]>
Commit | Line | Data |
---|---|---|
6b473aca MC |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
6b473aca MC |
10 | #include "../ssl_locl.h" |
11 | #include "statem_locl.h" | |
12 | ||
1266eefd | 13 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e | 14 | int *al); |
1266eefd MC |
15 | static int init_server_name(SSL *s, unsigned int context); |
16 | static int final_server_name(SSL *s, unsigned int context, int sent, | |
805a2e9e | 17 | int *al); |
332eb390 | 18 | #ifndef OPENSSL_NO_EC |
1266eefd | 19 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
20 | int *al); |
21 | #endif | |
1266eefd | 22 | static int init_session_ticket(SSL *s, unsigned int context); |
8f8c11d8 | 23 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 24 | static int init_status_request(SSL *s, unsigned int context); |
8f8c11d8 | 25 | #endif |
805a2e9e | 26 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 27 | static int init_npn(SSL *s, unsigned int context); |
805a2e9e | 28 | #endif |
1266eefd MC |
29 | static int init_alpn(SSL *s, unsigned int context); |
30 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al); | |
31 | static int init_sig_algs(SSL *s, unsigned int context); | |
805a2e9e | 32 | #ifndef OPENSSL_NO_SRP |
1266eefd | 33 | static int init_srp(SSL *s, unsigned int context); |
805a2e9e | 34 | #endif |
1266eefd MC |
35 | static int init_etm(SSL *s, unsigned int context); |
36 | static int init_ems(SSL *s, unsigned int context); | |
37 | static int final_ems(SSL *s, unsigned int context, int sent, int *al); | |
b2f7e8c0 | 38 | static int init_psk_kex_modes(SSL *s, unsigned int context); |
f4bbb37c | 39 | static int final_key_share(SSL *s, unsigned int context, int sent, int *al); |
805a2e9e | 40 | #ifndef OPENSSL_NO_SRTP |
1266eefd | 41 | static int init_srtp(SSL *s, unsigned int context); |
805a2e9e | 42 | #endif |
04904312 | 43 | static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al); |
805a2e9e | 44 | |
70af3d8e | 45 | /* Structure to define a built-in extension */ |
1266eefd MC |
46 | typedef struct extensions_definition_st { |
47 | /* The defined type for the extension */ | |
6b473aca | 48 | unsigned int type; |
1266eefd MC |
49 | /* |
50 | * The context that this extension applies to, e.g. what messages and | |
51 | * protocol versions | |
52 | */ | |
53 | unsigned int context; | |
68db4dda | 54 | /* |
805a2e9e MC |
55 | * Initialise extension before parsing. Always called for relevant contexts |
56 | * even if extension not present | |
68db4dda | 57 | */ |
1266eefd MC |
58 | int (*init)(SSL *s, unsigned int context); |
59 | /* Parse extension sent from client to server */ | |
61138358 MC |
60 | int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
61 | size_t chainidx, int *al); | |
1266eefd | 62 | /* Parse extension send from server to client */ |
61138358 MC |
63 | int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
64 | size_t chainidx, int *al); | |
1266eefd | 65 | /* Construct extension sent from server to client */ |
61138358 MC |
66 | int (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, |
67 | size_t chainidx, int *al); | |
1266eefd | 68 | /* Construct extension sent from client to server */ |
61138358 MC |
69 | int (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, |
70 | size_t chainidx, int *al); | |
68db4dda | 71 | /* |
805a2e9e MC |
72 | * Finalise extension after parsing. Always called where an extensions was |
73 | * initialised even if the extension was not present. |sent| is set to 1 if | |
74 | * the extension was seen, or 0 otherwise. | |
68db4dda | 75 | */ |
1266eefd | 76 | int (*final)(SSL *s, unsigned int context, int sent, int *al); |
6b473aca MC |
77 | } EXTENSION_DEFINITION; |
78 | ||
4b299b8e | 79 | /* |
70af3d8e | 80 | * Definitions of all built-in extensions. NOTE: Changes in the number or order |
3e6c1da8 F |
81 | * of these extensions should be mirrored with equivalent changes to the |
82 | * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h. | |
70af3d8e MC |
83 | * Each extension has an initialiser, a client and |
84 | * server side parser and a finaliser. The initialiser is called (if the | |
85 | * extension is relevant to the given context) even if we did not see the | |
86 | * extension in the message that we received. The parser functions are only | |
87 | * called if we see the extension in the message. The finalisers are always | |
88 | * called if the initialiser was called. | |
89 | * There are also server and client side constructor functions which are always | |
90 | * called during message construction if the extension is relevant for the | |
91 | * given context. | |
92 | * The initialisation, parsing, finalisation and construction functions are | |
93 | * always called in the order defined in this list. Some extensions may depend | |
94 | * on others having been processed first, so the order of this list is | |
95 | * significant. | |
96 | * The extension context is defined by a series of flags which specify which | |
97 | * messages the extension is relevant to. These flags also specify whether the | |
3e6c1da8 | 98 | * extension is relevant to a particular protocol or protocol version. |
a1448c26 | 99 | * |
70af3d8e | 100 | * TODO(TLS1.3): Make sure we have a test to check the consistency of these |
4b299b8e | 101 | */ |
0785274c | 102 | #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } |
6b473aca MC |
103 | static const EXTENSION_DEFINITION ext_defs[] = { |
104 | { | |
105 | TLSEXT_TYPE_renegotiate, | |
6b473aca | 106 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED |
1266eefd MC |
107 | | EXT_TLS1_2_AND_BELOW_ONLY, |
108 | NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, | |
