]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make the context available to the extensions parse and construction funcs
[thirdparty/openssl.git] / ssl / statem / extensions.c
CommitLineData
6b473aca
MC		 1/*
2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
6b473aca
MC		 10#include "../ssl_locl.h"
11#include "statem_locl.h"
12
1266eefd 13static int final_renegotiate(SSL *s, unsigned int context, int sent,
805a2e9e 14 int *al);
1266eefd
MC		 15static int init_server_name(SSL *s, unsigned int context);
16static int final_server_name(SSL *s, unsigned int context, int sent,
805a2e9e 17 int *al);
332eb390 18#ifndef OPENSSL_NO_EC
1266eefd 19static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
332eb390
MC		 20 int *al);
21#endif
1266eefd 22static int init_session_ticket(SSL *s, unsigned int context);
8f8c11d8 23#ifndef OPENSSL_NO_OCSP
1266eefd 24static int init_status_request(SSL *s, unsigned int context);
8f8c11d8 25#endif
805a2e9e 26#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 27static int init_npn(SSL *s, unsigned int context);
805a2e9e 28#endif
1266eefd
MC		 29static int init_alpn(SSL *s, unsigned int context);
30static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
31static int init_sig_algs(SSL *s, unsigned int context);
805a2e9e 32#ifndef OPENSSL_NO_SRP
1266eefd 33static int init_srp(SSL *s, unsigned int context);
805a2e9e 34#endif
1266eefd
MC		 35static int init_etm(SSL *s, unsigned int context);
36static int init_ems(SSL *s, unsigned int context);
37static int final_ems(SSL *s, unsigned int context, int sent, int *al);
b2f7e8c0 38static int init_psk_kex_modes(SSL *s, unsigned int context);
f4bbb37c 39static int final_key_share(SSL *s, unsigned int context, int sent, int *al);
805a2e9e 40#ifndef OPENSSL_NO_SRTP
1266eefd 41static int init_srtp(SSL *s, unsigned int context);
805a2e9e 42#endif
04904312 43static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al);
805a2e9e 44
70af3d8e 45/* Structure to define a built-in extension */
1266eefd
MC		 46typedef struct extensions_definition_st {
47 /* The defined type for the extension */
6b473aca 48 unsigned int type;
1266eefd
MC		 49 /*
50 * The context that this extension applies to, e.g. what messages and
51 * protocol versions
52 */
53 unsigned int context;
68db4dda 54 /*
805a2e9e
MC		 55 * Initialise extension before parsing. Always called for relevant contexts
56 * even if extension not present
68db4dda 57 */
1266eefd
MC		 58 int (*init)(SSL *s, unsigned int context);
59 /* Parse extension sent from client to server */
61138358
MC		 60 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
61 size_t chainidx, int *al);
1266eefd 62 /* Parse extension send from server to client */
61138358
MC		 63 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
64 size_t chainidx, int *al);
1266eefd 65 /* Construct extension sent from server to client */
61138358
MC		 66 int (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
67 size_t chainidx, int *al);
1266eefd 68 /* Construct extension sent from client to server */
61138358
MC		 69 int (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
70 size_t chainidx, int *al);
68db4dda 71 /*
805a2e9e
MC		 72 * Finalise extension after parsing. Always called where an extensions was
73 * initialised even if the extension was not present. |sent| is set to 1 if
74 * the extension was seen, or 0 otherwise.
68db4dda 75 */
1266eefd 76 int (*final)(SSL *s, unsigned int context, int sent, int *al);
6b473aca
MC		 77} EXTENSION_DEFINITION;
78
4b299b8e 79/*
70af3d8e 80 * Definitions of all built-in extensions. NOTE: Changes in the number or order
3e6c1da8
F		 81 * of these extensions should be mirrored with equivalent changes to the
82 * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
70af3d8e
MC		 83 * Each extension has an initialiser, a client and
84 * server side parser and a finaliser. The initialiser is called (if the
85 * extension is relevant to the given context) even if we did not see the
86 * extension in the message that we received. The parser functions are only
87 * called if we see the extension in the message. The finalisers are always
88 * called if the initialiser was called.
89 * There are also server and client side constructor functions which are always
90 * called during message construction if the extension is relevant for the
91 * given context.
92 * The initialisation, parsing, finalisation and construction functions are
93 * always called in the order defined in this list. Some extensions may depend
94 * on others having been processed first, so the order of this list is
95 * significant.
