]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update ServerHello to new draft-22 format
[thirdparty/openssl.git] / ssl / statem / extensions.c
CommitLineData
6b473aca 1/*
b186a592 2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
6b473aca
MC		 3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
f6370040 10#include <string.h>
677963e5 11#include "internal/nelem.h"
88050dd1 12#include "internal/cryptlib.h"
6b473aca
MC		 13#include "../ssl_locl.h"
14#include "statem_locl.h"
15
f63a17d6 16static int final_renegotiate(SSL *s, unsigned int context, int sent);
1266eefd 17static int init_server_name(SSL *s, unsigned int context);
f63a17d6 18static int final_server_name(SSL *s, unsigned int context, int sent);
332eb390 19#ifndef OPENSSL_NO_EC
f63a17d6 20static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
332eb390 21#endif
1266eefd 22static int init_session_ticket(SSL *s, unsigned int context);
8f8c11d8 23#ifndef OPENSSL_NO_OCSP
1266eefd 24static int init_status_request(SSL *s, unsigned int context);
8f8c11d8 25#endif
805a2e9e 26#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 27static int init_npn(SSL *s, unsigned int context);
805a2e9e 28#endif
1266eefd 29static int init_alpn(SSL *s, unsigned int context);
f63a17d6 30static int final_alpn(SSL *s, unsigned int context, int sent);
1266eefd 31static int init_sig_algs(SSL *s, unsigned int context);
45615c5f 32static int init_certificate_authorities(SSL *s, unsigned int context);
b186a592
MC		 33static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
34 unsigned int context,
35 X509 *x,
f63a17d6 36 size_t chainidx);
45615c5f
DSH		 37static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
38 unsigned int context, X509 *x,
f63a17d6 39 size_t chainidx);
805a2e9e 40#ifndef OPENSSL_NO_SRP
1266eefd 41static int init_srp(SSL *s, unsigned int context);
805a2e9e 42#endif
1266eefd
MC		 43static int init_etm(SSL *s, unsigned int context);
44static int init_ems(SSL *s, unsigned int context);
f63a17d6 45static int final_ems(SSL *s, unsigned int context, int sent);
b2f7e8c0 46static int init_psk_kex_modes(SSL *s, unsigned int context);
deb2d5e7 47#ifndef OPENSSL_NO_EC
f63a17d6 48static int final_key_share(SSL *s, unsigned int context, int sent);
deb2d5e7 49#endif
805a2e9e 50#ifndef OPENSSL_NO_SRTP
1266eefd 51static int init_srtp(SSL *s, unsigned int context);
805a2e9e 52#endif
f63a17d6
MC		 53static int final_sig_algs(SSL *s, unsigned int context, int sent);
54static int final_early_data(SSL *s, unsigned int context, int sent);
55static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
805a2e9e 56
70af3d8e 57/* Structure to define a built-in extension */
1266eefd
MC		 58typedef struct extensions_definition_st {
59 /* The defined type for the extension */
6b473aca 60 unsigned int type;
1266eefd
MC		 61 /*
62 * The context that this extension applies to, e.g. what messages and
63 * protocol versions
64 */
65 unsigned int context;
68db4dda 66 /*
805a2e9e
MC		 67 * Initialise extension before parsing. Always called for relevant contexts
68 * even if extension not present
68db4dda 69 */
1266eefd
MC		 70 int (*init)(SSL *s, unsigned int context);
71 /* Parse extension sent from client to server */
61138358 72 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 73 size_t chainidx);
1266eefd 74 /* Parse extension send from server to client */
61138358 75 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 76 size_t chainidx);
1266eefd 77 /* Construct extension sent from server to client */
b186a592 78 EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 79 X509 *x, size_t chainidx);
1266eefd 80 /* Construct extension sent from client to server */
b186a592 81 EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 82 X509 *x, size_t chainidx);
68db4dda 83 /*
805a2e9e
MC		 84 * Finalise extension after parsing. Always called where an extensions was
85 * initialised even if the extension was not present. |sent| is set to 1 if
86 * the extension was seen, or 0 otherwise.
68db4dda 87 */
f63a17d6 88 int (*final)(SSL *s, unsigned int context, int sent);
6b473aca
MC		 89} EXTENSION_DEFINITION;
90
4b299b8e 91/*
70af3d8e 92 * Definitions of all built-in extensions. NOTE: Changes in the number or order
bd91e3c8 93 * of these extensions should be mirrored with equivalent changes to the
3e6c1da8 94 * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
70af3d8e
MC		 95 * Each extension has an initialiser, a client and
96 * server side parser and a finaliser. The initialiser is called (if the
97 * extension is relevant to the given context) even if we did not see the
98 * extension in the message that we received. The parser functions are only
99 * called if we see the extension in the message. The finalisers are always
100 * called if the initialiser was called.
101 * There are also server and client side constructor functions which are always
102 * called during message construction if the extension is relevant for the
103 * given context.
104 * The initialisation, parsing, finalisation and construction functions are
105 * always called in the order defined in this list. Some extensions may depend
106 * on others having been processed first, so the order of this list is
107 * significant.
108 * The extension context is defined by a series of flags which specify which
109 * messages the extension is relevant to. These flags also specify whether the
3e6c1da8 110 * extension is relevant to a particular protocol or protocol version.
a1448c26 111 *
70af3d8e 112 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
10ed1b72
TS		 113 *
114 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
115 * the end, keep these extensions before signature_algorithm.