109 | tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, | |
110 | final_renegotiate | |
6b473aca MC |
111 | }, |
112 | { | |
113 | TLSEXT_TYPE_server_name, | |
6b473aca | 114 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
115 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
116 | init_server_name, | |
117 | tls_parse_ctos_server_name, tls_parse_stoc_server_name, | |
118 | tls_construct_stoc_server_name, tls_construct_ctos_server_name, | |
119 | final_server_name | |
6b473aca MC |
120 | }, |
121 | #ifndef OPENSSL_NO_SRP | |
122 | { | |
123 | TLSEXT_TYPE_srp, | |
1266eefd MC |
124 | EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
125 | init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL | |
6b473aca | 126 | }, |
0785274c MC |
127 | #else |
128 | INVALID_EXTENSION, | |
6b473aca MC |
129 | #endif |
130 | #ifndef OPENSSL_NO_EC | |
131 | { | |
132 | TLSEXT_TYPE_ec_point_formats, | |
3b58c54f | 133 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
1266eefd MC |
134 | NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, |
135 | tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, | |
136 | final_ec_pt_formats | |
6b473aca MC |
137 | }, |
138 | { | |
139 | TLSEXT_TYPE_supported_groups, | |
1266eefd MC |
140 | EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
141 | NULL, tls_parse_ctos_supported_groups, NULL, | |
7da160b0 | 142 | NULL /* TODO(TLS1.3): Need to add this */, |
1266eefd | 143 | tls_construct_ctos_supported_groups, NULL |
6b473aca | 144 | }, |
0785274c MC |
145 | #else |
146 | INVALID_EXTENSION, | |
147 | INVALID_EXTENSION, | |
6b473aca MC |
148 | #endif |
149 | { | |
150 | TLSEXT_TYPE_session_ticket, | |
1266eefd MC |
151 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
152 | init_session_ticket, tls_parse_ctos_session_ticket, | |
153 | tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, | |
154 | tls_construct_ctos_session_ticket, NULL | |
6b473aca MC |
155 | }, |
156 | { | |
157 | TLSEXT_TYPE_signature_algorithms, | |
1266eefd MC |
158 | EXT_CLIENT_HELLO, |
159 | init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL, | |
04904312 | 160 | tls_construct_ctos_sig_algs, final_sig_algs |
6b473aca | 161 | }, |
ab83e314 | 162 | #ifndef OPENSSL_NO_OCSP |
6b473aca MC |
163 | { |
164 | TLSEXT_TYPE_status_request, | |
4b299b8e | 165 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
166 | | EXT_TLS1_3_CERTIFICATE, |
167 | init_status_request, tls_parse_ctos_status_request, | |
168 | tls_parse_stoc_status_request, tls_construct_stoc_status_request, | |
f63e4288 | 169 | tls_construct_ctos_status_request, NULL |
6b473aca | 170 | }, |
0785274c MC |
171 | #else |
172 | INVALID_EXTENSION, | |
ab83e314 | 173 | #endif |
6b473aca MC |
174 | #ifndef OPENSSL_NO_NEXTPROTONEG |
175 | { | |
176 | TLSEXT_TYPE_next_proto_neg, | |
1266eefd MC |
177 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
178 | init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, | |
179 | tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL | |
6b473aca | 180 | }, |
0785274c MC |
181 | #else |
182 | INVALID_EXTENSION, | |
6b473aca MC |
183 | #endif |
184 | { | |
02f0274e MC |
185 | /* |
186 | * Must appear in this list after server_name so that finalisation | |
187 | * happens after server_name callbacks | |
188 | */ | |
6b473aca | 189 | TLSEXT_TYPE_application_layer_protocol_negotiation, |
6b473aca | 190 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
191 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
192 | init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, | |
193 | tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn | |
6b473aca | 194 | }, |
7da160b0 | 195 | #ifndef OPENSSL_NO_SRTP |
6b473aca MC |
196 | { |
197 | TLSEXT_TYPE_use_srtp, | |
6b473aca | 198 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
199 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY, |
200 | init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, | |
201 | tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL | |
6b473aca | 202 | }, |
0785274c MC |
203 | #else |
204 | INVALID_EXTENSION, | |
7da160b0 | 205 | #endif |
6b473aca MC |
206 | { |
207 | TLSEXT_TYPE_encrypt_then_mac, | |
1266eefd MC |
208 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
209 | init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, | |
210 | tls_construct_stoc_etm, tls_construct_ctos_etm, NULL | |
6b473aca | 211 | }, |
6dd083fd | 212 | #ifndef OPENSSL_NO_CT |
6b473aca MC |
213 | { |
214 | TLSEXT_TYPE_signed_certificate_timestamp, | |
1266eefd MC |
215 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
216 | | EXT_TLS1_3_CERTIFICATE, | |
68db4dda | 217 | NULL, |
6b473aca MC |
218 | /* |
219 | * No server side support for this, but can be provided by a custom | |
220 | * extension. This is an exception to the rule that custom extensions | |
221 | * cannot override built in ones. | |
222 | */ | |
1266eefd | 223 | NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL |
6b473aca | 224 | }, |
0785274c MC |
225 | #else |
226 | INVALID_EXTENSION, | |
6dd083fd | 227 | #endif |
6b473aca MC |
228 | { |
229 | TLSEXT_TYPE_extended_master_secret, | |
1266eefd MC |
230 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
231 | init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, | |
232 | tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems | |
6b473aca MC |
233 | }, |
234 | { | |
235 | TLSEXT_TYPE_supported_versions, | |
1266eefd | 236 | EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, |
68db4dda | 237 | NULL, |
6b473aca | 238 | /* Processed inline as part of version selection */ |