96 * The extension context is defined by a series of flags which specify which
97 * messages the extension is relevant to. These flags also specify whether the
3e6c1da8 98 * extension is relevant to a particular protocol or protocol version.
a1448c26 99 *
70af3d8e 100 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
4b299b8e 101 */
0785274c 102#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
6b473aca
MC		 103static const EXTENSION_DEFINITION ext_defs[] = {
104 {
105 TLSEXT_TYPE_renegotiate,
6b473aca 106 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED
1266eefd
MC		 107 | EXT_TLS1_2_AND_BELOW_ONLY,
108 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
109 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
110 final_renegotiate
6b473aca
MC		 111 },
112 {
113 TLSEXT_TYPE_server_name,
6b473aca 114 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
1266eefd
MC		 115 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
116 init_server_name,
117 tls_parse_ctos_server_name, tls_parse_stoc_server_name,
118 tls_construct_stoc_server_name, tls_construct_ctos_server_name,
119 final_server_name
6b473aca
MC		 120 },
121#ifndef OPENSSL_NO_SRP
122 {
123 TLSEXT_TYPE_srp,
1266eefd
MC		 124 EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
125 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
6b473aca 126 },
0785274c
MC		 127#else
128 INVALID_EXTENSION,
6b473aca
MC		 129#endif
130#ifndef OPENSSL_NO_EC
131 {
132 TLSEXT_TYPE_ec_point_formats,
3b58c54f 133 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 134 NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
135 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
136 final_ec_pt_formats
6b473aca
MC		 137 },
138 {
139 TLSEXT_TYPE_supported_groups,
1266eefd
MC		 140 EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
141 NULL, tls_parse_ctos_supported_groups, NULL,
7da160b0 142 NULL /* TODO(TLS1.3): Need to add this */,
1266eefd 143 tls_construct_ctos_supported_groups, NULL
6b473aca 144 },
0785274c
MC		 145#else
146 INVALID_EXTENSION,
147 INVALID_EXTENSION,
6b473aca
MC		 148#endif
149 {
150 TLSEXT_TYPE_session_ticket,
1266eefd
MC		 151 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
152 init_session_ticket, tls_parse_ctos_session_ticket,
153 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
154 tls_construct_ctos_session_ticket, NULL
6b473aca
MC		 155 },
156 {
157 TLSEXT_TYPE_signature_algorithms,
1266eefd
MC		 158 EXT_CLIENT_HELLO,
159 init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL,
04904312 160 tls_construct_ctos_sig_algs, final_sig_algs
6b473aca 161 },
ab83e314 162#ifndef OPENSSL_NO_OCSP
6b473aca
MC		 163 {
164 TLSEXT_TYPE_status_request,
4b299b8e 165 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
1266eefd
MC		 166 | EXT_TLS1_3_CERTIFICATE,
167 init_status_request, tls_parse_ctos_status_request,
168 tls_parse_stoc_status_request, tls_construct_stoc_status_request,
f63e4288 169 tls_construct_ctos_status_request, NULL
6b473aca 170 },
0785274c
MC		 171#else
172 INVALID_EXTENSION,
ab83e314 173#endif
6b473aca
MC		 174#ifndef OPENSSL_NO_NEXTPROTONEG
175 {
176 TLSEXT_TYPE_next_proto_neg,
1266eefd
MC		 177 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
178 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
179 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
6b473aca 180 },
0785274c
MC		 181#else
182 INVALID_EXTENSION,
6b473aca
MC		 183#endif
184 {
02f0274e
MC		 185 /*
186 * Must appear in this list after server_name so that finalisation
187 * happens after server_name callbacks
188 */
6b473aca 189 TLSEXT_TYPE_application_layer_protocol_negotiation,
6b473aca 190 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
1266eefd
MC		 191 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
192 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
193 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
6b473aca 194 },
7da160b0 195#ifndef OPENSSL_NO_SRTP
6b473aca
MC		 196 {
197 TLSEXT_TYPE_use_srtp,
6b473aca 198 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
1266eefd
MC		 199 | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY,
200 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
201 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
6b473aca 202 },
0785274c
MC		 203#else
204 INVALID_EXTENSION,
7da160b0 205#endif
6b473aca
MC		 206 {
207 TLSEXT_TYPE_encrypt_then_mac,
1266eefd
MC		 208 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
209 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
210 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
6b473aca 211 },
6dd083fd 212#ifndef OPENSSL_NO_CT
6b473aca
MC		 213 {
214 TLSEXT_TYPE_signed_certificate_timestamp,
1266eefd
MC		 215 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO
216 | EXT_TLS1_3_CERTIFICATE,
68db4dda 217 NULL,
6b473aca
MC		 218 /*
219 * No server side support for this, but can be provided by a custom
220 * extension. This is an exception to the rule that custom extensions
221 * cannot override built in ones.
222 */
1266eefd 223 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
6b473aca 224 },
0785274c
MC		 225#else
226 INVALID_EXTENSION,
6dd083fd 227#endif
6b473aca
MC		 228 {
229 TLSEXT_TYPE_extended_master_secret,
1266eefd
MC		 230 EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
231 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
232 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
6b473aca
MC		 233 },
234 {
235 TLSEXT_TYPE_supported_versions,
1266eefd 236 EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
68db4dda 237 NULL,
6b473aca 238 /* Processed inline as part of version selection */
1266eefd 239 NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL
6b473aca 240 },
b2f7e8c0 241 {
b2f7e8c0
MC		 242 TLSEXT_TYPE_psk_kex_modes,
243 EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,
244 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
245 tls_construct_ctos_psk_kex_modes, NULL
246 },
6b473aca 247 {
70af3d8e
MC		 248 /*
249 * Must be in this list after supported_groups. We need that to have
250 * been parsed before we do this one.
