/*
 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <string.h>
#include "internal/nelem.h"
#include "internal/cryptlib.h"
#include "../ssl_locl.h"
#include "statem_locl.h"
/* NOTE(review): second include of this header; see the one above */
#include "internal/cryptlib.h"

/*
 * Forward declarations of the initialiser and finaliser callbacks (and the
 * certificate_authorities parser/constructor) referenced from the ext_defs
 * table. The preprocessor guards mirror the guards around the table entries
 * that use them.
 */
static int final_renegotiate(SSL *s, unsigned int context, int sent);
static int init_server_name(SSL *s, unsigned int context);
static int final_server_name(SSL *s, unsigned int context, int sent);
#ifndef OPENSSL_NO_EC
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
#endif
static int init_session_ticket(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_OCSP
static int init_status_request(SSL *s, unsigned int context);
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
static int init_npn(SSL *s, unsigned int context);
#endif
static int init_alpn(SSL *s, unsigned int context);
static int final_alpn(SSL *s, unsigned int context, int sent);
static int init_sig_algs_cert(SSL *s, unsigned int context);
static int init_sig_algs(SSL *s, unsigned int context);
static int init_certificate_authorities(SSL *s, unsigned int context);
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
                                                        unsigned int context,
                                                        X509 *x,
                                                        size_t chainidx);
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx);
#ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context);
#endif
static int init_etm(SSL *s, unsigned int context);
static int init_ems(SSL *s, unsigned int context);
static int final_ems(SSL *s, unsigned int context, int sent);
static int init_psk_kex_modes(SSL *s, unsigned int context);
#ifndef OPENSSL_NO_EC
static int final_key_share(SSL *s, unsigned int context, int sent);
#endif
#ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context);
#endif
static int final_sig_algs(SSL *s, unsigned int context, int sent);
static int final_early_data(SSL *s, unsigned int context, int sent);
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
static int init_post_handshake_auth(SSL *s, unsigned int context);

/*
 * Structure to define a built-in extension.
 *
 * The ext_defs table in this file fills these members with positional
 * initialisers, so the member order below decides which callback lands in
 * which slot. A NULL callback means "nothing to do for this step".
 */
typedef struct extensions_definition_st {
    /* The defined type for the extension */
    unsigned int type;
    /*
     * The context that this extension applies to, e.g. what messages and
     * protocol versions
     */
    unsigned int context;
    /*
     * Initialise extension before parsing. Always called for relevant contexts
     * even if extension not present
     */
    int (*init)(SSL *s, unsigned int context);
    /* Parse extension sent from client to server */
    int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                      size_t chainidx);
    /* Parse extension sent from server to client */
    int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                      size_t chainidx);
    /* Construct extension sent from server to client */
    EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx);
    /* Construct extension sent from client to server */
    EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
                                 X509 *x, size_t chainidx);
    /*
     * Finalise extension after parsing. Always called where an extension was
     * initialised even if the extension was not present. |sent| is set to 1 if
     * the extension was seen, or 0 otherwise.
     */
    int (*final)(SSL *s, unsigned int context, int sent);
} EXTENSION_DEFINITION;