1266eefd | 239 | NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL |
6b473aca | 240 | }, |
b2f7e8c0 | 241 | { |
b2f7e8c0 MC |
242 | TLSEXT_TYPE_psk_kex_modes, |
243 | EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, | |
244 | init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, | |
245 | tls_construct_ctos_psk_kex_modes, NULL | |
246 | }, | |
6b473aca | 247 | { |
70af3d8e MC |
248 | /* |
249 | * Must be in this list after supported_groups. We need that to have | |
250 | * been parsed before we do this one. | |
251 | */ | |
6b473aca | 252 | TLSEXT_TYPE_key_share, |
6b473aca MC |
253 | EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO |
254 | | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY | |
1266eefd MC |
255 | | EXT_TLS1_3_ONLY, |
256 | NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, | |
f4bbb37c MC |
257 | tls_construct_stoc_key_share, tls_construct_ctos_key_share, |
258 | final_key_share | |
7da160b0 MC |
259 | }, |
260 | { | |
261 | /* | |
262 | * Special unsolicited ServerHello extension only used when | |
263 | * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set | |
264 | */ | |
265 | TLSEXT_TYPE_cryptopro_bug, | |
1266eefd MC |
266 | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
267 | NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL | |
ab83e314 MC |
268 | }, |
269 | { | |
ec15acb6 MC |
270 | /* Must be immediately before pre_shared_key */ |
271 | /* TODO(TLS1.3): Fix me */ | |
ab83e314 | 272 | TLSEXT_TYPE_padding, |
1266eefd | 273 | EXT_CLIENT_HELLO, |
68db4dda | 274 | NULL, |
ab83e314 | 275 | /* We send this, but don't read it */ |
1266eefd | 276 | NULL, NULL, NULL, tls_construct_ctos_padding, NULL |
ec15acb6 MC |
277 | }, |
278 | { | |
279 | /* Required by the TLSv1.3 spec to always be the last extension */ | |
280 | TLSEXT_TYPE_psk, | |
281 | EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | |
282 | | EXT_TLS1_3_ONLY, | |
0247086d | 283 | NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, |
1053a6e2 | 284 | tls_construct_ctos_psk, NULL |
6b473aca MC |
285 | } |
286 | }; | |
287 | ||
6b473aca MC |
288 | /* |
289 | * Verify whether we are allowed to use the extension |type| in the current | |
290 | * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to | |
70af3d8e MC |
291 | * indicate the extension is not allowed. If returning 1 then |*found| is set to |
292 | * 1 if we found a definition for the extension, and |*idx| is set to its index | |
6b473aca | 293 | */ |
70af3d8e | 294 | static int verify_extension(SSL *s, unsigned int context, unsigned int type, |
1266eefd MC |
295 | custom_ext_methods *meths, RAW_EXTENSION *rawexlist, |
296 | RAW_EXTENSION **found) | |
6b473aca MC |
297 | { |
298 | size_t i; | |
70af3d8e | 299 | size_t builtin_num = OSSL_NELEM(ext_defs); |
d270de32 | 300 | const EXTENSION_DEFINITION *thisext; |
6b473aca | 301 | |
1266eefd MC |
302 | for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { |
303 | if (type == thisext->type) { | |
6b473aca | 304 | /* Check we're allowed to use this extension in this context */ |
1266eefd | 305 | if ((context & thisext->context) == 0) |
6b473aca MC |
306 | return 0; |
307 | ||
308 | if (SSL_IS_DTLS(s)) { | |
1266eefd | 309 | if ((thisext->context & EXT_TLS_ONLY) != 0) |
6b473aca | 310 | return 0; |
1266eefd | 311 | } else if ((thisext->context & EXT_DTLS_ONLY) != 0) { |
6b473aca MC |
312 | return 0; |
313 | } | |
314 | ||
1266eefd | 315 | *found = &rawexlist[i]; |
6b473aca MC |
316 | return 1; |
317 | } | |
318 | } | |
319 | ||
70af3d8e MC |
320 | if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) { |
321 | /* | |
322 | * Custom extensions only apply to <=TLS1.2. This extension is unknown | |
323 | * in this context - we allow it | |
324 | */ | |
1266eefd | 325 | *found = NULL; |
70af3d8e MC |
326 | return 1; |
327 | } | |
6b473aca | 328 | |
70af3d8e MC |
329 | /* Check the custom extensions */ |
330 | if (meths != NULL) { | |
331 | for (i = builtin_num; i < builtin_num + meths->meths_count; i++) { | |
332 | if (meths->meths[i - builtin_num].ext_type == type) { | |
1266eefd | 333 | *found = &rawexlist[i]; |
70af3d8e MC |
334 | return 1; |
335 | } | |
6b473aca MC |
336 | } |
337 | } | |
338 | ||
70af3d8e | 339 | /* Unknown extension. We allow it */ |
1266eefd | 340 | *found = NULL; |
70af3d8e | 341 | return 1; |
6b473aca MC |
342 | } |
343 | ||
70af3d8e MC |
344 | /* |
345 | * Check whether the context defined for an extension |extctx| means whether | |
346 | * the extension is relevant for the current context |thisctx| or not. Returns | |
347 | * 1 if the extension is relevant for this context, and 0 otherwise | |
348 | */ | |
805a2e9e MC |
349 | static int extension_is_relevant(SSL *s, unsigned int extctx, |
350 | unsigned int thisctx) | |
351 | { | |
352 | if ((SSL_IS_DTLS(s) | |
353 | && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0) | |
354 | || (s->version == SSL3_VERSION | |
355 | && (extctx & EXT_SSL3_ALLOWED) == 0) | |
356 | || (SSL_IS_TLS13(s) | |
357 | && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0) | |
358 | || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0)) | |
359 | return 0; | |
360 | ||
361 | return 1; | |
362 | } | |
363 | ||
6b473aca MC |
364 | /* |
365 | * Gather a list of all the extensions from the data in |packet]. |context| | |
70af3d8e | 366 | * tells us which message this extension is for. The raw extension data is |
1266eefd MC |
367 | * stored in |*res| on success. In the event of an error the alert type to use |
368 | * is stored in |*al|. We don't actually process the content of the extensions | |
369 | * yet, except to check their types. This function also runs the initialiser | |
