]>
Commit | Line | Data |
---|---|---|
6b473aca | 1 | /* |
b186a592 | 2 | * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. |
6b473aca MC |
3 | * |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
f6370040 | 10 | #include <string.h> |
677963e5 | 11 | #include "internal/nelem.h" |
6b473aca MC |
12 | #include "../ssl_locl.h" |
13 | #include "statem_locl.h" | |
14 | ||
1266eefd | 15 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e | 16 | int *al); |
1266eefd MC |
17 | static int init_server_name(SSL *s, unsigned int context); |
18 | static int final_server_name(SSL *s, unsigned int context, int sent, | |
805a2e9e | 19 | int *al); |
332eb390 | 20 | #ifndef OPENSSL_NO_EC |
1266eefd | 21 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
22 | int *al); |
23 | #endif | |
1266eefd | 24 | static int init_session_ticket(SSL *s, unsigned int context); |
8f8c11d8 | 25 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 26 | static int init_status_request(SSL *s, unsigned int context); |
8f8c11d8 | 27 | #endif |
805a2e9e | 28 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 29 | static int init_npn(SSL *s, unsigned int context); |
805a2e9e | 30 | #endif |
1266eefd | 31 | static int init_alpn(SSL *s, unsigned int context); |
630369d9 | 32 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al); |
1266eefd | 33 | static int init_sig_algs(SSL *s, unsigned int context); |
45615c5f | 34 | static int init_certificate_authorities(SSL *s, unsigned int context); |
b186a592 MC |
35 | static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, |
36 | unsigned int context, | |
37 | X509 *x, | |
38 | size_t chainidx, | |
39 | int *al); | |
45615c5f DSH |
40 | static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, |
41 | unsigned int context, X509 *x, | |
42 | size_t chainidx, int *al); | |
805a2e9e | 43 | #ifndef OPENSSL_NO_SRP |
1266eefd | 44 | static int init_srp(SSL *s, unsigned int context); |
805a2e9e | 45 | #endif |
1266eefd MC |
46 | static int init_etm(SSL *s, unsigned int context); |
47 | static int init_ems(SSL *s, unsigned int context); | |
48 | static int final_ems(SSL *s, unsigned int context, int sent, int *al); | |
b2f7e8c0 | 49 | static int init_psk_kex_modes(SSL *s, unsigned int context); |
deb2d5e7 | 50 | #ifndef OPENSSL_NO_EC |
f4bbb37c | 51 | static int final_key_share(SSL *s, unsigned int context, int sent, int *al); |
deb2d5e7 | 52 | #endif |
805a2e9e | 53 | #ifndef OPENSSL_NO_SRTP |
1266eefd | 54 | static int init_srtp(SSL *s, unsigned int context); |
805a2e9e | 55 | #endif |
04904312 | 56 | static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al); |
38df5a45 | 57 | static int final_early_data(SSL *s, unsigned int context, int sent, int *al); |
805a2e9e | 58 | |
70af3d8e | 59 | /* Structure to define a built-in extension */ |
1266eefd MC |
60 | typedef struct extensions_definition_st { |
61 | /* The defined type for the extension */ | |
6b473aca | 62 | unsigned int type; |
1266eefd MC |
63 | /* |
64 | * The context that this extension applies to, e.g. what messages and | |
65 | * protocol versions | |
66 | */ | |
67 | unsigned int context; | |
68db4dda | 68 | /* |
805a2e9e MC |
69 | * Initialise extension before parsing. Always called for relevant contexts |
70 | * even if extension not present | |
68db4dda | 71 | */ |
1266eefd MC |
72 | int (*init)(SSL *s, unsigned int context); |
73 | /* Parse extension sent from client to server */ | |
61138358 MC |
74 | int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
75 | size_t chainidx, int *al); | |
1266eefd | 76 | /* Parse extension send from server to client */ |
61138358 MC |
77 | int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
78 | size_t chainidx, int *al); | |
1266eefd | 79 | /* Construct extension sent from server to client */ |
b186a592 MC |
80 | EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, |
81 | X509 *x, size_t chainidx, int *al); | |
1266eefd | 82 | /* Construct extension sent from client to server */ |
b186a592 MC |
83 | EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, |
84 | X509 *x, size_t chainidx, int *al); | |
68db4dda | 85 | /* |
805a2e9e MC |
86 | * Finalise extension after parsing. Always called where an extensions was |
87 | * initialised even if the extension was not present. |sent| is set to 1 if | |
88 | * the extension was seen, or 0 otherwise. | |
68db4dda | 89 | */ |
1266eefd | 90 | int (*final)(SSL *s, unsigned int context, int sent, int *al); |
6b473aca MC |
91 | } EXTENSION_DEFINITION; |
92 | ||
4b299b8e | 93 | /* |
70af3d8e | 94 | * Definitions of all built-in extensions. NOTE: Changes in the number or order |
bd91e3c8 | 95 | * of these extensions should be mirrored with equivalent changes to the |
3e6c1da8 | 96 | * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h. |
70af3d8e MC |
97 | * Each extension has an initialiser, a client and |
98 | * server side parser and a finaliser. The initialiser is called (if the | |
99 | * extension is relevant to the given context) even if we did not see the | |
100 | * extension in the message that we received. The parser functions are only | |
101 | * called if we see the extension in the message. The finalisers are always | |
102 | * called if the initialiser was called. | |
103 | * There are also server and client side constructor functions which are always | |
104 | * called during message construction if the extension is relevant for the | |
105 | * given context. | |
106 | * The initialisation, parsing, finalisation and construction functions are | |
107 | * always called in the order defined in this list. Some extensions may depend | |
108 | * on others having been processed first, so the order of this list is | |
109 | * significant. | |
110 | * The extension context is defined by a series of flags which specify which | |
111 | * messages the extension is relevant to. These flags also specify whether the | |
3e6c1da8 | 112 | * extension is relevant to a particular protocol or protocol version. |
a1448c26 | 113 | * |
70af3d8e | 114 | * TODO(TLS1.3): Make sure we have a test to check the consistency of these |
10ed1b72 TS |
115 | * |
116 | * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at | |
117 | * the end, keep these extensions before signature_algorithm. | |
4b299b8e | 118 | */ |
0785274c | 119 | #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } |
6b473aca MC |
120 | static const EXTENSION_DEFINITION ext_defs[] = { |
121 | { | |
122 | TLSEXT_TYPE_renegotiate, | |
fe874d27 MC |
123 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
124 | | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY, | |
1266eefd MC |
125 | NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, |
126 | tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, | |
127 | final_renegotiate | |
6b473aca MC |
128 | }, |
129 | { | |
130 | TLSEXT_TYPE_server_name, | |
fe874d27 MC |
131 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
132 | | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | |
1266eefd MC |
133 | init_server_name, |
134 | tls_parse_ctos_server_name, tls_parse_stoc_server_name, | |
135 | tls_construct_stoc_server_name, tls_construct_ctos_server_name, | |
136 | final_server_name | |
6b473aca MC |
137 | }, |
138 | #ifndef OPENSSL_NO_SRP | |
139 | { | |
140 | TLSEXT_TYPE_srp, | |
fe874d27 | 141 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, |
