]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions.c
projects / thirdparty / openssl.git / blob
? search:


c842e20fbfaaafd78f2a58ae0cb0a33907ce2879
[thirdparty/openssl.git] / ssl / statem / extensions.c
1 /*
2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include "internal/nelem.h"
12 #include "internal/cryptlib.h"
13 #include "../ssl_local.h"
14 #include "statem_local.h"
15 #include "internal/cryptlib.h"
16
17 DEFINE_STACK_OF(X509_NAME)
18
19 static int final_renegotiate(SSL *s, unsigned int context, int sent);
20 static int init_server_name(SSL *s, unsigned int context);
21 static int final_server_name(SSL *s, unsigned int context, int sent);
22 #ifndef OPENSSL_NO_EC
23 static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
24 #endif
25 static int init_session_ticket(SSL *s, unsigned int context);
26 #ifndef OPENSSL_NO_OCSP
27 static int init_status_request(SSL *s, unsigned int context);
28 #endif
29 #ifndef OPENSSL_NO_NEXTPROTONEG
30 static int init_npn(SSL *s, unsigned int context);
31 #endif
32 static int init_alpn(SSL *s, unsigned int context);
33 static int final_alpn(SSL *s, unsigned int context, int sent);
34 static int init_sig_algs_cert(SSL *s, unsigned int context);
35 static int init_sig_algs(SSL *s, unsigned int context);
36 static int init_certificate_authorities(SSL *s, unsigned int context);
37 static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
38 unsigned int context,
39 X509 *x,
40 size_t chainidx);
41 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
42 unsigned int context, X509 *x,
43 size_t chainidx);
44 #ifndef OPENSSL_NO_SRP
45 static int init_srp(SSL *s, unsigned int context);
46 #endif
47 static int init_etm(SSL *s, unsigned int context);
48 static int init_ems(SSL *s, unsigned int context);
49 static int final_ems(SSL *s, unsigned int context, int sent);
50 static int init_psk_kex_modes(SSL *s, unsigned int context);
51 static int final_key_share(SSL *s, unsigned int context, int sent);
52 #ifndef OPENSSL_NO_SRTP
53 static int init_srtp(SSL *s, unsigned int context);
54 #endif
55 static int final_sig_algs(SSL *s, unsigned int context, int sent);
56 static int final_early_data(SSL *s, unsigned int context, int sent);
57 static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
58 static int init_post_handshake_auth(SSL *s, unsigned int context);
59
60 /* Structure to define a built-in extension */
61 typedef struct extensions_definition_st {
62 /* The defined type for the extension */
63 unsigned int type;
64 /*
65 * The context that this extension applies to, e.g. what messages and
66 * protocol versions
67 */
68 unsigned int context;
69 /*
70 * Initialise extension before parsing. Always called for relevant contexts
71 * even if extension not present
72 */
73 int (*init)(SSL *s, unsigned int context);
74 /* Parse extension sent from client to server */
75 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
76 size_t chainidx);
77 /* Parse extension send from server to client */
78 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
79 size_t chainidx);
80 /* Construct extension sent from server to client */
81 EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
82 X509 *x, size_t chainidx);
83 /* Construct extension sent from client to server */
84 EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
85 X509 *x, size_t chainidx);
86 /*
87 * Finalise extension after parsing. Always called where an extensions was
88 * initialised even if the extension was not present. |sent| is set to 1 if
89 * the extension was seen, or 0 otherwise.
90 */
91 int (*final)(SSL *s, unsigned int context, int sent);
92 } EXTENSION_DEFINITION;
93
94 /*
95 * Definitions of all built-in extensions. NOTE: Changes in the number or order
96 * of these extensions should be mirrored with equivalent changes to the
97 * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
98 * Each extension has an initialiser, a client and
99 * server side parser and a finaliser. The initialiser is called (if the
100 * extension is relevant to the given context) even if we did not see the
101 * extension in the message that we received. The parser functions are only
102 * called if we see the extension in the message. The finalisers are always
103 * called if the initialiser was called.
104 * There are also server and client side constructor functions which are always
105 * called during message construction if the extension is relevant for the
106 * given context.
107 * The initialisation, parsing, finalisation and construction functions are
108 * always called in the order defined in this list. Some extensions may depend
109 * on others having been processed first, so the order of this list is
110 * significant.
111 * The extension context is defined by a series of flags which specify which
112 * messages the extension is relevant to. These flags also specify whether the
113 * extension is relevant to a particular protocol or protocol version.
114 *
115 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
116 *
117 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
118 * the end, keep these extensions before signature_algorithm.
119 */
120 #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
121 static const EXTENSION_DEFINITION ext_defs[] = {
122 {
123 TLSEXT_TYPE_renegotiate,
124 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
125 | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
126 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
127 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
128 final_renegotiate
129 },
130 {
131 TLSEXT_TYPE_server_name,
132 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
133 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
134 init_server_name,
135 tls_parse_ctos_server_name, tls_parse_stoc_server_name,
136 tls_construct_stoc_server_name, tls_construct_ctos_server_name,
137 final_server_name
138 },
139 {
140 TLSEXT_TYPE_max_fragment_length,
141 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
142 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
143 NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
144 tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
145 final_maxfragmentlen
146 },
147 #ifndef OPENSSL_NO_SRP
148 {
149 TLSEXT_TYPE_srp,
150 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
151 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
152 },
153 #else
154 INVALID_EXTENSION,
155 #endif
156 #ifndef OPENSSL_NO_EC
157 {
158 TLSEXT_TYPE_ec_point_formats,
159 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
160 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
161 NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
162 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
163 final_ec_pt_formats
164 },
165 #else
166 INVALID_EXTENSION,
167 #endif
168 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
169 {
170 /*
171 * "supported_groups" is spread across several specifications.
172 * It was originally specified as "elliptic_curves" in RFC 4492,
173 * and broadened to include named FFDH groups by RFC 7919.
174 * Both RFCs 4492 and 7919 do not include a provision for the server
175 * to indicate to the client the complete list of groups supported
176 * by the server, with the server instead just indicating the
177 * selected group for this connection in the ServerKeyExchange
178 * message. TLS 1.3 adds a scheme for the server to indicate
179 * to the client its list of supported groups in the
180 * EncryptedExtensions message, but none of the relevant
181 * specifications permit sending supported_groups in the ServerHello.
