]>
Commit | Line | Data |
---|---|---|
6b473aca MC |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * | |
4 | * Licensed under the OpenSSL license (the "License"). You may not use | |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
6b473aca MC |
10 | #include "../ssl_locl.h" |
11 | #include "statem_locl.h" | |
12 | ||
1266eefd | 13 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e | 14 | int *al); |
1266eefd MC |
15 | static int init_server_name(SSL *s, unsigned int context); |
16 | static int final_server_name(SSL *s, unsigned int context, int sent, | |
805a2e9e | 17 | int *al); |
332eb390 | 18 | #ifndef OPENSSL_NO_EC |
1266eefd | 19 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
20 | int *al); |
21 | #endif | |
1266eefd | 22 | static int init_session_ticket(SSL *s, unsigned int context); |
8f8c11d8 | 23 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 24 | static int init_status_request(SSL *s, unsigned int context); |
8f8c11d8 | 25 | #endif |
805a2e9e | 26 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 27 | static int init_npn(SSL *s, unsigned int context); |
805a2e9e | 28 | #endif |
1266eefd MC |
29 | static int init_alpn(SSL *s, unsigned int context); |
30 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al); | |
31 | static int init_sig_algs(SSL *s, unsigned int context); | |
805a2e9e | 32 | #ifndef OPENSSL_NO_SRP |
1266eefd | 33 | static int init_srp(SSL *s, unsigned int context); |
805a2e9e | 34 | #endif |
1266eefd MC |
35 | static int init_etm(SSL *s, unsigned int context); |
36 | static int init_ems(SSL *s, unsigned int context); | |
37 | static int final_ems(SSL *s, unsigned int context, int sent, int *al); | |
805a2e9e | 38 | #ifndef OPENSSL_NO_SRTP |
1266eefd | 39 | static int init_srtp(SSL *s, unsigned int context); |
805a2e9e MC |
40 | #endif |
41 | ||
70af3d8e | 42 | /* Structure to define a built-in extension */ |
1266eefd MC |
43 | typedef struct extensions_definition_st { |
44 | /* The defined type for the extension */ | |
6b473aca | 45 | unsigned int type; |
1266eefd MC |
46 | /* |
47 | * The context that this extension applies to, e.g. what messages and | |
48 | * protocol versions | |
49 | */ | |
50 | unsigned int context; | |
68db4dda | 51 | /* |
805a2e9e MC |
52 | * Initialise extension before parsing. Always called for relevant contexts |
53 | * even if extension not present | |
68db4dda | 54 | */ |
1266eefd MC |
55 | int (*init)(SSL *s, unsigned int context); |
56 | /* Parse extension sent from client to server */ | |
8521ced6 | 57 | int (*parse_ctos)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al); |
1266eefd | 58 | /* Parse extension send from server to client */ |
8521ced6 | 59 | int (*parse_stoc)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al); |
1266eefd | 60 | /* Construct extension sent from server to client */ |
8521ced6 | 61 | int (*construct_stoc)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, |
30aeba43 | 62 | int *al); |
1266eefd | 63 | /* Construct extension sent from client to server */ |
8521ced6 MC |
64 | int (*construct_ctos)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, |
65 | int *al); | |
68db4dda | 66 | /* |
805a2e9e MC |
67 | * Finalise extension after parsing. Always called where an extensions was |
68 | * initialised even if the extension was not present. |sent| is set to 1 if | |
69 | * the extension was seen, or 0 otherwise. | |
68db4dda | 70 | */ |
1266eefd | 71 | int (*final)(SSL *s, unsigned int context, int sent, int *al); |
6b473aca MC |
72 | } EXTENSION_DEFINITION; |
73 | ||
4b299b8e | 74 | /* |
70af3d8e MC |
75 | * Definitions of all built-in extensions. NOTE: Changes in the number or order |
76 | * of these extensions should be mirrored with equivalent changes to the indexes | |
77 | * defined in statem_locl.h. | |
78 | * Each extension has an initialiser, a client and | |
79 | * server side parser and a finaliser. The initialiser is called (if the | |
80 | * extension is relevant to the given context) even if we did not see the | |
81 | * extension in the message that we received. The parser functions are only | |
82 | * called if we see the extension in the message. The finalisers are always | |
83 | * called if the initialiser was called. | |
84 | * There are also server and client side constructor functions which are always | |
85 | * called during message construction if the extension is relevant for the | |
86 | * given context. | |
87 | * The initialisation, parsing, finalisation and construction functions are | |
88 | * always called in the order defined in this list. Some extensions may depend | |
89 | * on others having been processed first, so the order of this list is | |
90 | * significant. | |
91 | * The extension context is defined by a series of flags which specify which | |
92 | * messages the extension is relevant to. These flags also specify whether the | |
93 | * extension is relevant to a paricular protocol or protocol version. | |
