions
  66. */
  67. unsigned int context;
  68. /*
  69. * Initialise extension before parsing. Always called for relevant contexts
  70. * even if extension not present
  71. */
  72. int (*init)(SSL *s, unsigned int context);
  73. /* Parse extension sent from client to server */
  74. int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  75. size_t chainidx);
  76. /* Parse extension send from server to client */
  77. int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  78. size_t chainidx);
  79. /* Construct extension sent from server to client */
  80. EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
  81. X509 *x, size_t chainidx);
  82. /* Construct extension sent from client to server */
  83. EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
  84. X509 *x, size_t chainidx);
  85. /*
  86. * Finalise extension after parsing. Always called where an extensions was
  87. * initialised even if the extension was not present. |sent| is set to 1 if
  88. * the extension was seen, or 0 otherwise.
  89. */
  90. int (*final)(SSL *s, unsigned int context, int sent);
  91. } EXTENSION_DEFINITION;
  92. /*
  93. * Definitions of all built-in extensions. NOTE: Changes in the number or order
  94. * of these extensions should be mirrored with equivalent changes to the
  95. * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
  96. * Each extension has an initialiser, a client and
  97. * server side parser and a finaliser. The initialiser is called (if the
  98. * extension is relevant to the given context) even if we did not see the
  99. * extension in the message that we received. The parser functions are only
  100. * called if we see the extension in the message. The finalisers are always
  101. * called if the initialiser was called.
  102. * There are also server and client side constructor functions which are always
  103. * called during message construction if the extension is relevant for the
  104. * given context.
  105. * The initialisation, parsing, finalisation and construction functions are
  106. * always called in the order defined in this list. Some extensions may depend
  107. * on others having been processed first, so the order of this list is
  108. * significant.
  109. * The extension context is defined by a series of flags which specify which
  110. * messages the extension is relevant to. These flags also specify whether the
  111. * extension is relevant to a particular protocol or protocol version.
  112. *
  113. * TODO(TLS1.3): Make sure we have a test to check the consistency of these
  114. *
  115. * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
  116. * the end, keep these extensions before signature_algorithm.
  117. */
  118. #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
  119. static const EXTENSION_DEFINITION ext_defs[] = {
  120. {
  121. TLSEXT_TYPE_renegotiate,
  122. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  123. | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  124. NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
  125. tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
  126. final_renegotiate
  127. },
  128. {
  129. TLSEXT_TYPE_server_name,
  130. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  131. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  132. init_server_name,
  133. tls_parse_ctos_server_name, tls_parse_stoc_server_name,
  134. tls_construct_stoc_server_name, tls_construct_ctos_server_name,
  135. final_server_name
  136. },
  137. {
  138. TLSEXT_TYPE_max_fragment_length,
  139. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  140. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  141. NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
  142. tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
  143. final_maxfragmentlen
  144. },
  145. #ifndef OPENSSL_NO_SRP
  146. {
  147. TLSEXT_TYPE_srp,
  148. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  149. init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
  150. },
  151. #else
  152. INVALID_EXTENSION,
  153. #endif
  154. #ifndef OPENSSL_NO_EC
  155. {
  156. TLSEXT_TYPE_ec_point_formats,
  157. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  158. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  159. init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
  160. tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
  161. final_ec_pt_formats
  162. },
  163. {
  164. /*
  165. * "supported_groups" is spread across several specifications.
  166. * It was originally specified as "elliptic_curves" in RFC 4492,
  167. * and broadened to include named FFDH groups by RFC 7919.
  168. * Both RFCs 4492 and 7919 do not include a provision for the server
  169. * to indicate to the client the complete list of groups supported
  170. * by the server, with the server instead just indicating the
  171. * selected group for this connection in the ServerKeyExchange
  172. * message. TLS 1.3 adds a scheme for the server to indicate
  173. * to the client its list of supported groups in the
  174. * EncryptedExtensions message, but none of the relevant
  175. * specifications permit sending supported_groups in the ServerHello.
  176. * Nonetheless (possibly due to the close proximity to the
  177. * "ec_point_formats" extension, which is allowed in the ServerHello),
  178. * there are several servers that send this extension in the
  179. * ServerHello anyway. Up to and including the 1.1.0 release,
  180. * we did not check for the presence of nonpermitted extensions,
  181. * so to avoid a regression, we must permit this extension in the
  182. * TLS 1.2 ServerHello as well.
  183. *
  184. * Note that there is no tls_parse_stoc_supported_groups function,
  185. * so we do not perform any additional parsing, validation, or
  186. * processing on the server's group list -- this is just a minimal
  187. * change to preserve compatibility with these misbehaving servers.
  188. */
  189. TLSEXT_TYPE_supported_groups,
  190. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  191. | SSL_EXT_TLS1_2_SERVER_HELLO,
  192. NULL, tls_parse_ctos_supported_groups, NULL,
  193. tls_construct_stoc_supported_groups,
  194. tls_construct_ctos_supported_groups, NULL
  195. },
  196. #else
  197. INVALID_EXTENSION,
  198. INVALID_EXTENSION,
  199. #endif
  200. {
  201. TLSEXT_TYPE_session_ticket,
  202. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  203. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  204. init_session_ticket, tls_parse_ctos_session_ticket,
  205. tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
  206. tls_construct_ctos_session_ticket, NULL
  207. },
  208. #ifndef OPENSSL_NO_OCSP
  209. {
  210. TLSEXT_TYPE_status_request,
  211. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  212. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  213. init_status_request, tls_parse_ctos_status_request,
  214. tls_parse_stoc_status_request, tls_construct_stoc_status_request,
  215. tls_construct_ctos_status_request, NULL
  216. },
  217. #else
  218. INVALID_EXTENSION,
  219. #endif
  220. #ifndef OPENSSL_NO_NEXTPROTONEG
  221. {
  222. TLSEXT_TYPE_next_proto_neg,
  223. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  224. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  225. init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
  226. tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
  227. },
  228. #else
  229. INVALID_EXTENSION,
  230. #endif
  231. {
  232. /*
  233. * Must appear in this list after server_name so that finalisation
  234. * happens after server_name callbacks
  235. */
  236. TLSEXT_TYPE_application_layer_protocol_negotiation,
  237. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  238. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
  239. init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
  240. tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
  241. },
  242. #ifndef OPENSSL_NO_SRTP
  243. {
  244. TLSEXT_TYPE_use_srtp,
  245. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  246. | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
  247. init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
  248. tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
  249. },
  250. #else
  251. INVALID_EXTENSION,
  252. #endif
  253. {
  254. TLSEXT_TYPE_encrypt_then_mac,
  255. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  256. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  257. init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
  258. tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
  259. },
  260. #ifndef OPENSSL_NO_CT
  261. {
  262. TLSEXT_TYPE_signed_certificate_timestamp,
  263. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  264. | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  265. NULL,
  266. /*
  267. * No server side support for this, but can be provided by a custom
  268. * extension. This is an exception to the rule that custom extensions
  269. * cannot override built in ones.