182 * Nonetheless (possibly due to the close proximity to the
183 * "ec_point_formats" extension, which is allowed in the ServerHello),
184 * there are several servers that send this extension in the
185 * ServerHello anyway. Up to and including the 1.1.0 release,
186 * we did not check for the presence of nonpermitted extensions,
187 * so to avoid a regression, we must permit this extension in the
188 * TLS 1.2 ServerHello as well.
189 *
190 * Note that there is no tls_parse_stoc_supported_groups function,
191 * so we do not perform any additional parsing, validation, or
192 * processing on the server's group list -- this is just a minimal
193 * change to preserve compatibility with these misbehaving servers.
194 */
195 TLSEXT_TYPE_supported_groups,
196 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
197 | SSL_EXT_TLS1_2_SERVER_HELLO,
198 NULL, tls_parse_ctos_supported_groups, NULL,
199 tls_construct_stoc_supported_groups,
200 tls_construct_ctos_supported_groups, NULL
201 },
202 #else
203 INVALID_EXTENSION,
204 #endif
205 {
206 TLSEXT_TYPE_session_ticket,
207 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
208 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
209 init_session_ticket, tls_parse_ctos_session_ticket,
210 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
211 tls_construct_ctos_session_ticket, NULL
212 },
213 #ifndef OPENSSL_NO_OCSP
214 {
215 TLSEXT_TYPE_status_request,
216 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
217 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
218 init_status_request, tls_parse_ctos_status_request,
219 tls_parse_stoc_status_request, tls_construct_stoc_status_request,
220 tls_construct_ctos_status_request, NULL
221 },
222 #else
223 INVALID_EXTENSION,
224 #endif
225 #ifndef OPENSSL_NO_NEXTPROTONEG
226 {
227 TLSEXT_TYPE_next_proto_neg,
228 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
229 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
230 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
231 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
232 },
233 #else
234 INVALID_EXTENSION,
235 #endif
236 {
237 /*
238 * Must appear in this list after server_name so that finalisation
239 * happens after server_name callbacks
240 */
241 TLSEXT_TYPE_application_layer_protocol_negotiation,
242 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
243 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
244 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
245 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
246 },
247 #ifndef OPENSSL_NO_SRTP
248 {
249 TLSEXT_TYPE_use_srtp,
250 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
251 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
252 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
253 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
254 },
255 #else
256 INVALID_EXTENSION,
257 #endif
258 {
259 TLSEXT_TYPE_encrypt_then_mac,
260 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
261 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
262 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
263 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
264 },
265 #ifndef OPENSSL_NO_CT
266 {
267 TLSEXT_TYPE_signed_certificate_timestamp,
268 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
269 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
270 NULL,
271 /*
272 * No server side support for this, but can be provided by a custom
273 * extension. This is an exception to the rule that custom extensions
274 * cannot override built in ones.
275 */
276 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
277 },
278 #else
279 INVALID_EXTENSION,
280 #endif
281 {
282 TLSEXT_TYPE_extended_master_secret,
283 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
284 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
285 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
286 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
287 },
288 {
289 TLSEXT_TYPE_signature_algorithms_cert,
290 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
291 init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
292 tls_parse_ctos_sig_algs_cert,
293 /* We do not generate signature_algorithms_cert at present. */
294 NULL, NULL, NULL
295 },
296 {
297 TLSEXT_TYPE_post_handshake_auth,
298 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
299 init_post_handshake_auth,
300 tls_parse_ctos_post_handshake_auth, NULL,
301 NULL, tls_construct_ctos_post_handshake_auth,
302 NULL,
303 },
304 {
305 TLSEXT_TYPE_signature_algorithms,
306 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
307 init_sig_algs, tls_parse_ctos_sig_algs,
308 tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
309 tls_construct_ctos_sig_algs, final_sig_algs
310 },
311 {
312 TLSEXT_TYPE_supported_versions,
313 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
314 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
315 NULL,
316 /* Processed inline as part of version selection */
317 NULL, tls_parse_stoc_supported_versions,
318 tls_construct_stoc_supported_versions,
319 tls_construct_ctos_supported_versions, NULL
320 },
321 {
322 TLSEXT_TYPE_psk_kex_modes,
323 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
324 | SSL_EXT_TLS1_3_ONLY,
325 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
326 tls_construct_ctos_psk_kex_modes, NULL
327 },
328 {
329 /*
330 * Must be in this list after supported_groups. We need that to have
331 * been parsed before we do this one.
332 */
333 TLSEXT_TYPE_key_share,
334 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
335 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
336 | SSL_EXT_TLS1_3_ONLY,
337 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
338 tls_construct_stoc_key_share, tls_construct_ctos_key_share,
339 final_key_share
340 },
341 {
342 /* Must be after key_share */
343 TLSEXT_TYPE_cookie,
344 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
345 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
346 NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
347 tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
348 },
349 {
350 /*
351 * Special unsolicited ServerHello extension only used when
352 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
353 * ignore it.