a1448c26 | 94 | * |
70af3d8e | 95 | * TODO(TLS1.3): Make sure we have a test to check the consistency of these |
4b299b8e | 96 | */ |
0785274c | 97 | #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } |
6b473aca MC |
98 | static const EXTENSION_DEFINITION ext_defs[] = { |
99 | { | |
100 | TLSEXT_TYPE_renegotiate, | |
6b473aca | 101 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED |
1266eefd MC |
102 | | EXT_TLS1_2_AND_BELOW_ONLY, |
103 | NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, | |
104 | tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, | |
105 | final_renegotiate | |
6b473aca MC |
106 | }, |
107 | { | |
108 | TLSEXT_TYPE_server_name, | |
6b473aca | 109 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
110 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
111 | init_server_name, | |
112 | tls_parse_ctos_server_name, tls_parse_stoc_server_name, | |
113 | tls_construct_stoc_server_name, tls_construct_ctos_server_name, | |
114 | final_server_name | |
6b473aca MC |
115 | }, |
116 | #ifndef OPENSSL_NO_SRP | |
117 | { | |
118 | TLSEXT_TYPE_srp, | |
1266eefd MC |
119 | EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
120 | init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL | |
6b473aca | 121 | }, |
0785274c MC |
122 | #else |
123 | INVALID_EXTENSION, | |
6b473aca MC |
124 | #endif |
125 | #ifndef OPENSSL_NO_EC | |
126 | { | |
127 | TLSEXT_TYPE_ec_point_formats, | |
3b58c54f | 128 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
1266eefd MC |
129 | NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, |
130 | tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, | |
131 | final_ec_pt_formats | |
6b473aca MC |
132 | }, |
133 | { | |
134 | TLSEXT_TYPE_supported_groups, | |
1266eefd MC |
135 | EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
136 | NULL, tls_parse_ctos_supported_groups, NULL, | |
7da160b0 | 137 | NULL /* TODO(TLS1.3): Need to add this */, |
1266eefd | 138 | tls_construct_ctos_supported_groups, NULL |
6b473aca | 139 | }, |
0785274c MC |
140 | #else |
141 | INVALID_EXTENSION, | |
142 | INVALID_EXTENSION, | |
6b473aca MC |
143 | #endif |
144 | { | |
145 | TLSEXT_TYPE_session_ticket, | |
1266eefd MC |
146 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
147 | init_session_ticket, tls_parse_ctos_session_ticket, | |
148 | tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, | |
149 | tls_construct_ctos_session_ticket, NULL | |
6b473aca MC |
150 | }, |
151 | { | |
152 | TLSEXT_TYPE_signature_algorithms, | |
1266eefd MC |
153 | EXT_CLIENT_HELLO, |
154 | init_sig_algs, tls_parse_ctos_sig_algs, NULL, NULL, | |
155 | tls_construct_ctos_sig_algs, NULL | |
6b473aca | 156 | }, |
ab83e314 | 157 | #ifndef OPENSSL_NO_OCSP |
6b473aca MC |
158 | { |
159 | TLSEXT_TYPE_status_request, | |
4b299b8e | 160 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
161 | | EXT_TLS1_3_CERTIFICATE, |
162 | init_status_request, tls_parse_ctos_status_request, | |
163 | tls_parse_stoc_status_request, tls_construct_stoc_status_request, | |
f63e4288 | 164 | tls_construct_ctos_status_request, NULL |
6b473aca | 165 | }, |
0785274c MC |
166 | #else |
167 | INVALID_EXTENSION, | |
ab83e314 | 168 | #endif |
6b473aca MC |
169 | #ifndef OPENSSL_NO_NEXTPROTONEG |
170 | { | |
171 | TLSEXT_TYPE_next_proto_neg, | |
1266eefd MC |
172 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
173 | init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, | |
174 | tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL | |
6b473aca | 175 | }, |
0785274c MC |
176 | #else |
177 | INVALID_EXTENSION, | |
6b473aca MC |
178 | #endif |
179 | { | |
02f0274e MC |
180 | /* |
181 | * Must appear in this list after server_name so that finalisation | |
182 | * happens after server_name callbacks | |
183 | */ | |
6b473aca | 184 | TLSEXT_TYPE_application_layer_protocol_negotiation, |
6b473aca | 185 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
186 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS, |
187 | init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, | |
188 | tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn | |
6b473aca | 189 | }, |
7da160b0 | 190 | #ifndef OPENSSL_NO_SRTP |
6b473aca MC |
191 | { |
192 | TLSEXT_TYPE_use_srtp, | |
6b473aca | 193 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
1266eefd MC |
194 | | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY, |
195 | init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, | |
196 | tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL | |
6b473aca | 197 | }, |
0785274c MC |
198 | #else |
199 | INVALID_EXTENSION, | |
7da160b0 | 200 | #endif |
6b473aca MC |
201 | { |
202 | TLSEXT_TYPE_encrypt_then_mac, | |
1266eefd MC |
203 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
204 | init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, | |
205 | tls_construct_stoc_etm, tls_construct_ctos_etm, NULL | |
6b473aca | 206 | }, |