4b299b8e 116 */
0785274c 117#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
6b473aca
MC		 118static const EXTENSION_DEFINITION ext_defs[] = {
119 {
120 TLSEXT_TYPE_renegotiate,
fe874d27
MC		 121 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
122 | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 123 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
124 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
125 final_renegotiate
6b473aca
MC		 126 },
127 {
128 TLSEXT_TYPE_server_name,
fe874d27
MC		 129 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
130 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
1266eefd
MC		 131 init_server_name,
132 tls_parse_ctos_server_name, tls_parse_stoc_server_name,
133 tls_construct_stoc_server_name, tls_construct_ctos_server_name,
134 final_server_name
6b473aca 135 },
cf72c757
F		 136 {
137 TLSEXT_TYPE_max_fragment_length,
138 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
139 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
140 NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
141 tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
142 final_maxfragmentlen
143 },
6b473aca
MC		 144#ifndef OPENSSL_NO_SRP
145 {
146 TLSEXT_TYPE_srp,
fe874d27 147 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd 148 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
6b473aca 149 },
0785274c
MC		 150#else
151 INVALID_EXTENSION,
6b473aca
MC		 152#endif
153#ifndef OPENSSL_NO_EC
154 {
155 TLSEXT_TYPE_ec_point_formats,
fe874d27
MC		 156 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
157 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 158 NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
159 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
160 final_ec_pt_formats
6b473aca
MC		 161 },
162 {
163 TLSEXT_TYPE_supported_groups,
fe874d27 164 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
1266eefd 165 NULL, tls_parse_ctos_supported_groups, NULL,
6af87546 166 tls_construct_stoc_supported_groups,
1266eefd 167 tls_construct_ctos_supported_groups, NULL
6b473aca 168 },
0785274c
MC		 169#else
170 INVALID_EXTENSION,
171 INVALID_EXTENSION,
6b473aca
MC		 172#endif
173 {
174 TLSEXT_TYPE_session_ticket,
fe874d27
MC		 175 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
176 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 177 init_session_ticket, tls_parse_ctos_session_ticket,
178 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
179 tls_construct_ctos_session_ticket, NULL
6b473aca 180 },
ab83e314 181#ifndef OPENSSL_NO_OCSP
6b473aca
MC		 182 {
183 TLSEXT_TYPE_status_request,
fe874d27
MC		 184 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
185 | SSL_EXT_TLS1_3_CERTIFICATE,
1266eefd
MC		 186 init_status_request, tls_parse_ctos_status_request,
187 tls_parse_stoc_status_request, tls_construct_stoc_status_request,
f63e4288 188 tls_construct_ctos_status_request, NULL
6b473aca 189 },
0785274c
MC		 190#else
191 INVALID_EXTENSION,
ab83e314 192#endif
6b473aca
MC		 193#ifndef OPENSSL_NO_NEXTPROTONEG
194 {
195 TLSEXT_TYPE_next_proto_neg,
fe874d27
MC		 196 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
197 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 198 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
199 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
6b473aca 200 },
0785274c
MC		 201#else
202 INVALID_EXTENSION,
6b473aca
MC		 203#endif
204 {
02f0274e
MC		 205 /*
206 * Must appear in this list after server_name so that finalisation
207 * happens after server_name callbacks
208 */
6b473aca 209 TLSEXT_TYPE_application_layer_protocol_negotiation,
fe874d27
MC		 210 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
211 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
1266eefd 212 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
630369d9 213 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
6b473aca 214 },
7da160b0 215#ifndef OPENSSL_NO_SRTP
6b473aca
MC		 216 {
217 TLSEXT_TYPE_use_srtp,
fe874d27
MC		 218 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
219 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
1266eefd
MC		 220 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
221 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
6b473aca 222 },
0785274c
MC		 223#else
224 INVALID_EXTENSION,
7da160b0 225#endif
6b473aca
MC		 226 {
227 TLSEXT_TYPE_encrypt_then_mac,
fe874d27
MC		 228 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
229 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 230 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
231 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
6b473aca 232 },
6dd083fd 233#ifndef OPENSSL_NO_CT
6b473aca
MC		 234 {
235 TLSEXT_TYPE_signed_certificate_timestamp,
fe874d27
MC		 236 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
237 | SSL_EXT_TLS1_3_CERTIFICATE,
68db4dda 238 NULL,
6b473aca
MC		 239 /*
240 * No server side support for this, but can be provided by a custom
241 * extension. This is an exception to the rule that custom extensions
242 * cannot override built in ones.
243 */
1266eefd 244 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
6b473aca 245 },
0785274c
MC		 246#else
247 INVALID_EXTENSION,
6dd083fd 248#endif
6b473aca
MC		 249 {
250 TLSEXT_TYPE_extended_master_secret,
fe874d27
MC		 251 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
252 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd
MC		 253 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
254 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
6b473aca 255 },
10ed1b72
TS		 256 {
257 TLSEXT_TYPE_signature_algorithms,
258 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
259 init_sig_algs, tls_parse_ctos_sig_algs,
260 tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
261 tls_construct_ctos_sig_algs, final_sig_algs
262 },
6b473aca
MC		 263 {
264 TLSEXT_TYPE_supported_versions,
88050dd1
MC		 265 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
266 | SSL_EXT_TLS1_3_SERVER_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
68db4dda 267 NULL,
6b473aca 268 /* Processed inline as part of version selection */
88050dd1
MC		 269 NULL, tls_parse_stoc_supported_versions,
270 tls_construct_stoc_supported_versions,
271 tls_construct_ctos_supported_versions, NULL
6b473aca 272 },
b2f7e8c0 273 {
b2f7e8c0 274 TLSEXT_TYPE_psk_kex_modes,
fe874d27
MC		 275 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
276 | SSL_EXT_TLS1_3_ONLY,
b2f7e8c0
MC		 277 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
278 tls_construct_ctos_psk_kex_modes, NULL
279 },
deb2d5e7 280#ifndef OPENSSL_NO_EC
6b473aca 281 {
70af3d8e
MC		 282 /*
283 * Must be in this list after supported_groups. We need that to have
284 * been parsed before we do this one.
285 */
6b473aca 286 TLSEXT_TYPE_key_share,
fe874d27
MC		 287 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
288 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
289 | SSL_EXT_TLS1_3_ONLY,
1266eefd 290 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
f4bbb37c
MC		 291 tls_construct_stoc_key_share, tls_construct_ctos_key_share,
292 final_key_share
7da160b0 293 },
deb2d5e7 294#endif
cfef5027
MC		 295 {
296 TLSEXT_TYPE_cookie,
fe874d27
MC		 297 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
298 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
cfef5027
MC		 299 NULL, NULL, tls_parse_stoc_cookie, NULL, tls_construct_ctos_cookie,
300 NULL
301 },
7da160b0
MC		 302 {
303 /*
304 * Special unsolicited ServerHello extension only used when
305 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
306 */
307 TLSEXT_TYPE_cryptopro_bug,
fe874d27 308 SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
1266eefd 309 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
ab83e314 310 },
38df5a45
MC		 311 {
312 TLSEXT_TYPE_early_data,
fe874d27
MC		 313 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
314 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
38df5a45
MC		 315 NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
316 tls_construct_stoc_early_data, tls_construct_ctos_early_data,
317 final_early_data
318 },
45615c5f
DSH		 319 {
320 TLSEXT_TYPE_certificate_authorities,
fe874d27
MC		 321 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
322 | SSL_EXT_TLS1_3_ONLY,
45615c5f
DSH		 323 init_certificate_authorities,
324 tls_parse_certificate_authorities, tls_parse_certificate_authorities,
325 tls_construct_certificate_authorities,
326 tls_construct_certificate_authorities, NULL,
327 },
ab83e314 328 {
ec15acb6 329 /* Must be immediately before pre_shared_key */
ab83e314 330 TLSEXT_TYPE_padding,
fe874d27 331 SSL_EXT_CLIENT_HELLO,
68db4dda 332 NULL,
ab83e314 333 /* We send this, but don't read it */
1266eefd 334 NULL, NULL, NULL, tls_construct_ctos_padding, NULL
ec15acb6
MC		 335 },
336 {
337 /* Required by the TLSv1.3 spec to always be the last extension */
338 TLSEXT_TYPE_psk,
fe874d27
MC		 339 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
340 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
0247086d 341 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
1053a6e2 342 tls_construct_ctos_psk, NULL
6b473aca
MC		 343 }
344};
345
43ae5eed
MC		 346/* Check whether an extension's context matches the current context */
347static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
348{
349 /* Check we're allowed to use this extension in this context */
350 if ((thisctx & extctx) == 0)
351 return 0;
352
353 if (SSL_IS_DTLS(s)) {
354 if ((extctx & SSL_EXT_TLS_ONLY) != 0)
355 return 0;
356 } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
357 return 0;
358 }
359
360 return 1;
361}
362
88050dd1
MC		 363int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
364{
365 size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
366 RAW_EXTENSION *thisext;
367 unsigned int context;
368 ENDPOINT role = ENDPOINT_BOTH;
369
370 if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
371 role = ENDPOINT_SERVER;
372 else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
373 role = ENDPOINT_CLIENT;
374
375 /* Calculate the number of extensions in the extensions list */
376 num_exts = builtin_num + s->cert->custext.meths_count;
377
378 for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
379 if (!thisext->present)
380 continue;
381
382 if (i < builtin_num) {
383 context = ext_defs[i].context;
384 } else {
385 custom_ext_method *meth = NULL;
386
387 meth = custom_ext_find(&s->cert->custext, role, thisext->type,
388 &offset);
389 if (!ossl_assert(meth != NULL))
390 return 0;
391 context = meth->context;
392 }
393
394 if (!validate_context(s, context, thisctx))
395 return 0;
396 }
397
398 return 1;
399}
400
6b473aca
MC		 401/*
402 * Verify whether we are allowed to use the extension |type| in the current
403 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
70af3d8e 404 * indicate the extension is not allowed. If returning 1 then |*found| is set to
69687aa8 405 * the definition for the extension we found.