  270. */
  271. NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
  272. },
  273. #else
  274. INVALID_EXTENSION,
  275. #endif
  276. {
  277. TLSEXT_TYPE_extended_master_secret,
  278. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  279. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  280. init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
  281. tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
  282. },
  283. {
  284. TLSEXT_TYPE_signature_algorithms_cert,
  285. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  286. init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
  287. tls_parse_ctos_sig_algs_cert,
  288. /* We do not generate signature_algorithms_cert at present. */
  289. NULL, NULL, NULL
  290. },
  291. {
  292. TLSEXT_TYPE_post_handshake_auth,
  293. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
  294. init_post_handshake_auth,
  295. tls_parse_ctos_post_handshake_auth, NULL,
  296. NULL, tls_construct_ctos_post_handshake_auth,
  297. NULL,
  298. },
  299. {
  300. TLSEXT_TYPE_signature_algorithms,
  301. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
  302. init_sig_algs, tls_parse_ctos_sig_algs,
  303. tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
  304. tls_construct_ctos_sig_algs, final_sig_algs
  305. },
  306. {
  307. TLSEXT_TYPE_supported_versions,
  308. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  309. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
  310. NULL,
  311. /* Processed inline as part of version selection */
  312. NULL, tls_parse_stoc_supported_versions,
  313. tls_construct_stoc_supported_versions,
  314. tls_construct_ctos_supported_versions, NULL
  315. },
  316. {
  317. TLSEXT_TYPE_psk_kex_modes,
  318. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  319. | SSL_EXT_TLS1_3_ONLY,
  320. init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
  321. tls_construct_ctos_psk_kex_modes, NULL
  322. },
  323. #ifndef OPENSSL_NO_EC
  324. {
  325. /*
  326. * Must be in this list after supported_groups. We need that to have
  327. * been parsed before we do this one.
  328. */
  329. TLSEXT_TYPE_key_share,
  330. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  331. | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
  332. | SSL_EXT_TLS1_3_ONLY,
  333. NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
  334. tls_construct_stoc_key_share, tls_construct_ctos_key_share,
  335. final_key_share
  336. },
  337. #else
  338. INVALID_EXTENSION,
  339. #endif
  340. {
  341. /* Must be after key_share */
  342. TLSEXT_TYPE_cookie,
  343. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
  344. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  345. NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
  346. tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
  347. },
  348. {
  349. /*
  350. * Special unsolicited ServerHello extension only used when
  351. * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
  352. * ignore it.
  353. */
  354. TLSEXT_TYPE_cryptopro_bug,
  355. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
  356. | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
  357. NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
  358. },
  359. {
  360. TLSEXT_TYPE_early_data,
  361. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  362. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
  363. NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
  364. tls_construct_stoc_early_data, tls_construct_ctos_early_data,
  365. final_early_data
  366. },
  367. {
  368. TLSEXT_TYPE_certificate_authorities,
  369. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  370. | SSL_EXT_TLS1_3_ONLY,
  371. init_certificate_authorities,
  372. tls_parse_certificate_authorities, tls_parse_certificate_authorities,
  373. tls_construct_certificate_authorities,
  374. tls_construct_certificate_authorities, NULL,
  375. },
  376. {
  377. /* Must be immediately before pre_shared_key */
  378. TLSEXT_TYPE_padding,
  379. SSL_EXT_CLIENT_HELLO,
  380. NULL,
  381. /* We send this, but don't read it */
  382. NULL, NULL, NULL, tls_construct_ctos_padding, NULL
  383. },
  384. {
  385. /* Required by the TLSv1.3 spec to always be the last extension */
  386. TLSEXT_TYPE_psk,
  387. SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
  388. | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
  389. NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
  390. tls_construct_ctos_psk, final_psk
  391. }
  392. };
  393. /* Check whether an extension's context matches the current context */
  394. static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
  395. {
  396. /* Check we're allowed to use this extension in this context */
  397. if ((thisctx & extctx) == 0)
  398. return 0;
  399. if (SSL_IS_DTLS(s)) {
  400. if ((extctx & SSL_EXT_TLS_ONLY) != 0)
  401. return 0;
  402. } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
  403. return 0;
  404. }
  405. return 1;
  406. }
  407. int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
  408. {
  409. size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
  410. RAW_EXTENSION *thisext;
  411. unsigned int context;
  412. ENDPOINT role = ENDPOINT_BOTH;
  413. if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
  414. role = ENDPOINT_SERVER;
  415. else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  416. role = ENDPOINT_CLIENT;
  417. /* Calculate the number of extensions in the extensions list */
  418. num_exts = builtin_num + s->cert->custext.meths_count;
  419. for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
  420. if (!thisext->present)
  421. continue;
  422. if (i < builtin_num) {
  423. context = ext_defs[i].context;
  424. } else {
  425. custom_ext_method *meth = NULL;
  426. meth = custom_ext_find(&s->cert->custext, role, thisext->type,
  427. &offset);
  428. if (!ossl_assert(meth != NULL))
  429. return 0;
  430. context = meth->context;
  431. }
  432. if (!validate_context(s, context, thisctx))
  433. return 0;
  434. }
  435. return 1;
  436. }
  437. /*
  438. * Verify whether we are allowed to use the extension |type| in the current
  439. * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
  440. * indicate the extension is not allowed. If returning 1 then |*found| is set to
  441. * the definition for the extension we found.