251 */
6b473aca 252 TLSEXT_TYPE_key_share,
6b473aca
MC		 253 EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO
254 | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY
1266eefd
MC		 255 | EXT_TLS1_3_ONLY,
256 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
f4bbb37c
MC		 257 tls_construct_stoc_key_share, tls_construct_ctos_key_share,
258 final_key_share
7da160b0
MC		 259 },
260 {
261 /*
262 * Special unsolicited ServerHello extension only used when
263 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
264 */
265 TLSEXT_TYPE_cryptopro_bug,
1266eefd
MC		 266 EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
267 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
ab83e314
MC		 268 },
269 {
ec15acb6
MC		 270 /* Must be immediately before pre_shared_key */
271 /* TODO(TLS1.3): Fix me */
ab83e314 272 TLSEXT_TYPE_padding,
1266eefd 273 EXT_CLIENT_HELLO,
68db4dda 274 NULL,
ab83e314 275 /* We send this, but don't read it */
1266eefd 276 NULL, NULL, NULL, tls_construct_ctos_padding, NULL
ec15acb6
MC		 277 },
278 {
279 /* Required by the TLSv1.3 spec to always be the last extension */
280 TLSEXT_TYPE_psk,
281 EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | EXT_TLS_IMPLEMENTATION_ONLY
282 | EXT_TLS1_3_ONLY,
0247086d 283 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
1053a6e2 284 tls_construct_ctos_psk, NULL
6b473aca
MC		 285 }
286};
287
6b473aca
MC		 288/*
289 * Verify whether we are allowed to use the extension |type| in the current
290 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
70af3d8e
MC		 291 * indicate the extension is not allowed. If returning 1 then |*found| is set to
292 * 1 if we found a definition for the extension, and |*idx| is set to its index
6b473aca 293 */
70af3d8e 294static int verify_extension(SSL *s, unsigned int context, unsigned int type,
1266eefd
MC		 295 custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
296 RAW_EXTENSION **found)
6b473aca
MC		 297{
298 size_t i;
70af3d8e 299 size_t builtin_num = OSSL_NELEM(ext_defs);
d270de32 300 const EXTENSION_DEFINITION *thisext;
6b473aca 301
1266eefd
MC		 302 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
303 if (type == thisext->type) {
6b473aca 304 /* Check we're allowed to use this extension in this context */
1266eefd 305 if ((context & thisext->context) == 0)
6b473aca
MC		 306 return 0;
307
308 if (SSL_IS_DTLS(s)) {
1266eefd 309 if ((thisext->context & EXT_TLS_ONLY) != 0)
6b473aca 310 return 0;
1266eefd 311 } else if ((thisext->context & EXT_DTLS_ONLY) != 0) {
6b473aca
MC		 312 return 0;
313 }
314
1266eefd 315 *found = &rawexlist[i];
6b473aca
MC		 316 return 1;
317 }
318 }
319
70af3d8e
MC		 320 if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) {
321 /*
322 * Custom extensions only apply to <=TLS1.2. This extension is unknown
323 * in this context - we allow it
324 */
1266eefd 325 *found = NULL;
70af3d8e
MC		 326 return 1;
327 }
6b473aca 328
70af3d8e
MC		 329 /* Check the custom extensions */
330 if (meths != NULL) {
331 for (i = builtin_num; i < builtin_num + meths->meths_count; i++) {
332 if (meths->meths[i - builtin_num].ext_type == type) {
1266eefd 333 *found = &rawexlist[i];
70af3d8e
MC		 334 return 1;
335 }
6b473aca
MC		 336 }
337 }
338
70af3d8e 339 /* Unknown extension. We allow it */
1266eefd 340 *found = NULL;
70af3d8e 341 return 1;
6b473aca
MC		 342}
343
70af3d8e
MC		 344/*
345 * Check whether the context defined for an extension |extctx| means whether
346 * the extension is relevant for the current context |thisctx| or not. Returns
347 * 1 if the extension is relevant for this context, and 0 otherwise
348 */
805a2e9e
MC		 349static int extension_is_relevant(SSL *s, unsigned int extctx,
350 unsigned int thisctx)
351{
352 if ((SSL_IS_DTLS(s)
353 && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0)
354 || (s->version == SSL3_VERSION
355 && (extctx & EXT_SSL3_ALLOWED) == 0)
356 || (SSL_IS_TLS13(s)
357 && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0)
358 || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0))
359 return 0;
360
361 return 1;
362}
363
6b473aca
MC		 364/*
365 * Gather a list of all the extensions from the data in |packet]. |context|
70af3d8e 366 * tells us which message this extension is for. The raw extension data is
1266eefd
MC		 367 * stored in |*res| on success. In the event of an error the alert type to use
368 * is stored in |*al|. We don't actually process the content of the extensions
369 * yet, except to check their types. This function also runs the initialiser
370 * functions for all known extensions (whether we have collected them or not).