/*
 * Definitions of all built-in extensions.
 * NOTE: Changes in the number or order
 * of these extensions should be mirrored with equivalent changes to the
 * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
 * Each extension has an initialiser, a client and
 * server side parser and a finaliser. The initialiser is called (if the
 * extension is relevant to the given context) even if we did not see the
 * extension in the message that we received. The parser functions are only
 * called if we see the extension in the message. The finalisers are always
 * called if the initialiser was called.
 * There are also server and client side constructor functions which are always
 * called during message construction if the extension is relevant for the
 * given context.
 * The initialisation, parsing, finalisation and construction functions are
 * always called in the order defined in this list. Some extensions may depend
 * on others having been processed first, so the order of this list is
 * significant.
 * The extension context is defined by a series of flags which specify which
 * messages the extension is relevant to. These flags also specify whether the
 * extension is relevant to a particular protocol or protocol version.
 *
 * TODO(TLS1.3): Make sure we have a test to check the consistency of these
 *
 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
 * the end, keep these extensions before signature_algorithm.
*/
/*
 * Placeholder for a table slot whose extension is compiled out. It keeps the
 * slot occupied so later entries do not move. The type 0x10000 does not fit
 * in the 16-bit extension type field, so it should never equal a type read
 * off the wire; the context is 0 and every callback is NULL.
 */
#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
static const EXTENSION_DEFINITION ext_defs[] = {
    {
        TLSEXT_TYPE_renegotiate,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
        tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
        final_renegotiate
    },
    {
        TLSEXT_TYPE_server_name,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        init_server_name,
        tls_parse_ctos_server_name, tls_parse_stoc_server_name,
        tls_construct_stoc_server_name, tls_construct_ctos_server_name,
        final_server_name
    },
    {
        TLSEXT_TYPE_max_fragment_length,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
        tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
        final_maxfragmentlen
    },
#ifndef OPENSSL_NO_SRP
    {
        TLSEXT_TYPE_srp,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
    },
#else
    INVALID_EXTENSION,
#endif
#ifndef OPENSSL_NO_EC
    {
        TLSEXT_TYPE_ec_point_formats,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
        tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
        final_ec_pt_formats
    },
    {
        /*
         * "supported_groups" is spread across several specifications.
         * It was originally specified as "elliptic_curves" in RFC 4492,
         * and broadened to include named FFDH groups by RFC 7919.
         * Both RFCs 4492 and 7919 do not include a provision for the server
         * to indicate to the client the complete list of groups supported
         * by the server, with the server instead just indicating the
         * selected group for this connection in the ServerKeyExchange
         * message.  TLS 1.3 adds a scheme for the server to indicate
         * to the client its list of supported groups in the
         * EncryptedExtensions message, but none of the relevant
         * specifications permit sending supported_groups in the ServerHello.
         * Nonetheless (possibly due to the close proximity to the
         * "ec_point_formats" extension, which is allowed in the ServerHello),
         * there are several servers that send this extension in the
         * ServerHello anyway.  Up to and including the 1.1.0 release,
         * we did not check for the presence of nonpermitted extensions,
         * so to avoid a regression, we must permit this extension in the
         * TLS 1.2 ServerHello as well.
         *
         * Note that there is no tls_parse_stoc_supported_groups function,
         * so we do not perform any additional parsing, validation, or
         * processing on the server's group list -- this is just a minimal
         * change to preserve compatibility with these misbehaving servers.
         */
        TLSEXT_TYPE_supported_groups,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
        | SSL_EXT_TLS1_2_SERVER_HELLO,
        NULL, tls_parse_ctos_supported_groups, NULL,
        tls_construct_stoc_supported_groups,
        tls_construct_ctos_supported_groups, NULL
    },
#else
    INVALID_EXTENSION,
    INVALID_EXTENSION,
#endif
    {
        TLSEXT_TYPE_session_ticket,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        init_session_ticket, tls_parse_ctos_session_ticket,
        tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
        tls_construct_ctos_session_ticket, NULL
    },
#ifndef OPENSSL_NO_OCSP
    {
        TLSEXT_TYPE_status_request,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
        init_status_request, tls_parse_ctos_status_request,
        tls_parse_stoc_status_request, tls_construct_stoc_status_request,
        tls_construct_ctos_status_request, NULL
    },
#else
    INVALID_EXTENSION,
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
    {
        TLSEXT_TYPE_next_proto_neg,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
        tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
    },
#else
    INVALID_EXTENSION,
#endif
    {
        /*
         * Must appear in this list after server_name so that finalisation
         * happens after server_name callbacks
         */
        TLSEXT_TYPE_application_layer_protocol_negotiation,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
        init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
        tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
    },
#ifndef OPENSSL_NO_SRTP
    {
        TLSEXT_TYPE_use_srtp,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
        init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
        tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
    },
#else
    INVALID_EXTENSION,
#endif
    {
        TLSEXT_TYPE_encrypt_then_mac,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
        tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
    },
#ifndef OPENSSL_NO_CT
    {
        TLSEXT_TYPE_signed_certificate_timestamp,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
        NULL,
        /*
         * No server side support for this, but can be provided by a custom
         * extension. This is an exception to the rule that custom extensions
         * cannot override built in ones.
         */
        NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
    },
#else
    INVALID_EXTENSION,
#endif
    {
        TLSEXT_TYPE_extended_master_secret,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
        tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
    },
    {
        /* The ctos parser is registered for the stoc direction as well */
        TLSEXT_TYPE_signature_algorithms_cert,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
        init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
        tls_parse_ctos_sig_algs_cert,
        /* We do not generate signature_algorithms_cert at present. */
        NULL, NULL, NULL
    },
    {
        TLSEXT_TYPE_post_handshake_auth,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
        init_post_handshake_auth,
        tls_parse_ctos_post_handshake_auth, NULL,
        NULL, tls_construct_ctos_post_handshake_auth,
        NULL,
    },
    {
        /* One parser and one constructor serve both directions here */
        TLSEXT_TYPE_signature_algorithms,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
        init_sig_algs, tls_parse_ctos_sig_algs,
        tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
        tls_construct_ctos_sig_algs, final_sig_algs
    },
    {
        TLSEXT_TYPE_supported_versions,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
        | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
        NULL,
        /* Processed inline as part of version selection */
        NULL, tls_parse_stoc_supported_versions,
        tls_construct_stoc_supported_versions,
        tls_construct_ctos_supported_versions, NULL
    },
    {
        TLSEXT_TYPE_psk_kex_modes,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
        | SSL_EXT_TLS1_3_ONLY,
        init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
        tls_construct_ctos_psk_kex_modes, NULL
    },
#ifndef OPENSSL_NO_EC
    {
        /*
         * Must be in this list after supported_groups. We need that to have
         * been parsed before we do this one.
         *
         * NOTE(review): unlike every other conditionally compiled entry in
         * this table there is no "#else INVALID_EXTENSION" placeholder here,
         * so with OPENSSL_NO_EC defined the entries below move up one slot.
         * Confirm that the TLSEXT_IDX_* indexes in ssl_locl.h account for
         * that; otherwise index-based lookups would address the wrong entry.
         */
        TLSEXT_TYPE_key_share,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
        | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
        | SSL_EXT_TLS1_3_ONLY,
        NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
        tls_construct_stoc_key_share, tls_construct_ctos_key_share,
        final_key_share
    },
#endif
    {
        /* Must be after key_share */
        TLSEXT_TYPE_cookie,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
        | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
        NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
        tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
    },
    {
        /*
         * Special unsolicited ServerHello extension only used when
         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
         */
        TLSEXT_TYPE_cryptopro_bug,
        SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
        NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
    },
    {
        TLSEXT_TYPE_early_data,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
        | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
        NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
        tls_construct_stoc_early_data, tls_construct_ctos_early_data,
        final_early_data
    },
    {
        TLSEXT_TYPE_certificate_authorities,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
        | SSL_EXT_TLS1_3_ONLY,
        init_certificate_authorities,
        tls_parse_certificate_authorities, tls_parse_certificate_authorities,
        tls_construct_certificate_authorities,
        tls_construct_certificate_authorities, NULL,
    },
    {
        /* Must be immediately before pre_shared_key */
        TLSEXT_TYPE_padding,
        SSL_EXT_CLIENT_HELLO,
        NULL,
        /* We send this, but don't read it */
        NULL, NULL, NULL, tls_construct_ctos_padding, NULL
    },
    {
        /* Required by the TLSv1.3 spec to always be the last extension */
        TLSEXT_TYPE_psk,
        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
        | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
        NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
        tls_construct_ctos_psk, NULL
    }
};