354 */
355 TLSEXT_TYPE_cryptopro_bug,
356 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
357 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
358 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
359 },
360 {
361 TLSEXT_TYPE_early_data,
362 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
363 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
364 NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
365 tls_construct_stoc_early_data, tls_construct_ctos_early_data,
366 final_early_data
367 },
368 {
369 TLSEXT_TYPE_certificate_authorities,
370 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
371 | SSL_EXT_TLS1_3_ONLY,
372 init_certificate_authorities,
373 tls_parse_certificate_authorities, tls_parse_certificate_authorities,
374 tls_construct_certificate_authorities,
375 tls_construct_certificate_authorities, NULL,
376 },
377 {
378 /* Must be immediately before pre_shared_key */
379 TLSEXT_TYPE_padding,
380 SSL_EXT_CLIENT_HELLO,
381 NULL,
382 /* We send this, but don't read it */
383 NULL, NULL, NULL, tls_construct_ctos_padding, NULL
384 },
385 {
386 /* Required by the TLSv1.3 spec to always be the last extension */
387 TLSEXT_TYPE_psk,
388 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
389 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
390 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
391 tls_construct_ctos_psk, NULL
392 }
393 };
394
395 /* Check whether an extension's context matches the current context */
396 static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
397 {
398 /* Check we're allowed to use this extension in this context */
399 if ((thisctx & extctx) == 0)
400 return 0;
401
402 if (SSL_IS_DTLS(s)) {
403 if ((extctx & SSL_EXT_TLS_ONLY) != 0)
404 return 0;
405 } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
406 return 0;
407 }
408
409 return 1;
410 }
411
412 int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
413 {
414 size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
415 RAW_EXTENSION *thisext;
416 unsigned int context;
417 ENDPOINT role = ENDPOINT_BOTH;
418
419 if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
420 role = ENDPOINT_SERVER;
421 else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
422 role = ENDPOINT_CLIENT;
423
424 /* Calculate the number of extensions in the extensions list */
425 num_exts = builtin_num + s->cert->custext.meths_count;
426
427 for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
428 if (!thisext->present)
429 continue;
430
431 if (i < builtin_num) {
432 context = ext_defs[i].context;
433 } else {
434 custom_ext_method *meth = NULL;
435
436 meth = custom_ext_find(&s->cert->custext, role, thisext->type,
437 &offset);
438 if (!ossl_assert(meth != NULL))
439 return 0;
440 context = meth->context;
441 }
442
443 if (!validate_context(s, context, thisctx))
444 return 0;
445 }
446
447 return 1;
448 }
449
450 /*
451 * Verify whether we are allowed to use the extension |type| in the current
452 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
453 * indicate the extension is not allowed. If returning 1 then |*found| is set to
454 * the definition for the extension we found.
455 */
456 static int verify_extension(SSL *s, unsigned int context, unsigned int type,
457 custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
458 RAW_EXTENSION **found)
459 {
460 size_t i;
461 size_t builtin_num = OSSL_NELEM(ext_defs);
462 const EXTENSION_DEFINITION *thisext;
463
464 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
465 if (type == thisext->type) {
466 if (!validate_context(s, thisext->context, context))
467 return 0;
468
469 *found = &rawexlist[i];
470 return 1;
471 }
472 }
473
474 /* Check the custom extensions */
475 if (meths != NULL) {
476 size_t offset = 0;
477 ENDPOINT role = ENDPOINT_BOTH;
478 custom_ext_method *meth = NULL;
479
480 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
481 role = ENDPOINT_SERVER;
482 else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
483 role = ENDPOINT_CLIENT;
484
485 meth = custom_ext_find(meths, role, type, &offset);
486 if (meth != NULL) {
487 if (!validate_context(s, meth->context, context))
488 return 0;
489 *found = &rawexlist[offset + builtin_num];
490 return 1;
491 }
492 }
493
494 /* Unknown extension. We allow it */
495 *found = NULL;
496 return 1;
497 }
498
499 /*
500 * Check whether the context defined for an extension |extctx| means whether
501 * the extension is relevant for the current context |thisctx| or not. Returns
502 * 1 if the extension is relevant for this context, and 0 otherwise
503 */
504 int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
505 {
506 int is_tls13;
507
508 /*
509 * For HRR we haven't selected the version yet but we know it will be
510 * TLSv1.3
511 */
512 if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
513 is_tls13 = 1;
514 else
515 is_tls13 = SSL_IS_TLS13(s);
516
517 if ((SSL_IS_DTLS(s)
518 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
519 || (s->version == SSL3_VERSION
520 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
521 /*
522 * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
523 * which is never true when generating the ClientHello.
524 * However, version negotiation *has* occurred by the time the
525 * ClientHello extensions are being parsed.
526 * Be careful to allow TLS 1.3-only extensions when generating
527 * the ClientHello.
528 */
529 || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
530 || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
531 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
532 || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
533 || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
534 return 0;
535 return 1;
536 }
537
538 /*
539 * Gather a list of all the extensions from the data in |packet]. |context|
540 * tells us which message this extension is for. The raw extension data is
541 * stored in |*res| on success. We don't actually process the content of the
542 * extensions yet, except to check their types. This function also runs the
543 * initialiser functions for all known extensions if |init| is nonzero (whether
544 * we have collected them or not). If successful the caller is responsible for
545 * freeing the contents of |*res|.
546 *
547 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
548 * more than one extension of the same type in a ClientHello or ServerHello.
549 * This function returns 1 if all extensions are unique and we have parsed their
550 * types, and 0 if the extensions contain duplicates, could not be successfully
551 * found, or an internal error occurred. We only check duplicates for
552 * extensions that we know about. We ignore others.
553 */
554 int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
555 RAW_EXTENSION **res, size_t *len, int init)
556 {
557 PACKET extensions = *packet;
558 size_t i = 0;
559 size_t num_exts;
560 custom_ext_methods *exts = &s->cert->custext;
561 RAW_EXTENSION *raw_extensions = NULL;
562 const EXTENSION_DEFINITION *thisexd;
563
564 *res = NULL;
565
566 /*
567 * Initialise server side custom extensions. Client side is done during
568 * construction of extensions for the ClientHello.
569 */
570 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
571 custom_ext_init(&s->cert->custext);
572
573 num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
574 raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
575 if (raw_extensions == NULL) {
576 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
577 ERR_R_MALLOC_FAILURE);
578 return 0;
579 }
580
581 i = 0;
582 while (PACKET_remaining(&extensions) > 0) {
583 unsigned int type, idx;
584 PACKET extension;
585 RAW_EXTENSION *thisex;
586
587 if (!PACKET_get_net_2(&extensions, &type) ||
588 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
590 SSL_R_BAD_EXTENSION);
591 goto err;
592 }
593 /*
594 * Verify this extension is allowed. We only check duplicates for
595 * extensions that we recognise. We also have a special case for the
596 * PSK extension, which must be the last one in the ClientHello.
597 */
598 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
599 || (thisex != NULL && thisex->present == 1)
600 || (type == TLSEXT_TYPE_psk
601 && (context & SSL_EXT_CLIENT_HELLO) != 0
602 && PACKET_remaining(&extensions) != 0)) {
603 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
604 SSL_R_BAD_EXTENSION);
605 goto err;
606 }
607 idx = thisex - raw_extensions;
608 /*-
609 * Check that we requested this extension (if appropriate). Requests can
610 * be sent in the ClientHello and CertificateRequest. Unsolicited
611 * extensions can be sent in the NewSessionTicket. We only do this for
612 * the built-in extensions. Custom extensions have a different but
613 * similar check elsewhere.
