]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add a timestamp to the cookie
[thirdparty/openssl.git] / ssl / statem / extensions.c
CommitLineData
6b473aca 1/*
3c7d0945 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
6b473aca
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
f6370040 10#include <string.h>
677963e5 11#include "internal/nelem.h"
88050dd1 12#include "internal/cryptlib.h"
6b473aca
MC		 13#include "../ssl_locl.h"
14#include "statem_locl.h"
c36001c3 15#include "internal/cryptlib.h"
6b473aca 16
f63a17d6 17static int final_renegotiate(SSL *s, unsigned int context, int sent);
1266eefd 18static int init_server_name(SSL *s, unsigned int context);
f63a17d6 19static int final_server_name(SSL *s, unsigned int context, int sent);
332eb390 20#ifndef OPENSSL_NO_EC
f63a17d6 21static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
332eb390 22#endif
1266eefd 23static int init_session_ticket(SSL *s, unsigned int context);
8f8c11d8 24#ifndef OPENSSL_NO_OCSP
1266eefd 25static int init_status_request(SSL *s, unsigned int context);
8f8c11d8 26#endif
805a2e9e 27#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 28static int init_npn(SSL *s, unsigned int context);
805a2e9e 29#endif
1266eefd 30static int init_alpn(SSL *s, unsigned int context);
f63a17d6 31static int final_alpn(SSL *s, unsigned int context, int sent);
1266eefd 32static int init_sig_algs(SSL *s, unsigned int context);
45615c5f 33static int init_certificate_authorities(SSL *s, unsigned int context);
b186a592
MC		 34static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
35 unsigned int context,
36 X509 *x,
f63a17d6 37 size_t chainidx);
45615c5f
DSH		 38static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
39 unsigned int context, X509 *x,
f63a17d6 40 size_t chainidx);
805a2e9e 41#ifndef OPENSSL_NO_SRP
1266eefd 42static int init_srp(SSL *s, unsigned int context);
805a2e9e 43#endif
1266eefd
MC		 44static int init_etm(SSL *s, unsigned int context);
45static int init_ems(SSL *s, unsigned int context);
f63a17d6 46static int final_ems(SSL *s, unsigned int context, int sent);
b2f7e8c0 47static int init_psk_kex_modes(SSL *s, unsigned int context);
deb2d5e7 48#ifndef OPENSSL_NO_EC
f63a17d6 49static int final_key_share(SSL *s, unsigned int context, int sent);
deb2d5e7 50#endif
805a2e9e 51#ifndef OPENSSL_NO_SRTP
1266eefd 52static int init_srtp(SSL *s, unsigned int context);
805a2e9e 53#endif
f63a17d6
MC		 54static int final_sig_algs(SSL *s, unsigned int context, int sent);
55static int final_early_data(SSL *s, unsigned int context, int sent);
56static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
805a2e9e 57
70af3d8e 58/* Structure to define a built-in extension */
1266eefd
MC		 59typedef struct extensions_definition_st {
60 /* The defined type for the extension */
6b473aca 61 unsigned int type;
1266eefd
MC		 62 /*
63 * The context that this extension applies to, e.g. what messages and
64 * protocol versions
65 */
66 unsigned int context;
68db4dda 67 /*
805a2e9e
MC		 68 * Initialise extension before parsing. Always called for relevant contexts
69 * even if extension not present
68db4dda 70 */
1266eefd
MC		 71 int (*init)(SSL *s, unsigned int context);
72 /* Parse extension sent from client to server */
61138358 73 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 74 size_t chainidx);
1266eefd 75 /* Parse extension send from server to client */
61138358 76 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 77 size_t chainidx);
1266eefd 78 /* Construct extension sent from server to client */
b186a592 79 EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 80 X509 *x, size_t chainidx);
1266eefd 81 /* Construct extension sent from client to server */
b186a592 82 EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 83 X509 *x, size_t chainidx);
68db4dda 84 /*
805a2e9e
MC		 85 * Finalise extension after parsing. Always called where an extensions was
86 * initialised even if the extension was not present. |sent| is set to 1 if
87 * the extension was seen, or 0 otherwise.
68db4dda 88 */
f63a17d6 89 int (*final)(SSL *s, unsigned int context, int sent);
6b473aca
MC		 90} EXTENSION_DEFINITION;
91
4b299b8e 92/*
70af3d8e 93 * Definitions of all built-in extensions. NOTE: Changes in the number or order
bd91e3c8 94 * of these extensions should be mirrored with equivalent changes to the
3e6c1da8 95 * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
70af3d8e
MC		 96 * Each extension has an initialiser, a client and
97 * server side parser and a finaliser. The initialiser is called (if the
98 * extension is relevant to the given context) even if we did not see the
99 * extension in the message that we received. The parser functions are only
100 * called if we see the extension in the message. The finalisers are always
101 * called if the initialiser was called.
102 * There are also server and client side constructor functions which are always
103 * called during message construction if the extension is relevant for the
104 * given context.
105 * The initialisation, parsing, finalisation and construction functions are
106 * always called in the order defined in this list. Some extensions may depend
107 * on others having been processed first, so the order of this list is
108 * significant.
109 * The extension context is defined by a series of flags which specify which
110 * messages the extension is relevant to. These flags also specify whether the
3e6c1da8 111 * extension is relevant to a particular protocol or protocol version.
a1448c26 112 *
70af3d8e 113 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
10ed1b72
TS		 114 *
115 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
116 * the end, keep these extensions before signature_algorithm.
4b299b8e 117 */
0785274c 118#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
6b473aca
MC		 119static const EXTENSION_DEFINITION ext_defs[] = {
120 {
121 TLSEXT_TYPE_renegotiate,
fe874d27
MC		 122 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
123 | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 124 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
125 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
126 final_renegotiate
6b473aca
MC		 127 },
128 {
129 TLSEXT_TYPE_server_name,
fe874d27
MC		 130 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
131 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
1266eefd
MC		 132 init_server_name,
133 tls_parse_ctos_server_name, tls_parse_stoc_server_name,
134 tls_construct_stoc_server_name, tls_construct_ctos_server_name,
135 final_server_name
6b473aca 136 },
cf72c757
F		 137 {
138 TLSEXT_TYPE_max_fragment_length,
139 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
140 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
141 NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
142 tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
143 final_maxfragmentlen
144 },
6b473aca
MC		 145#ifndef OPENSSL_NO_SRP
146 {
147 TLSEXT_TYPE_srp,
fe874d27 148 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd 149 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
6b473aca 150 },
0785274c
MC		 151#else
152 INVALID_EXTENSION,
6b473aca
MC		 153#endif
154#ifndef OPENSSL_NO_EC
155 {
156 TLSEXT_TYPE_ec_point_formats,
fe874d27
MC		 157 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
158 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 159 NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
160 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
161 final_ec_pt_formats
6b473aca
MC		 162 },
163 {
7bc2bddb
BK		 164 /*
165 * "supported_groups" is spread across several specifications.
166 * It was originally specified as "elliptic_curves" in RFC 4492,
167 * and broadened to include named FFDH groups by RFC 7919.
168 * Both RFCs 4492 and 7919 do not include a provision for the server
169 * to indicate to the client the complete list of groups supported
170 * by the server, with the server instead just indicating the
171 * selected group for this connection in the ServerKeyExchange
172 * message. TLS 1.3 adds a scheme for the server to indicate
173 * to the client its list of supported groups in the
174 * EncryptedExtensions message, but none of the relevant
175 * specifications permit sending supported_groups in the ServerHello.