6b473aca 406 */
70af3d8e 407static int verify_extension(SSL *s, unsigned int context, unsigned int type,
1266eefd
MC		 408 custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
409 RAW_EXTENSION **found)
6b473aca
MC		 410{
411 size_t i;
70af3d8e 412 size_t builtin_num = OSSL_NELEM(ext_defs);
d270de32 413 const EXTENSION_DEFINITION *thisext;
6b473aca 414
1266eefd
MC		 415 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
416 if (type == thisext->type) {
43ae5eed 417 if (!validate_context(s, thisext->context, context))
6b473aca
MC		 418 return 0;
419
1266eefd 420 *found = &rawexlist[i];
6b473aca
MC		 421 return 1;
422 }
423 }
424
70af3d8e
MC		 425 /* Check the custom extensions */
426 if (meths != NULL) {
43ae5eed 427 size_t offset = 0;
787d9ec7 428 ENDPOINT role = ENDPOINT_BOTH;
43ae5eed
MC		 429 custom_ext_method *meth = NULL;
430
431 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
787d9ec7 432 role = ENDPOINT_SERVER;
43ae5eed 433 else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
787d9ec7 434 role = ENDPOINT_CLIENT;
43ae5eed 435
787d9ec7 436 meth = custom_ext_find(meths, role, type, &offset);
43ae5eed
MC		 437 if (meth != NULL) {
438 if (!validate_context(s, meth->context, context))
439 return 0;
440 *found = &rawexlist[offset + builtin_num];
441 return 1;
6b473aca
MC		 442 }
443 }
444
70af3d8e 445 /* Unknown extension. We allow it */
1266eefd 446 *found = NULL;
70af3d8e 447 return 1;
6b473aca
MC		 448}
449
70af3d8e
MC		 450/*
451 * Check whether the context defined for an extension |extctx| means whether
452 * the extension is relevant for the current context |thisctx| or not. Returns
453 * 1 if the extension is relevant for this context, and 0 otherwise
454 */
43ae5eed 455int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
805a2e9e 456{
a2b97bdf
MC		 457 int is_tls13;
458
459 /*
460 * For HRR we haven't selected the version yet but we know it will be
461 * TLSv1.3
462 */
463 if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
464 is_tls13 = 1;
465 else
466 is_tls13 = SSL_IS_TLS13(s);
467
805a2e9e 468 if ((SSL_IS_DTLS(s)
fe874d27 469 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
805a2e9e 470 || (s->version == SSL3_VERSION
fe874d27 471 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
a2b97bdf
MC		 472 || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
473 || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
43ae5eed 474 || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
805a2e9e
MC		 475 return 0;
476
477 return 1;
478}
479
6b473aca
MC		 480/*
481 * Gather a list of all the extensions from the data in |packet]. |context|
70af3d8e 482 * tells us which message this extension is for. The raw extension data is
29bfd5b7
MC		 483 * stored in |*res| on success. We don't actually process the content of the
484 * extensions yet, except to check their types. This function also runs the
485 * initialiser functions for all known extensions if |init| is nonzero (whether
486 * we have collected them or not). If successful the caller is responsible for
487 * freeing the contents of |*res|.
6b473aca
MC		 488 *
489 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
490 * more than one extension of the same type in a ClientHello or ServerHello.
491 * This function returns 1 if all extensions are unique and we have parsed their
492 * types, and 0 if the extensions contain duplicates, could not be successfully
1266eefd 493 * found, or an internal error occurred. We only check duplicates for
70af3d8e 494 * extensions that we know about. We ignore others.
6b473aca 495 */
6b473aca 496int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
f63a17d6 497 RAW_EXTENSION **res, size_t *len, int init)
6b473aca
MC		 498{
499 PACKET extensions = *packet;
d270de32 500 size_t i = 0;
fc5ece2e 501 size_t num_exts;
43ae5eed 502 custom_ext_methods *exts = &s->cert->custext;
6b473aca 503 RAW_EXTENSION *raw_extensions = NULL;
d270de32 504 const EXTENSION_DEFINITION *thisexd;
6b473aca 505
ecc2f938
MC		 506 *res = NULL;
507
70af3d8e
MC		 508 /*
509 * Initialise server side custom extensions. Client side is done during
510 * construction of extensions for the ClientHello.
511 */
43ae5eed
MC		 512 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
513 custom_ext_init(&s->cert->custext);
70af3d8e 514
fc5ece2e
BK		 515 num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
516 raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
70af3d8e 517 if (raw_extensions == NULL) {
f63a17d6
MC		 518 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
519 ERR_R_MALLOC_FAILURE);
70af3d8e
MC		 520 return 0;
521 }
522
193b5d76 523 i = 0;
6b473aca 524 while (PACKET_remaining(&extensions) > 0) {
b186a592 525 unsigned int type, idx;
6b473aca 526 PACKET extension;
1266eefd 527 RAW_EXTENSION *thisex;
6b473aca
MC		 528
529 if (!PACKET_get_net_2(&extensions, &type) ||
530 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
f63a17d6
MC		 531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
532 SSL_R_BAD_EXTENSION);
6b473aca
MC		 533 goto err;
534 }
70af3d8e
MC		 535 /*
536 * Verify this extension is allowed. We only check duplicates for
652a6b7e
MC		 537 * extensions that we recognise. We also have a special case for the
538 * PSK extension, which must be the last one in the ClientHello.
70af3d8e 539 */
1266eefd 540 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
652a6b7e
MC		 541 || (thisex != NULL && thisex->present == 1)
542 || (type == TLSEXT_TYPE_psk
fe874d27 543 && (context & SSL_EXT_CLIENT_HELLO) != 0
652a6b7e 544 && PACKET_remaining(&extensions) != 0)) {
f63a17d6
MC		 545 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
546 SSL_R_BAD_EXTENSION);
6b473aca
MC		 547 goto err;
548 }
b186a592
MC		 549 idx = thisex - raw_extensions;
550 /*-
551 * Check that we requested this extension (if appropriate). Requests can
552 * be sent in the ClientHello and CertificateRequest. Unsolicited
553 * extensions can be sent in the NewSessionTicket. We only do this for
554 * the built-in extensions. Custom extensions have a different but
555 * similar check elsewhere.