  442. */
  443. static int verify_extension(SSL *s, unsigned int context, unsigned int type,
  444. custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
  445. RAW_EXTENSION **found)
  446. {
  447. size_t i;
  448. size_t builtin_num = OSSL_NELEM(ext_defs);
  449. const EXTENSION_DEFINITION *thisext;
  450. for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
  451. if (type == thisext->type) {
  452. if (!validate_context(s, thisext->context, context))
  453. return 0;
  454. *found = &rawexlist[i];
  455. return 1;
  456. }
  457. }
  458. /* Check the custom extensions */
  459. if (meths != NULL) {
  460. size_t offset = 0;
  461. ENDPOINT role = ENDPOINT_BOTH;
  462. custom_ext_method *meth = NULL;
  463. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  464. role = ENDPOINT_SERVER;
  465. else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
  466. role = ENDPOINT_CLIENT;
  467. meth = custom_ext_find(meths, role, type, &offset);
  468. if (meth != NULL) {
  469. if (!validate_context(s, meth->context, context))
  470. return 0;
  471. *found = &rawexlist[offset + builtin_num];
  472. return 1;
  473. }
  474. }
  475. /* Unknown extension. We allow it */
  476. *found = NULL;
  477. return 1;
  478. }
  479. /*
  480. * Check whether the context defined for an extension |extctx| means whether
  481. * the extension is relevant for the current context |thisctx| or not. Returns
  482. * 1 if the extension is relevant for this context, and 0 otherwise
  483. */
  484. int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
  485. {
  486. int is_tls13;
  487. /*
  488. * For HRR we haven't selected the version yet but we know it will be
  489. * TLSv1.3
  490. */
  491. if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  492. is_tls13 = 1;
  493. else
  494. is_tls13 = SSL_IS_TLS13(s);
  495. if ((SSL_IS_DTLS(s)
  496. && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
  497. || (s->version == SSL3_VERSION
  498. && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
  499. /*
  500. * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
  501. * which is never true when generating the ClientHello.
  502. * However, version negotiation *has* occurred by the time the
  503. * ClientHello extensions are being parsed.
  504. * Be careful to allow TLS 1.3-only extensions when generating
  505. * the ClientHello.
  506. */
  507. || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
  508. || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
  509. && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
  510. || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
  511. || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
  512. return 0;
  513. return 1;
  514. }
  515. /*
  516. * Gather a list of all the extensions from the data in |packet]. |context|
  517. * tells us which message this extension is for. The raw extension data is
  518. * stored in |*res| on success. We don't actually process the content of the
  519. * extensions yet, except to check their types. This function also runs the
  520. * initialiser functions for all known extensions if |init| is nonzero (whether
  521. * we have collected them or not). If successful the caller is responsible for
  522. * freeing the contents of |*res|.
  523. *
  524. * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
  525. * more than one extension of the same type in a ClientHello or ServerHello.
  526. * This function returns 1 if all extensions are unique and we have parsed their
  527. * types, and 0 if the extensions contain duplicates, could not be successfully
  528. * found, or an internal error occurred. We only check duplicates for
  529. * extensions that we know about. We ignore others.
  530. */
  531. int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
  532. RAW_EXTENSION **res, size_t *len, int init)
  533. {
  534. PACKET extensions = *packet;
  535. size_t i = 0;
  536. size_t num_exts;
  537. custom_ext_methods *exts = &s->cert->custext;
  538. RAW_EXTENSION *raw_extensions = NULL;
  539. const EXTENSION_DEFINITION *thisexd;
  540. *res = NULL;
  541. /*
  542. * Initialise server side custom extensions. Client side is done during
  543. * construction of extensions for the ClientHello.
  544. */
  545. if ((context & SSL_EXT_CLIENT_HELLO) != 0)
  546. custom_ext_init(&s->cert->custext);
  547. num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
  548. raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
  549. if (raw_extensions == NULL) {
  550. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
  551. ERR_R_MALLOC_FAILURE);
  552. return 0;
  553. }
  554. i = 0;
  555. while (PACKET_remaining(&extensions) > 0) {
  556. unsigned int type, idx;
  557. PACKET extension;
  558. RAW_EXTENSION *thisex;
  559. if (!PACKET_get_net_2(&extensions, &type) ||
  560. !PACKET_get_length_prefixed_2(&extensions, &extension)) {
  561. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
  562. SSL_R_BAD_EXTENSION);
  563. goto err;
  564. }
  565. /*
  566. * Verify this extension is allowed. We only check duplicates for
  567. * extensions that we recognise. We also have a special case for the
  568. * PSK extension, which must be the last one in the ClientHello.
  569. */
  570. if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
  571. || (thisex != NULL && thisex->present == 1)
  572. || (type == TLSEXT_TYPE_psk
  573. && (context & SSL_EXT_CLIENT_HELLO) != 0
  574. && PACKET_remaining(&extensions) != 0)) {
  575. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
  576. SSL_R_BAD_EXTENSION);
  577. goto err;
  578. }
  579. idx = thisex - raw_extensions;
  580. /*-
  581. * Check that we requested this extension (if appropriate). Requests can
  582. * be sent in the ClientHello and CertificateRequest. Unsolicited
  583. * extensions can be sent in the NewSessionTicket. We only do this for
  584. * the built-in extensions. Custom extensions have a different but
  585. * similar check elsewhere.
  586. * Special cases:
  587. * - The HRR cookie extension is unsolicited
  588. * - The renegotiate extension is unsolicited (the client signals
  589. * support via an SCSV)
  590. * - The signed_certificate_timestamp extension can be provided by a
  591. * custom extension or by the built-in version. We let the extension
  592. * itself handle unsolicited response checks.
  593. */
  594. if (idx < OSSL_NELEM(ext_defs)
  595. && (context & (SSL_EXT_CLIENT_HELLO
  596. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  597. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
  598. && type != TLSEXT_TYPE_cookie
  599. && type != TLSEXT_TYPE_renegotiate
  600. && type != TLSEXT_TYPE_signed_certificate_timestamp
  601. && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
  602. #ifndef OPENSSL_NO_GOST
  603. && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
  604. && type == TLSEXT_TYPE_cryptopro_bug)
  605. #endif
  606. ) {
  607. SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
  608. SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
  609. goto err;
  610. }
  611. if (thisex != NULL) {
  612. thisex->data = extension;
  613. thisex->present = 1;
  614. thisex->type = type;
  615. thisex->received_order = i++;
  616. if (s->ext.debug_cb)
  617. s->ext.debug_cb(s, !s->server, thisex->type,
  618. PACKET_data(&thisex->data),
  619. PACKET_remaining(&thisex->data),
  620. s->ext.debug_arg);
  621. }
  622. }
  623. if (init) {
  624. /*
  625. * Initialise all known extensions relevant to this context,
  626. * whether we have found them or not
  627. */
  628. for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
  629. i++, thisexd++) {
  630. if (thisexd->init != NULL && (thisexd->context & context) != 0
  631. && extension_is_relevant(s, thisexd->context, context)
  632. && !thisexd->init(s, context)) {
  633. /* SSLfatal() already called */
  634. goto err;
  635. }
  636. }
  637. }
  638. *res = raw_extensions;
  639. if (len != NULL)
  640. *len = num_exts;
  641. return 1;
  642. err:
  643. OPENSSL_free(raw_extensions);
  644. return 0;
  645. }
  646. /*
  647. * Runs the parser for a given extension with index |idx|. |exts| contains the
  648. * list of all parsed extensions previously collected by
  649. * tls_collect_extensions(). The parser is only run if it is applicable for the
  650. * given |context| and the parser has not already been run. If this is for a
  651. * Certificate message, then we also provide the parser with the relevant
  652. * Certificate |x| and its position in the |chainidx| with 0 being the first
  653. * Certificate. Returns 1 on success or 0 on failure. If an extension is not
  654. * present this counted as success.