6dd083fd | 207 | #ifndef OPENSSL_NO_CT |
6b473aca MC |
208 | { |
209 | TLSEXT_TYPE_signed_certificate_timestamp, | |
1266eefd MC |
210 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO |
211 | | EXT_TLS1_3_CERTIFICATE, | |
68db4dda | 212 | NULL, |
6b473aca MC |
213 | /* |
214 | * No server side support for this, but can be provided by a custom | |
215 | * extension. This is an exception to the rule that custom extensions | |
216 | * cannot override built in ones. | |
217 | */ | |
1266eefd | 218 | NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL |
6b473aca | 219 | }, |
0785274c MC |
220 | #else |
221 | INVALID_EXTENSION, | |
6dd083fd | 222 | #endif |
6b473aca MC |
223 | { |
224 | TLSEXT_TYPE_extended_master_secret, | |
1266eefd MC |
225 | EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
226 | init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, | |
227 | tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems | |
6b473aca MC |
228 | }, |
229 | { | |
230 | TLSEXT_TYPE_supported_versions, | |
1266eefd | 231 | EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY, |
68db4dda | 232 | NULL, |
6b473aca | 233 | /* Processed inline as part of version selection */ |
1266eefd | 234 | NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL |
6b473aca MC |
235 | }, |
236 | { | |
70af3d8e MC |
237 | /* |
238 | * Must be in this list after supported_groups. We need that to have | |
239 | * been parsed before we do this one. | |
240 | */ | |
6b473aca | 241 | TLSEXT_TYPE_key_share, |
6b473aca MC |
242 | EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO |
243 | | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY | |
1266eefd MC |
244 | | EXT_TLS1_3_ONLY, |
245 | NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, | |
246 | tls_construct_stoc_key_share, tls_construct_ctos_key_share, NULL | |
7da160b0 MC |
247 | }, |
248 | { | |
249 | /* | |
250 | * Special unsolicited ServerHello extension only used when | |
251 | * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set | |
252 | */ | |
253 | TLSEXT_TYPE_cryptopro_bug, | |
1266eefd MC |
254 | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY, |
255 | NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL | |
ab83e314 MC |
256 | }, |
257 | { | |
258 | /* Last in the list because it must be added as the last extension */ | |
259 | TLSEXT_TYPE_padding, | |
1266eefd | 260 | EXT_CLIENT_HELLO, |
68db4dda | 261 | NULL, |
ab83e314 | 262 | /* We send this, but don't read it */ |
1266eefd | 263 | NULL, NULL, NULL, tls_construct_ctos_padding, NULL |
6b473aca MC |
264 | } |
265 | }; | |
266 | ||
6b473aca MC |
267 | /* |
268 | * Verify whether we are allowed to use the extension |type| in the current | |
269 | * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to | |
70af3d8e MC |
270 | * indicate the extension is not allowed. If returning 1 then |*found| is set to |
271 | * 1 if we found a definition for the extension, and |*idx| is set to its index | |
6b473aca | 272 | */ |
70af3d8e | 273 | static int verify_extension(SSL *s, unsigned int context, unsigned int type, |
1266eefd MC |
274 | custom_ext_methods *meths, RAW_EXTENSION *rawexlist, |
275 | RAW_EXTENSION **found) | |
6b473aca MC |
276 | { |
277 | size_t i; | |
70af3d8e | 278 | size_t builtin_num = OSSL_NELEM(ext_defs); |
d270de32 | 279 | const EXTENSION_DEFINITION *thisext; |
6b473aca | 280 | |
1266eefd MC |
281 | for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { |
282 | if (type == thisext->type) { | |
6b473aca | 283 | /* Check we're allowed to use this extension in this context */ |
1266eefd | 284 | if ((context & thisext->context) == 0) |
6b473aca MC |
285 | return 0; |
286 | ||
287 | if (SSL_IS_DTLS(s)) { | |
1266eefd | 288 | if ((thisext->context & EXT_TLS_ONLY) != 0) |
6b473aca | 289 | return 0; |
1266eefd | 290 | } else if ((thisext->context & EXT_DTLS_ONLY) != 0) { |
6b473aca MC |
291 | return 0; |
292 | } | |
293 | ||
1266eefd | 294 | *found = &rawexlist[i]; |
6b473aca MC |
295 | return 1; |
296 | } | |
297 | } | |
298 | ||
70af3d8e MC |
299 | if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) { |
300 | /* | |
301 | * Custom extensions only apply to <=TLS1.2. This extension is unknown | |
302 | * in this context - we allow it | |
303 | */ | |
1266eefd | 304 | *found = NULL; |
70af3d8e MC |
305 | return 1; |
306 | } | |
6b473aca | 307 | |
70af3d8e MC |
308 | /* Check the custom extensions */ |
309 | if (meths != NULL) { | |
310 | for (i = builtin_num; i < builtin_num + meths->meths_count; i++) { | |
311 | if (meths->meths[i - builtin_num].ext_type == type) { | |
1266eefd | 312 | *found = &rawexlist[i]; |
70af3d8e MC |
313 | return 1; |
314 | } | |
6b473aca MC |
315 | } |
316 | } | |
317 | ||
70af3d8e | 318 | /* Unknown extension. We allow it */ |
1266eefd | 319 | *found = NULL; |
70af3d8e | 320 | return 1; |
6b473aca MC |
321 | } |
322 | ||
70af3d8e MC |
323 | /* |
324 | * Check whether the context defined for an extension |extctx| means whether | |