371 * If successful the caller is responsible for freeing the contents of |*res|.
6b473aca
MC		 372 *
373 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
374 * more than one extension of the same type in a ClientHello or ServerHello.
375 * This function returns 1 if all extensions are unique and we have parsed their
376 * types, and 0 if the extensions contain duplicates, could not be successfully
1266eefd 377 * found, or an internal error occurred. We only check duplicates for
70af3d8e 378 * extensions that we know about. We ignore others.
6b473aca 379 */
6b473aca 380int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
70af3d8e 381 RAW_EXTENSION **res, int *al)
6b473aca
MC		 382{
383 PACKET extensions = *packet;
d270de32 384 size_t i = 0;
70af3d8e 385 custom_ext_methods *exts = NULL;
6b473aca 386 RAW_EXTENSION *raw_extensions = NULL;
d270de32 387 const EXTENSION_DEFINITION *thisexd;
6b473aca 388
ecc2f938
MC		 389 *res = NULL;
390
70af3d8e
MC		 391 /*
392 * Initialise server side custom extensions. Client side is done during
393 * construction of extensions for the ClientHello.
394 */
395 if ((context & EXT_CLIENT_HELLO) != 0) {
396 exts = &s->cert->srv_ext;
397 custom_ext_init(&s->cert->srv_ext);
398 } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
399 exts = &s->cert->cli_ext;
400 }
401
402 raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs)
403 + (exts != NULL ? exts->meths_count : 0))
1266eefd 404 * sizeof(*raw_extensions));
70af3d8e
MC		 405 if (raw_extensions == NULL) {
406 *al = SSL_AD_INTERNAL_ERROR;
407 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE);
408 return 0;
409 }
410
6b473aca
MC		 411 while (PACKET_remaining(&extensions) > 0) {
412 unsigned int type;
413 PACKET extension;
1266eefd 414 RAW_EXTENSION *thisex;
6b473aca
MC		 415
416 if (!PACKET_get_net_2(&extensions, &type) ||
417 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
418 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
70af3d8e 419 *al = SSL_AD_DECODE_ERROR;
6b473aca
MC		 420 goto err;
421 }
70af3d8e
MC		 422 /*
423 * Verify this extension is allowed. We only check duplicates for
424 * extensions that we recognise.
425 */
1266eefd
MC		 426 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
427 || (thisex != NULL && thisex->present == 1)) {
6b473aca 428 SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
70af3d8e 429 *al = SSL_AD_ILLEGAL_PARAMETER;
6b473aca
MC		 430 goto err;
431 }
1266eefd
MC		 432 if (thisex != NULL) {
433 thisex->data = extension;
434 thisex->present = 1;
435 thisex->type = type;
6b473aca
MC		 436 }
437 }
438
68db4dda
MC		 439 /*
440 * Initialise all known extensions relevant to this context, whether we have
441 * found them or not
442 */
1266eefd
MC		 443 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
444 if(thisexd->init != NULL && (thisexd->context & context) != 0
445 && extension_is_relevant(s, thisexd->context, context)
446 && !thisexd->init(s, context)) {
70af3d8e 447 *al = SSL_AD_INTERNAL_ERROR;
68db4dda
MC		 448 goto err;
449 }
450 }
451
6b473aca 452 *res = raw_extensions;
6b473aca
MC		 453 return 1;
454
455 err:
456 OPENSSL_free(raw_extensions);
457 return 0;
458}
459
68db4dda 460/*
70af3d8e
MC		 461 * Runs the parser for a given extension with index |idx|. |exts| contains the
462 * list of all parsed extensions previously collected by
463 * tls_collect_extensions(). The parser is only run if it is applicable for the
f97d4c37
MC		 464 * given |context| and the parser has not already been run. If this is for a
465 * Certificate message, then we also provide the parser with the relevant
8521ced6 466 * Certificate |x| and its position in the |chainidx| with 0 being the first
f97d4c37
MC		 467 * Certificate. Returns 1 on success or 0 on failure. In the event of a failure
468 * |*al| is populated with a suitable alert code. If an extension is not present
469 * this counted as success.