  655. */
  656. int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
  657. RAW_EXTENSION *exts, X509 *x, size_t chainidx)
  658. {
  659. RAW_EXTENSION *currext = &exts[idx];
  660. int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
  661. size_t chainidx) = NULL;
  662. /* Skip if the extension is not present */
  663. if (!currext->present)
  664. return 1;
  665. /* Skip if we've already parsed this extension */
  666. if (currext->parsed)
  667. return 1;
  668. currext->parsed = 1;
  669. if (idx < OSSL_NELEM(ext_defs)) {
  670. /* We are handling a built-in extension */
  671. const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
  672. /* Check if extension is defined for our protocol. If not, skip */
  673. if (!extension_is_relevant(s, extdef->context, context))
  674. return 1;
  675. parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
  676. if (parser != NULL)
  677. return parser(s, &currext->data, context, x, chainidx);
  678. /*
  679. * If the parser is NULL we fall through to the custom extension
  680. * processing
  681. */
  682. }
  683. /* Parse custom extensions */
  684. return custom_ext_parse(s, context, currext->type,
  685. PACKET_data(&currext->data),
  686. PACKET_remaining(&currext->data),
  687. x, chainidx);
  688. }
  689. /*
  690. * Parse all remaining extensions that have not yet been parsed. Also calls the
  691. * finalisation for all extensions at the end if |fin| is nonzero, whether we
  692. * collected them or not. Returns 1 for success or 0 for failure. If we are
  693. * working on a Certificate message then we also pass the Certificate |x| and
  694. * its position in the |chainidx|, with 0 being the first certificate.
  695. */
  696. int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
  697. size_t chainidx, int fin)
  698. {
  699. size_t i, numexts = OSSL_NELEM(ext_defs);
  700. const EXTENSION_DEFINITION *thisexd;
  701. /* Calculate the number of extensions in the extensions list */
  702. numexts += s->cert->custext.meths_count;
  703. /* Parse each extension in turn */
  704. for (i = 0; i < numexts; i++) {
  705. if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
  706. /* SSLfatal() already called */
  707. return 0;
  708. }
  709. }
  710. if (fin) {
  711. /*
  712. * Finalise all known extensions relevant to this context,
  713. * whether we have found them or not
  714. */
  715. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
  716. i++, thisexd++) {
  717. if (thisexd->final != NULL && (thisexd->context & context) != 0
  718. && !thisexd->final(s, context, exts[i].present)) {
  719. /* SSLfatal() already called */
  720. return 0;
  721. }
  722. }
  723. }
  724. return 1;
  725. }
  726. int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
  727. int max_version)
  728. {
  729. /* Skip if not relevant for our context */
  730. if ((extctx & thisctx) == 0)
  731. return 0;
  732. /* Check if this extension is defined for our protocol. If not, skip */
  733. if (!extension_is_relevant(s, extctx, thisctx)
  734. || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
  735. && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
  736. && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
  737. return 0;
  738. return 1;
  739. }
  740. /*
  741. * Construct all the extensions relevant to the current |context| and write
  742. * them to |pkt|. If this is an extension for a Certificate in a Certificate
  743. * message, then |x| will be set to the Certificate we are handling, and
  744. * |chainidx| will indicate the position in the chainidx we are processing (with
  745. * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
  746. * failure construction stops at the first extension to fail to construct.
  747. */
  748. int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
  749. X509 *x, size_t chainidx)
  750. {
  751. size_t i;
  752. int min_version, max_version = 0, reason;
  753. const EXTENSION_DEFINITION *thisexd;
  754. if (!WPACKET_start_sub_packet_u16(pkt)
  755. /*
  756. * If extensions are of zero length then we don't even add the
  757. * extensions length bytes to a ClientHello/ServerHello
  758. * (for non-TLSv1.3).
  759. */
  760. || ((context &
  761. (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
  762. && !WPACKET_set_flags(pkt,
  763. WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
  764. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
  765. ERR_R_INTERNAL_ERROR);
  766. return 0;
  767. }
  768. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  769. reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
  770. if (reason != 0) {
  771. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
  772. reason);
  773. return 0;
  774. }
  775. }
  776. /* Add custom extensions first */
  777. if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
  778. /* On the server side with initialise during ClientHello parsing */
  779. custom_ext_init(&s->cert->custext);
  780. }
  781. if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
  782. /* SSLfatal() already called */
  783. return 0;
  784. }
  785. for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
  786. EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
  787. X509 *x, size_t chainidx);
  788. EXT_RETURN ret;
  789. /* Skip if not relevant for our context */
  790. if (!should_add_extension(s, thisexd->context, context, max_version))
  791. continue;
  792. construct = s->server ? thisexd->construct_stoc
  793. : thisexd->construct_ctos;
  794. if (construct == NULL)
  795. continue;
  796. ret = construct(s, pkt, context, x, chainidx);
  797. if (ret == EXT_RETURN_FAIL) {
  798. /* SSLfatal() already called */
  799. return 0;
  800. }
  801. if (ret == EXT_RETURN_SENT
  802. && (context & (SSL_EXT_CLIENT_HELLO
  803. | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
  804. | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
  805. s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
  806. }
  807. if (!WPACKET_close(pkt)) {
  808. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
  809. ERR_R_INTERNAL_ERROR);
  810. return 0;
  811. }
  812. return 1;
  813. }
  814. /*
  815. * Built in extension finalisation and initialisation functions. All initialise
  816. * or finalise the associated extension type for the given |context|. For
  817. * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
  818. * otherwise. These functions return 1 on success or 0 on failure.