556 * Special cases:
557 * - The HRR cookie extension is unsolicited
558 * - The renegotiate extension is unsolicited (the client signals
559 * support via an SCSV)
560 * - The signed_certificate_timestamp extension can be provided by a
561 * custom extension or by the built-in version. We let the extension
562 * itself handle unsolicited response checks.
563 */
564 if (idx < OSSL_NELEM(ext_defs)
565 && (context & (SSL_EXT_CLIENT_HELLO
566 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
567 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
568 && type != TLSEXT_TYPE_cookie
569 && type != TLSEXT_TYPE_renegotiate
570 && type != TLSEXT_TYPE_signed_certificate_timestamp
571 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
f63a17d6
MC		 572 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
573 SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
b186a592
MC		 574 goto err;
575 }
1266eefd
MC		 576 if (thisex != NULL) {
577 thisex->data = extension;
578 thisex->present = 1;
579 thisex->type = type;
193b5d76 580 thisex->received_order = i++;
b93a295a
TS		 581 if (s->ext.debug_cb)
582 s->ext.debug_cb(s, !s->server, thisex->type,
583 PACKET_data(&thisex->data),
584 PACKET_remaining(&thisex->data),
585 s->ext.debug_arg);
6b473aca
MC		 586 }
587 }
588
735d5b59
TT		 589 if (init) {
590 /*
591 * Initialise all known extensions relevant to this context,
592 * whether we have found them or not
593 */
594 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
595 i++, thisexd++) {
bf5c84f5
TT		 596 if (thisexd->init != NULL && (thisexd->context & context) != 0
597 && extension_is_relevant(s, thisexd->context, context)
598 && !thisexd->init(s, context)) {
f63a17d6 599 /* SSLfatal() already called */
735d5b59
TT		 600 goto err;
601 }
68db4dda
MC		 602 }
603 }
604
6b473aca 605 *res = raw_extensions;
fc5ece2e
BK		 606 if (len != NULL)
607 *len = num_exts;
6b473aca
MC		 608 return 1;
609
610 err:
611 OPENSSL_free(raw_extensions);
612 return 0;
613}
614
68db4dda 615/*
70af3d8e
MC		 616 * Runs the parser for a given extension with index |idx|. |exts| contains the
617 * list of all parsed extensions previously collected by
618 * tls_collect_extensions(). The parser is only run if it is applicable for the
f97d4c37
MC		 619 * given |context| and the parser has not already been run. If this is for a
620 * Certificate message, then we also provide the parser with the relevant
8521ced6 621 * Certificate |x| and its position in the |chainidx| with 0 being the first
29bfd5b7
MC		 622 * Certificate. Returns 1 on success or 0 on failure. If an extension is not
623 * present this counted as success.
68db4dda 624 */
d270de32 625int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
f63a17d6 626 RAW_EXTENSION *exts, X509 *x, size_t chainidx)
6b473aca 627{
70af3d8e 628 RAW_EXTENSION *currext = &exts[idx];
61138358 629 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 630 size_t chainidx) = NULL;
6b473aca 631
70af3d8e
MC		 632 /* Skip if the extension is not present */
633 if (!currext->present)
634 return 1;
6b473aca 635
70af3d8e
MC		 636 /* Skip if we've already parsed this extension */
637 if (currext->parsed)
638 return 1;
6b473aca 639
70af3d8e
MC		 640 currext->parsed = 1;
641
642 if (idx < OSSL_NELEM(ext_defs)) {
643 /* We are handling a built-in extension */
644 const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
645
646 /* Check if extension is defined for our protocol. If not, skip */
647 if (!extension_is_relevant(s, extdef->context, context))
648 return 1;
649
1266eefd 650 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
224135e9 651
1266eefd 652 if (parser != NULL)
f63a17d6 653 return parser(s, &currext->data, context, x, chainidx);
6b473aca 654
70af3d8e
MC		 655 /*
656 * If the parser is NULL we fall through to the custom extension
657 * processing
658 */
6b473aca
MC		 659 }
660
43ae5eed 661 /* Parse custom extensions */
f63a17d6
MC		 662 return custom_ext_parse(s, context, currext->type,
663 PACKET_data(&currext->data),
664 PACKET_remaining(&currext->data),
665 x, chainidx);
805a2e9e
MC		 666}
667
668/*
669 * Parse all remaining extensions that have not yet been parsed. Also calls the
735d5b59
TT		 670 * finalisation for all extensions at the end if |fin| is nonzero, whether we
671 * collected them or not. Returns 1 for success or 0 for failure. If we are
672 * working on a Certificate message then we also pass the Certificate |x| and
29bfd5b7 673 * its position in the |chainidx|, with 0 being the first certificate.
805a2e9e 674 */
f97d4c37 675int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
f63a17d6 676 size_t chainidx, int fin)
805a2e9e 677{
1266eefd 678 size_t i, numexts = OSSL_NELEM(ext_defs);
d270de32 679 const EXTENSION_DEFINITION *thisexd;
805a2e9e 680
70af3d8e 681 /* Calculate the number of extensions in the extensions list */
43ae5eed 682 numexts += s->cert->custext.meths_count;
70af3d8e
MC		 683
684 /* Parse each extension in turn */
1266eefd 685 for (i = 0; i < numexts; i++) {
f63a17d6
MC		 686 if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
687 /* SSLfatal() already called */
70af3d8e 688 return 0;
f63a17d6 689 }
70af3d8e 690 }
805a2e9e 691
735d5b59
TT		 692 if (fin) {
693 /*
694 * Finalise all known extensions relevant to this context,
695 * whether we have found them or not
696 */
697 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
698 i++, thisexd++) {
bf5c84f5 699 if (thisexd->final != NULL && (thisexd->context & context) != 0
f63a17d6
MC		 700 && !thisexd->final(s, context, exts[i].present)) {
701 /* SSLfatal() already called */
735d5b59 702 return 0;
f63a17d6 703 }
735d5b59 704 }
68db4dda
MC		 705 }
706
6b473aca
MC		 707 return 1;
708}
709
43ae5eed
MC		 710int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
711 int max_version)
712{
713 /* Skip if not relevant for our context */
714 if ((extctx & thisctx) == 0)
715 return 0;
716
717 /* Check if this extension is defined for our protocol. If not, skip */
718 if ((SSL_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
719 || (s->version == SSL3_VERSION
720 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
721 || (SSL_IS_TLS13(s)
722 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
723 || (!SSL_IS_TLS13(s)
724 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
725 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
726 || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
727 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
728 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
729 return 0;
730
731 return 1;
732}
733
6b473aca 734/*
70af3d8e 735 * Construct all the extensions relevant to the current |context| and write
30aeba43 736 * them to |pkt|. If this is an extension for a Certificate in a Certificate
8521ced6
MC		 737 * message, then |x| will be set to the Certificate we are handling, and
738 * |chainidx| will indicate the position in the chainidx we are processing (with
f63a17d6 739 * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
8521ced6 740 * failure construction stops at the first extension to fail to construct.