1266eefd | 142 | init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL |
6b473aca | 143 | }, |
0785274c MC |
144 | #else |
145 | INVALID_EXTENSION, | |
6b473aca MC |
146 | #endif |
147 | #ifndef OPENSSL_NO_EC | |
148 | { | |
149 | TLSEXT_TYPE_ec_point_formats, | |
fe874d27 MC |
150 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
151 | | SSL_EXT_TLS1_2_AND_BELOW_ONLY, | |
1266eefd MC |
152 | NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, |
153 | tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, | |
154 | final_ec_pt_formats | |
6b473aca MC |
155 | }, |
156 | { | |
157 | TLSEXT_TYPE_supported_groups, | |
fe874d27 | 158 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
1266eefd | 159 | NULL, tls_parse_ctos_supported_groups, NULL, |
6af87546 | 160 | tls_construct_stoc_supported_groups, |
1266eefd | 161 | tls_construct_ctos_supported_groups, NULL |
6b473aca | 162 | }, |
0785274c MC |
163 | #else |
164 | INVALID_EXTENSION, | |
165 | INVALID_EXTENSION, | |
6b473aca MC |
166 | #endif |
167 | { | |
168 | TLSEXT_TYPE_session_ticket, | |
fe874d27 MC |
169 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
170 | | SSL_EXT_TLS1_2_AND_BELOW_ONLY, | |
1266eefd MC |
171 | init_session_ticket, tls_parse_ctos_session_ticket, |
172 | tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, | |
173 | tls_construct_ctos_session_ticket, NULL | |
6b473aca | 174 | }, |
ab83e314 | 175 | #ifndef OPENSSL_NO_OCSP |
6b473aca MC |
176 | { |
177 | TLSEXT_TYPE_status_request, | |
fe874d27 MC |
178 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
179 | | SSL_EXT_TLS1_3_CERTIFICATE, | |
1266eefd MC |
180 | init_status_request, tls_parse_ctos_status_request, |
181 | tls_parse_stoc_status_request, tls_construct_stoc_status_request, | |
f63e4288 | 182 | tls_construct_ctos_status_request, NULL |
6b473aca | 183 | }, |
0785274c MC |
184 | #else |
185 | INVALID_EXTENSION, | |
ab83e314 | 186 | #endif |
6b473aca MC |
187 | #ifndef OPENSSL_NO_NEXTPROTONEG |
188 | { | |
189 | TLSEXT_TYPE_next_proto_neg, | |
fe874d27 MC |
190 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
191 | | SSL_EXT_TLS1_2_AND_BELOW_ONLY, | |
1266eefd MC |
192 | init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, |
193 | tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL | |
6b473aca | 194 | }, |
0785274c MC |
195 | #else |
196 | INVALID_EXTENSION, | |
6b473aca MC |
197 | #endif |
198 | { | |
02f0274e MC |
199 | /* |
200 | * Must appear in this list after server_name so that finalisation | |
201 | * happens after server_name callbacks | |
202 | */ | |
6b473aca | 203 | TLSEXT_TYPE_application_layer_protocol_negotiation, |
fe874d27 MC |
204 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
205 | | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, | |
1266eefd | 206 | init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, |
630369d9 | 207 | tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn |
6b473aca | 208 | }, |
7da160b0 | 209 | #ifndef OPENSSL_NO_SRTP |
6b473aca MC |
210 | { |
211 | TLSEXT_TYPE_use_srtp, | |
fe874d27 MC |
212 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
213 | | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY, | |
1266eefd MC |
214 | init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, |
215 | tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL | |
6b473aca | 216 | }, |
0785274c MC |
217 | #else |
218 | INVALID_EXTENSION, | |
7da160b0 | 219 | #endif |
6b473aca MC |
220 | { |
221 | TLSEXT_TYPE_encrypt_then_mac, | |
fe874d27 MC |
222 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
223 | | SSL_EXT_TLS1_2_AND_BELOW_ONLY, | |
1266eefd MC |
224 | init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, |
225 | tls_construct_stoc_etm, tls_construct_ctos_etm, NULL | |
6b473aca | 226 | }, |
6dd083fd | 227 | #ifndef OPENSSL_NO_CT |
6b473aca MC |
228 | { |
229 | TLSEXT_TYPE_signed_certificate_timestamp, | |
fe874d27 MC |
230 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
231 | | SSL_EXT_TLS1_3_CERTIFICATE, | |
68db4dda | 232 | NULL, |
6b473aca MC |
233 | /* |
234 | * No server side support for this, but can be provided by a custom | |
235 | * extension. This is an exception to the rule that custom extensions | |
236 | * cannot override built in ones. | |
237 | */ | |
1266eefd | 238 | NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL |
6b473aca | 239 | }, |
0785274c MC |
240 | #else |
241 | INVALID_EXTENSION, | |
6dd083fd | 242 | #endif |
6b473aca MC |
243 | { |
244 | TLSEXT_TYPE_extended_master_secret, | |
fe874d27 MC |
245 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO |
246 | | SSL_EXT_TLS1_2_AND_BELOW_ONLY, | |
1266eefd MC |
247 | init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, |
248 | tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems | |
6b473aca | 249 | }, |
10ed1b72 TS |
250 | { |
251 | TLSEXT_TYPE_signature_algorithms, | |
252 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, | |
253 | init_sig_algs, tls_parse_ctos_sig_algs, | |
254 | tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs, | |
255 | tls_construct_ctos_sig_algs, final_sig_algs | |
256 | }, | |
6b473aca MC |
257 | { |
258 | TLSEXT_TYPE_supported_versions, | |
fe874d27 MC |
259 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY |
260 | | SSL_EXT_TLS1_3_ONLY, | |
68db4dda | 261 | NULL, |
6b473aca | 262 | /* Processed inline as part of version selection */ |
1266eefd | 263 | NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL |
6b473aca | 264 | }, |
b2f7e8c0 | 265 | { |
b2f7e8c0 | 266 | TLSEXT_TYPE_psk_kex_modes, |
fe874d27 MC |
267 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY |
268 | | SSL_EXT_TLS1_3_ONLY, | |
b2f7e8c0 MC |
269 | init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, |
270 | tls_construct_ctos_psk_kex_modes, NULL | |
271 | }, | |
deb2d5e7 | 272 | #ifndef OPENSSL_NO_EC |
6b473aca | 273 | { |
70af3d8e MC |
274 | /* |
275 | * Must be in this list after supported_groups. We need that to have | |
276 | * been parsed before we do this one. | |
277 | */ | |
6b473aca | 278 | TLSEXT_TYPE_key_share, |
fe874d27 MC |
279 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO |
280 | | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY | |
281 | | SSL_EXT_TLS1_3_ONLY, | |
1266eefd | 282 | NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, |
f4bbb37c MC |
283 | tls_construct_stoc_key_share, tls_construct_ctos_key_share, |
284 | final_key_share | |
7da160b0 | 285 | }, |
deb2d5e7 | 286 | #endif |
cfef5027 MC |
287 | { |
288 | TLSEXT_TYPE_cookie, | |
fe874d27 MC |
289 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST |
290 | | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, | |
cfef5027 MC |
291 | NULL, NULL, tls_parse_stoc_cookie, NULL, tls_construct_ctos_cookie, |
292 | NULL | |
293 | }, | |
7da160b0 MC |
294 | { |
295 | /* | |
296 | * Special unsolicited ServerHello extension only used when | |
297 | * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set | |
298 | */ | |
299 | TLSEXT_TYPE_cryptopro_bug, | |
fe874d27 | 300 | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, |
1266eefd | 301 | NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL |
ab83e314 | 302 | }, |
38df5a45 MC |
303 | { |
304 | TLSEXT_TYPE_early_data, | |
fe874d27 MC |
305 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS |
306 | | SSL_EXT_TLS1_3_NEW_SESSION_TICKET, | |
38df5a45 MC |