370 | * functions for all known extensions (whether we have collected them or not). | |
371 | * If successful the caller is responsible for freeing the contents of |*res|. | |
6b473aca MC |
372 | * |
373 | * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be | |
374 | * more than one extension of the same type in a ClientHello or ServerHello. | |
375 | * This function returns 1 if all extensions are unique and we have parsed their | |
376 | * types, and 0 if the extensions contain duplicates, could not be successfully | |
1266eefd | 377 | * found, or an internal error occurred. We only check duplicates for |
70af3d8e | 378 | * extensions that we know about. We ignore others. |
6b473aca | 379 | */ |
6b473aca | 380 | int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, |
70af3d8e | 381 | RAW_EXTENSION **res, int *al) |
6b473aca MC |
382 | { |
383 | PACKET extensions = *packet; | |
d270de32 | 384 | size_t i = 0; |
70af3d8e | 385 | custom_ext_methods *exts = NULL; |
6b473aca | 386 | RAW_EXTENSION *raw_extensions = NULL; |
d270de32 | 387 | const EXTENSION_DEFINITION *thisexd; |
6b473aca | 388 | |
ecc2f938 MC |
389 | *res = NULL; |
390 | ||
70af3d8e MC |
391 | /* |
392 | * Initialise server side custom extensions. Client side is done during | |
393 | * construction of extensions for the ClientHello. | |
394 | */ | |
395 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
396 | exts = &s->cert->srv_ext; | |
397 | custom_ext_init(&s->cert->srv_ext); | |
398 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
399 | exts = &s->cert->cli_ext; | |
400 | } | |
401 | ||
402 | raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs) | |
403 | + (exts != NULL ? exts->meths_count : 0)) | |
1266eefd | 404 | * sizeof(*raw_extensions)); |
70af3d8e MC |
405 | if (raw_extensions == NULL) { |
406 | *al = SSL_AD_INTERNAL_ERROR; | |
407 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE); | |
408 | return 0; | |
409 | } | |
410 | ||
6b473aca MC |
411 | while (PACKET_remaining(&extensions) > 0) { |
412 | unsigned int type; | |
413 | PACKET extension; | |
1266eefd | 414 | RAW_EXTENSION *thisex; |
6b473aca MC |
415 | |
416 | if (!PACKET_get_net_2(&extensions, &type) || | |
417 | !PACKET_get_length_prefixed_2(&extensions, &extension)) { | |
418 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); | |
70af3d8e | 419 | *al = SSL_AD_DECODE_ERROR; |
6b473aca MC |
420 | goto err; |
421 | } | |
70af3d8e MC |
422 | /* |
423 | * Verify this extension is allowed. We only check duplicates for | |
424 | * extensions that we recognise. | |
425 | */ | |
1266eefd MC |
426 | if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) |
427 | || (thisex != NULL && thisex->present == 1)) { | |
6b473aca | 428 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); |
70af3d8e | 429 | *al = SSL_AD_ILLEGAL_PARAMETER; |
6b473aca MC |
430 | goto err; |
431 | } | |
1266eefd MC |
432 | if (thisex != NULL) { |
433 | thisex->data = extension; | |
434 | thisex->present = 1; | |
435 | thisex->type = type; | |
6b473aca MC |
436 | } |
437 | } | |
438 | ||
68db4dda MC |
439 | /* |
440 | * Initialise all known extensions relevant to this context, whether we have | |
441 | * found them or not | |
442 | */ | |
1266eefd MC |
443 | for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
444 | if(thisexd->init != NULL && (thisexd->context & context) != 0 | |
445 | && extension_is_relevant(s, thisexd->context, context) | |
446 | && !thisexd->init(s, context)) { | |
70af3d8e | 447 | *al = SSL_AD_INTERNAL_ERROR; |
68db4dda MC |
448 | goto err; |
449 | } | |
450 | } | |
451 | ||
6b473aca | 452 | *res = raw_extensions; |
6b473aca MC |
453 | return 1; |
454 | ||
455 | err: | |
456 | OPENSSL_free(raw_extensions); | |
457 | return 0; | |
458 | } | |
459 | ||
68db4dda | 460 | /* |
70af3d8e MC |
461 | * Runs the parser for a given extension with index |idx|. |exts| contains the |
462 | * list of all parsed extensions previously collected by | |
463 | * tls_collect_extensions(). The parser is only run if it is applicable for the | |
f97d4c37 MC |
464 | * given |context| and the parser has not already been run. If this is for a |
465 | * Certificate message, then we also provide the parser with the relevant | |
8521ced6 | 466 | * Certificate |x| and its position in the |chainidx| with 0 being the first |
f97d4c37 MC |
467 | * Certificate. Returns 1 on success or 0 on failure. In the event of a failure |
468 | * |*al| is populated with a suitable alert code. If an extension is not present | |
469 | * this counted as success. | |
68db4dda | 470 | */ |
d270de32 | 471 | int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, |
8521ced6 | 472 | RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al) |
6b473aca | 473 | { |
70af3d8e | 474 | RAW_EXTENSION *currext = &exts[idx]; |
61138358 MC |
475 | int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, |
476 | size_t chainidx, int *al) = NULL; | |
6b473aca | 477 | |
70af3d8e MC |
478 | /* Skip if the extension is not present */ |
479 | if (!currext->present) | |
480 | return 1; | |
6b473aca | 481 | |
aff8c126 RS |
482 | if (s->ext.debug_cb) |
483 | s->ext.debug_cb(s, !s->server, currext->type, | |
484 | PACKET_data(&currext->data), | |
485 | PACKET_remaining(&currext->data), | |
486 | s->ext.debug_arg); | |
6b473aca | 487 | |
70af3d8e MC |
488 | /* Skip if we've already parsed this extension */ |
489 | if (currext->parsed) | |
490 | return 1; | |
6b473aca | 491 | |
70af3d8e MC |
492 | currext->parsed = 1; |
493 | ||
494 | if (idx < OSSL_NELEM(ext_defs)) { | |
495 | /* We are handling a built-in extension */ | |
496 | const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; | |