6b473aca 741 */
224135e9 742int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 743 X509 *x, size_t chainidx)
224135e9 744{
1266eefd 745 size_t i;
f63a17d6 746 int min_version, max_version = 0, reason;
d270de32 747 const EXTENSION_DEFINITION *thisexd;
224135e9
MC		 748
749 if (!WPACKET_start_sub_packet_u16(pkt)
750 /*
751 * If extensions are of zero length then we don't even add the
1c259bb5
BK		 752 * extensions length bytes to a ClientHello/ServerHello
753 * (for non-TLSv1.3).
224135e9 754 */
fe874d27
MC		 755 || ((context &
756 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
fe874d27 757 && !WPACKET_set_flags(pkt,
224135e9 758 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
f63a17d6
MC		 759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
760 ERR_R_INTERNAL_ERROR);
761 return 0;
224135e9
MC		 762 }
763
fe874d27 764 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
38a73150 765 reason = ssl_get_min_max_version(s, &min_version, &max_version);
ab83e314 766 if (reason != 0) {
f63a17d6
MC		 767 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
768 reason);
769 return 0;
ab83e314
MC		 770 }
771 }
772
773 /* Add custom extensions first */
fe874d27 774 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
44e69951 775 /* On the server side with initialise during ClientHello parsing */
43ae5eed 776 custom_ext_init(&s->cert->custext);
ab83e314 777 }
f63a17d6
MC		 778 if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
779 /* SSLfatal() already called */
780 return 0;
ab83e314
MC		 781 }
782
1266eefd 783 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
b186a592 784 EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 785 X509 *x, size_t chainidx);
b186a592 786 EXT_RETURN ret;
4b299b8e 787
224135e9 788 /* Skip if not relevant for our context */
43ae5eed 789 if (!should_add_extension(s, thisexd->context, context, max_version))
224135e9
MC		 790 continue;
791
1266eefd
MC		 792 construct = s->server ? thisexd->construct_stoc
793 : thisexd->construct_ctos;
224135e9 794
43ae5eed 795 if (construct == NULL)
224135e9
MC		 796 continue;
797
f63a17d6
MC		 798 ret = construct(s, pkt, context, x, chainidx);
799 if (ret == EXT_RETURN_FAIL) {
800 /* SSLfatal() already called */
801 return 0;
802 }
b186a592
MC		 803 if (ret == EXT_RETURN_SENT
804 && (context & (SSL_EXT_CLIENT_HELLO
805 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
806 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
807 s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
224135e9
MC		 808 }
809
224135e9 810 if (!WPACKET_close(pkt)) {
f63a17d6
MC		 811 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
812 ERR_R_INTERNAL_ERROR);
813 return 0;
224135e9
MC		 814 }
815
816 return 1;
817}
805a2e9e 818
70af3d8e
MC		 819/*
820 * Built in extension finalisation and initialisation functions. All initialise
821 * or finalise the associated extension type for the given |context|. For
822 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
29bfd5b7 823 * otherwise. These functions return 1 on success or 0 on failure.
70af3d8e
MC		 824 */
825
f63a17d6 826static int final_renegotiate(SSL *s, unsigned int context, int sent)
805a2e9e 827{
332eb390
MC		 828 if (!s->server) {
829 /*
830 * Check if we can connect to a server that doesn't support safe
831 * renegotiation
832 */
833 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
834 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
835 && !sent) {
f63a17d6
MC		 836 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
837 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
332eb390
MC		 838 return 0;
839 }
840
805a2e9e 841 return 1;
332eb390 842 }
805a2e9e
MC		 843
844 /* Need RI if renegotiating */
845 if (s->renegotiate
846 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
847 && !sent) {
f63a17d6
MC		 848 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
849 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
805a2e9e
MC		 850 return 0;
851 }
852
332eb390 853
805a2e9e
MC		 854 return 1;
855}
856
1266eefd 857static int init_server_name(SSL *s, unsigned int context)
805a2e9e
MC		 858{
859 if (s->server)
860 s->servername_done = 0;
861
862 return 1;
863}
864
f63a17d6 865static int final_server_name(SSL *s, unsigned int context, int sent)
805a2e9e 866{
3be08e30 867 int ret = SSL_TLSEXT_ERR_NOACK, discard;
805a2e9e 868 int altmp = SSL_AD_UNRECOGNIZED_NAME;
a84e5c9a 869 int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
805a2e9e 870
aff8c126
RS		 871 if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
872 ret = s->ctx->ext.servername_cb(s, &altmp,
873 s->ctx->ext.servername_arg);
222da979
TS		 874 else if (s->session_ctx != NULL
875 && s->session_ctx->ext.servername_cb != 0)
876 ret = s->session_ctx->ext.servername_cb(s, &altmp,
877 s->session_ctx->ext.servername_arg);
805a2e9e 878
9fb6cb81
MC		 879 if (!sent) {
880 OPENSSL_free(s->session->ext.hostname);
881 s->session->ext.hostname = NULL;
882 }
883
3be08e30
BK		 884 /*
885 * If we switched contexts (whether here or in the client_hello callback),
886 * move the sess_accept increment from the session_ctx to the new
887 * context, to avoid the confusing situation of having sess_accept_good
888 * exceed sess_accept (zero) for the new context.
889 */
890 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
891 CRYPTO_atomic_add(&s->ctx->stats.sess_accept, 1, &discard,
892 s->ctx->lock);
893 CRYPTO_atomic_add(&s->session_ctx->stats.sess_accept, -1, &discard,
894 s->session_ctx->lock);
895 }
896
a84e5c9a
TS		 897 /*
898 * If we're expecting to send a ticket, and tickets were previously enabled,
899 * and now tickets are disabled, then turn off expected ticket.
900 * Also, if this is not a resumption, create a new session ID
901 */
902 if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
903 && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
904 s->ext.ticket_expected = 0;
905 if (!s->hit) {
906 SSL_SESSION* ss = SSL_get_session(s);
907
908 if (ss != NULL) {
909 OPENSSL_free(ss->ext.tick);
910 ss->ext.tick = NULL;
911 ss->ext.ticklen = 0;
912 ss->ext.tick_lifetime_hint = 0;
913 ss->ext.tick_age_add = 0;
914 ss->ext.tick_identity = 0;
915 if (!ssl_generate_session_id(s, ss)) {
f63a17d6
MC		 916 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
917 ERR_R_INTERNAL_ERROR);
918 return 0;
a84e5c9a
TS		 919 }
920 } else {
f63a17d6
MC		 921 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
922 ERR_R_INTERNAL_ERROR);
923 return 0;
a84e5c9a
TS		 924 }
925 }
926 }
927
805a2e9e
MC		 928 switch (ret) {
929 case SSL_TLSEXT_ERR_ALERT_FATAL:
f63a17d6 930 SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
805a2e9e
MC		 931 return 0;
932
933 case SSL_TLSEXT_ERR_ALERT_WARNING:
f63a17d6 934 ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
805a2e9e
MC		 935 return 1;
936
937 case SSL_TLSEXT_ERR_NOACK:
938 s->servername_done = 0;
939 return 1;
940
941 default:
942 return 1;
943 }
944}
945
332eb390 946#ifndef OPENSSL_NO_EC
f63a17d6 947static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
332eb390
MC		 948{
949 unsigned long alg_k, alg_a;
950
951 if (s->server)
952 return 1;
953
954 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
955 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
956
957 /*
958 * If we are client and using an elliptic curve cryptography cipher
959 * suite, then if server returns an EC point formats lists extension it
960 * must contain uncompressed.