614 * Special cases:
615 * - The HRR cookie extension is unsolicited
616 * - The renegotiate extension is unsolicited (the client signals
617 * support via an SCSV)
618 * - The signed_certificate_timestamp extension can be provided by a
619 * custom extension or by the built-in version. We let the extension
620 * itself handle unsolicited response checks.
621 */
622 if (idx < OSSL_NELEM(ext_defs)
623 && (context & (SSL_EXT_CLIENT_HELLO
624 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
625 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
626 && type != TLSEXT_TYPE_cookie
627 && type != TLSEXT_TYPE_renegotiate
628 && type != TLSEXT_TYPE_signed_certificate_timestamp
629 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
630 #ifndef OPENSSL_NO_GOST
631 && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
632 && type == TLSEXT_TYPE_cryptopro_bug)
633 #endif
634 ) {
635 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
636 SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
637 goto err;
638 }
639 if (thisex != NULL) {
640 thisex->data = extension;
641 thisex->present = 1;
642 thisex->type = type;
643 thisex->received_order = i++;
644 if (s->ext.debug_cb)
645 s->ext.debug_cb(s, !s->server, thisex->type,
646 PACKET_data(&thisex->data),
647 PACKET_remaining(&thisex->data),
648 s->ext.debug_arg);
649 }
650 }
651
652 if (init) {
653 /*
654 * Initialise all known extensions relevant to this context,
655 * whether we have found them or not
656 */
657 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
658 i++, thisexd++) {
659 if (thisexd->init != NULL && (thisexd->context & context) != 0
660 && extension_is_relevant(s, thisexd->context, context)
661 && !thisexd->init(s, context)) {
662 /* SSLfatal() already called */
663 goto err;
664 }
665 }
666 }
667
668 *res = raw_extensions;
669 if (len != NULL)
670 *len = num_exts;
671 return 1;
672
673 err:
674 OPENSSL_free(raw_extensions);
675 return 0;
676 }
677
678 /*
679 * Runs the parser for a given extension with index |idx|. |exts| contains the
680 * list of all parsed extensions previously collected by
681 * tls_collect_extensions(). The parser is only run if it is applicable for the
682 * given |context| and the parser has not already been run. If this is for a
683 * Certificate message, then we also provide the parser with the relevant
684 * Certificate |x| and its position in the |chainidx| with 0 being the first
685 * Certificate. Returns 1 on success or 0 on failure. If an extension is not
686 * present this counted as success.
687 */
688 int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
689 RAW_EXTENSION *exts, X509 *x, size_t chainidx)
690 {
691 RAW_EXTENSION *currext = &exts[idx];
692 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
693 size_t chainidx) = NULL;
694
695 /* Skip if the extension is not present */
696 if (!currext->present)
697 return 1;
698
699 /* Skip if we've already parsed this extension */
700 if (currext->parsed)
701 return 1;
702
703 currext->parsed = 1;
704
705 if (idx < OSSL_NELEM(ext_defs)) {
706 /* We are handling a built-in extension */
707 const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
708
709 /* Check if extension is defined for our protocol. If not, skip */
710 if (!extension_is_relevant(s, extdef->context, context))
711 return 1;
712
713 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
714
715 if (parser != NULL)
716 return parser(s, &currext->data, context, x, chainidx);
717
718 /*
719 * If the parser is NULL we fall through to the custom extension
720 * processing
721 */
722 }
723
724 /* Parse custom extensions */
725 return custom_ext_parse(s, context, currext->type,
726 PACKET_data(&currext->data),
727 PACKET_remaining(&currext->data),
728 x, chainidx);
729 }
730
731 /*
732 * Parse all remaining extensions that have not yet been parsed. Also calls the
733 * finalisation for all extensions at the end if |fin| is nonzero, whether we
734 * collected them or not. Returns 1 for success or 0 for failure. If we are
735 * working on a Certificate message then we also pass the Certificate |x| and
736 * its position in the |chainidx|, with 0 being the first certificate.
737 */
738 int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
739 size_t chainidx, int fin)
740 {
741 size_t i, numexts = OSSL_NELEM(ext_defs);
742 const EXTENSION_DEFINITION *thisexd;
743
744 /* Calculate the number of extensions in the extensions list */
745 numexts += s->cert->custext.meths_count;
746
747 /* Parse each extension in turn */
748 for (i = 0; i < numexts; i++) {
749 if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
750 /* SSLfatal() already called */
751 return 0;
752 }
753 }
754
755 if (fin) {
756 /*
757 * Finalise all known extensions relevant to this context,
758 * whether we have found them or not
759 */
760 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
761 i++, thisexd++) {
762 if (thisexd->final != NULL && (thisexd->context & context) != 0
763 && !thisexd->final(s, context, exts[i].present)) {
764 /* SSLfatal() already called */
765 return 0;
766 }
767 }
768 }
769
770 return 1;
771 }
772
773 int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
774 int max_version)
775 {
776 /* Skip if not relevant for our context */
777 if ((extctx & thisctx) == 0)
778 return 0;
779
780 /* Check if this extension is defined for our protocol. If not, skip */
781 if (!extension_is_relevant(s, extctx, thisctx)
782 || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
783 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
784 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
785 return 0;
786
787 return 1;
788 }
789
790 /*
791 * Construct all the extensions relevant to the current |context| and write
792 * them to |pkt|. If this is an extension for a Certificate in a Certificate
793 * message, then |x| will be set to the Certificate we are handling, and
794 * |chainidx| will indicate the position in the chainidx we are processing (with
795 * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
796 * failure construction stops at the first extension to fail to construct.
797 */
798 int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
799 X509 *x, size_t chainidx)
800 {
801 size_t i;
802 int min_version, max_version = 0, reason;
803 const EXTENSION_DEFINITION *thisexd;
804
805 if (!WPACKET_start_sub_packet_u16(pkt)
806 /*
807 * If extensions are of zero length then we don't even add the
808 * extensions length bytes to a ClientHello/ServerHello
809 * (for non-TLSv1.3).