497 | ||
498 | /* Check if extension is defined for our protocol. If not, skip */ | |
499 | if (!extension_is_relevant(s, extdef->context, context)) | |
500 | return 1; | |
501 | ||
1266eefd | 502 | parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; |
224135e9 | 503 | |
1266eefd | 504 | if (parser != NULL) |
61138358 | 505 | return parser(s, &currext->data, context, x, chainidx, al); |
6b473aca | 506 | |
70af3d8e MC |
507 | /* |
508 | * If the parser is NULL we fall through to the custom extension | |
509 | * processing | |
510 | */ | |
6b473aca MC |
511 | } |
512 | ||
70af3d8e MC |
513 | /* |
514 | * This is a custom extension. We only allow this if it is a non | |
515 | * resumed session on the server side. | |
8521ced6 | 516 | *chain |
70af3d8e MC |
517 | * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions. |
518 | * We're going to need a new mechanism for TLS1.3 to specify which | |
519 | * messages to add the custom extensions to. | |
520 | */ | |
521 | if ((!s->hit || !s->server) | |
522 | && (context | |
523 | & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 | |
524 | && custom_ext_parse(s, s->server, currext->type, | |
525 | PACKET_data(&currext->data), | |
526 | PACKET_remaining(&currext->data), | |
527 | al) <= 0) | |
528 | return 0; | |
529 | ||
805a2e9e MC |
530 | return 1; |
531 | } | |
532 | ||
533 | /* | |
534 | * Parse all remaining extensions that have not yet been parsed. Also calls the | |
70af3d8e | 535 | * finalisation for all extensions at the end, whether we collected them or not. |
f97d4c37 MC |
536 | * Returns 1 for success or 0 for failure. If we are working on a Certificate |
537 | * message then we also pass the Certificate |x| and its position in the | |
8521ced6 MC |
538 | * |chainidx|, with 0 being the first certificate. On failure, |*al| is |
539 | * populated with a suitable alert code. | |
805a2e9e | 540 | */ |
f97d4c37 | 541 | int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, |
8521ced6 | 542 | size_t chainidx, int *al) |
805a2e9e | 543 | { |
1266eefd | 544 | size_t i, numexts = OSSL_NELEM(ext_defs); |
d270de32 | 545 | const EXTENSION_DEFINITION *thisexd; |
805a2e9e | 546 | |
70af3d8e MC |
547 | /* Calculate the number of extensions in the extensions list */ |
548 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
549 | numexts += s->cert->srv_ext.meths_count; | |
550 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
551 | numexts += s->cert->cli_ext.meths_count; | |
552 | } | |
553 | ||
554 | /* Parse each extension in turn */ | |
1266eefd | 555 | for (i = 0; i < numexts; i++) { |
8521ced6 | 556 | if (!tls_parse_extension(s, i, context, exts, x, chainidx, al)) |
70af3d8e MC |
557 | return 0; |
558 | } | |
805a2e9e | 559 | |
68db4dda MC |
560 | /* |
561 | * Finalise all known extensions relevant to this context, whether we have | |
562 | * found them or not | |
563 | */ | |
1266eefd MC |
564 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
565 | if(thisexd->final != NULL | |
566 | && (thisexd->context & context) != 0 | |
567 | && !thisexd->final(s, context, exts[i].present, al)) | |
68db4dda | 568 | return 0; |
68db4dda MC |
569 | } |
570 | ||
6b473aca MC |
571 | return 1; |
572 | } | |
573 | ||
574 | /* | |
70af3d8e | 575 | * Construct all the extensions relevant to the current |context| and write |
30aeba43 | 576 | * them to |pkt|. If this is an extension for a Certificate in a Certificate |
8521ced6 MC |
577 | * message, then |x| will be set to the Certificate we are handling, and |
578 | * |chainidx| will indicate the position in the chainidx we are processing (with | |
579 | * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a | |
580 | * failure occurs then |al| is populated with a suitable alert code. On a | |
581 | * failure construction stops at the first extension to fail to construct. | |
6b473aca | 582 | */ |
224135e9 | 583 | int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, |
8521ced6 | 584 | X509 *x, size_t chainidx, int *al) |
224135e9 | 585 | { |
1266eefd MC |
586 | size_t i; |
587 | int addcustom = 0, min_version, max_version = 0, reason, tmpal; | |
d270de32 | 588 | const EXTENSION_DEFINITION *thisexd; |
224135e9 | 589 | |
7da160b0 | 590 | /* |
70af3d8e | 591 | * Normally if something goes wrong during construction it's an internal |
7da160b0 MC |
592 | * error. We can always override this later. |
593 | */ | |
70af3d8e | 594 | tmpal = SSL_AD_INTERNAL_ERROR; |
7da160b0 | 595 | |
224135e9 MC |
596 | if (!WPACKET_start_sub_packet_u16(pkt) |
597 | /* | |
598 | * If extensions are of zero length then we don't even add the | |
7da160b0 | 599 | * extensions length bytes to a ClientHello/ServerHello in SSLv3 |
224135e9 | 600 | */ |
7da160b0 MC |
601 | || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 |
602 | && s->version == SSL3_VERSION | |
224135e9 MC |
603 | && !WPACKET_set_flags(pkt, |
604 | WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { | |
224135e9 | 605 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 606 | goto err; |
224135e9 MC |
607 | } |
608 | ||
ab83e314 MC |
609 | if ((context & EXT_CLIENT_HELLO) != 0) { |
610 | reason = ssl_get_client_min_max_version(s, &min_version, &max_version); | |
611 | if (reason != 0) { | |
612 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); | |
70af3d8e | 613 | goto err; |
ab83e314 MC |
614 | } |
615 | } | |
616 | ||
617 | /* Add custom extensions first */ | |
618 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
619 | custom_ext_init(&s->cert->cli_ext); | |
620 | addcustom = 1; | |
621 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
622 | /* | |
623 | * We already initialised the custom extensions during ClientHello | |