176 * Nonetheless (possibly due to the close proximity to the
177 * "ec_point_formats" extension, which is allowed in the ServerHello),
178 * there are several servers that send this extension in the
179 * ServerHello anyway. Up to and including the 1.1.0 release,
180 * we did not check for the presence of nonpermitted extensions,
181 * so to avoid a regression, we must permit this extension in the
182 * TLS 1.2 ServerHello as well.
183 *
184 * Note that there is no tls_parse_stoc_supported_groups function,
185 * so we do not perform any additional parsing, validation, or
186 * processing on the server's group list -- this is just a minimal
187 * change to preserve compatibility with these misbehaving servers.
188 */
6b473aca 189 TLSEXT_TYPE_supported_groups,
7bc2bddb
BK		 190 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
191 | SSL_EXT_TLS1_2_SERVER_HELLO,
1266eefd 192 NULL, tls_parse_ctos_supported_groups, NULL,
6af87546 193 tls_construct_stoc_supported_groups,
1266eefd 194 tls_construct_ctos_supported_groups, NULL
6b473aca 195 },
0785274c
MC		 196#else
197 INVALID_EXTENSION,
198 INVALID_EXTENSION,
6b473aca
MC		 199#endif
200 {
201 TLSEXT_TYPE_session_ticket,
fe874d27
MC		 202 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
203 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 204 init_session_ticket, tls_parse_ctos_session_ticket,
205 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
206 tls_construct_ctos_session_ticket, NULL
6b473aca 207 },
ab83e314 208#ifndef OPENSSL_NO_OCSP
6b473aca
MC		 209 {
210 TLSEXT_TYPE_status_request,
fe874d27
MC		 211 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
212 | SSL_EXT_TLS1_3_CERTIFICATE,
1266eefd
MC		 213 init_status_request, tls_parse_ctos_status_request,
214 tls_parse_stoc_status_request, tls_construct_stoc_status_request,
f63e4288 215 tls_construct_ctos_status_request, NULL
6b473aca 216 },
0785274c
MC		 217#else
218 INVALID_EXTENSION,
ab83e314 219#endif
6b473aca
MC		 220#ifndef OPENSSL_NO_NEXTPROTONEG
221 {
222 TLSEXT_TYPE_next_proto_neg,
fe874d27
MC		 223 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
224 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 225 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
226 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
6b473aca 227 },
0785274c
MC		 228#else
229 INVALID_EXTENSION,
6b473aca
MC		 230#endif
231 {
02f0274e
MC		 232 /*
233 * Must appear in this list after server_name so that finalisation
234 * happens after server_name callbacks
235 */
6b473aca 236 TLSEXT_TYPE_application_layer_protocol_negotiation,
fe874d27
MC		 237 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
238 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
1266eefd 239 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
630369d9 240 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
6b473aca 241 },
7da160b0 242#ifndef OPENSSL_NO_SRTP
6b473aca
MC		 243 {
244 TLSEXT_TYPE_use_srtp,
fe874d27
MC		 245 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
246 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
1266eefd
MC		 247 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
248 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
6b473aca 249 },
0785274c
MC		 250#else
251 INVALID_EXTENSION,
7da160b0 252#endif
6b473aca
MC		 253 {
254 TLSEXT_TYPE_encrypt_then_mac,
fe874d27
MC		 255 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
256 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 257 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
258 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
6b473aca 259 },
6dd083fd 260#ifndef OPENSSL_NO_CT
6b473aca
MC		 261 {
262 TLSEXT_TYPE_signed_certificate_timestamp,
fe874d27
MC		 263 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
264 | SSL_EXT_TLS1_3_CERTIFICATE,
68db4dda 265 NULL,
6b473aca
MC		 266 /*
267 * No server side support for this, but can be provided by a custom
268 * extension. This is an exception to the rule that custom extensions
269 * cannot override built in ones.
270 */
1266eefd 271 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
6b473aca 272 },
0785274c
MC		 273#else
274 INVALID_EXTENSION,
6dd083fd 275#endif
6b473aca
MC		 276 {
277 TLSEXT_TYPE_extended_master_secret,
fe874d27
MC		 278 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
279 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 280 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
281 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
6b473aca 282 },
10ed1b72
TS		 283 {
284 TLSEXT_TYPE_signature_algorithms,
285 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
286 init_sig_algs, tls_parse_ctos_sig_algs,
287 tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
288 tls_construct_ctos_sig_algs, final_sig_algs
289 },
6b473aca
MC		 290 {
291 TLSEXT_TYPE_supported_versions,
88050dd1 292 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
e7dd763e
MC		 293 | SSL_EXT_TLS1_3_SERVER_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
294 | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
68db4dda 295 NULL,
6b473aca 296 /* Processed inline as part of version selection */
88050dd1
MC		 297 NULL, tls_parse_stoc_supported_versions,
298 tls_construct_stoc_supported_versions,
299 tls_construct_ctos_supported_versions, NULL
6b473aca 300 },
b2f7e8c0 301 {
b2f7e8c0 302 TLSEXT_TYPE_psk_kex_modes,
fe874d27
MC		 303 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
304 | SSL_EXT_TLS1_3_ONLY,
b2f7e8c0
MC		 305 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
306 tls_construct_ctos_psk_kex_modes, NULL
307 },
deb2d5e7 308#ifndef OPENSSL_NO_EC
6b473aca 309 {
70af3d8e
MC		 310 /*
311 * Must be in this list after supported_groups. We need that to have
312 * been parsed before we do this one.