/*
 * Decide whether an extension defined with the context flags |extctx| may
 * appear in the message described by |thisctx|.
 *
 * Two things are checked: the two flag sets must share at least one bit, and
 * the extension must not be restricted to the other transport (TLS-only on a
 * DTLS connection, DTLS-only otherwise). Protocol version restrictions are
 * not looked at here. Returns 1 if the extension is acceptable, 0 if not.
 */
static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
{
    unsigned int other_transport_only;

    /* No overlap at all: not defined for this message */
    if ((thisctx & extctx) == 0)
        return 0;

    /* Pick the "only valid on the other transport" flag for this connection */
    other_transport_only = SSL_IS_DTLS(s) ? SSL_EXT_TLS_ONLY
                                          : SSL_EXT_DTLS_ONLY;

    return (extctx & other_transport_only) == 0;
}

/*
 * Check every extension marked present in |exts| against the message context
 * |thisctx|. Slots below OSSL_NELEM(ext_defs) take their context from
 * ext_defs; the remaining slots are looked up by type among the custom
 * extension methods of |s|.
 *
 * Returns 1 if all present extensions are valid for |thisctx|, 0 as soon as
 * one is not or a present custom slot has no matching method.
 *
 * NOTE(review): assumes |exts| holds OSSL_NELEM(ext_defs) plus
 * custext.meths_count entries, the size tls_collect_extensions() allocates
 * - confirm for any other caller.
 */
int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
{
    const size_t builtin_num = OSSL_NELEM(ext_defs);
    const size_t total = builtin_num + s->cert->custext.meths_count;
    ENDPOINT role;
    size_t idx;