624 | * parsing. | |
a1448c26 | 625 | * |
ab83e314 MC |
626 | * TODO(TLS1.3): We're going to need a new custom extension mechanism |
627 | * for TLS1.3, so that custom extensions can specify which of the | |
628 | * multiple message they wish to add themselves to. | |
629 | */ | |
630 | addcustom = 1; | |
631 | } | |
632 | ||
70af3d8e | 633 | if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) { |
ab83e314 | 634 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 635 | goto err; |
ab83e314 MC |
636 | } |
637 | ||
1266eefd | 638 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
61138358 MC |
639 | int (*construct)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, |
640 | size_t chainidx, int *al); | |
4b299b8e | 641 | |
224135e9 | 642 | /* Skip if not relevant for our context */ |
d270de32 | 643 | if ((thisexd->context & context) == 0) |
224135e9 MC |
644 | continue; |
645 | ||
1266eefd MC |
646 | construct = s->server ? thisexd->construct_stoc |
647 | : thisexd->construct_ctos; | |
224135e9 MC |
648 | |
649 | /* Check if this extension is defined for our protocol. If not, skip */ | |
650 | if ((SSL_IS_DTLS(s) | |
1266eefd | 651 | && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY) |
4b299b8e | 652 | != 0) |
224135e9 | 653 | || (s->version == SSL3_VERSION |
1266eefd | 654 | && (thisexd->context & EXT_SSL3_ALLOWED) == 0) |
224135e9 | 655 | || (SSL_IS_TLS13(s) |
1266eefd | 656 | && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY) |
4b299b8e | 657 | != 0) |
224135e9 | 658 | || (!SSL_IS_TLS13(s) |
1266eefd | 659 | && (thisexd->context & EXT_TLS1_3_ONLY) != 0 |
4b299b8e | 660 | && (context & EXT_CLIENT_HELLO) == 0) |
1266eefd | 661 | || ((thisexd->context & EXT_TLS1_3_ONLY) != 0 |
ab83e314 MC |
662 | && (context & EXT_CLIENT_HELLO) != 0 |
663 | && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) | |
224135e9 MC |
664 | || construct == NULL) |
665 | continue; | |
666 | ||
61138358 | 667 | if (!construct(s, pkt, context, x, chainidx, &tmpal)) |
70af3d8e | 668 | goto err; |
224135e9 MC |
669 | } |
670 | ||
224135e9 | 671 | if (!WPACKET_close(pkt)) { |
224135e9 | 672 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 673 | goto err; |
224135e9 MC |
674 | } |
675 | ||
676 | return 1; | |
70af3d8e MC |
677 | |
678 | err: | |
679 | *al = tmpal; | |
680 | return 0; | |
224135e9 | 681 | } |
805a2e9e | 682 | |
70af3d8e MC |
683 | /* |
684 | * Built in extension finalisation and initialisation functions. All initialise | |
685 | * or finalise the associated extension type for the given |context|. For | |
686 | * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 | |
687 | * otherwise. These functions return 1 on success or 0 on failure. In the event | |
688 | * of a failure then |*al| is populated with a suitable error code. | |
689 | */ | |
690 | ||
1266eefd | 691 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
692 | int *al) |
693 | { | |
332eb390 MC |
694 | if (!s->server) { |
695 | /* | |
696 | * Check if we can connect to a server that doesn't support safe | |
697 | * renegotiation | |
698 | */ | |
699 | if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | |
700 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
701 | && !sent) { | |
702 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 703 | SSLerr(SSL_F_FINAL_RENEGOTIATE, |
332eb390 MC |
704 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
705 | return 0; | |
706 | } | |
707 | ||
805a2e9e | 708 | return 1; |
332eb390 | 709 | } |
805a2e9e MC |
710 | |
711 | /* Need RI if renegotiating */ | |
712 | if (s->renegotiate | |
713 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
714 | && !sent) { | |
715 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 716 | SSLerr(SSL_F_FINAL_RENEGOTIATE, |
805a2e9e MC |
717 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
718 | return 0; | |
719 | } | |
720 | ||
332eb390 | 721 | |
805a2e9e MC |
722 | return 1; |
723 | } | |
724 | ||
1266eefd | 725 | static int init_server_name(SSL *s, unsigned int context) |
805a2e9e MC |
726 | { |
727 | if (s->server) | |
728 | s->servername_done = 0; | |
729 | ||
730 | return 1; | |
731 | } | |
732 | ||
1266eefd | 733 | static int final_server_name(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
734 | int *al) |
735 | { | |
736 | int ret = SSL_TLSEXT_ERR_NOACK; | |
737 | int altmp = SSL_AD_UNRECOGNIZED_NAME; | |
738 | ||
aff8c126 RS |
739 | if (s->ctx != NULL && s->ctx->ext.servername_cb != 0) |
740 | ret = s->ctx->ext.servername_cb(s, &altmp, | |
741 | s->ctx->ext.servername_arg); | |
222da979 TS |
742 | else if (s->session_ctx != NULL |
743 | && s->session_ctx->ext.servername_cb != 0) | |
744 | ret = s->session_ctx->ext.servername_cb(s, &altmp, | |
745 | s->session_ctx->ext.servername_arg); | |
805a2e9e MC |
746 | |
747 | switch (ret) { | |
748 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
749 | *al = altmp; | |
750 | return 0; | |
751 | ||
752 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
753 | *al = altmp; | |
754 | return 1; | |
755 | ||
756 | case SSL_TLSEXT_ERR_NOACK: | |
757 | s->servername_done = 0; | |
758 | return 1; | |
759 | ||
760 | default: | |
761 | return 1; | |
762 | } | |
763 | } | |
764 | ||
332eb390 | 765 | #ifndef OPENSSL_NO_EC |
1266eefd | 766 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
767 | int *al) |
768 | { | |
769 | unsigned long alg_k, alg_a; | |
770 | ||
771 | if (s->server) | |
772 | return 1; | |
773 | ||
774 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
775 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
776 | ||
777 | /* | |
778 | * If we are client and using an elliptic curve cryptography cipher | |