  819. */
  820. static int final_renegotiate(SSL *s, unsigned int context, int sent)
  821. {
  822. if (!s->server) {
  823. /*
  824. * Check if we can connect to a server that doesn't support safe
  825. * renegotiation
  826. */
  827. if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
  828. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  829. && !sent) {
  830. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
  831. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  832. return 0;
  833. }
  834. return 1;
  835. }
  836. /* Need RI if renegotiating */
  837. if (s->renegotiate
  838. && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
  839. && !sent) {
  840. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
  841. SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
  842. return 0;
  843. }
  844. return 1;
  845. }
  846. static int init_server_name(SSL *s, unsigned int context)
  847. {
  848. if (s->server) {
  849. s->servername_done = 0;
  850. OPENSSL_free(s->ext.hostname);
  851. s->ext.hostname = NULL;
  852. }
  853. return 1;
  854. }
  855. static int final_server_name(SSL *s, unsigned int context, int sent)
  856. {
  857. int ret = SSL_TLSEXT_ERR_NOACK;
  858. int altmp = SSL_AD_UNRECOGNIZED_NAME;
  859. int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
  860. if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
  861. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  862. ERR_R_INTERNAL_ERROR);
  863. return 0;
  864. }
  865. if (s->ctx->ext.servername_cb != NULL)
  866. ret = s->ctx->ext.servername_cb(s, &altmp,
  867. s->ctx->ext.servername_arg);
  868. else if (s->session_ctx->ext.servername_cb != NULL)
  869. ret = s->session_ctx->ext.servername_cb(s, &altmp,
  870. s->session_ctx->ext.servername_arg);
  871. /*
  872. * For servers, propagate the SNI hostname from the temporary
  873. * storage in the SSL to the persistent SSL_SESSION, now that we
  874. * know we accepted it.
  875. * Clients make this copy when parsing the server's response to
  876. * the extension, which is when they find out that the negotiation
  877. * was successful.
  878. */
  879. if (s->server) {
  880. if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
  881. /* Only store the hostname in the session if we accepted it. */
  882. OPENSSL_free(s->session->ext.hostname);
  883. s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
  884. if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
  885. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  886. ERR_R_INTERNAL_ERROR);
  887. }
  888. }
  889. }
  890. /*
  891. * If we switched contexts (whether here or in the client_hello callback),
  892. * move the sess_accept increment from the session_ctx to the new
  893. * context, to avoid the confusing situation of having sess_accept_good
  894. * exceed sess_accept (zero) for the new context.
  895. */
  896. if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
  897. && s->hello_retry_request == SSL_HRR_NONE) {
  898. tsan_counter(&s->ctx->stats.sess_accept);
  899. tsan_decr(&s->session_ctx->stats.sess_accept);
  900. }
  901. /*
  902. * If we're expecting to send a ticket, and tickets were previously enabled,
  903. * and now tickets are disabled, then turn off expected ticket.
  904. * Also, if this is not a resumption, create a new session ID
  905. */
  906. if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
  907. && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
  908. s->ext.ticket_expected = 0;
  909. if (!s->hit) {
  910. SSL_SESSION* ss = SSL_get_session(s);
  911. if (ss != NULL) {
  912. OPENSSL_free(ss->ext.tick);
  913. ss->ext.tick = NULL;
  914. ss->ext.ticklen = 0;
  915. ss->ext.tick_lifetime_hint = 0;
  916. ss->ext.tick_age_add = 0;
  917. if (!ssl_generate_session_id(s, ss)) {
  918. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  919. ERR_R_INTERNAL_ERROR);
  920. return 0;
  921. }
  922. } else {
  923. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
  924. ERR_R_INTERNAL_ERROR);
  925. return 0;
  926. }
  927. }
  928. }
  929. switch (ret) {
  930. case SSL_TLSEXT_ERR_ALERT_FATAL:
  931. SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
  932. return 0;
  933. case SSL_TLSEXT_ERR_ALERT_WARNING:
  934. /* TLSv1.3 doesn't have warning alerts so we suppress this */
  935. if (!SSL_IS_TLS13(s))
  936. ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
  937. s->servername_done = 0;
  938. return 1;
  939. case SSL_TLSEXT_ERR_NOACK:
  940. s->servername_done = 0;
  941. return 1;
  942. default:
  943. return 1;
  944. }
  945. }
  946. #ifndef OPENSSL_NO_EC
  947. static int init_ec_point_formats(SSL *s, unsigned int context)
  948. {
  949. OPENSSL_free(s->ext.peer_ecpointformats);
  950. s->ext.peer_ecpointformats = NULL;
  951. s->ext.peer_ecpointformats_len = 0;
  952. return 1;
  953. }
  954. static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
  955. {
  956. unsigned long alg_k, alg_a;
  957. if (s->server)
  958. return 1;
  959. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  960. alg_a = s->s3->tmp.new_cipher->algorithm_auth;
  961. /*
  962. * If we are client and using an elliptic curve cryptography cipher
  963. * suite, then if server returns an EC point formats lists extension it
  964. * must contain uncompressed.