325 | * the extension is relevant for the current context |thisctx| or not. Returns | |
326 | * 1 if the extension is relevant for this context, and 0 otherwise | |
327 | */ | |
805a2e9e MC |
328 | static int extension_is_relevant(SSL *s, unsigned int extctx, |
329 | unsigned int thisctx) | |
330 | { | |
331 | if ((SSL_IS_DTLS(s) | |
332 | && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0) | |
333 | || (s->version == SSL3_VERSION | |
334 | && (extctx & EXT_SSL3_ALLOWED) == 0) | |
335 | || (SSL_IS_TLS13(s) | |
336 | && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0) | |
337 | || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0)) | |
338 | return 0; | |
339 | ||
340 | return 1; | |
341 | } | |
342 | ||
6b473aca MC |
343 | /* |
344 | * Gather a list of all the extensions from the data in |packet]. |context| | |
70af3d8e | 345 | * tells us which message this extension is for. The raw extension data is |
1266eefd MC |
346 | * stored in |*res| on success. In the event of an error the alert type to use |
347 | * is stored in |*al|. We don't actually process the content of the extensions | |
348 | * yet, except to check their types. This function also runs the initialiser | |
349 | * functions for all known extensions (whether we have collected them or not). | |
350 | * If successful the caller is responsible for freeing the contents of |*res|. | |
6b473aca MC |
351 | * |
352 | * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be | |
353 | * more than one extension of the same type in a ClientHello or ServerHello. | |
354 | * This function returns 1 if all extensions are unique and we have parsed their | |
355 | * types, and 0 if the extensions contain duplicates, could not be successfully | |
1266eefd | 356 | * found, or an internal error occurred. We only check duplicates for |
70af3d8e | 357 | * extensions that we know about. We ignore others. |
6b473aca | 358 | */ |
6b473aca | 359 | int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, |
70af3d8e | 360 | RAW_EXTENSION **res, int *al) |
6b473aca MC |
361 | { |
362 | PACKET extensions = *packet; | |
d270de32 | 363 | size_t i = 0; |
70af3d8e | 364 | custom_ext_methods *exts = NULL; |
6b473aca | 365 | RAW_EXTENSION *raw_extensions = NULL; |
d270de32 | 366 | const EXTENSION_DEFINITION *thisexd; |
6b473aca | 367 | |
ecc2f938 MC |
368 | *res = NULL; |
369 | ||
70af3d8e MC |
370 | /* |
371 | * Initialise server side custom extensions. Client side is done during | |
372 | * construction of extensions for the ClientHello. | |
373 | */ | |
374 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
375 | exts = &s->cert->srv_ext; | |
376 | custom_ext_init(&s->cert->srv_ext); | |
377 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
378 | exts = &s->cert->cli_ext; | |
379 | } | |
380 | ||
381 | raw_extensions = OPENSSL_zalloc((OSSL_NELEM(ext_defs) | |
382 | + (exts != NULL ? exts->meths_count : 0)) | |
1266eefd | 383 | * sizeof(*raw_extensions)); |
70af3d8e MC |
384 | if (raw_extensions == NULL) { |
385 | *al = SSL_AD_INTERNAL_ERROR; | |
386 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, ERR_R_MALLOC_FAILURE); | |
387 | return 0; | |
388 | } | |
389 | ||
6b473aca MC |
390 | while (PACKET_remaining(&extensions) > 0) { |
391 | unsigned int type; | |
392 | PACKET extension; | |
1266eefd | 393 | RAW_EXTENSION *thisex; |
6b473aca MC |
394 | |
395 | if (!PACKET_get_net_2(&extensions, &type) || | |
396 | !PACKET_get_length_prefixed_2(&extensions, &extension)) { | |
397 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); | |
70af3d8e | 398 | *al = SSL_AD_DECODE_ERROR; |
6b473aca MC |
399 | goto err; |
400 | } | |
70af3d8e MC |
401 | /* |
402 | * Verify this extension is allowed. We only check duplicates for | |
403 | * extensions that we recognise. | |
404 | */ | |
1266eefd MC |
405 | if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) |
406 | || (thisex != NULL && thisex->present == 1)) { | |
6b473aca | 407 | SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); |
70af3d8e | 408 | *al = SSL_AD_ILLEGAL_PARAMETER; |
6b473aca MC |
409 | goto err; |
410 | } | |
1266eefd MC |
411 | if (thisex != NULL) { |
412 | thisex->data = extension; | |
413 | thisex->present = 1; | |
414 | thisex->type = type; | |
6b473aca MC |
415 | } |
416 | } | |
417 | ||
68db4dda MC |
418 | /* |
419 | * Initialise all known extensions relevant to this context, whether we have | |
420 | * found them or not | |
421 | */ | |
1266eefd MC |
422 | for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
423 | if(thisexd->init != NULL && (thisexd->context & context) != 0 | |
424 | && extension_is_relevant(s, thisexd->context, context) | |
425 | && !thisexd->init(s, context)) { | |
70af3d8e | 426 | *al = SSL_AD_INTERNAL_ERROR; |
68db4dda MC |
427 | goto err; |
428 | } | |
429 | } | |
430 | ||
6b473aca | 431 | *res = raw_extensions; |
6b473aca MC |
432 | return 1; |
433 | ||
434 | err: | |
435 | OPENSSL_free(raw_extensions); | |