779 | * suite, then if server returns an EC point formats lists extension it | |
780 | * must contain uncompressed. | |
781 | */ | |
aff8c126 RS |
782 | if (s->ext.ecpointformats != NULL |
783 | && s->ext.ecpointformats_len > 0 | |
784 | && s->session->ext.ecpointformats != NULL | |
785 | && s->session->ext.ecpointformats_len > 0 | |
1266eefd | 786 | && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { |
332eb390 MC |
787 | /* we are using an ECC cipher */ |
788 | size_t i; | |
aff8c126 | 789 | unsigned char *list = s->session->ext.ecpointformats; |
1266eefd | 790 | |
aff8c126 | 791 | for (i = 0; i < s->session->ext.ecpointformats_len; i++) { |
1266eefd | 792 | if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) |
332eb390 | 793 | break; |
332eb390 | 794 | } |
aff8c126 | 795 | if (i == s->session->ext.ecpointformats_len) { |
7fe97c07 | 796 | SSLerr(SSL_F_FINAL_EC_PT_FORMATS, |
332eb390 MC |
797 | SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); |
798 | return 0; | |
799 | } | |
800 | } | |
801 | ||
802 | return 1; | |
803 | } | |
804 | #endif | |
805 | ||
1266eefd | 806 | static int init_session_ticket(SSL *s, unsigned int context) |
332eb390 MC |
807 | { |
808 | if (!s->server) | |
aff8c126 | 809 | s->ext.ticket_expected = 0; |
332eb390 MC |
810 | |
811 | return 1; | |
812 | } | |
813 | ||
8f8c11d8 | 814 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 815 | static int init_status_request(SSL *s, unsigned int context) |
805a2e9e | 816 | { |
f63e4288 | 817 | if (s->server) { |
aff8c126 | 818 | s->ext.status_type = TLSEXT_STATUSTYPE_nothing; |
f63e4288 MC |
819 | } else { |
820 | /* | |
821 | * Ensure we get sensible values passed to tlsext_status_cb in the event | |
822 | * that we don't receive a status message | |
823 | */ | |
8cbfcc70 RS |
824 | OPENSSL_free(s->ext.ocsp.resp); |
825 | s->ext.ocsp.resp = NULL; | |
826 | s->ext.ocsp.resp_len = 0; | |
f63e4288 | 827 | } |
332eb390 MC |
828 | |
829 | return 1; | |
830 | } | |
8f8c11d8 | 831 | #endif |
332eb390 | 832 | |
805a2e9e | 833 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 834 | static int init_npn(SSL *s, unsigned int context) |
805a2e9e | 835 | { |
aff8c126 | 836 | s->s3->npn_seen = 0; |
805a2e9e MC |
837 | |
838 | return 1; | |
839 | } | |
840 | #endif | |
841 | ||
1266eefd | 842 | static int init_alpn(SSL *s, unsigned int context) |
805a2e9e | 843 | { |
332eb390 MC |
844 | OPENSSL_free(s->s3->alpn_selected); |
845 | s->s3->alpn_selected = NULL; | |
805a2e9e | 846 | if (s->server) { |
805a2e9e MC |
847 | s->s3->alpn_selected_len = 0; |
848 | OPENSSL_free(s->s3->alpn_proposed); | |
849 | s->s3->alpn_proposed = NULL; | |
850 | s->s3->alpn_proposed_len = 0; | |
851 | } | |
805a2e9e MC |
852 | return 1; |
853 | } | |
854 | ||
1266eefd | 855 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al) |
02f0274e MC |
856 | { |
857 | const unsigned char *selected = NULL; | |
858 | unsigned char selected_len = 0; | |
859 | ||
860 | if (!s->server) | |
861 | return 1; | |
862 | ||
aff8c126 RS |
863 | if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { |
864 | int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, | |
865 | s->s3->alpn_proposed, | |
866 | (unsigned int)s->s3->alpn_proposed_len, | |
867 | s->ctx->ext.alpn_select_cb_arg); | |
02f0274e MC |
868 | |
869 | if (r == SSL_TLSEXT_ERR_OK) { | |
870 | OPENSSL_free(s->s3->alpn_selected); | |
871 | s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); | |
872 | if (s->s3->alpn_selected == NULL) { | |
873 | *al = SSL_AD_INTERNAL_ERROR; | |
874 | return 0; | |
875 | } | |
876 | s->s3->alpn_selected_len = selected_len; | |
877 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
878 | /* ALPN takes precedence over NPN. */ | |
aff8c126 | 879 | s->s3->npn_seen = 0; |
02f0274e MC |
880 | #endif |
881 | } else { | |
882 | *al = SSL_AD_NO_APPLICATION_PROTOCOL; | |
883 | return 0; | |
884 | } | |
885 | } | |
886 | ||
887 | return 1; | |
888 | } | |
889 | ||
1266eefd | 890 | static int init_sig_algs(SSL *s, unsigned int context) |
805a2e9e MC |
891 | { |
892 | /* Clear any signature algorithms extension received */ | |
893 | OPENSSL_free(s->s3->tmp.peer_sigalgs); | |
894 | s->s3->tmp.peer_sigalgs = NULL; | |
895 | ||
896 | return 1; | |
897 | } | |
898 | ||
899 | #ifndef OPENSSL_NO_SRP | |
1266eefd | 900 | static int init_srp(SSL *s, unsigned int context) |
805a2e9e MC |
901 | { |
902 | OPENSSL_free(s->srp_ctx.login); | |
903 | s->srp_ctx.login = NULL; | |
904 | ||
905 | return 1; | |
906 | } | |
907 | #endif | |
908 | ||
1266eefd | 909 | static int init_etm(SSL *s, unsigned int context) |
805a2e9e | 910 | { |
332eb390 MC |
911 | s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; |
912 | ||
913 | return 1; | |
914 | } | |
915 | ||
1266eefd | 916 | static int init_ems(SSL *s, unsigned int context) |
332eb390 MC |
917 | { |
918 | if (!s->server) | |
919 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; | |
920 | ||
921 | return 1; | |
922 | } | |
923 | ||
1266eefd | 924 | static int final_ems(SSL *s, unsigned int context, int sent, int *al) |
332eb390 MC |
925 | { |
926 | if (!s->server && s->hit) { | |
927 | /* | |
928 | * Check extended master secret extension is consistent with | |
929 | * original session. | |
930 | */ | |
931 | if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != | |
932 | !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { | |
933 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 934 | SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS); |
332eb390 MC |
935 | return 0; |
936 | } | |
937 | } | |
805a2e9e MC |
938 | |
939 | return 1; | |
940 | } | |
941 | ||