307 | NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data, |
308 | tls_construct_stoc_early_data, tls_construct_ctos_early_data, | |
309 | final_early_data | |
310 | }, | |
45615c5f DSH |
311 | { |
312 | TLSEXT_TYPE_certificate_authorities, | |
fe874d27 MC |
313 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST |
314 | | SSL_EXT_TLS1_3_ONLY, | |
45615c5f DSH |
315 | init_certificate_authorities, |
316 | tls_parse_certificate_authorities, tls_parse_certificate_authorities, | |
317 | tls_construct_certificate_authorities, | |
318 | tls_construct_certificate_authorities, NULL, | |
319 | }, | |
ab83e314 | 320 | { |
ec15acb6 | 321 | /* Must be immediately before pre_shared_key */ |
ab83e314 | 322 | TLSEXT_TYPE_padding, |
fe874d27 | 323 | SSL_EXT_CLIENT_HELLO, |
68db4dda | 324 | NULL, |
ab83e314 | 325 | /* We send this, but don't read it */ |
1266eefd | 326 | NULL, NULL, NULL, tls_construct_ctos_padding, NULL |
ec15acb6 MC |
327 | }, |
328 | { | |
329 | /* Required by the TLSv1.3 spec to always be the last extension */ | |
330 | TLSEXT_TYPE_psk, | |
fe874d27 MC |
331 | SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO |
332 | | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, | |
0247086d | 333 | NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, |
1053a6e2 | 334 | tls_construct_ctos_psk, NULL |
6b473aca MC |
335 | } |
336 | }; | |
337 | ||
43ae5eed MC |
338 | /* Check whether an extension's context matches the current context */ |
339 | static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) | |
340 | { | |
341 | /* Check we're allowed to use this extension in this context */ | |
342 | if ((thisctx & extctx) == 0) | |
343 | return 0; | |
344 | ||
345 | if (SSL_IS_DTLS(s)) { | |
346 | if ((extctx & SSL_EXT_TLS_ONLY) != 0) | |
347 | return 0; | |
348 | } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) { | |
349 | return 0; | |
350 | } | |
351 | ||
352 | return 1; | |
353 | } | |
354 | ||
6b473aca MC |
355 | /* |
356 | * Verify whether we are allowed to use the extension |type| in the current | |
357 | * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to | |
70af3d8e | 358 | * indicate the extension is not allowed. If returning 1 then |*found| is set to |
69687aa8 | 359 | * the definition for the extension we found. |
6b473aca | 360 | */ |
70af3d8e | 361 | static int verify_extension(SSL *s, unsigned int context, unsigned int type, |
1266eefd MC |
362 | custom_ext_methods *meths, RAW_EXTENSION *rawexlist, |
363 | RAW_EXTENSION **found) | |
6b473aca MC |
364 | { |
365 | size_t i; | |
70af3d8e | 366 | size_t builtin_num = OSSL_NELEM(ext_defs); |
d270de32 | 367 | const EXTENSION_DEFINITION *thisext; |
6b473aca | 368 | |
1266eefd MC |
369 | for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { |
370 | if (type == thisext->type) { | |
43ae5eed | 371 | if (!validate_context(s, thisext->context, context)) |
6b473aca MC |
372 | return 0; |
373 | ||
1266eefd | 374 | *found = &rawexlist[i]; |
6b473aca MC |
375 | return 1; |
376 | } | |
377 | } | |
378 | ||
70af3d8e MC |
379 | /* Check the custom extensions */ |
380 | if (meths != NULL) { | |
43ae5eed | 381 | size_t offset = 0; |
787d9ec7 | 382 | ENDPOINT role = ENDPOINT_BOTH; |
43ae5eed MC |
383 | custom_ext_method *meth = NULL; |
384 | ||
385 | if ((context & SSL_EXT_CLIENT_HELLO) != 0) | |
787d9ec7 | 386 | role = ENDPOINT_SERVER; |
43ae5eed | 387 | else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) |
787d9ec7 | 388 | role = ENDPOINT_CLIENT; |
43ae5eed | 389 | |
787d9ec7 | 390 | meth = custom_ext_find(meths, role, type, &offset); |
43ae5eed MC |
391 | if (meth != NULL) { |
392 | if (!validate_context(s, meth->context, context)) | |
393 | return 0; | |
394 | *found = &rawexlist[offset + builtin_num]; | |
395 | return 1; | |
6b473aca MC |
396 | } |
397 | } | |
398 | ||
70af3d8e | 399 | /* Unknown extension. We allow it */ |
1266eefd | 400 | *found = NULL; |
70af3d8e | 401 | return 1; |
6b473aca MC |
402 | } |
403 | ||
70af3d8e MC |
404 | /* |
405 | * Check whether the context defined for an extension |extctx| means whether | |
406 | * the extension is relevant for the current context |thisctx| or not. Returns | |
407 | * 1 if the extension is relevant for this context, and 0 otherwise | |
408 | */ | |
43ae5eed | 409 | int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) |
805a2e9e MC |
410 | { |
411 | if ((SSL_IS_DTLS(s) | |
fe874d27 | 412 | && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) |
805a2e9e | 413 | || (s->version == SSL3_VERSION |
fe874d27 | 414 | && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) |
805a2e9e | 415 | || (SSL_IS_TLS13(s) |
fe874d27 | 416 | && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) |
43ae5eed MC |
417 | || (!SSL_IS_TLS13(s) && (extctx & SSL_EXT_TLS1_3_ONLY) != 0) |
418 | || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0)) | |
805a2e9e MC |
419 | return 0; |
420 | ||
421 | return 1; | |
422 | } | |
423 | ||
6b473aca MC |
424 | /* |
425 | * Gather a list of all the extensions from the data in |packet]. |context| | |
70af3d8e | 426 | * tells us which message this extension is for. The raw extension data is |
1266eefd MC |
427 | * stored in |*res| on success. In the event of an error the alert type to use |
428 | * is stored in |*al|. We don't actually process the content of the extensions | |
429 | * yet, except to check their types. This function also runs the initialiser | |
735d5b59 TT |
430 | * functions for all known extensions if |init| is nonzero (whether we have |
431 | * collected them or not). If successful the caller is responsible for freeing | |
432 | * the contents of |*res|. | |
6b473aca MC |
433 | * |
434 | * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be | |
435 | * more than one extension of the same type in a ClientHello or ServerHello. | |
436 | * This function returns 1 if all extensions are unique and we have parsed their | |
437 | * types, and 0 if the extensions contain duplicates, could not be successfully | |
1266eefd | 438 | * found, or an internal error occurred. We only check duplicates for |
70af3d8e | 439 | * extensions that we know about. We ignore others. |
6b473aca | 440 | */ |
6b473aca | 441 | int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, |
735d5b59 TT |
442 | RAW_EXTENSION **res, int *al, size_t *len, |
443 | int init) | |
6b473aca MC |
444 | { |
445 | PACKET extensions = *packet; | |
d270de32 | 446 | size_t i = 0; |
fc5ece2e | 447 | size_t num_exts; |
43ae5eed | 448 | custom_ext_methods *exts = &s->cert->custext; |
6b473aca | 449 | RAW_EXTENSION *raw_extensions = NULL; |
d270de32 | 450 | const EXTENSION_DEFINITION *thisexd; |
6b473aca | 451 | |
ecc2f938 MC |
452 | *res = NULL; |
453 | ||
70af3d8e MC |
454 | /* |
455 | * Initialise server side custom extensions. Client side is done during | |
456 | * construction of extensions for the ClientHello. | |
457 | */ | |
43ae5eed MC |
458 | if ((context & SSL_EXT_CLIENT_HELLO) != 0) |
459 | custom_ext_init(&s->cert->custext); | |
70af3d8e | 460 | |
fc5ece2e BK |
461 | num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); |
462 | raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); | |
70af3d8e MC |
463 | if (raw_extensions == NULL) { |
464 | *al = SSL_AD_INTERNAL_ERROR; | |
465 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE); | |
466 | return 0; | |
467 | } | |
468 | ||