  965. */
  966. if (s->ext.ecpointformats != NULL
  967. && s->ext.ecpointformats_len > 0
  968. && s->ext.peer_ecpointformats != NULL
  969. && s->ext.peer_ecpointformats_len > 0
  970. && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
  971. /* we are using an ECC cipher */
  972. size_t i;
  973. unsigned char *list = s->ext.peer_ecpointformats;
  974. for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
  975. if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
  976. break;
  977. }
  978. if (i == s->ext.peer_ecpointformats_len) {
  979. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
  980. SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
  981. return 0;
  982. }
  983. }
  984. return 1;
  985. }
  986. #endif
  987. static int init_session_ticket(SSL *s, unsigned int context)
  988. {
  989. if (!s->server)
  990. s->ext.ticket_expected = 0;
  991. return 1;
  992. }
  993. #ifndef OPENSSL_NO_OCSP
  994. static int init_status_request(SSL *s, unsigned int context)
  995. {
  996. if (s->server) {
  997. s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
  998. } else {
  999. /*
  1000. * Ensure we get sensible values passed to tlsext_status_cb in the event
  1001. * that we don't receive a status message
  1002. */
  1003. OPENSSL_free(s->ext.ocsp.resp);
  1004. s->ext.ocsp.resp = NULL;
  1005. s->ext.ocsp.resp_len = 0;
  1006. }
  1007. return 1;
  1008. }
  1009. #endif
  1010. #ifndef OPENSSL_NO_NEXTPROTONEG
  1011. static int init_npn(SSL *s, unsigned int context)
  1012. {
  1013. s->s3->npn_seen = 0;
  1014. return 1;
  1015. }
  1016. #endif
  1017. static int init_alpn(SSL *s, unsigned int context)
  1018. {
  1019. OPENSSL_free(s->s3->alpn_selected);
  1020. s->s3->alpn_selected = NULL;
  1021. s->s3->alpn_selected_len = 0;
  1022. if (s->server) {
  1023. OPENSSL_free(s->s3->alpn_proposed);
  1024. s->s3->alpn_proposed = NULL;
  1025. s->s3->alpn_proposed_len = 0;
  1026. }
  1027. return 1;
  1028. }
  1029. static int final_alpn(SSL *s, unsigned int context, int sent)
  1030. {
  1031. if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
  1032. s->ext.early_data_ok = 0;
  1033. if (!s->server || !SSL_IS_TLS13(s))
  1034. return 1;
  1035. /*
  1036. * Call alpn_select callback if needed. Has to be done after SNI and
  1037. * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
  1038. * we also have to do this before we decide whether to accept early_data.
  1039. * In TLSv1.3 we've already negotiated our cipher so we do this call now.
  1040. * For < TLSv1.3 we defer it until after cipher negotiation.
  1041. *
  1042. * On failure SSLfatal() already called.
  1043. */
  1044. return tls_handle_alpn(s);
  1045. }
  1046. static int init_sig_algs(SSL *s, unsigned int context)
  1047. {
  1048. /* Clear any signature algorithms extension received */
  1049. OPENSSL_free(s->s3->tmp.peer_sigalgs);
  1050. s->s3->tmp.peer_sigalgs = NULL;
  1051. s->s3->tmp.peer_sigalgslen = 0;
  1052. return 1;
  1053. }
  1054. static int init_sig_algs_cert(SSL *s, unsigned int context)
  1055. {
  1056. /* Clear any signature algorithms extension received */
  1057. OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
  1058. s->s3->tmp.peer_cert_sigalgs = NULL;
  1059. s->s3->tmp.peer_cert_sigalgslen = 0;
  1060. return 1;
  1061. }
  1062. #ifndef OPENSSL_NO_SRP
  1063. static int init_srp(SSL *s, unsigned int context)
  1064. {
  1065. OPENSSL_free(s->srp_ctx.login);
  1066. s->srp_ctx.login = NULL;
  1067. return 1;
  1068. }
  1069. #endif
  1070. static int init_etm(SSL *s, unsigned int context)
  1071. {
  1072. s->ext.use_etm = 0;
  1073. return 1;
  1074. }
  1075. static int init_ems(SSL *s, unsigned int context)
  1076. {
  1077. if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
  1078. s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
  1079. s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
  1080. }
  1081. return 1;
  1082. }
  1083. static int final_ems(SSL *s, unsigned int context, int sent)
  1084. {
  1085. /*
  1086. * Check extended master secret extension is not dropped on
  1087. * renegotiation.
  1088. */
  1089. if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
  1090. && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
  1091. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
  1092. SSL_R_INCONSISTENT_EXTMS);
  1093. return 0;
  1094. }
  1095. if (!s->server && s->hit) {
  1096. /*
  1097. * Check extended master secret extension is consistent with
  1098. * original session.
  1099. */
  1100. if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
  1101. !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
  1102. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
  1103. SSL_R_INCONSISTENT_EXTMS);
  1104. return 0;
  1105. }
  1106. }
  1107. return 1;
  1108. }
  1109. static int init_certificate_authorities(SSL *s, unsigned int context)
  1110. {
  1111. sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
  1112. s->s3->tmp.peer_ca_names = NULL;
  1113. return 1;
  1114. }
  1115. static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
  1116. unsigned int context,
  1117. X509 *x,
  1118. size_t chainidx)
  1119. {
  1120. const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
  1121. if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
  1122. return EXT_RETURN_NOT_SENT;
  1123. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
  1124. || !WPACKET_start_sub_packet_u16(pkt)) {
  1125. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1126. SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
  1127. ERR_R_INTERNAL_ERROR);
  1128. return EXT_RETURN_FAIL;
  1129. }
  1130. if (!construct_ca_names(s, ca_sk, pkt)) {
  1131. /* SSLfatal() already called */
  1132. return EXT_RETURN_FAIL;
  1133. }
  1134. if (!WPACKET_close(pkt)) {
  1135. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  1136. SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
  1137. ERR_R_INTERNAL_ERROR);
  1138. return EXT_RETURN_FAIL;
  1139. }
  1140. return EXT_RETURN_SENT;
  1141. }
  1142. static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
  1143. unsigned int context, X509 *x,
  1144. size_t chainidx)
  1145. {
  1146. if (!parse_ca_names(s, pkt))
  1147. return 0;
  1148. if (PACKET_remaining(pkt) != 0) {
  1149. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1150. SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
  1151. return 0;
  1152. }
  1153. return 1;
  1154. }
  1155. #ifndef OPENSSL_NO_SRTP
  1156. static int init_srtp(SSL *s, unsigned int context)
  1157. {
  1158. if (s->server)
  1159. s->srtp_profile = NULL;
  1160. return 1;
  1161. }
  1162. #endif
  1163. static int final_sig_algs(SSL *s, unsigned int context, int sent)
  1164. {
  1165. if (!sent && SSL_IS_TLS13(s) && !s->hit) {
  1166. SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
  1167. SSL_R_MISSING_SIGALGS_EXTENSION);
  1168. return 0;
  1169. }
  1170. return 1;
  1171. }
  1172. #ifndef OPENSSL_NO_EC
  1173. static int final_key_share(SSL *s, unsigned int context, int sent)
  1174. {
  1175. if (!SSL_IS_TLS13(s))
  1176. return 1;
  1177. /* Nothing to do for key_share in an HRR */
  1178. if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
  1179. return 1;
  1180. /*
  1181. * If
  1182. * we are a client
  1183. * AND
  1184. * we have no key_share
  1185. * AND
  1186. * (we are not resuming
  1187. * OR the kex_mode doesn't allow non key_share resumes)
  1188. * THEN
  1189. * fail;
  1190. */
  1191. if (!s->server
  1192. && !sent
  1193. && (!s->hit
  1194. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
  1195. /* Nothing left we can do - just fail */
  1196. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
  1197. SSL_R_NO_SUITABLE_KEY_SHARE);
  1198. return 0;
  1199. }
  1200. /*
  1201. * IF
  1202. * we are a server
  1203. * THEN
  1204. * IF
  1205. * we have a suitable key_share
  1206. * THEN
  1207. * IF
  1208. * we are stateless AND we have no cookie
  1209. * THEN
  1210. * send a HelloRetryRequest
  1211. * ELSE
  1212. * IF
  1213. * we didn't already send a HelloRetryRequest
  1214. * AND
  1215. * the client sent a key_share extension
  1216. * AND
  1217. * (we are not resuming
  1218. * OR the kex_mode allows key_share resumes)
  1219. * AND
  1220. * a shared group exists
  1221. * THEN
  1222. * send a HelloRetryRequest
  1223. * ELSE IF
  1224. * we are not resuming
  1225. * OR
  1226. * the kex_mode doesn't allow non key_share resumes
  1227. * THEN
  1228. * fail
  1229. * ELSE IF
  1230. * we are stateless AND we have no cookie
  1231. * THEN
  1232. * send a HelloRetryRequest
  1233. */
  1234. if (s->server) {
  1235. if (s->s3->peer_tmp != NULL) {
  1236. /* We have a suitable key_share */
  1237. if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
  1238. && !s->ext.cookieok) {
  1239. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1240. /*
  1241. * If we are stateless then we wouldn't know about any
  1242. * previously sent HRR - so how can this be anything other
  1243. * than 0?