436 | return 0; | |
437 | } | |
438 | ||
68db4dda | 439 | /* |
70af3d8e MC |
440 | * Runs the parser for a given extension with index |idx|. |exts| contains the |
441 | * list of all parsed extensions previously collected by | |
442 | * tls_collect_extensions(). The parser is only run if it is applicable for the | |
f97d4c37 MC |
443 | * given |context| and the parser has not already been run. If this is for a |
444 | * Certificate message, then we also provide the parser with the relevant | |
8521ced6 | 445 | * Certificate |x| and its position in the |chainidx| with 0 being the first |
f97d4c37 MC |
446 | * Certificate. Returns 1 on success or 0 on failure. In the event of a failure |
447 | * |*al| is populated with a suitable alert code. If an extension is not present | |
448 | * this counted as success. | |
68db4dda | 449 | */ |
d270de32 | 450 | int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, |
8521ced6 | 451 | RAW_EXTENSION *exts, X509 *x, size_t chainidx, int *al) |
6b473aca | 452 | { |
70af3d8e | 453 | RAW_EXTENSION *currext = &exts[idx]; |
8521ced6 | 454 | int (*parser)(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al) = NULL; |
6b473aca | 455 | |
70af3d8e MC |
456 | /* Skip if the extension is not present */ |
457 | if (!currext->present) | |
458 | return 1; | |
6b473aca | 459 | |
aff8c126 RS |
460 | if (s->ext.debug_cb) |
461 | s->ext.debug_cb(s, !s->server, currext->type, | |
462 | PACKET_data(&currext->data), | |
463 | PACKET_remaining(&currext->data), | |
464 | s->ext.debug_arg); | |
6b473aca | 465 | |
70af3d8e MC |
466 | /* Skip if we've already parsed this extension */ |
467 | if (currext->parsed) | |
468 | return 1; | |
6b473aca | 469 | |
70af3d8e MC |
470 | currext->parsed = 1; |
471 | ||
472 | if (idx < OSSL_NELEM(ext_defs)) { | |
473 | /* We are handling a built-in extension */ | |
474 | const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; | |
475 | ||
476 | /* Check if extension is defined for our protocol. If not, skip */ | |
477 | if (!extension_is_relevant(s, extdef->context, context)) | |
478 | return 1; | |
479 | ||
1266eefd | 480 | parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; |
224135e9 | 481 | |
1266eefd | 482 | if (parser != NULL) |
8521ced6 | 483 | return parser(s, &currext->data, x, chainidx, al); |
6b473aca | 484 | |
70af3d8e MC |
485 | /* |
486 | * If the parser is NULL we fall through to the custom extension | |
487 | * processing | |
488 | */ | |
6b473aca MC |
489 | } |
490 | ||
70af3d8e MC |
491 | /* |
492 | * This is a custom extension. We only allow this if it is a non | |
493 | * resumed session on the server side. | |
8521ced6 | 494 | *chain |
70af3d8e MC |
495 | * TODO(TLS1.3): We only allow old style <=TLS1.2 custom extensions. |
496 | * We're going to need a new mechanism for TLS1.3 to specify which | |
497 | * messages to add the custom extensions to. | |
498 | */ | |
499 | if ((!s->hit || !s->server) | |
500 | && (context | |
501 | & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 | |
502 | && custom_ext_parse(s, s->server, currext->type, | |
503 | PACKET_data(&currext->data), | |
504 | PACKET_remaining(&currext->data), | |
505 | al) <= 0) | |
506 | return 0; | |
507 | ||
805a2e9e MC |
508 | return 1; |
509 | } | |
510 | ||
511 | /* | |
512 | * Parse all remaining extensions that have not yet been parsed. Also calls the | |
70af3d8e | 513 | * finalisation for all extensions at the end, whether we collected them or not. |
f97d4c37 MC |
514 | * Returns 1 for success or 0 for failure. If we are working on a Certificate |
515 | * message then we also pass the Certificate |x| and its position in the | |
8521ced6 MC |
516 | * |chainidx|, with 0 being the first certificate. On failure, |*al| is |
517 | * populated with a suitable alert code. | |
805a2e9e | 518 | */ |
f97d4c37 | 519 | int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, |
8521ced6 | 520 | size_t chainidx, int *al) |
805a2e9e | 521 | { |
1266eefd | 522 | size_t i, numexts = OSSL_NELEM(ext_defs); |
d270de32 | 523 | const EXTENSION_DEFINITION *thisexd; |
805a2e9e | 524 | |
70af3d8e MC |
525 | /* Calculate the number of extensions in the extensions list */ |
526 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
527 | numexts += s->cert->srv_ext.meths_count; | |
528 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
529 | numexts += s->cert->cli_ext.meths_count; | |
530 | } | |
531 | ||
532 | /* Parse each extension in turn */ | |
1266eefd | 533 | for (i = 0; i < numexts; i++) { |
8521ced6 | 534 | if (!tls_parse_extension(s, i, context, exts, x, chainidx, al)) |
70af3d8e MC |
535 | return 0; |
536 | } | |
805a2e9e | 537 | |
68db4dda MC |
538 | /* |
539 | * Finalise all known extensions relevant to this context, whether we have | |
540 | * found them or not | |
541 | */ | |
1266eefd MC |
542 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
543 | if(thisexd->final != NULL | |
544 | && (thisexd->context & context) != 0 | |