    /* Role used for the custom extension lookup, derived from the message */
    if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
        role = ENDPOINT_SERVER;
    else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
        role = ENDPOINT_CLIENT;
    else
        role = ENDPOINT_BOTH;

    for (idx = 0; idx < total; idx++) {
        const RAW_EXTENSION *raw = &exts[idx];
        unsigned int defctx;

        if (!raw->present)
            continue;

        if (idx < builtin_num) {
            defctx = ext_defs[idx].context;
        } else {
            size_t offset;
            custom_ext_method *meth = custom_ext_find(&s->cert->custext, role,
                                                      raw->type, &offset);

            /* A present custom slot without a method is an internal error */
            if (!ossl_assert(meth != NULL))
                return 0;
            defctx = meth->context;
        }

        if (!validate_context(s, defctx, thisctx))
            return 0;
    }

    return 1;
}

/*
 * Verify whether we are allowed to use the extension |type| in the current
 * |context|. Built-in definitions are searched first, then the custom
 * methods in |meths| (which may be NULL).
 *
 * Returns 0 if a matching definition exists but is not valid for |context|;
 * |*found| is left untouched in that case. Returns 1 otherwise, with |*found|
 * pointing at the slot of |rawexlist| that belongs to the extension.
 *
 * A type that matches no built-in and no custom definition is accepted:
 * the function returns 1 and sets |*found| to NULL, so callers have to cope
 * with a NULL |*found| on success.
 */
static int verify_extension(SSL *s, unsigned int context, unsigned int type,
                            custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
                            RAW_EXTENSION **found)
{
    const size_t builtin_num = OSSL_NELEM(ext_defs);
    size_t idx;

    /* Built-in extensions: the raw slot index equals the ext_defs index */
    for (idx = 0; idx < builtin_num; idx++) {
        if (ext_defs[idx].type != type)
            continue;

        if (!validate_context(s, ext_defs[idx].context, context))
            return 0;

        *found = &rawexlist[idx];
        return 1;
    }

    /* Custom extensions occupy the slots after the built-in ones */
    if (meths != NULL) {
        size_t offset = 0;
        ENDPOINT role = ENDPOINT_BOTH;
        custom_ext_method *meth;

        if ((context & SSL_EXT_CLIENT_HELLO) != 0)
            role = ENDPOINT_SERVER;
        else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
            role = ENDPOINT_CLIENT;

        meth = custom_ext_find(meths, role, type, &offset);
        if (meth != NULL) {
            if (!validate_context(s, meth->context, context))
                return 0;
            *found = &rawexlist[offset + builtin_num];
            return 1;
        }
    }

    /* Unknown extension. We allow it */
    *found = NULL;
    return 1;
}

/*
 * Check whether the context defined for an extension |extctx| means whether
 * the extension is relevant for the current context |thisctx| or not.
* Returns 1 if the extension is relevant for this context, and 0 otherwise.
 *
 * The exclusion rules are tested one after another; the first rule that
 * applies makes the extension irrelevant.
 */
int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
{
    int is_tls13;

    /*
     * For HRR we haven't selected the version yet but we know it will be
     * TLSv1.3
     */
    is_tls13 = (thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0
               ? 1 : SSL_IS_TLS13(s);

    /* Extensions flagged as TLS implementation only are skipped on DTLS */
    if (SSL_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
        return 0;

    /* On SSLv3 only extensions explicitly allowed there are relevant */
    if (s->version == SSL3_VERSION && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
        return 0;

    /*
     * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
     * which is never true when generating the ClientHello.
     * However, version negotiation *has* occurred by the time the
     * ClientHello extensions are being parsed.
     * Be careful to allow TLS 1.3-only extensions when generating
     * the ClientHello.
     */
    if (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
        return 0;

    /* TLS 1.3-only extension, not TLS 1.3, and not a ClientHello */
    if (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
            && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
        return 0;

    /* On the server a TLS 1.3-only extension needs TLS 1.3 in every message */
    if (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
        return 0;

    /* Resumed session and the extension asks to be ignored on resumption */
    if (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0)
        return 0;