313 */
6b473aca 314 TLSEXT_TYPE_key_share,
fe874d27
MC		 315 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
316 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
317 | SSL_EXT_TLS1_3_ONLY,
1266eefd 318 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
f4bbb37c
MC		 319 tls_construct_stoc_key_share, tls_construct_ctos_key_share,
320 final_key_share
7da160b0 321 },
deb2d5e7 322#endif
cfef5027
MC		 323 {
324 TLSEXT_TYPE_cookie,
fe874d27
MC		 325 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
326 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
43054d3d
MC		 327 NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
328 tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
cfef5027 329 },
7da160b0
MC		 330 {
331 /*
332 * Special unsolicited ServerHello extension only used when
333 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
334 */
335 TLSEXT_TYPE_cryptopro_bug,
fe874d27 336 SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd 337 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
ab83e314 338 },
38df5a45
MC		 339 {
340 TLSEXT_TYPE_early_data,
fe874d27
MC		 341 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
342 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
38df5a45
MC		 343 NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
344 tls_construct_stoc_early_data, tls_construct_ctos_early_data,
345 final_early_data
346 },
45615c5f
DSH		 347 {
348 TLSEXT_TYPE_certificate_authorities,
fe874d27
MC		 349 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
350 | SSL_EXT_TLS1_3_ONLY,
45615c5f
DSH		 351 init_certificate_authorities,
352 tls_parse_certificate_authorities, tls_parse_certificate_authorities,
353 tls_construct_certificate_authorities,
354 tls_construct_certificate_authorities, NULL,
355 },
ab83e314 356 {
ec15acb6 357 /* Must be immediately before pre_shared_key */
ab83e314 358 TLSEXT_TYPE_padding,
fe874d27 359 SSL_EXT_CLIENT_HELLO,
68db4dda 360 NULL,
ab83e314 361 /* We send this, but don't read it */
1266eefd 362 NULL, NULL, NULL, tls_construct_ctos_padding, NULL
ec15acb6
MC		 363 },
364 {
365 /* Required by the TLSv1.3 spec to always be the last extension */
366 TLSEXT_TYPE_psk,
fe874d27
MC		 367 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
368 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
0247086d 369 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
1053a6e2 370 tls_construct_ctos_psk, NULL
6b473aca
MC		 371 }
372};
373
43ae5eed
MC		 374/* Check whether an extension's context matches the current context */
375static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
376{
377 /* Check we're allowed to use this extension in this context */
378 if ((thisctx & extctx) == 0)
379 return 0;
380
381 if (SSL_IS_DTLS(s)) {
382 if ((extctx & SSL_EXT_TLS_ONLY) != 0)
383 return 0;
384 } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
385 return 0;
386 }
387
388 return 1;
389}
390
88050dd1
MC		 391int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
392{
393 size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
394 RAW_EXTENSION *thisext;
395 unsigned int context;
396 ENDPOINT role = ENDPOINT_BOTH;
397
398 if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
399 role = ENDPOINT_SERVER;
400 else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
401 role = ENDPOINT_CLIENT;
402
403 /* Calculate the number of extensions in the extensions list */
404 num_exts = builtin_num + s->cert->custext.meths_count;
405
406 for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
407 if (!thisext->present)
408 continue;
409
410 if (i < builtin_num) {
411 context = ext_defs[i].context;
412 } else {
413 custom_ext_method *meth = NULL;
414
415 meth = custom_ext_find(&s->cert->custext, role, thisext->type,
416 &offset);
417 if (!ossl_assert(meth != NULL))
418 return 0;
419 context = meth->context;
420 }
421
422 if (!validate_context(s, context, thisctx))
423 return 0;
424 }
425
426 return 1;
427}
428
6b473aca
MC		 429/*
430 * Verify whether we are allowed to use the extension |type| in the current
431 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
70af3d8e 432 * indicate the extension is not allowed. If returning 1 then |*found| is set to
69687aa8 433 * the definition for the extension we found.
6b473aca 434 */
70af3d8e 435static int verify_extension(SSL *s, unsigned int context, unsigned int type,
1266eefd
MC		 436 custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
437 RAW_EXTENSION **found)
6b473aca
MC		 438{
439 size_t i;
70af3d8e 440 size_t builtin_num = OSSL_NELEM(ext_defs);
d270de32 441 const EXTENSION_DEFINITION *thisext;
6b473aca 442
1266eefd
MC		 443 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
444 if (type == thisext->type) {
43ae5eed 445 if (!validate_context(s, thisext->context, context))
6b473aca
MC		 446 return 0;
447
1266eefd 448 *found = &rawexlist[i];
6b473aca
MC		 449 return 1;
450 }
451 }
452
70af3d8e
MC		 453 /* Check the custom extensions */
454 if (meths != NULL) {
43ae5eed 455 size_t offset = 0;
787d9ec7 456 ENDPOINT role = ENDPOINT_BOTH;
43ae5eed
MC		 457 custom_ext_method *meth = NULL;
458
459 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
787d9ec7 460 role = ENDPOINT_SERVER;
43ae5eed 461 else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
787d9ec7 462 role = ENDPOINT_CLIENT;
43ae5eed 463
787d9ec7 464 meth = custom_ext_find(meths, role, type, &offset);
43ae5eed
MC		 465 if (meth != NULL) {
466 if (!validate_context(s, meth->context, context))
467 return 0;
468 *found = &rawexlist[offset + builtin_num];
469 return 1;
6b473aca
MC		 470 }
471 }
472
70af3d8e 473 /* Unknown extension. We allow it */
1266eefd 474 *found = NULL;
70af3d8e 475 return 1;
6b473aca
MC		 476}
477
70af3d8e
MC		 478/*
479 * Check whether the context defined for an extension |extctx| means whether
480 * the extension is relevant for the current context |thisctx| or not. Returns
481 * 1 if the extension is relevant for this context, and 0 otherwise
482 */
43ae5eed 483int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
805a2e9e 484{
a2b97bdf
MC		 485 int is_tls13;
486
487 /*
488 * For HRR we haven't selected the version yet but we know it will be
489 * TLSv1.3
490 */
491 if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
492 is_tls13 = 1;
493 else
494 is_tls13 = SSL_IS_TLS13(s);
495
805a2e9e 496 if ((SSL_IS_DTLS(s)
fe874d27 497 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
805a2e9e 498 || (s->version == SSL3_VERSION
fe874d27 499 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
a2b97bdf
MC		 500 || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
501 || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
43ae5eed 502 || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
805a2e9e
MC		 503 return 0;
504
505 return 1;
506}
507
6b473aca
MC		 508/*
509 * Gather a list of all the extensions from the data in |packet]. |context|
70af3d8e 510 * tells us which message this extension is for. The raw extension data is
29bfd5b7
MC		 511 * stored in |*res| on success. We don't actually process the content of the
512 * extensions yet, except to check their types. This function also runs the
513 * initialiser functions for all known extensions if |init| is nonzero (whether
514 * we have collected them or not). If successful the caller is responsible for
515 * freeing the contents of |*res|.
6b473aca
MC		 516 *
517 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
518 * more than one extension of the same type in a ClientHello or ServerHello.
519 * This function returns 1 if all extensions are unique and we have parsed their
520 * types, and 0 if the extensions contain duplicates, could not be successfully
1266eefd 521 * found, or an internal error occurred. We only check duplicates for
70af3d8e 522 * extensions that we know about. We ignore others.
6b473aca 523 */
6b473aca 524int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
f63a17d6 525 RAW_EXTENSION **res, size_t *len, int init)
6b473aca
MC		 526{
527 PACKET extensions = *packet;
d270de32 528 size_t i = 0;
fc5ece2e 529 size_t num_exts;
43ae5eed 530 custom_ext_methods *exts = &s->cert->custext;
6b473aca 531 RAW_EXTENSION *raw_extensions = NULL;
d270de32 532 const EXTENSION_DEFINITION *thisexd;
6b473aca 533
ecc2f938
MC		 534 *res = NULL;
535
70af3d8e
MC		 536 /*
537 * Initialise server side custom extensions. Client side is done during
538 * construction of extensions for the ClientHello.
539 */
43ae5eed
MC		 540 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
541 custom_ext_init(&s->cert->custext);
70af3d8e 542
fc5ece2e
BK		 543 num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
544 raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
70af3d8e 545 if (raw_extensions == NULL) {
f63a17d6
MC		 546 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
547 ERR_R_MALLOC_FAILURE);
70af3d8e
MC		 548 return 0;
549 }
550
193b5d76 551 i = 0;
6b473aca 552 while (PACKET_remaining(&extensions) > 0) {
b186a592 553 unsigned int type, idx;
6b473aca 554 PACKET extension;
1266eefd 555 RAW_EXTENSION *thisex;
6b473aca
MC		 556
557 if (!PACKET_get_net_2(&extensions, &type) ||
558 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
f63a17d6
MC		 559 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
560 SSL_R_BAD_EXTENSION);
6b473aca
MC		 561 goto err;
562 }
70af3d8e
MC		 563 /*
564 * Verify this extension is allowed. We only check duplicates for
652a6b7e
MC		 565 * extensions that we recognise. We also have a special case for the
566 * PSK extension, which must be the last one in the ClientHello.