193b5d76 | 469 | i = 0; |
6b473aca | 470 | while (PACKET_remaining(&extensions) > 0) { |
b186a592 | 471 | unsigned int type, idx; |
6b473aca | 472 | PACKET extension; |
1266eefd | 473 | RAW_EXTENSION *thisex; |
6b473aca MC |
474 | |
475 | if (!PACKET_get_net_2(&extensions, &type) || | |
476 | !PACKET_get_length_prefixed_2(&extensions, &extension)) { | |
477 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); | |
70af3d8e | 478 | *al = SSL_AD_DECODE_ERROR; |
6b473aca MC |
479 | goto err; |
480 | } | |
70af3d8e MC |
481 | /* |
482 | * Verify this extension is allowed. We only check duplicates for | |
652a6b7e MC |
483 | * extensions that we recognise. We also have a special case for the |
484 | * PSK extension, which must be the last one in the ClientHello. | |
70af3d8e | 485 | */ |
1266eefd | 486 | if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) |
652a6b7e MC |
487 | || (thisex != NULL && thisex->present == 1) |
488 | || (type == TLSEXT_TYPE_psk | |
fe874d27 | 489 | && (context & SSL_EXT_CLIENT_HELLO) != 0 |
652a6b7e | 490 | && PACKET_remaining(&extensions) != 0)) { |
6b473aca | 491 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); |
70af3d8e | 492 | *al = SSL_AD_ILLEGAL_PARAMETER; |
6b473aca MC |
493 | goto err; |
494 | } | |
b186a592 MC |
495 | idx = thisex - raw_extensions; |
496 | /*- | |
497 | * Check that we requested this extension (if appropriate). Requests can | |
498 | * be sent in the ClientHello and CertificateRequest. Unsolicited | |
499 | * extensions can be sent in the NewSessionTicket. We only do this for | |
500 | * the built-in extensions. Custom extensions have a different but | |
501 | * similar check elsewhere. | |
502 | * Special cases: | |
503 | * - The HRR cookie extension is unsolicited | |
504 | * - The renegotiate extension is unsolicited (the client signals | |
505 | * support via an SCSV) | |
506 | * - The signed_certificate_timestamp extension can be provided by a | |
507 | * custom extension or by the built-in version. We let the extension | |
508 | * itself handle unsolicited response checks. | |
509 | */ | |
510 | if (idx < OSSL_NELEM(ext_defs) | |
511 | && (context & (SSL_EXT_CLIENT_HELLO | |
512 | | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST | |
513 | | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0 | |
514 | && type != TLSEXT_TYPE_cookie | |
515 | && type != TLSEXT_TYPE_renegotiate | |
516 | && type != TLSEXT_TYPE_signed_certificate_timestamp | |
517 | && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) { | |
355a0d10 | 518 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); |
b186a592 MC |
519 | *al = SSL_AD_UNSUPPORTED_EXTENSION; |
520 | goto err; | |
521 | } | |
1266eefd MC |
522 | if (thisex != NULL) { |
523 | thisex->data = extension; | |
524 | thisex->present = 1; | |
525 | thisex->type = type; | |
193b5d76 | 526 | thisex->received_order = i++; |
b93a295a TS |
527 | if (s->ext.debug_cb) |
528 | s->ext.debug_cb(s, !s->server, thisex->type, | |
529 | PACKET_data(&thisex->data), | |
530 | PACKET_remaining(&thisex->data), | |
531 | s->ext.debug_arg); | |
6b473aca MC |
532 | } |
533 | } | |
534 | ||
735d5b59 TT |
535 | if (init) { |
536 | /* | |
537 | * Initialise all known extensions relevant to this context, | |
538 | * whether we have found them or not | |
539 | */ | |
540 | for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); | |
541 | i++, thisexd++) { | |
bf5c84f5 TT |
542 | if (thisexd->init != NULL && (thisexd->context & context) != 0 |
543 | && extension_is_relevant(s, thisexd->context, context) | |
544 | && !thisexd->init(s, context)) { | |
735d5b59 TT |
545 | *al = SSL_AD_INTERNAL_ERROR; |
546 | goto err; | |
547 | } | |
68db4dda MC |
548 | } |
549 | } | |
550 | ||
6b473aca | 551 | *res = raw_extensions; |
fc5ece2e BK |
552 | if (len != NULL) |
553 | *len = num_exts; | |
6b473aca MC |
554 | return 1; |
555 | ||
556 | err: | |
557 | OPENSSL_free(raw_extensions); | |
558 | return 0; | |
559 | } | |
560 | ||
68db4dda | 561 | /* |
70af3d8e MC |
562 | * Runs the parser for a given extension with index |idx|. |exts| contains the |
563 | * list of all parsed extensions previously collected by | |
564 | * tls_collect_extensions(). The parser is only run if it is applicable for the | |
f97d4c37 MC |
565 | * given |context| and the parser has not already been run. If this is for a |
566 | * Certificate message, then we also provide the parser with the relevant | |
8521ced6 | 567 | * Certificate |x| and its position in the |chainidx| with 0 being the first |
f97d4c37 MC |
568 | * Certificate. Returns 1 on success or 0 on failure. In the event of a failure |
569 | * |*al| is populated with a suitable alert code. If an extension is not present | |
570 | * this counted as success. | |
68db4dda | 571 | */ |
d270de32 | 572 | int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, |
8521ced6 | 573 | RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al) |
6b473aca | 574 | { |
70af3d8e | 575 | RAW_EXTENSION *currext = &exts[idx]; |
61138358 MC |
576 | int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
577 | size_t chainidx, int *al) = NULL; | |
6b473aca | 578 | |
70af3d8e MC |
579 | /* Skip if the extension is not present */ |
580 | if (!currext->present) | |
581 | return 1; | |
6b473aca | 582 | |
70af3d8e MC |
583 | /* Skip if we've already parsed this extension */ |
584 | if (currext->parsed) | |
585 | return 1; | |
6b473aca | 586 | |
70af3d8e MC |
587 | currext->parsed = 1; |
588 | ||
589 | if (idx < OSSL_NELEM(ext_defs)) { | |
590 | /* We are handling a built-in extension */ | |
591 | const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; | |
592 | ||
593 | /* Check if extension is defined for our protocol. If not, skip */ | |
594 | if (!extension_is_relevant(s, extdef->context, context)) | |
595 | return 1; | |
596 | ||
1266eefd | 597 | parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; |
224135e9 | 598 | |
1266eefd | 599 | if (parser != NULL) |
61138358 | 600 | return parser(s, &currext->data, context, x, chainidx, al); |
6b473aca | 601 | |
70af3d8e MC |
602 | /* |
603 | * If the parser is NULL we fall through to the custom extension | |
604 | * processing | |
605 | */ | |
6b473aca MC |
606 | } |
607 | ||
43ae5eed MC |
608 | /* Parse custom extensions */ |
609 | if (custom_ext_parse(s, context, currext->type, | |
610 | PACKET_data(&currext->data), | |
611 | PACKET_remaining(&currext->data), | |
612 | x, chainidx, al) <= 0) | |
70af3d8e MC |
613 | return 0; |
614 | ||
805a2e9e MC |
615 | return 1; |
616 | } | |
617 | ||
618 | /* | |
619 | * Parse all remaining extensions that have not yet been parsed. Also calls the | |
735d5b59 TT |
620 | * finalisation for all extensions at the end if |fin| is nonzero, whether we |
621 | * collected them or not. Returns 1 for success or 0 for failure. If we are | |
622 | * working on a Certificate message then we also pass the Certificate |x| and | |
623 | * its position in the |chainidx|, with 0 being the first certificate. On | |
624 | * failure, |*al| is populated with a suitable alert code. | |
805a2e9e | 625 | */ |
f97d4c37 | 626 | int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, |
735d5b59 | 627 | size_t chainidx, int *al, int fin) |
805a2e9e | 628 | { |
1266eefd | 629 | size_t i, numexts = OSSL_NELEM(ext_defs); |
d270de32 | 630 | const EXTENSION_DEFINITION *thisexd; |
805a2e9e | 631 | |