545 | && !thisexd->final(s, context, exts[i].present, al)) | |
68db4dda | 546 | return 0; |
68db4dda MC |
547 | } |
548 | ||
6b473aca MC |
549 | return 1; |
550 | } | |
551 | ||
552 | /* | |
70af3d8e | 553 | * Construct all the extensions relevant to the current |context| and write |
30aeba43 | 554 | * them to |pkt|. If this is an extension for a Certificate in a Certificate |
8521ced6 MC |
555 | * message, then |x| will be set to the Certificate we are handling, and |
556 | * |chainidx| will indicate the position in the chainidx we are processing (with | |
557 | * 0 being the first in the chain). Returns 1 on success or 0 on failure. If a | |
558 | * failure occurs then |al| is populated with a suitable alert code. On a | |
559 | * failure construction stops at the first extension to fail to construct. | |
6b473aca | 560 | */ |
224135e9 | 561 | int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, |
8521ced6 | 562 | X509 *x, size_t chainidx, int *al) |
224135e9 | 563 | { |
1266eefd MC |
564 | size_t i; |
565 | int addcustom = 0, min_version, max_version = 0, reason, tmpal; | |
d270de32 | 566 | const EXTENSION_DEFINITION *thisexd; |
224135e9 | 567 | |
7da160b0 | 568 | /* |
70af3d8e | 569 | * Normally if something goes wrong during construction it's an internal |
7da160b0 MC |
570 | * error. We can always override this later. |
571 | */ | |
70af3d8e | 572 | tmpal = SSL_AD_INTERNAL_ERROR; |
7da160b0 | 573 | |
224135e9 MC |
574 | if (!WPACKET_start_sub_packet_u16(pkt) |
575 | /* | |
576 | * If extensions are of zero length then we don't even add the | |
7da160b0 | 577 | * extensions length bytes to a ClientHello/ServerHello in SSLv3 |
224135e9 | 578 | */ |
7da160b0 MC |
579 | || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0 |
580 | && s->version == SSL3_VERSION | |
224135e9 MC |
581 | && !WPACKET_set_flags(pkt, |
582 | WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { | |
224135e9 | 583 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 584 | goto err; |
224135e9 MC |
585 | } |
586 | ||
ab83e314 MC |
587 | if ((context & EXT_CLIENT_HELLO) != 0) { |
588 | reason = ssl_get_client_min_max_version(s, &min_version, &max_version); | |
589 | if (reason != 0) { | |
590 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason); | |
70af3d8e | 591 | goto err; |
ab83e314 MC |
592 | } |
593 | } | |
594 | ||
595 | /* Add custom extensions first */ | |
596 | if ((context & EXT_CLIENT_HELLO) != 0) { | |
597 | custom_ext_init(&s->cert->cli_ext); | |
598 | addcustom = 1; | |
599 | } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) { | |
600 | /* | |
601 | * We already initialised the custom extensions during ClientHello | |
602 | * parsing. | |
a1448c26 | 603 | * |
ab83e314 MC |
604 | * TODO(TLS1.3): We're going to need a new custom extension mechanism |
605 | * for TLS1.3, so that custom extensions can specify which of the | |
606 | * multiple message they wish to add themselves to. | |
607 | */ | |
608 | addcustom = 1; | |
609 | } | |
610 | ||
70af3d8e | 611 | if (addcustom && !custom_ext_add(s, s->server, pkt, &tmpal)) { |
ab83e314 | 612 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 613 | goto err; |
ab83e314 MC |
614 | } |
615 | ||
1266eefd | 616 | for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { |
8521ced6 MC |
617 | int (*construct)(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx, |
618 | int *al); | |
4b299b8e | 619 | |
224135e9 | 620 | /* Skip if not relevant for our context */ |
d270de32 | 621 | if ((thisexd->context & context) == 0) |
224135e9 MC |
622 | continue; |
623 | ||
1266eefd MC |
624 | construct = s->server ? thisexd->construct_stoc |
625 | : thisexd->construct_ctos; | |
224135e9 MC |
626 | |
627 | /* Check if this extension is defined for our protocol. If not, skip */ | |
628 | if ((SSL_IS_DTLS(s) | |
1266eefd | 629 | && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY) |
4b299b8e | 630 | != 0) |
224135e9 | 631 | || (s->version == SSL3_VERSION |
1266eefd | 632 | && (thisexd->context & EXT_SSL3_ALLOWED) == 0) |
224135e9 | 633 | || (SSL_IS_TLS13(s) |
1266eefd | 634 | && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY) |
4b299b8e | 635 | != 0) |
224135e9 | 636 | || (!SSL_IS_TLS13(s) |
1266eefd | 637 | && (thisexd->context & EXT_TLS1_3_ONLY) != 0 |
4b299b8e | 638 | && (context & EXT_CLIENT_HELLO) == 0) |
1266eefd | 639 | || ((thisexd->context & EXT_TLS1_3_ONLY) != 0 |
ab83e314 MC |
640 | && (context & EXT_CLIENT_HELLO) != 0 |
641 | && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)) | |
224135e9 MC |
642 | || construct == NULL) |
643 | continue; | |
644 | ||
8521ced6 | 645 | if (!construct(s, pkt, x, chainidx, &tmpal)) |
70af3d8e | 646 | goto err; |
224135e9 MC |
647 | } |
648 | ||
224135e9 | 649 | if (!WPACKET_close(pkt)) { |
224135e9 | 650 | SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, ERR_R_INTERNAL_ERROR); |
70af3d8e | 651 | goto err; |
224135e9 MC |
652 | } |
653 | ||