810 */
811 || ((context &
812 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
813 && !WPACKET_set_flags(pkt,
814 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
815 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
816 ERR_R_INTERNAL_ERROR);
817 return 0;
818 }
819
820 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
821 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
822 if (reason != 0) {
823 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
824 reason);
825 return 0;
826 }
827 }
828
829 /* Add custom extensions first */
830 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
831 /* On the server side with initialise during ClientHello parsing */
832 custom_ext_init(&s->cert->custext);
833 }
834 if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
835 /* SSLfatal() already called */
836 return 0;
837 }
838
839 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
840 EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
841 X509 *x, size_t chainidx);
842 EXT_RETURN ret;
843
844 /* Skip if not relevant for our context */
845 if (!should_add_extension(s, thisexd->context, context, max_version))
846 continue;
847
848 construct = s->server ? thisexd->construct_stoc
849 : thisexd->construct_ctos;
850
851 if (construct == NULL)
852 continue;
853
854 ret = construct(s, pkt, context, x, chainidx);
855 if (ret == EXT_RETURN_FAIL) {
856 /* SSLfatal() already called */
857 return 0;
858 }
859 if (ret == EXT_RETURN_SENT
860 && (context & (SSL_EXT_CLIENT_HELLO
861 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
862 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
863 s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
864 }
865
866 if (!WPACKET_close(pkt)) {
867 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
868 ERR_R_INTERNAL_ERROR);
869 return 0;
870 }
871
872 return 1;
873 }
874
875 /*
876 * Built in extension finalisation and initialisation functions. All initialise
877 * or finalise the associated extension type for the given |context|. For
878 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
879 * otherwise. These functions return 1 on success or 0 on failure.
880 */
881
882 static int final_renegotiate(SSL *s, unsigned int context, int sent)
883 {
884 if (!s->server) {
885 /*
886 * Check if we can connect to a server that doesn't support safe
887 * renegotiation
888 */
889 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
890 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
891 && !sent) {
892 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
893 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
894 return 0;
895 }
896
897 return 1;
898 }
899
900 /* Need RI if renegotiating */
901 if (s->renegotiate
902 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
903 && !sent) {
904 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
905 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
906 return 0;
907 }
908
909
910 return 1;
911 }
912
913 static int init_server_name(SSL *s, unsigned int context)
914 {
915 if (s->server) {
916 s->servername_done = 0;
917
918 OPENSSL_free(s->ext.hostname);
919 s->ext.hostname = NULL;
920 }
921
922 return 1;
923 }
924
925 static int final_server_name(SSL *s, unsigned int context, int sent)
926 {
927 int ret = SSL_TLSEXT_ERR_NOACK;
928 int altmp = SSL_AD_UNRECOGNIZED_NAME;
929 int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
930
931 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
932 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
933 ERR_R_INTERNAL_ERROR);
934 return 0;
935 }
936
937 if (s->ctx->ext.servername_cb != NULL)
938 ret = s->ctx->ext.servername_cb(s, &altmp,
939 s->ctx->ext.servername_arg);
940 else if (s->session_ctx->ext.servername_cb != NULL)
941 ret = s->session_ctx->ext.servername_cb(s, &altmp,
942 s->session_ctx->ext.servername_arg);
943
944 /*
945 * For servers, propagate the SNI hostname from the temporary
946 * storage in the SSL to the persistent SSL_SESSION, now that we
947 * know we accepted it.
948 * Clients make this copy when parsing the server's response to
949 * the extension, which is when they find out that the negotiation
950 * was successful.
951 */
952 if (s->server) {
953 if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
954 /* Only store the hostname in the session if we accepted it. */
955 OPENSSL_free(s->session->ext.hostname);
956 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
957 if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
959 ERR_R_INTERNAL_ERROR);
960 }
961 }
962 }
963
964 /*
965 * If we switched contexts (whether here or in the client_hello callback),
966 * move the sess_accept increment from the session_ctx to the new
967 * context, to avoid the confusing situation of having sess_accept_good
968 * exceed sess_accept (zero) for the new context.
969 */
970 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
971 tsan_counter(&s->ctx->stats.sess_accept);
972 tsan_decr(&s->session_ctx->stats.sess_accept);
973 }
974
975 /*
976 * If we're expecting to send a ticket, and tickets were previously enabled,
977 * and now tickets are disabled, then turn off expected ticket.
978 * Also, if this is not a resumption, create a new session ID
979 */
980 if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
981 && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
982 s->ext.ticket_expected = 0;
983 if (!s->hit) {
984 SSL_SESSION* ss = SSL_get_session(s);
985
986 if (ss != NULL) {
987 OPENSSL_free(ss->ext.tick);
988 ss->ext.tick = NULL;
989 ss->ext.ticklen = 0;
990 ss->ext.tick_lifetime_hint = 0;
991 ss->ext.tick_age_add = 0;
992 if (!ssl_generate_session_id(s, ss)) {
993 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
994 ERR_R_INTERNAL_ERROR);
995 return 0;
996 }
997 } else {
998 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
999 ERR_R_INTERNAL_ERROR);
1000 return 0;
1001 }
1002 }
1003 }
1004
1005 switch (ret) {
1006 case SSL_TLSEXT_ERR_ALERT_FATAL:
1007 SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
1008 return 0;
1009
1010 case SSL_TLSEXT_ERR_ALERT_WARNING:
1011 /* TLSv1.3 doesn't have warning alerts so we suppress this */
1012 if (!SSL_IS_TLS13(s))
1013 ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
1014 s->servername_done = 0;
1015 return 1;
1016
1017 case SSL_TLSEXT_ERR_NOACK:
1018 s->servername_done = 0;
1019 return 1;
1020
1021 default:
1022 return 1;
1023 }
1024 }
1025
1026 #ifndef OPENSSL_NO_EC
1027 static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
1028 {
1029 unsigned long alg_k, alg_a;
1030
1031 if (s->server)
1032 return 1;
1033
1034 alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1035 alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1036
1037 /*
1038 * If we are client and using an elliptic curve cryptography cipher
1039 * suite, then if server returns an EC point formats lists extension it
1040 * must contain uncompressed.