68db4dda 470 */
d270de32 471int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
8521ced6 472 RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al)
6b473aca 473{
70af3d8e 474 RAW_EXTENSION *currext = &exts[idx];
61138358
MC		 475 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
476 size_t chainidx, int *al) = NULL;
6b473aca 477
70af3d8e
MC		 478 /* Skip if the extension is not present */
479 if (!currext->present)
480 return 1;
6b473aca 481
aff8c126
RS		 482 if (s->ext.debug_cb)
483 s->ext.debug_cb(s, !s->server, currext->type,
484 PACKET_data(&currext->data),
485 PACKET_remaining(&currext->data),
486 s->ext.debug_arg);
6b473aca 487
70af3d8e
MC		 488 /* Skip if we've already parsed this extension */
489 if (currext->parsed)
490 return 1;
6b473aca 491
70af3d8e
MC		 492 currext->parsed = 1;
493
494 if (idx < OSSL_NELEM(ext_defs)) {
495 /* We are handling a built-in extension */
496 const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
497
498 /* Check if extension is defined for our protocol. If not, skip */
499 if (!extension_is_relevant(s, extdef->context, context))
500 return 1;
501
1266eefd 502 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
224135e9 503
1266eefd 504 if (parser != NULL)
61138358 505 return parser(s, &currext->data, context, x, chainidx, al);
6b473aca 506
70af3d8e
MC		 507 /*
508 * If the parser is NULL we fall through to the custom extension
509 * processing
510 */
6b473aca
MC		 511 }
512
70af3d8e
MC		 513 /*
514 * This is a custom extension. We only allow this if it is a non
515 * resumed session on the server side.
8521ced6 516 *chain
70af3d8e
MC		 517 * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions.
518 * We're going to need a new mechanism for TLS1.3 to specify which
519 * messages to add the custom extensions to.
520 */
521 if ((!s->hit || !s->server)
522 && (context
523 & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
524 && custom_ext_parse(s, s->server, currext->type,
525 PACKET_data(&currext->data),
526 PACKET_remaining(&currext->data),
527 al) <= 0)
528 return 0;
529
805a2e9e
MC		 530 return 1;
531}
532
533/*
534 * Parse all remaining extensions that have not yet been parsed. Also calls the
70af3d8e 535 * finalisation for all extensions at the end, whether we collected them or not.
f97d4c37
MC		 536 * Returns 1 for success or 0 for failure. If we are working on a Certificate
537 * message then we also pass the Certificate |x| and its position in the
8521ced6
MC		 538 * |chainidx|, with 0 being the first certificate. On failure, |*al| is
539 * populated with a suitable alert code.
805a2e9e 540 */
f97d4c37 541int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
8521ced6 542 size_t chainidx, int *al)
805a2e9e 543{
1266eefd 544 size_t i, numexts = OSSL_NELEM(ext_defs);
d270de32 545 const EXTENSION_DEFINITION *thisexd;
805a2e9e 546
70af3d8e
MC		 547 /* Calculate the number of extensions in the extensions list */
548 if ((context & EXT_CLIENT_HELLO) != 0) {
549 numexts += s->cert->srv_ext.meths_count;
550 } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
551 numexts += s->cert->cli_ext.meths_count;
552 }
553
554 /* Parse each extension in turn */
1266eefd 555 for (i = 0; i < numexts; i++) {
8521ced6 556 if (!tls_parse_extension(s, i, context, exts, x, chainidx, al))
70af3d8e
MC		 557 return 0;
558 }
805a2e9e 559
68db4dda
MC		 560 /*
561 * Finalise all known extensions relevant to this context, whether we have
562 * found them or not
563 */
1266eefd
MC		 564 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
565 if(thisexd->final != NULL
566 && (thisexd->context & context) != 0
567 && !thisexd->final(s, context, exts[i].present, al))
68db4dda 568 return 0;
68db4dda
MC		 569 }
570
6b473aca
MC		 571 return 1;
572}
573
574/*
70af3d8e 575 * Construct all the extensions relevant to the current |context| and write
30aeba43 576 * them to |pkt|. If this is an extension for a Certificate in a Certificate
8521ced6
MC		 577 * message, then |x| will be set to the Certificate we are handling, and
578 * |chainidx| will indicate the position in the chainidx we are processing (with
579 * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a
580 * failure occurs then |al| is populated with a suitable alert code. On a
581 * failure construction stops at the first extension to fail to construct.
6b473aca 582 */
224135e9 583int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
8521ced6 584 X509 *x, size_t chainidx, int *al)
224135e9 585{
1266eefd
MC		 586 size_t i;
587 int addcustom = 0, min_version, max_version = 0, reason, tmpal;
d270de32 588 const EXTENSION_DEFINITION *thisexd;
224135e9 589
7da160b0 590 /*
70af3d8e 591 * Normally if something goes wrong during construction it's an internal
7da160b0
MC		 592 * error. We can always override this later.
593 */
70af3d8e 594 tmpal = SSL_AD_INTERNAL_ERROR;
7da160b0 595
224135e9
MC		 596 if (!WPACKET_start_sub_packet_u16(pkt)
597 /*
598 * If extensions are of zero length then we don't even add the
7da160b0 599 * extensions length bytes to a ClientHello/ServerHello in SSLv3
224135e9 600 */
7da160b0
MC		 601 || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0
602 && s->version == SSL3_VERSION
224135e9
MC		 603 && !WPACKET_set_flags(pkt,
604 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
224135e9 605 SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
70af3d8e 606 goto err;
224135e9
MC		 607 }
608
ab83e314
MC		 609 if ((context & EXT_CLIENT_HELLO) != 0) {
610 reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
611 if (reason != 0) {
612 SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
70af3d8e 613 goto err;
ab83e314
MC		 614 }
615 }
616
617 /* Add custom extensions first */
618 if ((context & EXT_CLIENT_HELLO) != 0) {
619 custom_ext_init(&s->cert->cli_ext);
620 addcustom = 1;
621 } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {
622 /*
623 * We already initialised the custom extensions during ClientHello
624 * parsing.
a1448c26 625 *
ab83e314
MC		 626 * TODO(TLS1.3): We're going to need a new custom extension mechanism
627 * for TLS1.3, so that custom extensions can specify which of the
628 * multiple message they wish to add themselves to.