70af3d8e | 632 | /* Calculate the number of extensions in the extensions list */ |
43ae5eed | 633 | numexts += s->cert->custext.meths_count; |
70af3d8e MC |
634 | |
635 | /* Parse each extension in turn */ | |
1266eefd | 636 | for (i = 0; i < numexts; i++) { |
8521ced6 | 637 | if (!tls_parse_extension(s, i, context, exts, x, chainidx, al)) |
70af3d8e MC |
638 | return 0; |
639 | } | |
805a2e9e | 640 | |
735d5b59 TT |
641 | if (fin) { |
642 | /* | |
643 | * Finalise all known extensions relevant to this context, | |
644 | * whether we have found them or not | |
645 | */ | |
646 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); | |
647 | i++, thisexd++) { | |
bf5c84f5 TT |
648 | if (thisexd->final != NULL && (thisexd->context & context) != 0 |
649 | && !thisexd->final(s, context, exts[i].present, al)) | |
735d5b59 TT |
650 | return 0; |
651 | } | |
68db4dda MC |
652 | } |
653 | ||
6b473aca MC |
654 | return 1; |
655 | } | |
656 | ||
43ae5eed MC |
657 | int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, |
658 | int max_version) | |
659 | { | |
660 | /* Skip if not relevant for our context */ | |
661 | if ((extctx & thisctx) == 0) | |
662 | return 0; | |
663 | ||
664 | /* Check if this extension is defined for our protocol. If not, skip */ | |
665 | if ((SSL_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) | |
666 | || (s->version == SSL3_VERSION | |
667 | && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) | |
668 | || (SSL_IS_TLS13(s) | |
669 | && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) | |
670 | || (!SSL_IS_TLS13(s) | |
671 | && (extctx & SSL_EXT_TLS1_3_ONLY) != 0 | |
672 | && (thisctx & SSL_EXT_CLIENT_HELLO) == 0) | |
673 | || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 | |
674 | && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 | |
675 | && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))) | |
676 | return 0; | |
677 | ||
678 | return 1; | |
679 | } | |
680 | ||
6b473aca | 681 | /* |
70af3d8e | 682 | * Construct all the extensions relevant to the current |context| and write |
30aeba43 | 683 | * them to |pkt|. If this is an extension for a Certificate in a Certificate |
8521ced6 MC |
684 | * message, then |x| will be set to the Certificate we are handling, and |
685 | * |chainidx| will indicate the position in the chainidx we are processing (with | |
686 | * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a | |
687 | * failure occurs then |al| is populated with a suitable alert code. On a | |
688 | * failure construction stops at the first extension to fail to construct. | |
6b473aca | 689 | */ |
224135e9 | 690 | int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, |
8521ced6 | 691 | X509 *x, size_t chainidx, int *al) |
224135e9 | 692 | { |
1266eefd | 693 | size_t i; |
43ae5eed | 694 | int min_version, max_version = 0, reason, tmpal; |
d270de32 | 695 | const EXTENSION_DEFINITION *thisexd; |
224135e9 | 696 | |
7da160b0 | 697 | /* |
70af3d8e | 698 | * Normally if something goes wrong during construction it's an internal |
7da160b0 MC |
699 | * error. We can always override this later. |
700 | */ | |
70af3d8e | 701 | tmpal = SSL_AD_INTERNAL_ERROR; |
7da160b0 | 702 | |
224135e9 MC |
703 | if (!WPACKET_start_sub_packet_u16(pkt) |
704 | /* | |
705 | * If extensions are of zero length then we don't even add the | |
7da160b0 | 706 | * extensions length bytes to a ClientHello/ServerHello in SSLv3 |
224135e9 | 707 | */ |
fe874d27 MC |
708 | || ((context & |
709 | (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 | |
710 | && s->version == SSL3_VERSION | |
711 | && !WPACKET_set_flags(pkt, | |
224135e9 | 712 | WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { |
224135e9 | 713 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 714 | goto err; |
224135e9 MC |
715 | } |
716 | ||
fe874d27 | 717 | if ((context & SSL_EXT_CLIENT_HELLO) != 0) { |
38a73150 | 718 | reason = ssl_get_min_max_version(s, &min_version, &max_version); |
ab83e314 MC |
719 | if (reason != 0) { |
720 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); | |
70af3d8e | 721 | goto err; |
ab83e314 MC |
722 | } |
723 | } | |
724 | ||
725 | /* Add custom extensions first */ | |
fe874d27 | 726 | if ((context & SSL_EXT_CLIENT_HELLO) != 0) { |
44e69951 | 727 | /* On the server side with initialise during ClientHello parsing */ |
43ae5eed | 728 | custom_ext_init(&s->cert->custext); |
ab83e314 | 729 | } |
43ae5eed | 730 | if (!custom_ext_add(s, context, pkt, x, chainidx, max_version, &tmpal)) { |
ab83e314 | 731 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 732 | goto err; |
ab83e314 MC |
733 | } |
734 | ||
1266eefd | 735 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
b186a592 MC |
736 | EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, |
737 | X509 *x, size_t chainidx, int *al); | |
738 | EXT_RETURN ret; | |
4b299b8e | 739 | |
224135e9 | 740 | /* Skip if not relevant for our context */ |
43ae5eed | 741 | if (!should_add_extension(s, thisexd->context, context, max_version)) |
224135e9 MC |
742 | continue; |
743 | ||
1266eefd MC |
744 | construct = s->server ? thisexd->construct_stoc |
745 | : thisexd->construct_ctos; | |
224135e9 | 746 | |
43ae5eed | 747 | if (construct == NULL) |
224135e9 MC |
748 | continue; |
749 | ||
b186a592 MC |
750 | ret = construct(s, pkt, context, x, chainidx, &tmpal); |
751 | if (ret == EXT_RETURN_FAIL) | |
70af3d8e | 752 | goto err; |
b186a592 MC |
753 | if (ret == EXT_RETURN_SENT |
754 | && (context & (SSL_EXT_CLIENT_HELLO | |
755 | | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST | |
756 | | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0) | |
757 | s->ext.extflags[i] |= SSL_EXT_FLAG_SENT; | |
224135e9 MC |
758 | } |
759 | ||
224135e9 | 760 | if (!WPACKET_close(pkt)) { |
224135e9 | 761 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 762 | goto err; |
224135e9 MC |
763 | } |
764 | ||
765 | return 1; | |
70af3d8e MC |
766 | |
767 | err: | |
768 | *al = tmpal; | |
769 | return 0; | |
224135e9 | 770 | } |
805a2e9e | 771 | |
70af3d8e MC |
772 | /* |
773 | * Built in extension finalisation and initialisation functions. All initialise | |
774 | * or finalise the associated extension type for the given |context|. For | |
775 | * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 | |
776 | * otherwise. These functions return 1 on success or 0 on failure. In the event | |
777 | * of a failure then |*al| is populated with a suitable error code. | |
778 | */ | |
779 | ||
1266eefd | 780 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
781 | int *al) |
782 | { | |
332eb390 MC |
783 | if (!s->server) { |
784 | /* | |
785 | * Check if we can connect to a server that doesn't support safe | |
786 | * renegotiation | |
787 | */ | |
788 | if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | |
789 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
790 | && !sent) { | |
791 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 792 | SSLerr(SSL_F_FINAL_RENEGOTIATE, |
332eb390 MC |
793 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
794 | return 0; | |
795 | } | |
796 | ||
805a2e9e | 797 | return 1; |
332eb390 | 798 | } |
805a2e9e MC |
799 | |
800 | /* Need RI if renegotiating */ | |
801 | if (s->renegotiate | |
802 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
803 | && !sent) { | |
804 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 805 | SSLerr(SSL_F_FINAL_RENEGOTIATE, |