1041 */
1042 if (s->ext.ecpointformats != NULL
1043 && s->ext.ecpointformats_len > 0
1044 && s->ext.peer_ecpointformats != NULL
1045 && s->ext.peer_ecpointformats_len > 0
1046 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
1047 /* we are using an ECC cipher */
1048 size_t i;
1049 unsigned char *list = s->ext.peer_ecpointformats;
1050
1051 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
1052 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
1053 break;
1054 }
1055 if (i == s->ext.peer_ecpointformats_len) {
1056 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
1057 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1058 return 0;
1059 }
1060 }
1061
1062 return 1;
1063 }
1064 #endif
1065
1066 static int init_session_ticket(SSL *s, unsigned int context)
1067 {
1068 if (!s->server)
1069 s->ext.ticket_expected = 0;
1070
1071 return 1;
1072 }
1073
1074 #ifndef OPENSSL_NO_OCSP
1075 static int init_status_request(SSL *s, unsigned int context)
1076 {
1077 if (s->server) {
1078 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1079 } else {
1080 /*
1081 * Ensure we get sensible values passed to tlsext_status_cb in the event
1082 * that we don't receive a status message
1083 */
1084 OPENSSL_free(s->ext.ocsp.resp);
1085 s->ext.ocsp.resp = NULL;
1086 s->ext.ocsp.resp_len = 0;
1087 }
1088
1089 return 1;
1090 }
1091 #endif
1092
1093 #ifndef OPENSSL_NO_NEXTPROTONEG
1094 static int init_npn(SSL *s, unsigned int context)
1095 {
1096 s->s3.npn_seen = 0;
1097
1098 return 1;
1099 }
1100 #endif
1101
1102 static int init_alpn(SSL *s, unsigned int context)
1103 {
1104 OPENSSL_free(s->s3.alpn_selected);
1105 s->s3.alpn_selected = NULL;
1106 s->s3.alpn_selected_len = 0;
1107 if (s->server) {
1108 OPENSSL_free(s->s3.alpn_proposed);
1109 s->s3.alpn_proposed = NULL;
1110 s->s3.alpn_proposed_len = 0;
1111 }
1112 return 1;
1113 }
1114
1115 static int final_alpn(SSL *s, unsigned int context, int sent)
1116 {
1117 if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
1118 s->ext.early_data_ok = 0;
1119
1120 if (!s->server || !SSL_IS_TLS13(s))
1121 return 1;
1122
1123 /*
1124 * Call alpn_select callback if needed. Has to be done after SNI and
1125 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
1126 * we also have to do this before we decide whether to accept early_data.
1127 * In TLSv1.3 we've already negotiated our cipher so we do this call now.
1128 * For < TLSv1.3 we defer it until after cipher negotiation.
1129 *
1130 * On failure SSLfatal() already called.
1131 */
1132 return tls_handle_alpn(s);
1133 }
1134
1135 static int init_sig_algs(SSL *s, unsigned int context)
1136 {
1137 /* Clear any signature algorithms extension received */
1138 OPENSSL_free(s->s3.tmp.peer_sigalgs);
1139 s->s3.tmp.peer_sigalgs = NULL;
1140
1141 return 1;
1142 }
1143
1144 static int init_sig_algs_cert(SSL *s, unsigned int context)
1145 {
1146 /* Clear any signature algorithms extension received */
1147 OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
1148 s->s3.tmp.peer_cert_sigalgs = NULL;
1149
1150 return 1;
1151 }
1152
1153 #ifndef OPENSSL_NO_SRP
1154 static int init_srp(SSL *s, unsigned int context)
1155 {
1156 OPENSSL_free(s->srp_ctx.login);
1157 s->srp_ctx.login = NULL;
1158
1159 return 1;
1160 }
1161 #endif
1162
1163 static int init_etm(SSL *s, unsigned int context)
1164 {
1165 s->ext.use_etm = 0;
1166
1167 return 1;
1168 }
1169
1170 static int init_ems(SSL *s, unsigned int context)
1171 {
1172 if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1173 s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1174 s->s3.flags |= TLS1_FLAGS_REQUIRED_EXTMS;
1175 }
1176
1177 return 1;
1178 }
1179
1180 static int final_ems(SSL *s, unsigned int context, int sent)
1181 {
1182 /*
1183 * Check extended master secret extension is not dropped on
1184 * renegotiation.
1185 */
1186 if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
1187 && (s->s3.flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
1188 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1189 SSL_R_INCONSISTENT_EXTMS);
1190 return 0;
1191 }
1192 if (!s->server && s->hit) {
1193 /*
1194 * Check extended master secret extension is consistent with
1195 * original session.
1196 */
1197 if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
1198 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
1199 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1200 SSL_R_INCONSISTENT_EXTMS);
1201 return 0;
1202 }
1203 }
1204
1205 return 1;
1206 }
1207
1208 static int init_certificate_authorities(SSL *s, unsigned int context)
1209 {
1210 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
1211 s->s3.tmp.peer_ca_names = NULL;
1212 return 1;
1213 }
1214
1215 static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
1216 unsigned int context,
1217 X509 *x,
1218 size_t chainidx)
1219 {
1220 const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
1221
1222 if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
1223 return EXT_RETURN_NOT_SENT;
1224
1225 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
1226 || !WPACKET_start_sub_packet_u16(pkt)) {
1227 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1228 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1229 ERR_R_INTERNAL_ERROR);
1230 return EXT_RETURN_FAIL;
1231 }
1232
1233 if (!construct_ca_names(s, ca_sk, pkt)) {
1234 /* SSLfatal() already called */
1235 return EXT_RETURN_FAIL;
1236 }
1237
1238 if (!WPACKET_close(pkt)) {
1239 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1240 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1241 ERR_R_INTERNAL_ERROR);
1242 return EXT_RETURN_FAIL;
1243 }
1244
1245 return EXT_RETURN_SENT;
1246 }
1247
1248 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
1249 unsigned int context, X509 *x,
1250 size_t chainidx)
1251 {
1252 if (!parse_ca_names(s, pkt))
1253 return 0;
1254 if (PACKET_remaining(pkt) != 0) {
1255 SSLfatal(s, SSL_AD_DECODE_ERROR,
1256 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
1257 return 0;
1258 }
1259 return 1;
1260 }
1261
1262 #ifndef OPENSSL_NO_SRTP
1263 static int init_srtp(SSL *s, unsigned int context)
1264 {
1265 if (s->server)
1266 s->srtp_profile = NULL;
1267
1268 return 1;
1269 }
1270 #endif
1271
1272 static int final_sig_algs(SSL *s, unsigned int context, int sent)
1273 {
1274 if (!sent && SSL_IS_TLS13(s) && !s->hit) {
1275 SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
1276 SSL_R_MISSING_SIGALGS_EXTENSION);
1277 return 0;
1278 }
1279
1280 return 1;
1281 }
1282
1283 static int final_key_share(SSL *s, unsigned int context, int sent)