70af3d8e 567 */
1266eefd 568 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
652a6b7e
MC		 569 || (thisex != NULL && thisex->present == 1)
570 || (type == TLSEXT_TYPE_psk
fe874d27 571 && (context & SSL_EXT_CLIENT_HELLO) != 0
652a6b7e 572 && PACKET_remaining(&extensions) != 0)) {
f63a17d6
MC		 573 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
574 SSL_R_BAD_EXTENSION);
6b473aca
MC		 575 goto err;
576 }
b186a592
MC		 577 idx = thisex - raw_extensions;
578 /*-
579 * Check that we requested this extension (if appropriate). Requests can
580 * be sent in the ClientHello and CertificateRequest. Unsolicited
581 * extensions can be sent in the NewSessionTicket. We only do this for
582 * the built-in extensions. Custom extensions have a different but
583 * similar check elsewhere.
584 * Special cases:
585 * - The HRR cookie extension is unsolicited
586 * - The renegotiate extension is unsolicited (the client signals
587 * support via an SCSV)
588 * - The signed_certificate_timestamp extension can be provided by a
589 * custom extension or by the built-in version. We let the extension
590 * itself handle unsolicited response checks.
591 */
592 if (idx < OSSL_NELEM(ext_defs)
593 && (context & (SSL_EXT_CLIENT_HELLO
594 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
595 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
596 && type != TLSEXT_TYPE_cookie
597 && type != TLSEXT_TYPE_renegotiate
598 && type != TLSEXT_TYPE_signed_certificate_timestamp
599 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
f63a17d6
MC		 600 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
601 SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
b186a592
MC		 602 goto err;
603 }
1266eefd
MC		 604 if (thisex != NULL) {
605 thisex->data = extension;
606 thisex->present = 1;
607 thisex->type = type;
193b5d76 608 thisex->received_order = i++;
b93a295a
TS		 609 if (s->ext.debug_cb)
610 s->ext.debug_cb(s, !s->server, thisex->type,
611 PACKET_data(&thisex->data),
612 PACKET_remaining(&thisex->data),
613 s->ext.debug_arg);
6b473aca
MC		 614 }
615 }
616
735d5b59
TT		 617 if (init) {
618 /*
619 * Initialise all known extensions relevant to this context,
620 * whether we have found them or not
621 */
622 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
623 i++, thisexd++) {
bf5c84f5
TT		 624 if (thisexd->init != NULL && (thisexd->context & context) != 0
625 && extension_is_relevant(s, thisexd->context, context)
626 && !thisexd->init(s, context)) {
f63a17d6 627 /* SSLfatal() already called */
735d5b59
TT		 628 goto err;
629 }
68db4dda
MC		 630 }
631 }
632
6b473aca 633 *res = raw_extensions;
fc5ece2e
BK		 634 if (len != NULL)
635 *len = num_exts;
6b473aca
MC		 636 return 1;
637
638 err:
639 OPENSSL_free(raw_extensions);
640 return 0;
641}
642
68db4dda 643/*
70af3d8e
MC		 644 * Runs the parser for a given extension with index |idx|. |exts| contains the
645 * list of all parsed extensions previously collected by
646 * tls_collect_extensions(). The parser is only run if it is applicable for the
f97d4c37
MC		 647 * given |context| and the parser has not already been run. If this is for a
648 * Certificate message, then we also provide the parser with the relevant
8521ced6 649 * Certificate |x| and its position in the |chainidx| with 0 being the first
29bfd5b7
MC		 650 * Certificate. Returns 1 on success or 0 on failure. If an extension is not
651 * present this counted as success.
68db4dda 652 */
d270de32 653int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
f63a17d6 654 RAW_EXTENSION *exts, X509 *x, size_t chainidx)
6b473aca 655{
70af3d8e 656 RAW_EXTENSION *currext = &exts[idx];
61138358 657 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 658 size_t chainidx) = NULL;
6b473aca 659
70af3d8e
MC		 660 /* Skip if the extension is not present */
661 if (!currext->present)
662 return 1;
6b473aca 663
70af3d8e
MC		 664 /* Skip if we've already parsed this extension */
665 if (currext->parsed)
666 return 1;
6b473aca 667
70af3d8e
MC		 668 currext->parsed = 1;
669
670 if (idx < OSSL_NELEM(ext_defs)) {
671 /* We are handling a built-in extension */
672 const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
673
674 /* Check if extension is defined for our protocol. If not, skip */
675 if (!extension_is_relevant(s, extdef->context, context))
676 return 1;
677
1266eefd 678 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
224135e9 679
1266eefd 680 if (parser != NULL)
f63a17d6 681 return parser(s, &currext->data, context, x, chainidx);
6b473aca 682
70af3d8e
MC		 683 /*
684 * If the parser is NULL we fall through to the custom extension
685 * processing
686 */
6b473aca
MC		 687 }
688
43ae5eed 689 /* Parse custom extensions */
f63a17d6
MC		 690 return custom_ext_parse(s, context, currext->type,
691 PACKET_data(&currext->data),
692 PACKET_remaining(&currext->data),
693 x, chainidx);
805a2e9e
MC		 694}
695
696/*
697 * Parse all remaining extensions that have not yet been parsed. Also calls the
735d5b59
TT		 698 * finalisation for all extensions at the end if |fin| is nonzero, whether we
699 * collected them or not. Returns 1 for success or 0 for failure. If we are
700 * working on a Certificate message then we also pass the Certificate |x| and
29bfd5b7 701 * its position in the |chainidx|, with 0 being the first certificate.
805a2e9e 702 */
f97d4c37 703int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
f63a17d6 704 size_t chainidx, int fin)
805a2e9e 705{
1266eefd 706 size_t i, numexts = OSSL_NELEM(ext_defs);
d270de32 707 const EXTENSION_DEFINITION *thisexd;
805a2e9e 708
70af3d8e 709 /* Calculate the number of extensions in the extensions list */
43ae5eed 710 numexts += s->cert->custext.meths_count;
70af3d8e
MC		 711
712 /* Parse each extension in turn */
1266eefd 713 for (i = 0; i < numexts; i++) {
f63a17d6
MC		 714 if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
715 /* SSLfatal() already called */
70af3d8e 716 return 0;
f63a17d6 717 }
70af3d8e 718 }
805a2e9e 719
735d5b59
TT		 720 if (fin) {
721 /*
722 * Finalise all known extensions relevant to this context,
723 * whether we have found them or not
724 */
725 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
726 i++, thisexd++) {
bf5c84f5 727 if (thisexd->final != NULL && (thisexd->context & context) != 0
f63a17d6
MC		 728 && !thisexd->final(s, context, exts[i].present)) {
729 /* SSLfatal() already called */
735d5b59 730 return 0;
f63a17d6 731 }
735d5b59 732 }
68db4dda
MC		 733 }
734
6b473aca
MC		 735 return 1;
736}
737
43ae5eed
MC		 738int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
739 int max_version)
740{
741 /* Skip if not relevant for our context */
742 if ((extctx & thisctx) == 0)
743 return 0;
744
745 /* Check if this extension is defined for our protocol. If not, skip */
746 if ((SSL_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
747 || (s->version == SSL3_VERSION
748 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
749 || (SSL_IS_TLS13(s)
750 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
751 || (!SSL_IS_TLS13(s)
752 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
753 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
754 || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
755 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
756 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
757 return 0;
758
759 return 1;
760}
761
6b473aca 762/*
70af3d8e 763 * Construct all the extensions relevant to the current |context| and write
30aeba43 764 * them to |pkt|. If this is an extension for a Certificate in a Certificate
8521ced6
MC		 765 * message, then |x| will be set to the Certificate we are handling, and
766 * |chainidx| will indicate the position in the chainidx we are processing (with
f63a17d6 767 * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
8521ced6 768 * failure construction stops at the first extension to fail to construct.