629 */
630 addcustom = 1;
631 }
632
70af3d8e 633 if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) {
ab83e314 634 SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
70af3d8e 635 goto err;
ab83e314
MC		 636 }
637
1266eefd 638 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
61138358
MC		 639 int (*construct)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
640 size_t chainidx, int *al);
4b299b8e 641
224135e9 642 /* Skip if not relevant for our context */
d270de32 643 if ((thisexd->context & context) == 0)
224135e9
MC		 644 continue;
645
1266eefd
MC		 646 construct = s->server ? thisexd->construct_stoc
647 : thisexd->construct_ctos;
224135e9
MC		 648
649 /* Check if this extension is defined for our protocol. If not, skip */
650 if ((SSL_IS_DTLS(s)
1266eefd 651 && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY)
4b299b8e 652 != 0)
224135e9 653 || (s->version == SSL3_VERSION
1266eefd 654 && (thisexd->context & EXT_SSL3_ALLOWED) == 0)
224135e9 655 || (SSL_IS_TLS13(s)
1266eefd 656 && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY)
4b299b8e 657 != 0)
224135e9 658 || (!SSL_IS_TLS13(s)
1266eefd 659 && (thisexd->context & EXT_TLS1_3_ONLY) != 0
4b299b8e 660 && (context & EXT_CLIENT_HELLO) == 0)
1266eefd 661 || ((thisexd->context & EXT_TLS1_3_ONLY) != 0
ab83e314
MC		 662 && (context & EXT_CLIENT_HELLO) != 0
663 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
224135e9
MC		 664 || construct == NULL)
665 continue;
666
61138358 667 if (!construct(s, pkt, context, x, chainidx, &tmpal))
70af3d8e 668 goto err;
224135e9
MC		 669 }
670
224135e9 671 if (!WPACKET_close(pkt)) {
224135e9 672 SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR);
70af3d8e 673 goto err;
224135e9
MC		 674 }
675
676 return 1;
70af3d8e
MC		 677
678 err:
679 *al = tmpal;
680 return 0;
224135e9 681}
805a2e9e 682
70af3d8e
MC		 683/*
684 * Built in extension finalisation and initialisation functions. All initialise
685 * or finalise the associated extension type for the given |context|. For
686 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
687 * otherwise. These functions return 1 on success or 0 on failure. In the event
688 * of a failure then |*al| is populated with a suitable error code.
689 */
690
1266eefd 691static int final_renegotiate(SSL *s, unsigned int context, int sent,
805a2e9e
MC		 692 int *al)
693{
332eb390
MC		 694 if (!s->server) {
695 /*
696 * Check if we can connect to a server that doesn't support safe
697 * renegotiation
698 */
699 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
700 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
701 && !sent) {
702 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 703 SSLerr(SSL_F_FINAL_RENEGOTIATE,
332eb390
MC		 704 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
705 return 0;
706 }
707
805a2e9e 708 return 1;
332eb390 709 }
805a2e9e
MC		 710
711 /* Need RI if renegotiating */
712 if (s->renegotiate
713 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
714 && !sent) {
715 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 716 SSLerr(SSL_F_FINAL_RENEGOTIATE,
805a2e9e
MC		 717 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
718 return 0;
719 }
720
332eb390 721
805a2e9e
MC		 722 return 1;
723}
724
1266eefd 725static int init_server_name(SSL *s, unsigned int context)
805a2e9e
MC		 726{
727 if (s->server)
728 s->servername_done = 0;
729
730 return 1;
731}
732
1266eefd 733static int final_server_name(SSL *s, unsigned int context, int sent,
805a2e9e
MC		 734 int *al)
735{
736 int ret = SSL_TLSEXT_ERR_NOACK;
737 int altmp = SSL_AD_UNRECOGNIZED_NAME;
738
aff8c126
RS		 739 if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
740 ret = s->ctx->ext.servername_cb(s, &altmp,
741 s->ctx->ext.servername_arg);
222da979
TS		 742 else if (s->session_ctx != NULL
743 && s->session_ctx->ext.servername_cb != 0)
744 ret = s->session_ctx->ext.servername_cb(s, &altmp,
745 s->session_ctx->ext.servername_arg);
805a2e9e
MC		 746
747 switch (ret) {
748 case SSL_TLSEXT_ERR_ALERT_FATAL:
749 *al = altmp;
750 return 0;
751
752 case SSL_TLSEXT_ERR_ALERT_WARNING:
753 *al = altmp;
754 return 1;
755
756 case SSL_TLSEXT_ERR_NOACK:
757 s->servername_done = 0;
758 return 1;
759
760 default:
761 return 1;
762 }
763}
764
332eb390 765#ifndef OPENSSL_NO_EC
1266eefd 766static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
332eb390
MC		 767 int *al)
768{
769 unsigned long alg_k, alg_a;
770
771 if (s->server)
772 return 1;
773
774 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
775 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
776
777 /*
778 * If we are client and using an elliptic curve cryptography cipher
779 * suite, then if server returns an EC point formats lists extension it
780 * must contain uncompressed.