1284 {
1285 #if !defined(OPENSSL_NO_TLS1_3)
1286 if (!SSL_IS_TLS13(s))
1287 return 1;
1288
1289 /* Nothing to do for key_share in an HRR */
1290 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
1291 return 1;
1292
1293 /*
1294 * If
1295 * we are a client
1296 * AND
1297 * we have no key_share
1298 * AND
1299 * (we are not resuming
1300 * OR the kex_mode doesn't allow non key_share resumes)
1301 * THEN
1302 * fail;
1303 */
1304 if (!s->server
1305 && !sent
1306 && (!s->hit
1307 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
1308 /* Nothing left we can do - just fail */
1309 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
1310 SSL_R_NO_SUITABLE_KEY_SHARE);
1311 return 0;
1312 }
1313 /*
1314 * IF
1315 * we are a server
1316 * THEN
1317 * IF
1318 * we have a suitable key_share
1319 * THEN
1320 * IF
1321 * we are stateless AND we have no cookie
1322 * THEN
1323 * send a HelloRetryRequest
1324 * ELSE
1325 * IF
1326 * we didn't already send a HelloRetryRequest
1327 * AND
1328 * the client sent a key_share extension
1329 * AND
1330 * (we are not resuming
1331 * OR the kex_mode allows key_share resumes)
1332 * AND
1333 * a shared group exists
1334 * THEN
1335 * send a HelloRetryRequest
1336 * ELSE IF
1337 * we are not resuming
1338 * OR
1339 * the kex_mode doesn't allow non key_share resumes
1340 * THEN
1341 * fail
1342 * ELSE IF
1343 * we are stateless AND we have no cookie
1344 * THEN
1345 * send a HelloRetryRequest
1346 */
1347 if (s->server) {
1348 if (s->s3.peer_tmp != NULL) {
1349 /* We have a suitable key_share */
1350 if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
1351 && !s->ext.cookieok) {
1352 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1353 /*
1354 * If we are stateless then we wouldn't know about any
1355 * previously sent HRR - so how can this be anything other
1356 * than 0?
1357 */
1358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1359 ERR_R_INTERNAL_ERROR);
1360 return 0;
1361 }
1362 s->hello_retry_request = SSL_HRR_PENDING;
1363 return 1;
1364 }
1365 } else {
1366 /* No suitable key_share */
1367 if (s->hello_retry_request == SSL_HRR_NONE && sent
1368 && (!s->hit
1369 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
1370 != 0)) {
1371 const uint16_t *pgroups, *clntgroups;
1372 size_t num_groups, clnt_num_groups, i;
1373 unsigned int group_id = 0;
1374
1375 /* Check if a shared group exists */
1376
1377 /* Get the clients list of supported groups. */
1378 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
1379 tls1_get_supported_groups(s, &pgroups, &num_groups);
1380
1381 /*
1382 * Find the first group we allow that is also in client's list
1383 */
1384 for (i = 0; i < num_groups; i++) {
1385 group_id = pgroups[i];
1386
1387 if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1388 1))
1389 break;
1390 }
1391
1392 if (i < num_groups) {
1393 /* A shared group exists so send a HelloRetryRequest */
1394 s->s3.group_id = group_id;
1395 s->hello_retry_request = SSL_HRR_PENDING;
1396 return 1;
1397 }
1398 }
1399 if (!s->hit
1400 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
1401 /* Nothing left we can do - just fail */
1402 SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
1403 : SSL_AD_MISSING_EXTENSION,
1404 SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
1405 return 0;
1406 }
1407
1408 if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
1409 && !s->ext.cookieok) {
1410 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1411 /*
1412 * If we are stateless then we wouldn't know about any
1413 * previously sent HRR - so how can this be anything other
1414 * than 0?
1415 */
1416 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1417 ERR_R_INTERNAL_ERROR);
1418 return 0;
1419 }
1420 s->hello_retry_request = SSL_HRR_PENDING;
1421 return 1;
1422 }
1423 }
1424
1425 /*
1426 * We have a key_share so don't send any more HelloRetryRequest
1427 * messages
1428 */
1429 if (s->hello_retry_request == SSL_HRR_PENDING)
1430 s->hello_retry_request = SSL_HRR_COMPLETE;
1431 } else {
1432 /*
1433 * For a client side resumption with no key_share we need to generate
1434 * the handshake secret (otherwise this is done during key_share
1435 * processing).
1436 */
1437 if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
1438 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1439 ERR_R_INTERNAL_ERROR);
1440 return 0;
1441 }
1442 }
1443 #endif /* !defined(OPENSSL_NO_TLS1_3) */
1444 return 1;
1445 }
1446
1447 static int init_psk_kex_modes(SSL *s, unsigned int context)
1448 {
1449 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
1450 return 1;
1451 }
1452
1453 int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1454 size_t binderoffset, const unsigned char *binderin,
1455 unsigned char *binderout, SSL_SESSION *sess, int sign,
1456 int external)
1457 {
1458 EVP_PKEY *mackey = NULL;
1459 EVP_MD_CTX *mctx = NULL;
1460 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1461 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
1462 unsigned char *early_secret;
1463 #ifdef CHARSET_EBCDIC
1464 static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1465 static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1466 #else
1467 static const unsigned char resumption_label[] = "res binder";
1468 static const unsigned char external_label[] = "ext binder";
1469 #endif
1470 const unsigned char *label;
1471 size_t bindersize, labelsize, hashsize;
1472 int hashsizei = EVP_MD_size(md);
1473 int ret = -1;
1474 int usepskfored = 0;
1475
1476 /* Ensure cast to size_t is safe */
1477 if (!ossl_assert(hashsizei >= 0)) {
1478 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1479 ERR_R_INTERNAL_ERROR);
1480 goto err;
1481 }
1482 hashsize = (size_t)hashsizei;
1483
1484 if (external
1485 && s->early_data_state == SSL_EARLY_DATA_CONNECTING
1486 && s->session->ext.max_early_data == 0
1487 && sess->ext.max_early_data > 0)
1488 usepskfored = 1;
1489
1490 if (external) {
1491 label = external_label;
1492 labelsize = sizeof(external_label) - 1;
1493 } else {
1494 label = resumption_label;
1495 labelsize = sizeof(resumption_label) - 1;
1496 }
1497
1498 /*
1499 * Generate the early_secret. On the server side we've selected a PSK to
1500 * resume with (internal or external) so we always do this. On the client
1501 * side we do this for a non-external (i.e. resumption) PSK or external PSK
1502 * that will be used for early_data so that it is in place for sending early
1503 * data. For client side external PSK not being used for early_data we
1504 * generate it but store it away for later use.