961 */
aff8c126
RS		 962 if (s->ext.ecpointformats != NULL
963 && s->ext.ecpointformats_len > 0
964 && s->session->ext.ecpointformats != NULL
965 && s->session->ext.ecpointformats_len > 0
1266eefd 966 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
332eb390
MC		 967 /* we are using an ECC cipher */
968 size_t i;
aff8c126 969 unsigned char *list = s->session->ext.ecpointformats;
1266eefd 970
aff8c126 971 for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
1266eefd 972 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
332eb390 973 break;
332eb390 974 }
aff8c126 975 if (i == s->session->ext.ecpointformats_len) {
f63a17d6
MC		 976 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
977 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
332eb390
MC		 978 return 0;
979 }
980 }
981
982 return 1;
983}
984#endif
985
1266eefd 986static int init_session_ticket(SSL *s, unsigned int context)
332eb390
MC		 987{
988 if (!s->server)
aff8c126 989 s->ext.ticket_expected = 0;
332eb390
MC		 990
991 return 1;
992}
993
8f8c11d8 994#ifndef OPENSSL_NO_OCSP
1266eefd 995static int init_status_request(SSL *s, unsigned int context)
805a2e9e 996{
f63e4288 997 if (s->server) {
aff8c126 998 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
f63e4288
MC		 999 } else {
1000 /*
1001 * Ensure we get sensible values passed to tlsext_status_cb in the event
1002 * that we don't receive a status message
1003 */
8cbfcc70
RS		 1004 OPENSSL_free(s->ext.ocsp.resp);
1005 s->ext.ocsp.resp = NULL;
1006 s->ext.ocsp.resp_len = 0;
f63e4288 1007 }
332eb390
MC		 1008
1009 return 1;
1010}
8f8c11d8 1011#endif
332eb390 1012
805a2e9e 1013#ifndef OPENSSL_NO_NEXTPROTONEG
1266eefd 1014static int init_npn(SSL *s, unsigned int context)
805a2e9e 1015{
aff8c126 1016 s->s3->npn_seen = 0;
805a2e9e
MC		 1017
1018 return 1;
1019}
1020#endif
1021
1266eefd 1022static int init_alpn(SSL *s, unsigned int context)
805a2e9e 1023{
332eb390
MC		 1024 OPENSSL_free(s->s3->alpn_selected);
1025 s->s3->alpn_selected = NULL;
a5bb1aa1 1026 s->s3->alpn_selected_len = 0;
805a2e9e 1027 if (s->server) {
805a2e9e
MC		 1028 OPENSSL_free(s->s3->alpn_proposed);
1029 s->s3->alpn_proposed = NULL;
1030 s->s3->alpn_proposed_len = 0;
1031 }
805a2e9e
MC		 1032 return 1;
1033}
1034
f63a17d6 1035static int final_alpn(SSL *s, unsigned int context, int sent)
630369d9 1036{
4be3a7c7
MC		 1037 if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
1038 s->ext.early_data_ok = 0;
1039
630369d9
MC		 1040 if (!s->server || !SSL_IS_TLS13(s))
1041 return 1;
1042
1043 /*
1044 * Call alpn_select callback if needed. Has to be done after SNI and
1045 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
1046 * we also have to do this before we decide whether to accept early_data.
1047 * In TLSv1.3 we've already negotiated our cipher so we do this call now.
1048 * For < TLSv1.3 we defer it until after cipher negotiation.
f63a17d6
MC		 1049 *
1050 * On failure SSLfatal() already called.
630369d9 1051 */
f63a17d6 1052 return tls_handle_alpn(s);
630369d9
MC		 1053}
1054
1266eefd 1055static int init_sig_algs(SSL *s, unsigned int context)
805a2e9e
MC		 1056{
1057 /* Clear any signature algorithms extension received */
1058 OPENSSL_free(s->s3->tmp.peer_sigalgs);
1059 s->s3->tmp.peer_sigalgs = NULL;
1060
1061 return 1;
1062}
1063
1064#ifndef OPENSSL_NO_SRP
1266eefd 1065static int init_srp(SSL *s, unsigned int context)
805a2e9e
MC		 1066{
1067 OPENSSL_free(s->srp_ctx.login);
1068 s->srp_ctx.login = NULL;
1069
1070 return 1;
1071}
1072#endif
1073
1266eefd 1074static int init_etm(SSL *s, unsigned int context)
805a2e9e 1075{
28a31a0a 1076 s->ext.use_etm = 0;
332eb390
MC		 1077
1078 return 1;
1079}
1080
1266eefd 1081static int init_ems(SSL *s, unsigned int context)
332eb390
MC		 1082{
1083 if (!s->server)
1084 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1085
1086 return 1;
1087}
1088
f63a17d6 1089static int final_ems(SSL *s, unsigned int context, int sent)
332eb390
MC		 1090{
1091 if (!s->server && s->hit) {
1092 /*
1093 * Check extended master secret extension is consistent with
1094 * original session.