6b473aca 769 */
224135e9 770int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 771 X509 *x, size_t chainidx)
224135e9 772{
1266eefd 773 size_t i;
f63a17d6 774 int min_version, max_version = 0, reason;
d270de32 775 const EXTENSION_DEFINITION *thisexd;
224135e9
MC		 776
777 if (!WPACKET_start_sub_packet_u16(pkt)
778 /*
779 * If extensions are of zero length then we don't even add the
1c259bb5
BK		 780 * extensions length bytes to a ClientHello/ServerHello
781 * (for non-TLSv1.3).
224135e9 782 */
fe874d27
MC		 783 || ((context &
784 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
fe874d27 785 && !WPACKET_set_flags(pkt,
224135e9 786 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
f63a17d6
MC		 787 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
788 ERR_R_INTERNAL_ERROR);
789 return 0;
224135e9
MC		 790 }
791
fe874d27 792 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
38a73150 793 reason = ssl_get_min_max_version(s, &min_version, &max_version);
ab83e314 794 if (reason != 0) {
f63a17d6
MC		 795 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
796 reason);
797 return 0;
ab83e314
MC		 798 }
799 }
800
801 /* Add custom extensions first */
fe874d27 802 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
44e69951 803 /* On the server side with initialise during ClientHello parsing */
43ae5eed 804 custom_ext_init(&s->cert->custext);
ab83e314 805 }
f63a17d6
MC		 806 if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
807 /* SSLfatal() already called */
808 return 0;
ab83e314
MC		 809 }
810
1266eefd 811 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
b186a592 812 EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 813 X509 *x, size_t chainidx);
b186a592 814 EXT_RETURN ret;
4b299b8e 815
224135e9 816 /* Skip if not relevant for our context */
43ae5eed 817 if (!should_add_extension(s, thisexd->context, context, max_version))
224135e9
MC		 818 continue;
819
1266eefd
MC		 820 construct = s->server ? thisexd->construct_stoc
821 : thisexd->construct_ctos;
224135e9 822
43ae5eed 823 if (construct == NULL)
224135e9
MC		 824 continue;
825
f63a17d6
MC		 826 ret = construct(s, pkt, context, x, chainidx);
827 if (ret == EXT_RETURN_FAIL) {
828 /* SSLfatal() already called */
829 return 0;
830 }
b186a592
MC		 831 if (ret == EXT_RETURN_SENT
832 && (context & (SSL_EXT_CLIENT_HELLO
833 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
834 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
835 s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
224135e9
MC		 836 }
837
224135e9 838 if (!WPACKET_close(pkt)) {
f63a17d6
MC		 839 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
840 ERR_R_INTERNAL_ERROR);
841 return 0;
224135e9
MC		 842 }
843
844 return 1;
845}
805a2e9e 846
70af3d8e
MC		 847/*
848 * Built in extension finalisation and initialisation functions. All initialise
849 * or finalise the associated extension type for the given |context|. For
850 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
29bfd5b7 851 * otherwise. These functions return 1 on success or 0 on failure.
70af3d8e
MC		 852 */
853
f63a17d6 854static int final_renegotiate(SSL *s, unsigned int context, int sent)
805a2e9e 855{
332eb390
MC		 856 if (!s->server) {
857 /*
858 * Check if we can connect to a server that doesn't support safe
859 * renegotiation
860 */
861 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
862 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
863 && !sent) {
f63a17d6
MC		 864 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
865 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
332eb390
MC		 866 return 0;
867 }
868
805a2e9e 869 return 1;
332eb390 870 }
805a2e9e
MC		 871
872 /* Need RI if renegotiating */
873 if (s->renegotiate
874 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
875 && !sent) {
f63a17d6
MC		 876 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
877 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
805a2e9e
MC		 878 return 0;
879 }
880
332eb390 881
805a2e9e
MC		 882 return 1;
883}
884
1266eefd 885static int init_server_name(SSL *s, unsigned int context)
805a2e9e
MC		 886{
887 if (s->server)
888 s->servername_done = 0;
889
890 return 1;
891}
892
f63a17d6 893static int final_server_name(SSL *s, unsigned int context, int sent)
805a2e9e 894{
3be08e30 895 int ret = SSL_TLSEXT_ERR_NOACK, discard;
805a2e9e 896 int altmp = SSL_AD_UNRECOGNIZED_NAME;
a84e5c9a 897 int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
805a2e9e 898
aff8c126
RS		 899 if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
900 ret = s->ctx->ext.servername_cb(s, &altmp,
901 s->ctx->ext.servername_arg);
222da979
TS		 902 else if (s->session_ctx != NULL
903 && s->session_ctx->ext.servername_cb != 0)
904 ret = s->session_ctx->ext.servername_cb(s, &altmp,
905 s->session_ctx->ext.servername_arg);
805a2e9e 906
9fb6cb81
MC		 907 if (!sent) {
908 OPENSSL_free(s->session->ext.hostname);
909 s->session->ext.hostname = NULL;
910 }
911
3be08e30
BK		 912 /*
913 * If we switched contexts (whether here or in the client_hello callback),
914 * move the sess_accept increment from the session_ctx to the new
915 * context, to avoid the confusing situation of having sess_accept_good
916 * exceed sess_accept (zero) for the new context.
917 */
918 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
919 CRYPTO_atomic_add(&s->ctx->stats.sess_accept, 1, &discard,
920 s->ctx->lock);
921 CRYPTO_atomic_add(&s->session_ctx->stats.sess_accept, -1, &discard,
922 s->session_ctx->lock);
923 }
924
a84e5c9a
TS		 925 /*
926 * If we're expecting to send a ticket, and tickets were previously enabled,
927 * and now tickets are disabled, then turn off expected ticket.
928 * Also, if this is not a resumption, create a new session ID
929 */
930 if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
931 && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
932 s->ext.ticket_expected = 0;
933 if (!s->hit) {
934 SSL_SESSION* ss = SSL_get_session(s);
935
936 if (ss != NULL) {
937 OPENSSL_free(ss->ext.tick);
938 ss->ext.tick = NULL;
939 ss->ext.ticklen = 0;
940 ss->ext.tick_lifetime_hint = 0;
941 ss->ext.tick_age_add = 0;
942 ss->ext.tick_identity = 0;
943 if (!ssl_generate_session_id(s, ss)) {
f63a17d6
MC		 944 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
945 ERR_R_INTERNAL_ERROR);
946 return 0;
a84e5c9a
TS		 947 }
948 } else {
f63a17d6
MC		 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
950 ERR_R_INTERNAL_ERROR);
951 return 0;
a84e5c9a
TS		 952 }
953 }
954 }
955
805a2e9e
MC		 956 switch (ret) {
957 case SSL_TLSEXT_ERR_ALERT_FATAL:
f63a17d6 958 SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
805a2e9e
MC		 959 return 0;
960
961 case SSL_TLSEXT_ERR_ALERT_WARNING:
f63a17d6 962 ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
805a2e9e
MC		 963 return 1;
964
965 case SSL_TLSEXT_ERR_NOACK:
966 s->servername_done = 0;
967 return 1;
968
969 default:
970 return 1;
971 }
972}
973
332eb390 974#ifndef OPENSSL_NO_EC
f63a17d6 975static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
332eb390
MC		 976{
977 unsigned long alg_k, alg_a;
978
979 if (s->server)
980 return 1;
981
982 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
983 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
984
985 /*
986 * If we are client and using an elliptic curve cryptography cipher
987 * suite, then if server returns an EC point formats lists extension it
988 * must contain uncompressed.