  1244. */
  1245. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
  1246. ERR_R_INTERNAL_ERROR);
  1247. return 0;
  1248. }
  1249. s->hello_retry_request = SSL_HRR_PENDING;
  1250. return 1;
  1251. }
  1252. } else {
  1253. /* No suitable key_share */
  1254. if (s->hello_retry_request == SSL_HRR_NONE && sent
  1255. && (!s->hit
  1256. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
  1257. != 0)) {
  1258. const uint16_t *pgroups, *clntgroups;
  1259. size_t num_groups, clnt_num_groups, i;
  1260. unsigned int group_id = 0;
  1261. /* Check if a shared group exists */
  1262. /* Get the clients list of supported groups. */
  1263. tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
  1264. tls1_get_supported_groups(s, &pgroups, &num_groups);
  1265. /*
  1266. * Find the first group we allow that is also in client's list
  1267. */
  1268. for (i = 0; i < num_groups; i++) {
  1269. group_id = pgroups[i];
  1270. if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
  1271. 1))
  1272. break;
  1273. }
  1274. if (i < num_groups) {
  1275. /* A shared group exists so send a HelloRetryRequest */
  1276. s->s3->group_id = group_id;
  1277. s->hello_retry_request = SSL_HRR_PENDING;
  1278. return 1;
  1279. }
  1280. }
  1281. if (!s->hit
  1282. || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
  1283. /* Nothing left we can do - just fail */
  1284. SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
  1285. : SSL_AD_MISSING_EXTENSION,
  1286. SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
  1287. return 0;
  1288. }
  1289. if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
  1290. && !s->ext.cookieok) {
  1291. if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
  1292. /*
  1293. * If we are stateless then we wouldn't know about any
  1294. * previously sent HRR - so how can this be anything other
  1295. * than 0?
  1296. */
  1297. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
  1298. ERR_R_INTERNAL_ERROR);
  1299. return 0;
  1300. }
  1301. s->hello_retry_request = SSL_HRR_PENDING;
  1302. return 1;
  1303. }
  1304. }
  1305. /*
  1306. * We have a key_share so don't send any more HelloRetryRequest
  1307. * messages
  1308. */
  1309. if (s->hello_retry_request == SSL_HRR_PENDING)
  1310. s->hello_retry_request = SSL_HRR_COMPLETE;
  1311. } else {
  1312. /*
  1313. * For a client side resumption with no key_share we need to generate
  1314. * the handshake secret (otherwise this is done during key_share
  1315. * processing).
  1316. */
  1317. if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
  1318. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
  1319. ERR_R_INTERNAL_ERROR);
  1320. return 0;
  1321. }
  1322. }
  1323. return 1;
  1324. }
  1325. #endif
  1326. static int init_psk_kex_modes(SSL *s, unsigned int context)
  1327. {
  1328. s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
  1329. return 1;
  1330. }
  1331. int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
  1332. size_t binderoffset, const unsigned char *binderin,
  1333. unsigned char *binderout, SSL_SESSION *sess, int sign,
  1334. int external)
  1335. {
  1336. EVP_PKEY *mackey = NULL;
  1337. EVP_MD_CTX *mctx = NULL;
  1338. unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
  1339. unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
  1340. unsigned char *early_secret;
  1341. #ifdef CHARSET_EBCDIC
  1342. static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
  1343. static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
  1344. #else
  1345. static const unsigned char resumption_label[] = "res binder";
  1346. static const unsigned char external_label[] = "ext binder";
  1347. #endif
  1348. const unsigned char *label;
  1349. size_t bindersize, labelsize, hashsize;
  1350. int hashsizei = EVP_MD_size(md);
  1351. int ret = -1;
  1352. int usepskfored = 0;
  1353. /* Ensure cast to size_t is safe */
  1354. if (!ossl_assert(hashsizei >= 0)) {
  1355. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1356. ERR_R_INTERNAL_ERROR);
  1357. goto err;
  1358. }
  1359. hashsize = (size_t)hashsizei;
  1360. if (external
  1361. && s->early_data_state == SSL_EARLY_DATA_CONNECTING
  1362. && s->session->ext.max_early_data == 0
  1363. && sess->ext.max_early_data > 0)
  1364. usepskfored = 1;
  1365. if (external) {
  1366. label = external_label;
  1367. labelsize = sizeof(external_label) - 1;
  1368. } else {
  1369. label = resumption_label;
  1370. labelsize = sizeof(resumption_label) - 1;
  1371. }
  1372. /*
  1373. * Generate the early_secret. On the server side we've selected a PSK to
  1374. * resume with (internal or external) so we always do this. On the client
  1375. * side we do this for a non-external (i.e. resumption) PSK or external PSK
  1376. * that will be used for early_data so that it is in place for sending early
  1377. * data. For client side external PSK not being used for early_data we
  1378. * generate it but store it away for later use.