805a2e9e MC |
806 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
807 | return 0; | |
808 | } | |
809 | ||
332eb390 | 810 | |
805a2e9e MC |
811 | return 1; |
812 | } | |
813 | ||
1266eefd | 814 | static int init_server_name(SSL *s, unsigned int context) |
805a2e9e MC |
815 | { |
816 | if (s->server) | |
817 | s->servername_done = 0; | |
818 | ||
819 | return 1; | |
820 | } | |
821 | ||
1266eefd | 822 | static int final_server_name(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
823 | int *al) |
824 | { | |
825 | int ret = SSL_TLSEXT_ERR_NOACK; | |
826 | int altmp = SSL_AD_UNRECOGNIZED_NAME; | |
827 | ||
aff8c126 RS |
828 | if (s->ctx != NULL && s->ctx->ext.servername_cb != 0) |
829 | ret = s->ctx->ext.servername_cb(s, &altmp, | |
830 | s->ctx->ext.servername_arg); | |
222da979 TS |
831 | else if (s->session_ctx != NULL |
832 | && s->session_ctx->ext.servername_cb != 0) | |
833 | ret = s->session_ctx->ext.servername_cb(s, &altmp, | |
834 | s->session_ctx->ext.servername_arg); | |
805a2e9e MC |
835 | |
836 | switch (ret) { | |
837 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
838 | *al = altmp; | |
839 | return 0; | |
840 | ||
841 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
842 | *al = altmp; | |
843 | return 1; | |
844 | ||
845 | case SSL_TLSEXT_ERR_NOACK: | |
846 | s->servername_done = 0; | |
630369d9 MC |
847 | if (s->session->ext.hostname != NULL) |
848 | s->ext.early_data_ok = 0; | |
805a2e9e MC |
849 | return 1; |
850 | ||
851 | default: | |
852 | return 1; | |
853 | } | |
854 | } | |
855 | ||
332eb390 | 856 | #ifndef OPENSSL_NO_EC |
1266eefd | 857 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
858 | int *al) |
859 | { | |
860 | unsigned long alg_k, alg_a; | |
861 | ||
862 | if (s->server) | |
863 | return 1; | |
864 | ||
865 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
866 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
867 | ||
868 | /* | |
869 | * If we are client and using an elliptic curve cryptography cipher | |
870 | * suite, then if server returns an EC point formats lists extension it | |
871 | * must contain uncompressed. | |
872 | */ | |
aff8c126 RS |
873 | if (s->ext.ecpointformats != NULL |
874 | && s->ext.ecpointformats_len > 0 | |
875 | && s->session->ext.ecpointformats != NULL | |
876 | && s->session->ext.ecpointformats_len > 0 | |
1266eefd | 877 | && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { |
332eb390 MC |
878 | /* we are using an ECC cipher */ |
879 | size_t i; | |
aff8c126 | 880 | unsigned char *list = s->session->ext.ecpointformats; |
1266eefd | 881 | |
aff8c126 | 882 | for (i = 0; i < s->session->ext.ecpointformats_len; i++) { |
1266eefd | 883 | if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) |
332eb390 | 884 | break; |
332eb390 | 885 | } |
aff8c126 | 886 | if (i == s->session->ext.ecpointformats_len) { |
7fe97c07 | 887 | SSLerr(SSL_F_FINAL_EC_PT_FORMATS, |
332eb390 MC |
888 | SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); |
889 | return 0; | |
890 | } | |
891 | } | |
892 | ||
893 | return 1; | |
894 | } | |
895 | #endif | |
896 | ||
1266eefd | 897 | static int init_session_ticket(SSL *s, unsigned int context) |
332eb390 MC |
898 | { |
899 | if (!s->server) | |
aff8c126 | 900 | s->ext.ticket_expected = 0; |
332eb390 MC |
901 | |
902 | return 1; | |
903 | } | |
904 | ||
8f8c11d8 | 905 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 906 | static int init_status_request(SSL *s, unsigned int context) |
805a2e9e | 907 | { |
f63e4288 | 908 | if (s->server) { |
aff8c126 | 909 | s->ext.status_type = TLSEXT_STATUSTYPE_nothing; |
f63e4288 MC |
910 | } else { |
911 | /* | |
912 | * Ensure we get sensible values passed to tlsext_status_cb in the event | |
913 | * that we don't receive a status message | |
914 | */ | |
8cbfcc70 RS |
915 | OPENSSL_free(s->ext.ocsp.resp); |
916 | s->ext.ocsp.resp = NULL; | |
917 | s->ext.ocsp.resp_len = 0; | |
f63e4288 | 918 | } |
332eb390 MC |
919 | |
920 | return 1; | |
921 | } | |
8f8c11d8 | 922 | #endif |
332eb390 | 923 | |
805a2e9e | 924 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 925 | static int init_npn(SSL *s, unsigned int context) |
805a2e9e | 926 | { |
aff8c126 | 927 | s->s3->npn_seen = 0; |
805a2e9e MC |
928 | |
929 | return 1; | |
930 | } | |
931 | #endif | |
932 | ||
1266eefd | 933 | static int init_alpn(SSL *s, unsigned int context) |
805a2e9e | 934 | { |
332eb390 MC |
935 | OPENSSL_free(s->s3->alpn_selected); |
936 | s->s3->alpn_selected = NULL; | |
a5bb1aa1 | 937 | s->s3->alpn_selected_len = 0; |
805a2e9e | 938 | if (s->server) { |
805a2e9e MC |
939 | OPENSSL_free(s->s3->alpn_proposed); |
940 | s->s3->alpn_proposed = NULL; | |
941 | s->s3->alpn_proposed_len = 0; | |
942 | } | |
805a2e9e MC |
943 | return 1; |
944 | } | |
945 | ||
630369d9 MC |
946 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al) |
947 | { | |
948 | if (!s->server || !SSL_IS_TLS13(s)) | |
949 | return 1; | |
950 | ||
951 | /* | |
952 | * Call alpn_select callback if needed. Has to be done after SNI and | |
953 | * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 | |
954 | * we also have to do this before we decide whether to accept early_data. | |
955 | * In TLSv1.3 we've already negotiated our cipher so we do this call now. | |
956 | * For < TLSv1.3 we defer it until after cipher negotiation. | |
957 | */ | |
958 | return tls_handle_alpn(s, al); | |
959 | } | |
960 | ||
1266eefd | 961 | static int init_sig_algs(SSL *s, unsigned int context) |
805a2e9e MC |
962 | { |
963 | /* Clear any signature algorithms extension received */ | |
964 | OPENSSL_free(s->s3->tmp.peer_sigalgs); | |
965 | s->s3->tmp.peer_sigalgs = NULL; | |
966 | ||
967 | return 1; | |
968 | } | |
969 | ||
970 | #ifndef OPENSSL_NO_SRP | |
1266eefd | 971 | static int init_srp(SSL *s, unsigned int context) |
805a2e9e MC |
972 | { |
973 | OPENSSL_free(s->srp_ctx.login); | |
974 | s->srp_ctx.login = NULL; | |
975 | ||
976 | return 1; | |
977 | } | |
978 | #endif | |
979 | ||
1266eefd | 980 | static int init_etm(SSL *s, unsigned int context) |
805a2e9e | 981 | { |
28a31a0a | 982 | s->ext.use_etm = 0; |
332eb390 MC |
983 | |
984 | return 1; | |
985 | } | |
986 | ||
1266eefd | 987 | static int init_ems(SSL *s, unsigned int context) |
332eb390 MC |
988 | { |
989 | if (!s->server) | |
990 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; | |
991 | ||
992 | return 1; | |
993 | } | |
994 | ||
1266eefd | 995 | static int final_ems(SSL *s, unsigned int context, int sent, int *al) |
332eb390 MC |
996 | { |
997 | if (!s->server && s->hit) { | |
998 | /* | |
999 | * Check extended master secret extension is consistent with | |
1000 | * original session. | |
1001 | */ | |
1002 | if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != | |
1003 | !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { | |
1004 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 1005 | SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS); |
332eb390 MC |
1006 | return 0; |
1007 | } | |
1008 | } | |
805a2e9e MC |
1009 | |
1010 | return 1; | |
1011 | } | |
1012 | ||
45615c5f DSH |
1013 | static int init_certificate_authorities(SSL *s, unsigned int context) |
1014 | { | |
fa7c2637 DSH |
1015 | sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); |
1016 | s->s3->tmp.peer_ca_names = NULL; | |
45615c5f DSH |
1017 | return 1; |
1018 | } | |
1019 | ||
b186a592 MC |