942 | #ifndef OPENSSL_NO_SRTP | |
1266eefd | 943 | static int init_srtp(SSL *s, unsigned int context) |
805a2e9e MC |
944 | { |
945 | if (s->server) | |
946 | s->srtp_profile = NULL; | |
947 | ||
948 | return 1; | |
949 | } | |
950 | #endif | |
04904312 MC |
951 | |
952 | static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al) | |
953 | { | |
954 | if (!sent && SSL_IS_TLS13(s)) { | |
955 | *al = TLS13_AD_MISSING_EXTENSION; | |
956 | SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION); | |
957 | return 0; | |
958 | } | |
959 | ||
960 | return 1; | |
961 | } | |
b2f7e8c0 | 962 | |
f4bbb37c MC |
963 | |
964 | static int final_key_share(SSL *s, unsigned int context, int sent, int *al) | |
965 | { | |
966 | if (!SSL_IS_TLS13(s)) | |
967 | return 1; | |
968 | ||
969 | /* | |
970 | * If | |
971 | * we have no key_share | |
972 | * AND | |
973 | * (we are not resuming | |
974 | * OR the kex_mode doesn't allow non key_share resumes) | |
975 | * THEN | |
976 | * fail | |
977 | */ | |
978 | if (((s->server && s->s3->peer_tmp == NULL) || (!s->server && !sent)) | |
979 | && (!s->hit | |
980 | || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { | |
981 | /* No suitable share */ | |
982 | /* TODO(TLS1.3): Send a HelloRetryRequest */ | |
983 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
984 | SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); | |
985 | return 0; | |
986 | } | |
987 | ||
988 | /* | |
989 | * For a client side resumption with no key_share we need to generate | |
990 | * the handshake secret (otherwise this is done during key_share | |
991 | * processing). | |
992 | */ | |
993 | if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) { | |
994 | *al = SSL_AD_INTERNAL_ERROR; | |
995 | SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR); | |
996 | return 0; | |
997 | } | |
998 | ||
999 | return 1; | |
1000 | } | |
1001 | ||
b2f7e8c0 MC |
1002 | static int init_psk_kex_modes(SSL *s, unsigned int context) |
1003 | { | |
1004 | s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; | |
b2f7e8c0 MC |
1005 | return 1; |
1006 | } | |
1053a6e2 MC |
1007 | |
1008 | int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, | |
1009 | size_t binderoffset, const unsigned char *binderin, | |
1010 | unsigned char *binderout, | |
1011 | SSL_SESSION *sess, int sign) | |
1012 | { | |
1013 | EVP_PKEY *mackey = NULL; | |
1014 | EVP_MD_CTX *mctx = NULL; | |
1015 | unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; | |
1016 | unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; | |
1017 | const char resumption_label[] = "resumption psk binder key"; | |
1f5b44e9 | 1018 | size_t bindersize, hashsize = EVP_MD_size(md); |
1053a6e2 MC |
1019 | int ret = -1; |
1020 | ||
1021 | /* Generate the early_secret */ | |
1022 | if (!tls13_generate_secret(s, md, NULL, sess->master_key, | |
1023 | sess->master_key_length, | |
1024 | (unsigned char *)&s->early_secret)) { | |
1025 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1026 | goto err; | |
1027 | } | |
1028 | ||
1029 | /* | |
1030 | * Create the handshake hash for the binder key...the messages so far are | |
1031 | * empty! | |
1032 | */ | |
1033 | mctx = EVP_MD_CTX_new(); | |
1034 | if (mctx == NULL | |
1035 | || EVP_DigestInit_ex(mctx, md, NULL) <= 0 | |
1036 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { | |
1037 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1038 | goto err; | |
1039 | } | |
1040 | ||
1041 | /* Generate the binder key */ | |
1042 | if (!tls13_hkdf_expand(s, md, s->early_secret, | |
1043 | (unsigned char *)resumption_label, | |
1044 | sizeof(resumption_label) - 1, hash, binderkey, | |
1045 | hashsize)) { | |
1046 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1047 | goto err; | |
1048 | } | |
1049 | ||
1050 | /* Generate the finished key */ | |
1051 | if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) { | |
1052 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1053 | goto err; | |
1054 | } | |
1055 | ||
1056 | /* | |
1057 | * Get a hash of the ClientHello up to the start of the binders. | |
1058 | * TODO(TLS1.3): This will need to be tweaked when we implement | |
1059 | * HelloRetryRequest to include the digest of the previous messages here. | |
1060 | */ | |
1061 | if (EVP_DigestInit_ex(mctx, md, NULL) <= 0 | |
1062 | || EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0 | |
1063 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { | |
1064 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1065 | goto err; | |
1066 | } | |
1067 | ||
1068 | mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize); | |
1069 | if (mackey == NULL) { | |
1070 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1071 | goto err; | |
1072 | } | |
1073 | ||
1074 | if (!sign) | |
1075 | binderout = tmpbinder; | |
1076 | ||
1077 | bindersize = hashsize; | |
1078 | if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0 | |
1079 | || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 | |
1080 | || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 | |
1081 | || bindersize != hashsize) { | |
1082 | SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR); | |
1083 | goto err; | |
1084 | } | |
1085 | ||
1086 | if (sign) { | |
1087 | ret = 1; | |
1088 | } else { | |
1089 | /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ | |
1090 | ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); | |
1091 | } | |
1092 | ||
1093 | err: | |
1094 | OPENSSL_cleanse(binderkey, sizeof(binderkey)); | |
1095 | OPENSSL_cleanse(finishedkey, sizeof(finishedkey)); | |
1096 | EVP_PKEY_free(mackey); | |
1097 | EVP_MD_CTX_free(mctx); | |
1098 | ||
1099 | return ret; | |
1100 | } |