989 */
aff8c126
RS		 990 if (s->ext.ecpointformats != NULL
991 && s->ext.ecpointformats_len > 0
992 && s->session->ext.ecpointformats != NULL
993 && s->session->ext.ecpointformats_len > 0
1266eefd 994 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
332eb390
MC		 995 /* we are using an ECC cipher */
996 size_t i;
aff8c126 997 unsigned char *list = s->session->ext.ecpointformats;
1266eefd 998
aff8c126 999 for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
1266eefd 1000 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
332eb390 1001 break;
332eb390 1002 }
aff8c126 1003 if (i == s->session->ext.ecpointformats_len) {
f63a17d6
MC		 1004 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
1005 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
332eb390
MC		 1006 return 0;
1007 }
1008 }
1009
1010 return 1;
1011}
1012#endif
1013
1266eefd 1014static int init_session_ticket(SSL *s, unsigned int context)
332eb390
MC		 1015{
1016 if (!s->server)
aff8c126 1017 s->ext.ticket_expected = 0;
332eb390
MC		 1018
1019 return 1;
1020}
1021
8f8c11d8 1022#ifndef OPENSSL_NO_OCSP
1266eefd 1023static int init_status_request(SSL *s, unsigned int context)
805a2e9e 1024{
f63e4288 1025 if (s->server) {
aff8c126 1026 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
f63e4288
MC		 1027 } else {
1028 /*
1029 * Ensure we get sensible values passed to tlsext_status_cb in the event
1030 * that we don't receive a status message
1031 */
8cbfcc70
RS		 1032 OPENSSL_free(s->ext.ocsp.resp);
1033 s->ext.ocsp.resp = NULL;
1034 s->ext.ocsp.resp_len = 0;
f63e4288 1035 }
332eb390
MC		 1036
1037 return 1;
1038}
8f8c11d8 1039#endif
332eb390 1040
805a2e9e 1041#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 1042static int init_npn(SSL *s, unsigned int context)
805a2e9e 1043{
aff8c126 1044 s->s3->npn_seen = 0;
805a2e9e
MC		 1045
1046 return 1;
1047}
1048#endif
1049
1266eefd 1050static int init_alpn(SSL *s, unsigned int context)
805a2e9e 1051{
332eb390
MC		 1052 OPENSSL_free(s->s3->alpn_selected);
1053 s->s3->alpn_selected = NULL;
a5bb1aa1 1054 s->s3->alpn_selected_len = 0;
805a2e9e 1055 if (s->server) {
805a2e9e
MC		 1056 OPENSSL_free(s->s3->alpn_proposed);
1057 s->s3->alpn_proposed = NULL;
1058 s->s3->alpn_proposed_len = 0;
1059 }
805a2e9e
MC		 1060 return 1;
1061}
1062
f63a17d6 1063static int final_alpn(SSL *s, unsigned int context, int sent)
630369d9 1064{
4be3a7c7
MC		 1065 if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
1066 s->ext.early_data_ok = 0;
1067
630369d9
MC		 1068 if (!s->server || !SSL_IS_TLS13(s))
1069 return 1;
1070
1071 /*
1072 * Call alpn_select callback if needed. Has to be done after SNI and
1073 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
1074 * we also have to do this before we decide whether to accept early_data.
1075 * In TLSv1.3 we've already negotiated our cipher so we do this call now.
1076 * For < TLSv1.3 we defer it until after cipher negotiation.
56d36288 1077 *
f63a17d6 1078 * On failure SSLfatal() already called.
630369d9 1079 */
f63a17d6 1080 return tls_handle_alpn(s);
630369d9
MC		 1081}
1082
1266eefd 1083static int init_sig_algs(SSL *s, unsigned int context)
805a2e9e
MC		 1084{
1085 /* Clear any signature algorithms extension received */
1086 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1087 s->s3->tmp.peer_sigalgs = NULL;
1088
1089 return 1;
1090}
1091
1092#ifndef OPENSSL_NO_SRP
1266eefd 1093static int init_srp(SSL *s, unsigned int context)
805a2e9e
MC		 1094{
1095 OPENSSL_free(s->srp_ctx.login);
1096 s->srp_ctx.login = NULL;
1097
1098 return 1;
1099}
1100#endif
1101
1266eefd 1102static int init_etm(SSL *s, unsigned int context)
805a2e9e 1103{
28a31a0a 1104 s->ext.use_etm = 0;
332eb390
MC		 1105
1106 return 1;
1107}
1108
1266eefd 1109static int init_ems(SSL *s, unsigned int context)
332eb390
MC		 1110{
1111 if (!s->server)
1112 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1113
1114 return 1;
1115}
1116
f63a17d6 1117static int final_ems(SSL *s, unsigned int context, int sent)
332eb390
MC		 1118{
1119 if (!s->server && s->hit) {
1120 /*
1121 * Check extended master secret extension is consistent with
1122 * original session.