654 | return 1; | |
70af3d8e MC |
655 | |
656 | err: | |
657 | *al = tmpal; | |
658 | return 0; | |
224135e9 | 659 | } |
805a2e9e | 660 | |
70af3d8e MC |
661 | /* |
662 | * Built in extension finalisation and initialisation functions. All initialise | |
663 | * or finalise the associated extension type for the given |context|. For | |
664 | * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 | |
665 | * otherwise. These functions return 1 on success or 0 on failure. In the event | |
666 | * of a failure then |*al| is populated with a suitable error code. | |
667 | */ | |
668 | ||
1266eefd | 669 | static int final_renegotiate(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
670 | int *al) |
671 | { | |
332eb390 MC |
672 | if (!s->server) { |
673 | /* | |
674 | * Check if we can connect to a server that doesn't support safe | |
675 | * renegotiation | |
676 | */ | |
677 | if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) | |
678 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
679 | && !sent) { | |
680 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 681 | SSLerr(SSL_F_FINAL_RENEGOTIATE, |
332eb390 MC |
682 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
683 | return 0; | |
684 | } | |
685 | ||
805a2e9e | 686 | return 1; |
332eb390 | 687 | } |
805a2e9e MC |
688 | |
689 | /* Need RI if renegotiating */ | |
690 | if (s->renegotiate | |
691 | && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) | |
692 | && !sent) { | |
693 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 694 | SSLerr(SSL_F_FINAL_RENEGOTIATE, |
805a2e9e MC |
695 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); |
696 | return 0; | |
697 | } | |
698 | ||
332eb390 | 699 | |
805a2e9e MC |
700 | return 1; |
701 | } | |
702 | ||
1266eefd | 703 | static int init_server_name(SSL *s, unsigned int context) |
805a2e9e MC |
704 | { |
705 | if (s->server) | |
706 | s->servername_done = 0; | |
707 | ||
708 | return 1; | |
709 | } | |
710 | ||
1266eefd | 711 | static int final_server_name(SSL *s, unsigned int context, int sent, |
805a2e9e MC |
712 | int *al) |
713 | { | |
714 | int ret = SSL_TLSEXT_ERR_NOACK; | |
715 | int altmp = SSL_AD_UNRECOGNIZED_NAME; | |
716 | ||
aff8c126 RS |
717 | if (s->ctx != NULL && s->ctx->ext.servername_cb != 0) |
718 | ret = s->ctx->ext.servername_cb(s, &altmp, | |
719 | s->ctx->ext.servername_arg); | |
805a2e9e | 720 | else if (s->initial_ctx != NULL |
aff8c126 RS |
721 | && s->initial_ctx->ext.servername_cb != 0) |
722 | ret = s->initial_ctx->ext.servername_cb(s, &altmp, | |
723 | s->initial_ctx->ext.servername_arg); | |
805a2e9e MC |
724 | |
725 | switch (ret) { | |
726 | case SSL_TLSEXT_ERR_ALERT_FATAL: | |
727 | *al = altmp; | |
728 | return 0; | |
729 | ||
730 | case SSL_TLSEXT_ERR_ALERT_WARNING: | |
731 | *al = altmp; | |
732 | return 1; | |
733 | ||
734 | case SSL_TLSEXT_ERR_NOACK: | |
735 | s->servername_done = 0; | |
736 | return 1; | |
737 | ||
738 | default: | |
739 | return 1; | |
740 | } | |
741 | } | |
742 | ||
332eb390 | 743 | #ifndef OPENSSL_NO_EC |
1266eefd | 744 | static int final_ec_pt_formats(SSL *s, unsigned int context, int sent, |
332eb390 MC |
745 | int *al) |
746 | { | |
747 | unsigned long alg_k, alg_a; | |
748 | ||
749 | if (s->server) | |
750 | return 1; | |
751 | ||
752 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
753 | alg_a = s->s3->tmp.new_cipher->algorithm_auth; | |
754 | ||
755 | /* | |
756 | * If we are client and using an elliptic curve cryptography cipher | |
757 | * suite, then if server returns an EC point formats lists extension it | |
758 | * must contain uncompressed. | |
759 | */ | |
aff8c126 RS |
760 | if (s->ext.ecpointformats != NULL |
761 | && s->ext.ecpointformats_len > 0 | |
762 | && s->session->ext.ecpointformats != NULL | |
763 | && s->session->ext.ecpointformats_len > 0 | |
1266eefd | 764 | && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { |
332eb390 MC |
765 | /* we are using an ECC cipher */ |
766 | size_t i; | |
aff8c126 | 767 | unsigned char *list = s->session->ext.ecpointformats; |
1266eefd | 768 | |
aff8c126 | 769 | for (i = 0; i < s->session->ext.ecpointformats_len; i++) { |
1266eefd | 770 | if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) |
332eb390 | 771 | break; |
332eb390 | 772 | } |
aff8c126 | 773 | if (i == s->session->ext.ecpointformats_len) { |
7fe97c07 | 774 | SSLerr(SSL_F_FINAL_EC_PT_FORMATS, |
332eb390 MC |
775 | SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); |
776 | return 0; | |
777 | } | |
778 | } | |
779 | ||
780 | return 1; | |
781 | } | |
782 | #endif | |
783 | ||
1266eefd | 784 | static int init_session_ticket(SSL *s, unsigned int context) |
332eb390 MC |
785 | { |
786 | if (!s->server) | |
aff8c126 | 787 | s->ext.ticket_expected = 0; |
332eb390 MC |
788 | |
789 | return 1; | |
790 | } | |
791 | ||
8f8c11d8 | 792 | #ifndef OPENSSL_NO_OCSP |
1266eefd | 793 | static int init_status_request(SSL *s, unsigned int context) |
805a2e9e | 794 | { |