  1379. */
  1380. if (s->server || !external || usepskfored)
  1381. early_secret = (unsigned char *)s->early_secret;
  1382. else
  1383. early_secret = (unsigned char *)sess->early_secret;
  1384. if (!tls13_generate_secret(s, md, NULL, sess->master_key,
  1385. sess->master_key_length, early_secret)) {
  1386. /* SSLfatal() already called */
  1387. goto err;
  1388. }
  1389. /*
  1390. * Create the handshake hash for the binder key...the messages so far are
  1391. * empty!
  1392. */
  1393. mctx = EVP_MD_CTX_new();
  1394. if (mctx == NULL
  1395. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  1396. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1397. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1398. ERR_R_INTERNAL_ERROR);
  1399. goto err;
  1400. }
  1401. /* Generate the binder key */
  1402. if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
  1403. hashsize, binderkey, hashsize, 1)) {
  1404. /* SSLfatal() already called */
  1405. goto err;
  1406. }
  1407. /* Generate the finished key */
  1408. if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
  1409. /* SSLfatal() already called */
  1410. goto err;
  1411. }
  1412. if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
  1413. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1414. ERR_R_INTERNAL_ERROR);
  1415. goto err;
  1416. }
  1417. /*
  1418. * Get a hash of the ClientHello up to the start of the binders. If we are
  1419. * following a HelloRetryRequest then this includes the hash of the first
  1420. * ClientHello and the HelloRetryRequest itself.
  1421. */
  1422. if (s->hello_retry_request == SSL_HRR_PENDING) {
  1423. size_t hdatalen;
  1424. long hdatalen_l;
  1425. void *hdata;
  1426. hdatalen = hdatalen_l =
  1427. BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
  1428. if (hdatalen_l <= 0) {
  1429. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1430. SSL_R_BAD_HANDSHAKE_LENGTH);
  1431. goto err;
  1432. }
  1433. /*
  1434. * For servers the handshake buffer data will include the second
  1435. * ClientHello - which we don't want - so we need to take that bit off.
  1436. */
  1437. if (s->server) {
  1438. PACKET hashprefix, msg;
  1439. /* Find how many bytes are left after the first two messages */
  1440. if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
  1441. || !PACKET_forward(&hashprefix, 1)
  1442. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
  1443. || !PACKET_forward(&hashprefix, 1)
  1444. || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
  1445. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1446. ERR_R_INTERNAL_ERROR);
  1447. goto err;
  1448. }
  1449. hdatalen -= PACKET_remaining(&hashprefix);
  1450. }
  1451. if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
  1452. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1453. ERR_R_INTERNAL_ERROR);
  1454. goto err;
  1455. }
  1456. }
  1457. if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
  1458. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  1459. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1460. ERR_R_INTERNAL_ERROR);
  1461. goto err;
  1462. }
  1463. mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
  1464. hashsize);
  1465. if (mackey == NULL) {
  1466. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1467. ERR_R_INTERNAL_ERROR);
  1468. goto err;
  1469. }
  1470. if (!sign)
  1471. binderout = tmpbinder;
  1472. bindersize = hashsize;
  1473. if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
  1474. || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
  1475. || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
  1476. || bindersize != hashsize) {
  1477. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
  1478. ERR_R_INTERNAL_ERROR);
  1479. goto err;
  1480. }
  1481. if (sign) {
  1482. ret = 1;
  1483. } else {
  1484. /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
  1485. ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
  1486. if (!ret)
  1487. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
  1488. SSL_R_BINDER_DOES_NOT_VERIFY);
  1489. }
  1490. err:
  1491. OPENSSL_cleanse(binderkey, sizeof(binderkey));
  1492. OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
  1493. EVP_PKEY_free(mackey);
  1494. EVP_MD_CTX_free(mctx);
  1495. return ret;
  1496. }
  1497. static int final_early_data(SSL *s, unsigned int context, int sent)
  1498. {
  1499. if (!sent)
  1500. return 1;
  1501. if (!s->server) {
  1502. if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
  1503. && sent
  1504. && !s->ext.early_data_ok) {
  1505. /*
  1506. * If we get here then the server accepted our early_data but we
  1507. * later realised that it shouldn't have done (e.g. inconsistent
  1508. * ALPN)
  1509. */
  1510. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
  1511. SSL_R_BAD_EARLY_DATA);
  1512. return 0;
  1513. }
  1514. return 1;
  1515. }
  1516. if (s->max_early_data == 0
  1517. || !s->hit
  1518. || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
  1519. || !s->ext.early_data_ok
  1520. || s->hello_retry_request != SSL_HRR_NONE
  1521. || (s->allow_early_data_cb != NULL
  1522. && !s->allow_early_data_cb(s,
  1523. s->allow_early_data_cb_data))) {
  1524. s->ext.early_data = SSL_EARLY_DATA_REJECTED;
  1525. } else {
  1526. s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
  1527. if (!tls13_change_cipher_state(s,
  1528. SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
  1529. /* SSLfatal() already called */
  1530. return 0;
  1531. }
  1532. }
  1533. return 1;
  1534. }
  1535. static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
  1536. {
  1537. /*
  1538. * Session resumption on server-side with MFL extension active
  1539. * BUT MFL extension packet was not resent (i.e. sent == 0)
  1540. */
  1541. if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1542. && !sent ) {
  1543. SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
  1544. SSL_R_BAD_EXTENSION);
  1545. return 0;
  1546. }
  1547. /* Current SSL buffer is lower than requested MFL */
  1548. if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
  1549. && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
  1550. /* trigger a larger buffer reallocation */
  1551. if (!ssl3_setup_buffers(s)) {
  1552. /* SSLfatal() already called */
  1553. return 0;
  1554. }
  1555. return 1;
  1556. }
  1557. static int init_post_handshake_auth(SSL *s, unsigned int context)
  1558. {
  1559. s->post_handshake_auth = SSL_PHA_NONE;
  1560. return 1;
  1561. }
  1562. /*
  1563. * If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
  1564. * extension, servers MUST abort the handshake.
  1565. */
  1566. static int final_psk(SSL *s, unsigned int context, int sent)
  1567. {
  1568. if (s->server && sent && s->clienthello != NULL
  1569. && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
  1570. SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK,
  1571. SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
  1572. return 0;
  1573. }
  1574. return 1;
  1575. }