1123 */
1124 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
1125 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
f63a17d6
MC		 1126 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1127 SSL_R_INCONSISTENT_EXTMS);
332eb390
MC		 1128 return 0;
1129 }
1130 }
805a2e9e
MC		 1131
1132 return 1;
1133}
1134
45615c5f
DSH		 1135static int init_certificate_authorities(SSL *s, unsigned int context)
1136{
fa7c2637
DSH		 1137 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
1138 s->s3->tmp.peer_ca_names = NULL;
45615c5f
DSH		 1139 return 1;
1140}
1141
b186a592
MC		 1142static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
1143 unsigned int context,
1144 X509 *x,
f63a17d6 1145 size_t chainidx)
45615c5f 1146{
9784ec04 1147 const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
45615c5f
DSH		 1148
1149 if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
b186a592 1150 return EXT_RETURN_NOT_SENT;
45615c5f
DSH		 1151
1152 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
f63a17d6
MC		 1153 || !WPACKET_start_sub_packet_u16(pkt)) {
1154 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1155 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
45615c5f 1156 ERR_R_INTERNAL_ERROR);
b186a592 1157 return EXT_RETURN_FAIL;
45615c5f
DSH		 1158 }
1159
f63a17d6
MC		 1160 if (!construct_ca_names(s, pkt)) {
1161 /* SSLfatal() already called */
1162 return EXT_RETURN_FAIL;
1163 }
1164
1165 if (!WPACKET_close(pkt)) {
1166 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1167 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1168 ERR_R_INTERNAL_ERROR);
1169 return EXT_RETURN_FAIL;
1170 }
1171
b186a592 1172 return EXT_RETURN_SENT;
45615c5f
DSH		 1173}
1174
1175static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
1176 unsigned int context, X509 *x,
f63a17d6 1177 size_t chainidx)
45615c5f 1178{
f63a17d6 1179 if (!parse_ca_names(s, pkt))
45615c5f
DSH		 1180 return 0;
1181 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1182 SSLfatal(s, SSL_AD_DECODE_ERROR,
1183 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
45615c5f
DSH		 1184 return 0;
1185 }
1186 return 1;
1187}
1188
805a2e9e 1189#ifndef OPENSSL_NO_SRTP
1266eefd 1190static int init_srtp(SSL *s, unsigned int context)
805a2e9e
MC		 1191{
1192 if (s->server)
1193 s->srtp_profile = NULL;
1194
1195 return 1;
1196}
1197#endif
04904312 1198
f63a17d6 1199static int final_sig_algs(SSL *s, unsigned int context, int sent)
04904312 1200{
108d45df 1201 if (!sent && SSL_IS_TLS13(s) && !s->hit) {
f63a17d6
MC		 1202 SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
1203 SSL_R_MISSING_SIGALGS_EXTENSION);
04904312
MC		 1204 return 0;
1205 }
1206
1207 return 1;
1208}
b2f7e8c0 1209
deb2d5e7 1210#ifndef OPENSSL_NO_EC
f63a17d6 1211static int final_key_share(SSL *s, unsigned int context, int sent)
f4bbb37c
MC		 1212{
1213 if (!SSL_IS_TLS13(s))
1214 return 1;
1215
07d447a6
MC		 1216 /* Nothing to do for key_share in an HRR */
1217 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
1218 return 1;
1219
f4bbb37c
MC		 1220 /*
1221 * If
aff9929b
MC		 1222 * we are a client
1223 * AND
f4bbb37c
MC		 1224 * we have no key_share
1225 * AND
1226 * (we are not resuming
1227 * OR the kex_mode doesn't allow non key_share resumes)
1228 * THEN
aff9929b 1229 * fail;
f4bbb37c 1230 */
aff9929b
MC		 1231 if (!s->server
1232 && !sent
f4bbb37c
MC		 1233 && (!s->hit
1234 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
7d061fce 1235 /* Nothing left we can do - just fail */
f63a17d6
MC		 1236 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
1237 SSL_R_NO_SUITABLE_KEY_SHARE);
f4bbb37c
MC		 1238 return 0;
1239 }
aff9929b 1240 /*
c36001c3 1241 * IF
aff9929b 1242 * we are a server
aff9929b 1243 * THEN
c36001c3
MC		 1244 * IF
1245 * we have a suitable key_share
aff9929b 1246 * THEN
c36001c3
MC		 1247 * IF
1248 * we are stateless AND we have no cookie
1249 * THEN
1250 * send a HelloRetryRequest
1251 * ELSE
1252 * IF
1253 * we didn't already send a HelloRetryRequest
1254 * AND
1255 * the client sent a key_share extension
1256 * AND
1257 * (we are not resuming
1258 * OR the kex_mode allows key_share resumes)
1259 * AND
1260 * a shared group exists
1261 * THEN
1262 * send a HelloRetryRequest
1263 * ELSE IF
1264 * we are not resuming
1265 * OR
1266 * the kex_mode doesn't allow non key_share resumes
1267 * THEN
1268 * fail
1269 * ELSE IF
1270 * we are stateless AND we have no cookie
1271 * THEN
1272 * send a HelloRetryRequest
aff9929b 1273 */
c36001c3
MC		 1274 if (s->server) {
1275 if (s->s3->peer_tmp != NULL) {
1276 /* We have a suitable key_share */
1277 if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
1278 && !s->ext.cookieok) {
1279 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1280 /*
1281 * If we are stateless then we wouldn't know about any
1282 * previously sent HRR - so how can this be anything other
1283 * than 0?
1284 */
1285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1286 ERR_R_INTERNAL_ERROR);
1287 return 0;
1288 }
1289 s->hello_retry_request = SSL_HRR_PENDING;
1290 return 1;
1291 }
1292 } else {
1293 /* No suitable key_share */
1294 if (s->hello_retry_request == SSL_HRR_NONE && sent
1295 && (!s->hit
1296 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
1297 != 0)) {
1298 const uint16_t *pgroups, *clntgroups;
1299 size_t num_groups, clnt_num_groups, i;
1300 unsigned int group_id = 0;
1301
1302 /* Check if a shared group exists */
1303
1304 /* Get the clients list of supported groups. */
1305 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
1306 tls1_get_supported_groups(s, &pgroups, &num_groups);
1307
1308 /*
1309 * Find the first group we allow that is also in client's list
1310 */
1311 for (i = 0; i < num_groups; i++) {
1312 group_id = pgroups[i];
1313
1314 if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1315 1))
1316 break;
1317 }
1318
1319 if (i < num_groups) {
1320 /* A shared group exists so send a HelloRetryRequest */
1321 s->s3->group_id = group_id;
1322 s->hello_retry_request = SSL_HRR_PENDING;
1323 return 1;
1324 }
1325 }
1326 if (!s->hit
1327 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
1328 /* Nothing left we can do - just fail */
1329 SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
1330 : SSL_AD_MISSING_EXTENSION,
1331 SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
1332 return 0;
aff9929b
MC		 1333 }
1334
c36001c3
MC		 1335 if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
1336 && !s->ext.cookieok) {
1337 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1338 /*
1339 * If we are stateless then we wouldn't know about any
1340 * previously sent HRR - so how can this be anything other
1341 * than 0?
1342 */
1343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1344 ERR_R_INTERNAL_ERROR);
1345 return 0;
1346 }
fc7129dc 1347 s->hello_retry_request = SSL_HRR_PENDING;
aff9929b
MC		 1348 return 1;
1349 }
1350 }
c36001c3
MC		 1351
1352 /*
1353 * We have a key_share so don't send any more HelloRetryRequest
1354 * messages
1355 */
1356 if (s->hello_retry_request == SSL_HRR_PENDING)
1357 s->hello_retry_request = SSL_HRR_COMPLETE;
1358 } else {
1359 /*
1360 * For a client side resumption with no key_share we need to generate
1361 * the handshake secret (otherwise this is done during key_share
1362 * processing).
1363 */
1364 if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
1365 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1366 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1367 return 0;
1368 }
1369 }
1370
f4bbb37c
MC		 1371 return 1;
1372}
deb2d5e7 1373#endif
f4bbb37c 1374
b2f7e8c0
MC		 1375static int init_psk_kex_modes(SSL *s, unsigned int context)
1376{
1377 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
b2f7e8c0
MC		 1378 return 1;
1379}
1053a6e2
MC		 1380
1381int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1382 size_t binderoffset, const unsigned char *binderin,
3a7c56b2
MC		 1383 unsigned char *binderout, SSL_SESSION *sess, int sign,
1384 int external)
1053a6e2
MC		 1385{
1386 EVP_PKEY *mackey = NULL;
1387 EVP_MD_CTX *mctx = NULL;
1388 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1389 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
b81bd336
MC		 1390 unsigned char tmppsk[EVP_MAX_MD_SIZE];
1391 unsigned char *early_secret, *psk;
17aa119e 1392 const char resumption_label[] = "res binder";
3a7c56b2 1393 const char external_label[] = "ext binder";
b81bd336 1394 const char nonce_label[] = "resumption";
3a7c56b2
MC		 1395 const char *label;
1396 size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
1053a6e2 1397 int ret = -1;
add8d0e9
MC		 1398 int usepskfored = 0;
1399
1400 if (external
1401 && s->early_data_state == SSL_EARLY_DATA_CONNECTING
1402 && s->session->ext.max_early_data == 0
1403 && sess->ext.max_early_data > 0)
1404 usepskfored = 1;
1053a6e2 1405
3a7c56b2
MC		 1406 if (external) {
1407 label = external_label;
1408 labelsize = sizeof(external_label) - 1;
1409 } else {
1410 label = resumption_label;
1411 labelsize = sizeof(resumption_label) - 1;
1412 }
1413
b81bd336 1414 if (sess->master_key_length != hashsize) {
635c8f77
MC		 1415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1416 SSL_R_BAD_PSK);
b81bd336
MC		 1417 goto err;
1418 }
1419
1420 if (external) {
1421 psk = sess->master_key;
1422 } else {
b81bd336
MC		 1423 psk = tmppsk;
1424 if (!tls13_hkdf_expand(s, md, sess->master_key,
1425 (const unsigned char *)nonce_label,
1426 sizeof(nonce_label) - 1, sess->ext.tick_nonce,
1427 sess->ext.tick_nonce_len, psk, hashsize)) {
635c8f77 1428 /* SSLfatal() already called */
b81bd336
MC		 1429 goto err;
1430 }
1431 }
1432
9368f865
MC		 1433 /*
1434 * Generate the early_secret. On the server side we've selected a PSK to
1435 * resume with (internal or external) so we always do this. On the client
add8d0e9
MC		 1436 * side we do this for a non-external (i.e. resumption) PSK or external PSK
1437 * that will be used for early_data so that it is in place for sending early
1438 * data. For client side external PSK not being used for early_data we
9368f865
MC		 1439 * generate it but store it away for later use.