1095 */
1096 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
1097 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
f63a17d6
MC		 1098 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1099 SSL_R_INCONSISTENT_EXTMS);
332eb390
MC		 1100 return 0;
1101 }
1102 }
805a2e9e
MC		 1103
1104 return 1;
1105}
1106
45615c5f
DSH		 1107static int init_certificate_authorities(SSL *s, unsigned int context)
1108{
fa7c2637
DSH		 1109 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
1110 s->s3->tmp.peer_ca_names = NULL;
45615c5f
DSH		 1111 return 1;
1112}
1113
b186a592
MC		 1114static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
1115 unsigned int context,
1116 X509 *x,
f63a17d6 1117 size_t chainidx)
45615c5f 1118{
9784ec04 1119 const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
45615c5f
DSH		 1120
1121 if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
b186a592 1122 return EXT_RETURN_NOT_SENT;
45615c5f
DSH		 1123
1124 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
f63a17d6
MC		 1125 || !WPACKET_start_sub_packet_u16(pkt)) {
1126 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1127 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
45615c5f 1128 ERR_R_INTERNAL_ERROR);
b186a592 1129 return EXT_RETURN_FAIL;
45615c5f
DSH		 1130 }
1131
f63a17d6
MC		 1132 if (!construct_ca_names(s, pkt)) {
1133 /* SSLfatal() already called */
1134 return EXT_RETURN_FAIL;
1135 }
1136
1137 if (!WPACKET_close(pkt)) {
1138 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1139 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1140 ERR_R_INTERNAL_ERROR);
1141 return EXT_RETURN_FAIL;
1142 }
1143
b186a592 1144 return EXT_RETURN_SENT;
45615c5f
DSH		 1145}
1146
1147static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
1148 unsigned int context, X509 *x,
f63a17d6 1149 size_t chainidx)
45615c5f 1150{
f63a17d6 1151 if (!parse_ca_names(s, pkt))
45615c5f
DSH		 1152 return 0;
1153 if (PACKET_remaining(pkt) != 0) {
f63a17d6
MC		 1154 SSLfatal(s, SSL_AD_DECODE_ERROR,
1155 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
45615c5f
DSH		 1156 return 0;
1157 }
1158 return 1;
1159}
1160
805a2e9e 1161#ifndef OPENSSL_NO_SRTP
1266eefd 1162static int init_srtp(SSL *s, unsigned int context)
805a2e9e
MC		 1163{
1164 if (s->server)
1165 s->srtp_profile = NULL;
1166
1167 return 1;
1168}
1169#endif
04904312 1170
f63a17d6 1171static int final_sig_algs(SSL *s, unsigned int context, int sent)
04904312 1172{
108d45df 1173 if (!sent && SSL_IS_TLS13(s) && !s->hit) {
f63a17d6
MC		 1174 SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
1175 SSL_R_MISSING_SIGALGS_EXTENSION);
04904312
MC		 1176 return 0;
1177 }
1178
1179 return 1;
1180}
b2f7e8c0 1181
deb2d5e7 1182#ifndef OPENSSL_NO_EC
f63a17d6 1183static int final_key_share(SSL *s, unsigned int context, int sent)
f4bbb37c
MC		 1184{
1185 if (!SSL_IS_TLS13(s))
1186 return 1;
1187
07d447a6
MC		 1188 /* Nothing to do for key_share in an HRR */
1189 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
1190 return 1;
1191
f4bbb37c
MC		 1192 /*
1193 * If
aff9929b
MC		 1194 * we are a client
1195 * AND
f4bbb37c
MC		 1196 * we have no key_share
1197 * AND
1198 * (we are not resuming
1199 * OR the kex_mode doesn't allow non key_share resumes)
1200 * THEN
aff9929b 1201 * fail;
f4bbb37c 1202 */
aff9929b
MC		 1203 if (!s->server
1204 && !sent
f4bbb37c
MC		 1205 && (!s->hit
1206 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
7d061fce 1207 /* Nothing left we can do - just fail */
f63a17d6
MC		 1208 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
1209 SSL_R_NO_SUITABLE_KEY_SHARE);
f4bbb37c
MC		 1210 return 0;
1211 }
aff9929b
MC		 1212 /*
1213 * If
1214 * we are a server
1215 * AND
1216 * we have no key_share
1217 * THEN
1218 * If
1219 * we didn't already send a HelloRetryRequest
1220 * AND
1221 * the client sent a key_share extension
1222 * AND
1223 * (we are not resuming
1224 * OR the kex_mode allows key_share resumes)
1225 * AND
1226 * a shared group exists
1227 * THEN
1228 * send a HelloRetryRequest
1229 * ELSE If
1230 * we are not resuming
1231 * OR
1232 * the kex_mode doesn't allow non key_share resumes
1233 * THEN
1234 * fail;
1235 */
1236 if (s->server && s->s3->peer_tmp == NULL) {
1237 /* No suitable share */
1238 if (s->hello_retry_request == 0 && sent
1239 && (!s->hit
1240 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
1241 != 0)) {
f48d826e
DSH		 1242 const uint16_t *pgroups, *clntgroups;
1243 size_t num_groups, clnt_num_groups, i;
319a33d0 1244 unsigned int group_id = 0;
aff9929b 1245
2248dbeb 1246 /* Check if a shared group exists */
aff9929b
MC		 1247
1248 /* Get the clients list of supported groups. */
f48d826e
DSH		 1249 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
1250 tls1_get_supported_groups(s, &pgroups, &num_groups);
aff9929b
MC		 1251
1252 /* Find the first group we allow that is also in client's list */
f48d826e
DSH		 1253 for (i = 0; i < num_groups; i++) {
1254 group_id = pgroups[i];
aff9929b 1255
f48d826e 1256 if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1))
aff9929b
MC		 1257 break;
1258 }
1259
f48d826e 1260 if (i < num_groups) {
aff9929b
MC		 1261 /* A shared group exists so send a HelloRetryRequest */
1262 s->s3->group_id = group_id;
1263 s->hello_retry_request = 1;
1264 return 1;
1265 }
1266 }
1267 if (!s->hit
1268 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
1269 /* Nothing left we can do - just fail */
f63a17d6
MC		 1270 SSLfatal(s,
1271 sent ? SSL_AD_HANDSHAKE_FAILURE : SSL_AD_MISSING_EXTENSION,
1272 SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
aff9929b
MC		 1273 return 0;
1274 }
1275 }
1276
1277 /* We have a key_share so don't send any more HelloRetryRequest messages */
1278 if (s->server)
1279 s->hello_retry_request = 0;
f4bbb37c
MC		 1280
1281 /*
1282 * For a client side resumption with no key_share we need to generate
1283 * the handshake secret (otherwise this is done during key_share
1284 * processing).
1285 */
1286 if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) {
f63a17d6
MC		 1287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1288 ERR_R_INTERNAL_ERROR);
f4bbb37c
MC		 1289 return 0;
1290 }
1291
1292 return 1;
1293}
deb2d5e7 1294#endif
f4bbb37c 1295
b2f7e8c0
MC		 1296static int init_psk_kex_modes(SSL *s, unsigned int context)
1297{
1298 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
b2f7e8c0
MC		 1299 return 1;
1300}
1053a6e2
MC		 1301
1302int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1303 size_t binderoffset, const unsigned char *binderin,
3a7c56b2
MC		 1304 unsigned char *binderout, SSL_SESSION *sess, int sign,
1305 int external)
1053a6e2
MC		 1306{
1307 EVP_PKEY *mackey = NULL;
1308 EVP_MD_CTX *mctx = NULL;
1309 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1310 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
b81bd336
MC		 1311 unsigned char tmppsk[EVP_MAX_MD_SIZE];
1312 unsigned char *early_secret, *psk;
17aa119e 1313 const char resumption_label[] = "res binder";
3a7c56b2 1314 const char external_label[] = "ext binder";
b81bd336 1315 const char nonce_label[] = "resumption";
3a7c56b2
MC		 1316 const char *label;
1317 size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
1053a6e2 1318 int ret = -1;
add8d0e9
MC		 1319 int usepskfored = 0;
1320
1321 if (external
1322 && s->early_data_state == SSL_EARLY_DATA_CONNECTING
1323 && s->session->ext.max_early_data == 0
1324 && sess->ext.max_early_data > 0)
1325 usepskfored = 1;
1053a6e2 1326
3a7c56b2
MC		 1327 if (external) {
1328 label = external_label;
1329 labelsize = sizeof(external_label) - 1;
1330 } else {
1331 label = resumption_label;
1332 labelsize = sizeof(resumption_label) - 1;
1333 }
1334
b81bd336 1335 if (sess->master_key_length != hashsize) {
635c8f77
MC		 1336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1337 SSL_R_BAD_PSK);
b81bd336
MC		 1338 goto err;
1339 }
1340
1341 if (external) {
1342 psk = sess->master_key;
1343 } else {
b81bd336
MC		 1344 psk = tmppsk;
1345 if (!tls13_hkdf_expand(s, md, sess->master_key,
1346 (const unsigned char *)nonce_label,
1347 sizeof(nonce_label) - 1, sess->ext.tick_nonce,
1348 sess->ext.tick_nonce_len, psk, hashsize)) {
635c8f77 1349 /* SSLfatal() already called */
b81bd336
MC		 1350 goto err;
1351 }
1352 }
1353
9368f865
MC		 1354 /*
1355 * Generate the early_secret. On the server side we've selected a PSK to
1356 * resume with (internal or external) so we always do this. On the client
add8d0e9
MC		 1357 * side we do this for a non-external (i.e. resumption) PSK or external PSK
1358 * that will be used for early_data so that it is in place for sending early
1359 * data. For client side external PSK not being used for early_data we
9368f865
MC		 1360 * generate it but store it away for later use.