1020 | static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, |
1021 | unsigned int context, | |
1022 | X509 *x, | |
1023 | size_t chainidx, | |
1024 | int *al) | |
45615c5f | 1025 | { |
9784ec04 | 1026 | const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s); |
45615c5f DSH |
1027 | |
1028 | if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0) | |
b186a592 | 1029 | return EXT_RETURN_NOT_SENT; |
45615c5f DSH |
1030 | |
1031 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities) | |
1032 | || !WPACKET_start_sub_packet_u16(pkt) | |
1033 | || !construct_ca_names(s, pkt) | |
1034 | || !WPACKET_close(pkt)) { | |
1035 | SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, | |
1036 | ERR_R_INTERNAL_ERROR); | |
b186a592 | 1037 | return EXT_RETURN_FAIL; |
45615c5f DSH |
1038 | } |
1039 | ||
b186a592 | 1040 | return EXT_RETURN_SENT; |
45615c5f DSH |
1041 | } |
1042 | ||
1043 | static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, | |
1044 | unsigned int context, X509 *x, | |
1045 | size_t chainidx, int *al) | |
1046 | { | |
1047 | if (!parse_ca_names(s, pkt, al)) | |
1048 | return 0; | |
1049 | if (PACKET_remaining(pkt) != 0) { | |
1050 | *al = SSL_AD_DECODE_ERROR; | |
1051 | return 0; | |
1052 | } | |
1053 | return 1; | |
1054 | } | |
1055 | ||
805a2e9e | 1056 | #ifndef OPENSSL_NO_SRTP |
1266eefd | 1057 | static int init_srtp(SSL *s, unsigned int context) |
805a2e9e MC |
1058 | { |
1059 | if (s->server) | |
1060 | s->srtp_profile = NULL; | |
1061 | ||
1062 | return 1; | |
1063 | } | |
1064 | #endif | |
04904312 MC |
1065 | |
1066 | static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al) | |
1067 | { | |
108d45df | 1068 | if (!sent && SSL_IS_TLS13(s) && !s->hit) { |
04904312 MC |
1069 | *al = TLS13_AD_MISSING_EXTENSION; |
1070 | SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION); | |
1071 | return 0; | |
1072 | } | |
1073 | ||
1074 | return 1; | |
1075 | } | |
b2f7e8c0 | 1076 | |
deb2d5e7 | 1077 | #ifndef OPENSSL_NO_EC |
f4bbb37c MC |
1078 | static int final_key_share(SSL *s, unsigned int context, int sent, int *al) |
1079 | { | |
1080 | if (!SSL_IS_TLS13(s)) | |
1081 | return 1; | |
1082 | ||
07d447a6 MC |
1083 | /* Nothing to do for key_share in an HRR */ |
1084 | if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) | |
1085 | return 1; | |
1086 | ||
f4bbb37c MC |
1087 | /* |
1088 | * If | |
aff9929b MC |
1089 | * we are a client |
1090 | * AND | |
f4bbb37c MC |
1091 | * we have no key_share |
1092 | * AND | |
1093 | * (we are not resuming | |
1094 | * OR the kex_mode doesn't allow non key_share resumes) | |
1095 | * THEN | |
aff9929b | 1096 | * fail; |
f4bbb37c | 1097 | */ |
aff9929b MC |
1098 | if (!s->server |
1099 | && !sent | |
f4bbb37c MC |
1100 | && (!s->hit |
1101 | || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { | |
7d061fce | 1102 | /* Nothing left we can do - just fail */ |
fb34a0f4 | 1103 | *al = SSL_AD_MISSING_EXTENSION; |
f4bbb37c MC |
1104 | SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); |
1105 | return 0; | |
1106 | } | |
aff9929b MC |
1107 | /* |
1108 | * If | |
1109 | * we are a server | |
1110 | * AND | |
1111 | * we have no key_share | |
1112 | * THEN | |
1113 | * If | |
1114 | * we didn't already send a HelloRetryRequest | |
1115 | * AND | |
1116 | * the client sent a key_share extension | |
1117 | * AND | |
1118 | * (we are not resuming | |
1119 | * OR the kex_mode allows key_share resumes) | |
1120 | * AND | |
1121 | * a shared group exists | |
1122 | * THEN | |
1123 | * send a HelloRetryRequest | |
1124 | * ELSE If | |
1125 | * we are not resuming | |
1126 | * OR | |
1127 | * the kex_mode doesn't allow non key_share resumes | |
1128 | * THEN | |
1129 | * fail; | |
1130 | */ | |
1131 | if (s->server && s->s3->peer_tmp == NULL) { | |
1132 | /* No suitable share */ | |
1133 | if (s->hello_retry_request == 0 && sent | |
1134 | && (!s->hit | |
1135 | || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) | |
1136 | != 0)) { | |
1137 | const unsigned char *pcurves, *pcurvestmp, *clntcurves; | |
1138 | size_t num_curves, clnt_num_curves, i; | |
319a33d0 | 1139 | unsigned int group_id = 0; |
aff9929b | 1140 | |
2248dbeb | 1141 | /* Check if a shared group exists */ |
aff9929b MC |
1142 | |
1143 | /* Get the clients list of supported groups. */ | |
1144 | if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) { | |
1145 | *al = SSL_AD_INTERNAL_ERROR; | |
1146 | SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR); | |
1147 | return 0; | |
1148 | } | |
1149 | ||
1150 | /* Get our list of available groups */ | |
1151 | if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) { | |
1152 | *al = SSL_AD_INTERNAL_ERROR; | |
1153 | SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR); | |
1154 | return 0; | |
1155 | } | |
1156 | ||
1157 | /* Find the first group we allow that is also in client's list */ | |
1158 | for (i = 0, pcurvestmp = pcurves; i < num_curves; | |
1159 | i++, pcurvestmp += 2) { | |
0dd7ba24 | 1160 | group_id = bytestogroup(pcurvestmp); |
aff9929b MC |
1161 | |
1162 | if (check_in_list(s, group_id, clntcurves, clnt_num_curves, 1)) | |
1163 | break; | |
1164 | } | |
1165 | ||
1166 | if (i < num_curves) { | |
1167 | /* A shared group exists so send a HelloRetryRequest */ | |
1168 | s->s3->group_id = group_id; | |
1169 | s->hello_retry_request = 1; | |
1170 | return 1; | |
1171 | } | |
1172 | } | |
1173 | if (!s->hit | |
1174 | || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { | |
1175 | /* Nothing left we can do - just fail */ | |
b6fdc12d MC |
1176 | if (!sent) |
1177 | *al = SSL_AD_MISSING_EXTENSION; | |
1178 | else | |
1179 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
aff9929b MC |
1180 | SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); |
1181 | return 0; | |
1182 | } | |
1183 | } | |
1184 | ||
1185 | /* We have a key_share so don't send any more HelloRetryRequest messages */ | |
1186 | if (s->server) | |
1187 | s->hello_retry_request = 0; | |
f4bbb37c MC |
1188 | |
1189 | /* | |
1190 | * For a client side resumption with no key_share we need to generate | |
1191 | * the handshake secret (otherwise this is done during key_share | |
1192 | * processing). | |
1193 | */ | |
1194 | if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) { | |
1195 | *al = SSL_AD_INTERNAL_ERROR; | |
1196 | SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR); | |
1197 | return 0; | |
1198 | } | |
1199 | ||
1200 | return 1; | |
1201 | } | |
deb2d5e7 | 1202 | #endif |
f4bbb37c | 1203 | |
b2f7e8c0 MC |
1204 | static int init_psk_kex_modes(SSL *s, unsigned int context) |
1205 | { | |
1206 | s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; | |
b2f7e8c0 MC |
1207 | return 1; |
1208 | } | |
1053a6e2 MC |
1209 | |
1210 | int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, | |
1211 | size_t binderoffset, const unsigned char *binderin, | |
3a7c56b2 MC |
1212 | unsigned char *binderout, SSL_SESSION *sess, int sign, |
1213 | int external) | |
1053a6e2 MC |
1214 | { |
1215 | EVP_PKEY *mackey = NULL; | |
1216 | EVP_MD_CTX *mctx = NULL; | |
1217 | unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; | |
1218 | unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; | |
b81bd336 MC |
1219 | unsigned char tmppsk[EVP_MAX_MD_SIZE]; |
1220 | unsigned char *early_secret, *psk; | |
17aa119e | 1221 | const char resumption_label[] = "res binder"; |