1440 */
add8d0e9 1441 if (s->server || !external || usepskfored)
9368f865
MC		 1442 early_secret = (unsigned char *)s->early_secret;
1443 else
1444 early_secret = (unsigned char *)sess->early_secret;
b81bd336 1445 if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
635c8f77 1446 /* SSLfatal() already called */
1053a6e2
MC		 1447 goto err;
1448 }
1449
1450 /*
1451 * Create the handshake hash for the binder key...the messages so far are
1452 * empty!
1453 */
1454 mctx = EVP_MD_CTX_new();
1455 if (mctx == NULL
1456 || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1457 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
635c8f77
MC		 1458 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1459 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1460 goto err;
1461 }
1462
1463 /* Generate the binder key */
9368f865 1464 if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label,
a19ae67d 1465 labelsize, hash, hashsize, binderkey, hashsize)) {
635c8f77 1466 /* SSLfatal() already called */
1053a6e2
MC		 1467 goto err;
1468 }
1469
1470 /* Generate the finished key */
1471 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
635c8f77 1472 /* SSLfatal() already called */
1053a6e2
MC		 1473 goto err;
1474 }
1475
aff9929b 1476 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
635c8f77
MC		 1477 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1478 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1479 goto err;
1480 }
1481
1053a6e2 1482 /*
aff9929b
MC		 1483 * Get a hash of the ClientHello up to the start of the binders. If we are
1484 * following a HelloRetryRequest then this includes the hash of the first
1485 * ClientHello and the HelloRetryRequest itself.
1053a6e2 1486 */
fc7129dc 1487 if (s->hello_retry_request == SSL_HRR_PENDING) {
aff9929b
MC		 1488 size_t hdatalen;
1489 void *hdata;
1490
1491 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
1492 if (hdatalen <= 0) {
635c8f77
MC		 1493 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1494 SSL_R_BAD_HANDSHAKE_LENGTH);
aff9929b
MC		 1495 goto err;
1496 }
1497
1498 /*
1499 * For servers the handshake buffer data will include the second
1500 * ClientHello - which we don't want - so we need to take that bit off.
1501 */
1502 if (s->server) {
77815a02
MC		 1503 PACKET hashprefix, msg;
1504
1505 /* Find how many bytes are left after the first two messages */
1506 if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
1507 || !PACKET_forward(&hashprefix, 1)
1508 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
1509 || !PACKET_forward(&hashprefix, 1)
1510 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
635c8f77
MC		 1511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1512 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1513 goto err;
1514 }
77815a02 1515 hdatalen -= PACKET_remaining(&hashprefix);
aff9929b
MC		 1516 }
1517
1518 if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
635c8f77
MC		 1519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1520 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1521 goto err;
1522 }
1523 }
1524
1525 if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1053a6e2 1526 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
635c8f77
MC		 1527 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1528 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1529 goto err;
1530 }
1531
1532 mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize);
1533 if (mackey == NULL) {
635c8f77
MC		 1534 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1535 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1536 goto err;
1537 }
1538
1539 if (!sign)
1540 binderout = tmpbinder;
1541
1542 bindersize = hashsize;
1543 if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
1544 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1545 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1546 || bindersize != hashsize) {
635c8f77
MC		 1547 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1548 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1549 goto err;
1550 }
1551
1552 if (sign) {
1553 ret = 1;
1554 } else {
1555 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1556 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
635c8f77
MC		 1557 if (!ret)
1558 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
1559 SSL_R_BINDER_DOES_NOT_VERIFY);
1053a6e2
MC		 1560 }
1561
1562 err:
1563 OPENSSL_cleanse(binderkey, sizeof(binderkey));
1564 OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1565 EVP_PKEY_free(mackey);
1566 EVP_MD_CTX_free(mctx);
1567
1568 return ret;
1569}
38df5a45 1570
f63a17d6 1571static int final_early_data(SSL *s, unsigned int context, int sent)
38df5a45 1572{
4be3a7c7
MC		 1573 if (!sent)
1574 return 1;
1575
1576 if (!s->server) {
1577 if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
1578 && sent
1579 && !s->ext.early_data_ok) {
1580 /*
1581 * If we get here then the server accepted our early_data but we
1582 * later realised that it shouldn't have done (e.g. inconsistent
1583 * ALPN)
1584 */
f63a17d6
MC		 1585 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
1586 SSL_R_BAD_EARLY_DATA);
4be3a7c7
MC		 1587 return 0;
1588 }
1589
38df5a45 1590 return 1;
4be3a7c7 1591 }
38df5a45
MC		 1592
1593 if (s->max_early_data == 0
1594 || !s->hit
1595 || s->session->ext.tick_identity != 0
1596 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
1597 || !s->ext.early_data_ok
fc7129dc 1598 || s->hello_retry_request != SSL_HRR_NONE) {
38df5a45
MC		 1599 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
1600 } else {
1601 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1602
1603 if (!tls13_change_cipher_state(s,
1604 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6 1605 /* SSLfatal() already called */
38df5a45
MC		 1606 return 0;
1607 }
1608 }
1609
1610 return 1;
1611}
cf72c757 1612
f63a17d6 1613static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
cf72c757
F		 1614{
1615 /*
1616 * Session resumption on server-side with MFL extension active
1617 * BUT MFL extension packet was not resent (i.e. sent == 0)
1618 */
f63a17d6 1619 if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
cf72c757 1620 && !sent ) {
f63a17d6
MC		 1621 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
1622 SSL_R_BAD_EXTENSION);
cf72c757
F		 1623 return 0;
1624 }
1625
1626 /* Current SSL buffer is lower than requested MFL */
f63a17d6
MC		 1627 if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1628 && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
cf72c757 1629 /* trigger a larger buffer reallocation */
f63a17d6
MC		 1630 if (!ssl3_setup_buffers(s)) {
1631 /* SSLfatal() already called */
cf72c757 1632 return 0;
f63a17d6 1633 }
cf72c757
F		 1634
1635 return 1;
1636}
A mirror of the official openssl repository