1361 */
add8d0e9 1362 if (s->server || !external || usepskfored)
9368f865
MC		 1363 early_secret = (unsigned char *)s->early_secret;
1364 else
1365 early_secret = (unsigned char *)sess->early_secret;
b81bd336 1366 if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
635c8f77 1367 /* SSLfatal() already called */
1053a6e2
MC		 1368 goto err;
1369 }
1370
1371 /*
1372 * Create the handshake hash for the binder key...the messages so far are
1373 * empty!
1374 */
1375 mctx = EVP_MD_CTX_new();
1376 if (mctx == NULL
1377 || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1378 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
635c8f77
MC		 1379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1380 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1381 goto err;
1382 }
1383
1384 /* Generate the binder key */
9368f865 1385 if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label,
a19ae67d 1386 labelsize, hash, hashsize, binderkey, hashsize)) {
635c8f77 1387 /* SSLfatal() already called */
1053a6e2
MC		 1388 goto err;
1389 }
1390
1391 /* Generate the finished key */
1392 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
635c8f77 1393 /* SSLfatal() already called */
1053a6e2
MC		 1394 goto err;
1395 }
1396
aff9929b 1397 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
635c8f77
MC		 1398 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1399 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1400 goto err;
1401 }
1402
1053a6e2 1403 /*
aff9929b
MC		 1404 * Get a hash of the ClientHello up to the start of the binders. If we are
1405 * following a HelloRetryRequest then this includes the hash of the first
1406 * ClientHello and the HelloRetryRequest itself.
1053a6e2 1407 */
aff9929b
MC		 1408 if (s->hello_retry_request) {
1409 size_t hdatalen;
1410 void *hdata;
1411
1412 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
1413 if (hdatalen <= 0) {
635c8f77
MC		 1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1415 SSL_R_BAD_HANDSHAKE_LENGTH);
aff9929b
MC		 1416 goto err;
1417 }
1418
1419 /*
1420 * For servers the handshake buffer data will include the second
1421 * ClientHello - which we don't want - so we need to take that bit off.
1422 */
1423 if (s->server) {
77815a02
MC		 1424 PACKET hashprefix, msg;
1425
1426 /* Find how many bytes are left after the first two messages */
1427 if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
1428 || !PACKET_forward(&hashprefix, 1)
1429 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
1430 || !PACKET_forward(&hashprefix, 1)
1431 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
635c8f77
MC		 1432 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1433 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1434 goto err;
1435 }
77815a02 1436 hdatalen -= PACKET_remaining(&hashprefix);
aff9929b
MC		 1437 }
1438
1439 if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
635c8f77
MC		 1440 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1441 ERR_R_INTERNAL_ERROR);
aff9929b
MC		 1442 goto err;
1443 }
1444 }
1445
1446 if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1053a6e2 1447 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
635c8f77
MC		 1448 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1449 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1450 goto err;
1451 }
1452
1453 mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize);
1454 if (mackey == NULL) {
635c8f77
MC		 1455 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1456 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1457 goto err;
1458 }
1459
1460 if (!sign)
1461 binderout = tmpbinder;
1462
1463 bindersize = hashsize;
1464 if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
1465 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1466 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1467 || bindersize != hashsize) {
635c8f77
MC		 1468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1469 ERR_R_INTERNAL_ERROR);
1053a6e2
MC		 1470 goto err;
1471 }
1472
1473 if (sign) {
1474 ret = 1;
1475 } else {
1476 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1477 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
635c8f77
MC		 1478 if (!ret)
1479 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
1480 SSL_R_BINDER_DOES_NOT_VERIFY);
1053a6e2
MC		 1481 }
1482
1483 err:
1484 OPENSSL_cleanse(binderkey, sizeof(binderkey));
1485 OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1486 EVP_PKEY_free(mackey);
1487 EVP_MD_CTX_free(mctx);
1488
1489 return ret;
1490}
38df5a45 1491
f63a17d6 1492static int final_early_data(SSL *s, unsigned int context, int sent)
38df5a45 1493{
4be3a7c7
MC		 1494 if (!sent)
1495 return 1;
1496
1497 if (!s->server) {
1498 if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
1499 && sent
1500 && !s->ext.early_data_ok) {
1501 /*
1502 * If we get here then the server accepted our early_data but we
1503 * later realised that it shouldn't have done (e.g. inconsistent
1504 * ALPN)
1505 */
f63a17d6
MC		 1506 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
1507 SSL_R_BAD_EARLY_DATA);
4be3a7c7
MC		 1508 return 0;
1509 }
1510
38df5a45 1511 return 1;
4be3a7c7 1512 }
38df5a45
MC		 1513
1514 if (s->max_early_data == 0
1515 || !s->hit
1516 || s->session->ext.tick_identity != 0
1517 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
1518 || !s->ext.early_data_ok
630369d9 1519 || s->hello_retry_request) {
38df5a45
MC		 1520 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
1521 } else {
1522 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1523
1524 if (!tls13_change_cipher_state(s,
1525 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
f63a17d6 1526 /* SSLfatal() already called */
38df5a45
MC		 1527 return 0;
1528 }
1529 }
1530
1531 return 1;
1532}
cf72c757 1533
f63a17d6 1534static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
cf72c757
F		 1535{
1536 /*
1537 * Session resumption on server-side with MFL extension active
1538 * BUT MFL extension packet was not resent (i.e. sent == 0)
1539 */
f63a17d6 1540 if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
cf72c757 1541 && !sent ) {
f63a17d6
MC		 1542 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
1543 SSL_R_BAD_EXTENSION);
cf72c757
F		 1544 return 0;
1545 }
1546
1547 /* Current SSL buffer is lower than requested MFL */
f63a17d6
MC		 1548 if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1549 && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
cf72c757 1550 /* trigger a larger buffer reallocation */
f63a17d6
MC		 1551 if (!ssl3_setup_buffers(s)) {
1552 /* SSLfatal() already called */
cf72c757 1553 return 0;
f63a17d6 1554 }
cf72c757
F		 1555
1556 return 1;
1557}
A mirror of the official openssl repository