781 */
aff8c126
RS		 782 if (s->ext.ecpointformats != NULL
783 && s->ext.ecpointformats_len > 0
784 && s->session->ext.ecpointformats != NULL
785 && s->session->ext.ecpointformats_len > 0
1266eefd 786 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
332eb390
MC		 787 /* we are using an ECC cipher */
788 size_t i;
aff8c126 789 unsigned char *list = s->session->ext.ecpointformats;
1266eefd 790
aff8c126 791 for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
1266eefd 792 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
332eb390 793 break;
332eb390 794 }
aff8c126 795 if (i == s->session->ext.ecpointformats_len) {
7fe97c07 796 SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
332eb390
MC		 797 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
798 return 0;
799 }
800 }
801
802 return 1;
803}
804#endif
805
1266eefd 806static int init_session_ticket(SSL *s, unsigned int context)
332eb390
MC		 807{
808 if (!s->server)
aff8c126 809 s->ext.ticket_expected = 0;
332eb390
MC		 810
811 return 1;
812}
813
8f8c11d8 814#ifndef OPENSSL_NO_OCSP
1266eefd 815static int init_status_request(SSL *s, unsigned int context)
805a2e9e 816{
f63e4288 817 if (s->server) {
aff8c126 818 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
f63e4288
MC		 819 } else {
820 /*
821 * Ensure we get sensible values passed to tlsext_status_cb in the event
822 * that we don't receive a status message
823 */
8cbfcc70
RS		 824 OPENSSL_free(s->ext.ocsp.resp);
825 s->ext.ocsp.resp = NULL;
826 s->ext.ocsp.resp_len = 0;
f63e4288 827 }
332eb390
MC		 828
829 return 1;
830}
8f8c11d8 831#endif
332eb390 832
805a2e9e 833#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 834static int init_npn(SSL *s, unsigned int context)
805a2e9e 835{
aff8c126 836 s->s3->npn_seen = 0;
805a2e9e
MC		 837
838 return 1;
839}
840#endif
841
1266eefd 842static int init_alpn(SSL *s, unsigned int context)
805a2e9e 843{
332eb390
MC		 844 OPENSSL_free(s->s3->alpn_selected);
845 s->s3->alpn_selected = NULL;
805a2e9e 846 if (s->server) {
805a2e9e
MC		 847 s->s3->alpn_selected_len = 0;
848 OPENSSL_free(s->s3->alpn_proposed);
849 s->s3->alpn_proposed = NULL;
850 s->s3->alpn_proposed_len = 0;
851 }
805a2e9e
MC		 852 return 1;
853}
854
1266eefd 855static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
02f0274e
MC		 856{
857 const unsigned char *selected = NULL;
858 unsigned char selected_len = 0;
859
860 if (!s->server)
861 return 1;
862
aff8c126
RS		 863 if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
864 int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
865 s->s3->alpn_proposed,
866 (unsigned int)s->s3->alpn_proposed_len,
867 s->ctx->ext.alpn_select_cb_arg);
02f0274e
MC		 868
869 if (r == SSL_TLSEXT_ERR_OK) {
870 OPENSSL_free(s->s3->alpn_selected);
871 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
872 if (s->s3->alpn_selected == NULL) {
873 *al = SSL_AD_INTERNAL_ERROR;
874 return 0;
875 }
876 s->s3->alpn_selected_len = selected_len;
877#ifndef OPENSSL_NO_NEXTPROTONEG
878 /* ALPN takes precedence over NPN. */
aff8c126 879 s->s3->npn_seen = 0;
02f0274e
MC		 880#endif
881 } else {
882 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
883 return 0;
884 }
885 }
886
887 return 1;
888}
889
1266eefd 890static int init_sig_algs(SSL *s, unsigned int context)
805a2e9e
MC		 891{
892 /* Clear any signature algorithms extension received */
893 OPENSSL_free(s->s3->tmp.peer_sigalgs);
894 s->s3->tmp.peer_sigalgs = NULL;
895
896 return 1;
897}
898
899#ifndef OPENSSL_NO_SRP
1266eefd 900static int init_srp(SSL *s, unsigned int context)
805a2e9e
MC		 901{
902 OPENSSL_free(s->srp_ctx.login);
903 s->srp_ctx.login = NULL;
904
905 return 1;
906}
907#endif
908
1266eefd 909static int init_etm(SSL *s, unsigned int context)
805a2e9e 910{
332eb390
MC		 911 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
912
913 return 1;
914}
915
1266eefd 916static int init_ems(SSL *s, unsigned int context)
332eb390
MC		 917{
918 if (!s->server)
919 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
920
921 return 1;
922}
923
1266eefd 924static int final_ems(SSL *s, unsigned int context, int sent, int *al)
332eb390
MC		 925{
926 if (!s->server && s->hit) {
927 /*
928 * Check extended master secret extension is consistent with
929 * original session.