f63e4288 | 795 | if (s->server) { |
aff8c126 | 796 | s->ext.status_type = TLSEXT_STATUSTYPE_nothing; |
f63e4288 MC |
797 | } else { |
798 | /* | |
799 | * Ensure we get sensible values passed to tlsext_status_cb in the event | |
800 | * that we don't receive a status message | |
801 | */ | |
802 | OPENSSL_free(s->tlsext_ocsp_resp); | |
aff8c126 RS |
803 | s->ext.ocsp_resp = NULL; |
804 | s->ext.ocsp_resplen = 0; | |
f63e4288 | 805 | } |
332eb390 MC |
806 | |
807 | return 1; | |
808 | } | |
aff8c126 RS |
809 | |
810 | static int final_status_request(SSL *s, unsigned int context, int sent, | |
811 | int *al) | |
812 | { | |
813 | if (s->server) | |
814 | return 1; | |
815 | ||
816 | /* | |
817 | * Ensure we get sensible values passed to ext.status_cb in the event | |
818 | * that we don't receive a status message | |
819 | */ | |
820 | OPENSSL_free(s->ext.ocsp.resp); | |
821 | s->ext.ocsp.resp = NULL; | |
822 | s->ext.ocsp.resp_len = 0; | |
823 | >>>>>>> Move extension data into sub-structs | |
824 | ||
825 | return 1; | |
826 | } | |
8f8c11d8 | 827 | #endif |
332eb390 | 828 | |
805a2e9e | 829 | #ifndef OPENSSL_NO_NEXTPROTONEG |
1266eefd | 830 | static int init_npn(SSL *s, unsigned int context) |
805a2e9e | 831 | { |
aff8c126 | 832 | s->s3->npn_seen = 0; |
805a2e9e MC |
833 | |
834 | return 1; | |
835 | } | |
836 | #endif | |
837 | ||
1266eefd | 838 | static int init_alpn(SSL *s, unsigned int context) |
805a2e9e | 839 | { |
332eb390 MC |
840 | OPENSSL_free(s->s3->alpn_selected); |
841 | s->s3->alpn_selected = NULL; | |
805a2e9e | 842 | if (s->server) { |
805a2e9e MC |
843 | s->s3->alpn_selected_len = 0; |
844 | OPENSSL_free(s->s3->alpn_proposed); | |
845 | s->s3->alpn_proposed = NULL; | |
846 | s->s3->alpn_proposed_len = 0; | |
847 | } | |
805a2e9e MC |
848 | return 1; |
849 | } | |
850 | ||
1266eefd | 851 | static int final_alpn(SSL *s, unsigned int context, int sent, int *al) |
02f0274e MC |
852 | { |
853 | const unsigned char *selected = NULL; | |
854 | unsigned char selected_len = 0; | |
855 | ||
856 | if (!s->server) | |
857 | return 1; | |
858 | ||
aff8c126 RS |
859 | if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { |
860 | int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, | |
861 | s->s3->alpn_proposed, | |
862 | (unsigned int)s->s3->alpn_proposed_len, | |
863 | s->ctx->ext.alpn_select_cb_arg); | |
02f0274e MC |
864 | |
865 | if (r == SSL_TLSEXT_ERR_OK) { | |
866 | OPENSSL_free(s->s3->alpn_selected); | |
867 | s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len); | |
868 | if (s->s3->alpn_selected == NULL) { | |
869 | *al = SSL_AD_INTERNAL_ERROR; | |
870 | return 0; | |
871 | } | |
872 | s->s3->alpn_selected_len = selected_len; | |
873 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
874 | /* ALPN takes precedence over NPN. */ | |
aff8c126 | 875 | s->s3->npn_seen = 0; |
02f0274e MC |
876 | #endif |
877 | } else { | |
878 | *al = SSL_AD_NO_APPLICATION_PROTOCOL; | |
879 | return 0; | |
880 | } | |
881 | } | |
882 | ||
883 | return 1; | |
884 | } | |
885 | ||
1266eefd | 886 | static int init_sig_algs(SSL *s, unsigned int context) |
805a2e9e MC |
887 | { |
888 | /* Clear any signature algorithms extension received */ | |
889 | OPENSSL_free(s->s3->tmp.peer_sigalgs); | |
890 | s->s3->tmp.peer_sigalgs = NULL; | |
891 | ||
892 | return 1; | |
893 | } | |
894 | ||
895 | #ifndef OPENSSL_NO_SRP | |
1266eefd | 896 | static int init_srp(SSL *s, unsigned int context) |
805a2e9e MC |
897 | { |
898 | OPENSSL_free(s->srp_ctx.login); | |
899 | s->srp_ctx.login = NULL; | |
900 | ||
901 | return 1; | |
902 | } | |
903 | #endif | |
904 | ||
1266eefd | 905 | static int init_etm(SSL *s, unsigned int context) |
805a2e9e | 906 | { |
332eb390 MC |
907 | s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; |
908 | ||
909 | return 1; | |
910 | } | |
911 | ||
1266eefd | 912 | static int init_ems(SSL *s, unsigned int context) |
332eb390 MC |
913 | { |
914 | if (!s->server) | |
915 | s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; | |
916 | ||
917 | return 1; | |
918 | } | |
919 | ||
1266eefd | 920 | static int final_ems(SSL *s, unsigned int context, int sent, int *al) |
332eb390 MC |
921 | { |
922 | if (!s->server && s->hit) { | |
923 | /* | |
924 | * Check extended master secret extension is consistent with | |
925 | * original session. | |
926 | */ | |
927 | if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != | |
928 | !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { | |
929 | *al = SSL_AD_HANDSHAKE_FAILURE; | |
7fe97c07 | 930 | SSLerr(SSL_F_FINAL_EMS, SSL_R_INCONSISTENT_EXTMS); |
332eb390 MC |
931 | return 0; |
932 | } | |
933 | } | |
805a2e9e MC |
934 | |
935 | return 1; | |
936 | } | |
937 | ||
938 | #ifndef OPENSSL_NO_SRTP | |
1266eefd | 939 | static int init_srtp(SSL *s, unsigned int context) |
805a2e9e MC |
940 | { |
941 | if (s->server) | |
942 | s->srtp_profile = NULL; | |
943 | ||
944 | return 1; | |
945 | } | |
946 | #endif |