3a7c56b2 | 1222 | const char external_label[] = "ext binder"; |
b81bd336 | 1223 | const char nonce_label[] = "resumption"; |
3a7c56b2 MC |
1224 | const char *label; |
1225 | size_t bindersize, labelsize, hashsize = EVP_MD_size(md); | |
1053a6e2 | 1226 | int ret = -1; |
add8d0e9 MC |
1227 | int usepskfored = 0; |
1228 | ||
1229 | if (external | |
1230 | && s->early_data_state == SSL_EARLY_DATA_CONNECTING | |
1231 | && s->session->ext.max_early_data == 0 | |
1232 | && sess->ext.max_early_data > 0) | |
1233 | usepskfored = 1; | |
1053a6e2 | 1234 | |
3a7c56b2 MC |
1235 | if (external) { |
1236 | label = external_label; | |
1237 | labelsize = sizeof(external_label) - 1; | |
1238 | } else { | |
1239 | label = resumption_label; | |
1240 | labelsize = sizeof(resumption_label) - 1; | |
1241 | } | |
1242 | ||
b81bd336 MC |
1243 | if (sess->master_key_length != hashsize) { |
1244 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK); | |
1245 | goto err; | |
1246 | } | |
1247 | ||
1248 | if (external) { | |
1249 | psk = sess->master_key; | |
1250 | } else { | |
b81bd336 MC |
1251 | psk = tmppsk; |
1252 | if (!tls13_hkdf_expand(s, md, sess->master_key, | |
1253 | (const unsigned char *)nonce_label, | |
1254 | sizeof(nonce_label) - 1, sess->ext.tick_nonce, | |
1255 | sess->ext.tick_nonce_len, psk, hashsize)) { | |
1256 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1257 | goto err; | |
1258 | } | |
1259 | } | |
1260 | ||
9368f865 MC |
1261 | /* |
1262 | * Generate the early_secret. On the server side we've selected a PSK to | |
1263 | * resume with (internal or external) so we always do this. On the client | |
add8d0e9 MC |
1264 | * side we do this for a non-external (i.e. resumption) PSK or external PSK |
1265 | * that will be used for early_data so that it is in place for sending early | |
1266 | * data. For client side external PSK not being used for early_data we | |
9368f865 MC |
1267 | * generate it but store it away for later use. |
1268 | */ | |
add8d0e9 | 1269 | if (s->server || !external || usepskfored) |
9368f865 MC |
1270 | early_secret = (unsigned char *)s->early_secret; |
1271 | else | |
1272 | early_secret = (unsigned char *)sess->early_secret; | |
b81bd336 | 1273 | if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) { |
1053a6e2 MC |
1274 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); |
1275 | goto err; | |
1276 | } | |
1277 | ||
1278 | /* | |
1279 | * Create the handshake hash for the binder key...the messages so far are | |
1280 | * empty! | |
1281 | */ | |
1282 | mctx = EVP_MD_CTX_new(); | |
1283 | if (mctx == NULL | |
1284 | || EVP_DigestInit_ex(mctx, md, NULL) <= 0 | |
1285 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { | |
1286 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1287 | goto err; | |
1288 | } | |
1289 | ||
1290 | /* Generate the binder key */ | |
9368f865 | 1291 | if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label, |
a19ae67d | 1292 | labelsize, hash, hashsize, binderkey, hashsize)) { |
1053a6e2 MC |
1293 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); |
1294 | goto err; | |
1295 | } | |
1296 | ||
1297 | /* Generate the finished key */ | |
1298 | if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) { | |
1299 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1300 | goto err; | |
1301 | } | |
1302 | ||
aff9929b MC |
1303 | if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) { |
1304 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1305 | goto err; | |
1306 | } | |
1307 | ||
1053a6e2 | 1308 | /* |
aff9929b MC |
1309 | * Get a hash of the ClientHello up to the start of the binders. If we are |
1310 | * following a HelloRetryRequest then this includes the hash of the first | |
1311 | * ClientHello and the HelloRetryRequest itself. | |
1053a6e2 | 1312 | */ |
aff9929b MC |
1313 | if (s->hello_retry_request) { |
1314 | size_t hdatalen; | |
1315 | void *hdata; | |
1316 | ||
1317 | hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); | |
1318 | if (hdatalen <= 0) { | |
1319 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_HANDSHAKE_LENGTH); | |
1320 | goto err; | |
1321 | } | |
1322 | ||
1323 | /* | |
1324 | * For servers the handshake buffer data will include the second | |
1325 | * ClientHello - which we don't want - so we need to take that bit off. | |
1326 | */ | |
1327 | if (s->server) { | |
77815a02 MC |
1328 | PACKET hashprefix, msg; |
1329 | ||
1330 | /* Find how many bytes are left after the first two messages */ | |
1331 | if (!PACKET_buf_init(&hashprefix, hdata, hdatalen) | |
1332 | || !PACKET_forward(&hashprefix, 1) | |
1333 | || !PACKET_get_length_prefixed_3(&hashprefix, &msg) | |
1334 | || !PACKET_forward(&hashprefix, 1) | |
1335 | || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) { | |
aff9929b MC |
1336 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); |
1337 | goto err; | |
1338 | } | |
77815a02 | 1339 | hdatalen -= PACKET_remaining(&hashprefix); |
aff9929b MC |
1340 | } |
1341 | ||
1342 | if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) { | |
1343 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1344 | goto err; | |
1345 | } | |
1346 | } | |
1347 | ||
1348 | if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0 | |
1053a6e2 MC |
1349 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { |
1350 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1351 | goto err; | |
1352 | } | |
1353 | ||
1354 | mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize); | |
1355 | if (mackey == NULL) { | |
1356 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1357 | goto err; | |
1358 | } | |
1359 | ||
1360 | if (!sign) | |
1361 | binderout = tmpbinder; | |
1362 | ||
1363 | bindersize = hashsize; | |
1364 | if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0 | |
1365 | || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 | |
1366 | || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 | |
1367 | || bindersize != hashsize) { | |
1368 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1369 | goto err; | |
1370 | } | |
1371 | ||
1372 | if (sign) { | |
1373 | ret = 1; | |
1374 | } else { | |
1375 | /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ | |
1376 | ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); | |
1377 | } | |
1378 | ||
1379 | err: | |
1380 | OPENSSL_cleanse(binderkey, sizeof(binderkey)); | |
1381 | OPENSSL_cleanse(finishedkey, sizeof(finishedkey)); | |
1382 | EVP_PKEY_free(mackey); | |
1383 | EVP_MD_CTX_free(mctx); | |
1384 | ||
1385 | return ret; | |
1386 | } | |
38df5a45 MC |
1387 | |
1388 | static int final_early_data(SSL *s, unsigned int context, int sent, int *al) | |
1389 | { | |
1390 | if (!s->server || !sent) | |
1391 | return 1; | |
1392 | ||
1393 | if (s->max_early_data == 0 | |
1394 | || !s->hit | |
1395 | || s->session->ext.tick_identity != 0 | |
1396 | || s->early_data_state != SSL_EARLY_DATA_ACCEPTING | |
1397 | || !s->ext.early_data_ok | |
630369d9 | 1398 | || s->hello_retry_request) { |
38df5a45 MC |
1399 | s->ext.early_data = SSL_EARLY_DATA_REJECTED; |
1400 | } else { | |
1401 | s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; | |
1402 | ||
1403 | if (!tls13_change_cipher_state(s, | |
1404 | SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) { | |
1405 | *al = SSL_AD_INTERNAL_ERROR; | |
1406 | return 0; | |
1407 | } | |
1408 | } | |
1409 | ||
1410 | return 1; | |
1411 | } |