930 */
931 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
932 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
933 *al = SSL_AD_HANDSHAKE_FAILURE;
7fe97c07 934 SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS);
332eb390
MC		 935 return 0;
936 }
937 }
805a2e9e
MC		 938
939 return 1;
940}
941
942#ifndef OPENSSL_NO_SRTP
1266eefd 943static int init_srtp(SSL *s, unsigned int context)
805a2e9e
MC		 944{
945 if (s->server)
946 s->srtp_profile = NULL;
947
948 return 1;
949}
950#endif
04904312
MC		 951
952static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al)
953{
954 if (!sent && SSL_IS_TLS13(s)) {
955 *al = TLS13_AD_MISSING_EXTENSION;
956 SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION);
957 return 0;
958 }
959
960 return 1;
961}
b2f7e8c0 962
f4bbb37c
MC		 963
964static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
965{
966 if (!SSL_IS_TLS13(s))
967 return 1;
968
969 /*
970 * If
971 * we have no key_share
972 * AND
973 * (we are not resuming
974 * OR the kex_mode doesn't allow non key_share resumes)
975 * THEN
976 * fail
977 */
978 if (((s->server && s->s3->peer_tmp == NULL) || (!s->server && !sent))
979 && (!s->hit
980 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
981 /* No suitable share */
982 /* TODO(TLS1.3): Send a HelloRetryRequest */
983 *al = SSL_AD_HANDSHAKE_FAILURE;
984 SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
985 return 0;
986 }
987
988 /*
989 * For a client side resumption with no key_share we need to generate
990 * the handshake secret (otherwise this is done during key_share
991 * processing).
992 */
993 if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) {
994 *al = SSL_AD_INTERNAL_ERROR;
995 SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
996 return 0;
997 }
998
999 return 1;
1000}
1001
b2f7e8c0
MC		 1002static int init_psk_kex_modes(SSL *s, unsigned int context)
1003{
1004 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
b2f7e8c0
MC		 1005 return 1;
1006}
1053a6e2
MC		 1007
1008int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1009 size_t binderoffset, const unsigned char *binderin,
1010 unsigned char *binderout,
1011 SSL_SESSION *sess, int sign)
1012{
1013 EVP_PKEY *mackey = NULL;
1014 EVP_MD_CTX *mctx = NULL;
1015 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1016 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
1017 const char resumption_label[] = "resumption psk binder key";
1f5b44e9 1018 size_t bindersize, hashsize = EVP_MD_size(md);
1053a6e2
MC		 1019 int ret = -1;
1020
1021 /* Generate the early_secret */
1022 if (!tls13_generate_secret(s, md, NULL, sess->master_key,
1023 sess->master_key_length,
1024 (unsigned char *)&s->early_secret)) {
1025 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1026 goto err;
1027 }
1028
1029 /*
1030 * Create the handshake hash for the binder key...the messages so far are
1031 * empty!
1032 */
1033 mctx = EVP_MD_CTX_new();
1034 if (mctx == NULL
1035 || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1036 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1037 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1038 goto err;
1039 }
1040
1041 /* Generate the binder key */
1042 if (!tls13_hkdf_expand(s, md, s->early_secret,
1043 (unsigned char *)resumption_label,
1044 sizeof(resumption_label) - 1, hash, binderkey,
1045 hashsize)) {
1046 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1047 goto err;
1048 }
1049
1050 /* Generate the finished key */
1051 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
1052 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1053 goto err;
1054 }
1055
1056 /*
1057 * Get a hash of the ClientHello up to the start of the binders.
1058 * TODO(TLS1.3): This will need to be tweaked when we implement
1059 * HelloRetryRequest to include the digest of the previous messages here.
1060 */
1061 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0
1062 || EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1063 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1064 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1065 goto err;
1066 }
1067
1068 mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize);
1069 if (mackey == NULL) {
1070 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1071 goto err;
1072 }
1073
1074 if (!sign)
1075 binderout = tmpbinder;
1076
1077 bindersize = hashsize;
1078 if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
1079 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1080 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1081 || bindersize != hashsize) {
1082 SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
1083 goto err;
1084 }
1085
1086 if (sign) {
1087 ret = 1;
1088 } else {
1089 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1090 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
1091 }
1092
1093 err:
1094 OPENSSL_cleanse(binderkey, sizeof(binderkey));
1095 OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1096 EVP_PKEY_free(mackey);
1097 EVP_MD_CTX_free(mctx);
1098
1099 return ret;
1100}
A mirror of the official openssl repository