1505 */
1506 if (s->server || !external || usepskfored)
1507 early_secret = (unsigned char *)s->early_secret;
1508 else
1509 early_secret = (unsigned char *)sess->early_secret;
1510
1511 if (!tls13_generate_secret(s, md, NULL, sess->master_key,
1512 sess->master_key_length, early_secret)) {
1513 /* SSLfatal() already called */
1514 goto err;
1515 }
1516
1517 /*
1518 * Create the handshake hash for the binder key...the messages so far are
1519 * empty!
1520 */
1521 mctx = EVP_MD_CTX_new();
1522 if (mctx == NULL
1523 || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1524 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1526 ERR_R_INTERNAL_ERROR);
1527 goto err;
1528 }
1529
1530 /* Generate the binder key */
1531 if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
1532 hashsize, binderkey, hashsize, 1)) {
1533 /* SSLfatal() already called */
1534 goto err;
1535 }
1536
1537 /* Generate the finished key */
1538 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
1539 /* SSLfatal() already called */
1540 goto err;
1541 }
1542
1543 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
1544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1545 ERR_R_INTERNAL_ERROR);
1546 goto err;
1547 }
1548
1549 /*
1550 * Get a hash of the ClientHello up to the start of the binders. If we are
1551 * following a HelloRetryRequest then this includes the hash of the first
1552 * ClientHello and the HelloRetryRequest itself.
1553 */
1554 if (s->hello_retry_request == SSL_HRR_PENDING) {
1555 size_t hdatalen;
1556 long hdatalen_l;
1557 void *hdata;
1558
1559 hdatalen = hdatalen_l =
1560 BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
1561 if (hdatalen_l <= 0) {
1562 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1563 SSL_R_BAD_HANDSHAKE_LENGTH);
1564 goto err;
1565 }
1566
1567 /*
1568 * For servers the handshake buffer data will include the second
1569 * ClientHello - which we don't want - so we need to take that bit off.
1570 */
1571 if (s->server) {
1572 PACKET hashprefix, msg;
1573
1574 /* Find how many bytes are left after the first two messages */
1575 if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
1576 || !PACKET_forward(&hashprefix, 1)
1577 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
1578 || !PACKET_forward(&hashprefix, 1)
1579 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
1580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1581 ERR_R_INTERNAL_ERROR);
1582 goto err;
1583 }
1584 hdatalen -= PACKET_remaining(&hashprefix);
1585 }
1586
1587 if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
1588 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1589 ERR_R_INTERNAL_ERROR);
1590 goto err;
1591 }
1592 }
1593
1594 if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1595 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1597 ERR_R_INTERNAL_ERROR);
1598 goto err;
1599 }
1600
1601 mackey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
1602 s->ctx->propq,
1603 finishedkey,
1604 hashsize);
1605 if (mackey == NULL) {
1606 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1607 ERR_R_INTERNAL_ERROR);
1608 goto err;
1609 }
1610
1611 if (!sign)
1612 binderout = tmpbinder;
1613
1614 bindersize = hashsize;
1615 if (EVP_DigestSignInit_with_libctx(mctx, NULL, EVP_MD_name(md),
1616 s->ctx->libctx, s->ctx->propq,
1617 mackey) <= 0
1618 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1619 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1620 || bindersize != hashsize) {
1621 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1622 ERR_R_INTERNAL_ERROR);
1623 goto err;
1624 }
1625
1626 if (sign) {
1627 ret = 1;
1628 } else {
1629 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1630 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
1631 if (!ret)
1632 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
1633 SSL_R_BINDER_DOES_NOT_VERIFY);
1634 }
1635
1636 err:
1637 OPENSSL_cleanse(binderkey, sizeof(binderkey));
1638 OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1639 EVP_PKEY_free(mackey);
1640 EVP_MD_CTX_free(mctx);
1641
1642 return ret;
1643 }
1644
1645 static int final_early_data(SSL *s, unsigned int context, int sent)
1646 {
1647 if (!sent)
1648 return 1;
1649
1650 if (!s->server) {
1651 if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
1652 && sent
1653 && !s->ext.early_data_ok) {
1654 /*
1655 * If we get here then the server accepted our early_data but we
1656 * later realised that it shouldn't have done (e.g. inconsistent
1657 * ALPN)
1658 */
1659 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
1660 SSL_R_BAD_EARLY_DATA);
1661 return 0;
1662 }
1663
1664 return 1;
1665 }
1666
1667 if (s->max_early_data == 0
1668 || !s->hit
1669 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
1670 || !s->ext.early_data_ok
1671 || s->hello_retry_request != SSL_HRR_NONE
1672 || (s->allow_early_data_cb != NULL
1673 && !s->allow_early_data_cb(s,
1674 s->allow_early_data_cb_data))) {
1675 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
1676 } else {
1677 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1678
1679 if (!tls13_change_cipher_state(s,
1680 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
1681 /* SSLfatal() already called */
1682 return 0;
1683 }
1684 }
1685
1686 return 1;
1687 }
1688
1689 static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
1690 {
1691 /*
1692 * Session resumption on server-side with MFL extension active
1693 * BUT MFL extension packet was not resent (i.e. sent == 0)
1694 */
1695 if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1696 && !sent ) {
1697 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
1698 SSL_R_BAD_EXTENSION);
1699 return 0;
1700 }
1701
1702 /* Current SSL buffer is lower than requested MFL */
1703 if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1704 && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
1705 /* trigger a larger buffer reallocation */
1706 if (!ssl3_setup_buffers(s)) {
1707 /* SSLfatal() already called */
1708 return 0;
1709 }
1710
1711 return 1;
1712 }
1713
1714 static int init_post_handshake_auth(SSL *s, unsigned int context)
1715 {
1716 s->post_handshake_auth = SSL_PHA_NONE;
1717
1718 return 1;
1719 }
A mirror of the official openssl repository