    return 1;
}

/*
 * Gather a list of all the extensions from the data in |packet|. |context|
 * tells us which message this extension is for. The raw extension data is
 * stored in |*res| on success. We don't actually process the content of the
 * extensions yet, except to check their types. This function also runs the
 * initialiser functions for all known extensions if |init| is nonzero (whether
 * we have collected them or not). If successful the caller is responsible for
 * freeing the contents of |*res|.
 *
 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
 * more than one extension of the same type in a ClientHello or ServerHello.
 * This function returns 1 if all extensions are unique and we have parsed their
 * types, and 0 if the extensions contain duplicates, could not be successfully
 * found, or an internal error occurred. We only check duplicates for
 * extensions that we know about. We ignore others.
550*e71b7053SJung-uk Kim */ 551*e71b7053SJung-uk Kim int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, 552*e71b7053SJung-uk Kim RAW_EXTENSION **res, size_t *len, int init) 553*e71b7053SJung-uk Kim { 554*e71b7053SJung-uk Kim PACKET extensions = *packet; 555*e71b7053SJung-uk Kim size_t i = 0; 556*e71b7053SJung-uk Kim size_t num_exts; 557*e71b7053SJung-uk Kim custom_ext_methods *exts = &s->cert->custext; 558*e71b7053SJung-uk Kim RAW_EXTENSION *raw_extensions = NULL; 559*e71b7053SJung-uk Kim const EXTENSION_DEFINITION *thisexd; 560*e71b7053SJung-uk Kim 561*e71b7053SJung-uk Kim *res = NULL; 562*e71b7053SJung-uk Kim 563*e71b7053SJung-uk Kim /* 564*e71b7053SJung-uk Kim * Initialise server side custom extensions. Client side is done during 565*e71b7053SJung-uk Kim * construction of extensions for the ClientHello. 566*e71b7053SJung-uk Kim */ 567*e71b7053SJung-uk Kim if ((context & SSL_EXT_CLIENT_HELLO) != 0) 568*e71b7053SJung-uk Kim custom_ext_init(&s->cert->custext); 569*e71b7053SJung-uk Kim 570*e71b7053SJung-uk Kim num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? 
exts->meths_count : 0); 571*e71b7053SJung-uk Kim raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); 572*e71b7053SJung-uk Kim if (raw_extensions == NULL) { 573*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, 574*e71b7053SJung-uk Kim ERR_R_MALLOC_FAILURE); 575*e71b7053SJung-uk Kim return 0; 576*e71b7053SJung-uk Kim } 577*e71b7053SJung-uk Kim 578*e71b7053SJung-uk Kim i = 0; 579*e71b7053SJung-uk Kim while (PACKET_remaining(&extensions) > 0) { 580*e71b7053SJung-uk Kim unsigned int type, idx; 581*e71b7053SJung-uk Kim PACKET extension; 582*e71b7053SJung-uk Kim RAW_EXTENSION *thisex; 583*e71b7053SJung-uk Kim 584*e71b7053SJung-uk Kim if (!PACKET_get_net_2(&extensions, &type) || 585*e71b7053SJung-uk Kim !PACKET_get_length_prefixed_2(&extensions, &extension)) { 586*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, 587*e71b7053SJung-uk Kim SSL_R_BAD_EXTENSION); 588*e71b7053SJung-uk Kim goto err; 589*e71b7053SJung-uk Kim } 590*e71b7053SJung-uk Kim /* 591*e71b7053SJung-uk Kim * Verify this extension is allowed. We only check duplicates for 592*e71b7053SJung-uk Kim * extensions that we recognise. We also have a special case for the 593*e71b7053SJung-uk Kim * PSK extension, which must be the last one in the ClientHello. 
594*e71b7053SJung-uk Kim */ 595*e71b7053SJung-uk Kim if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) 596*e71b7053SJung-uk Kim || (thisex != NULL && thisex->present == 1) 597*e71b7053SJung-uk Kim || (type == TLSEXT_TYPE_psk 598*e71b7053SJung-uk Kim && (context & SSL_EXT_CLIENT_HELLO) != 0 599*e71b7053SJung-uk Kim && PACKET_remaining(&extensions) != 0)) { 600*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS, 601*e71b7053SJung-uk Kim SSL_R_BAD_EXTENSION); 602*e71b7053SJung-uk Kim goto err; 603*e71b7053SJung-uk Kim } 604*e71b7053SJung-uk Kim idx = thisex - raw_extensions; 605*e71b7053SJung-uk Kim /*- 606*e71b7053SJung-uk Kim * Check that we requested this extension (if appropriate). Requests can 607*e71b7053SJung-uk Kim * be sent in the ClientHello and CertificateRequest. Unsolicited 608*e71b7053SJung-uk Kim * extensions can be sent in the NewSessionTicket. We only do this for 609*e71b7053SJung-uk Kim * the built-in extensions. Custom extensions have a different but 610*e71b7053SJung-uk Kim * similar check elsewhere. 611*e71b7053SJung-uk Kim * Special cases: 612*e71b7053SJung-uk Kim * - The HRR cookie extension is unsolicited 613*e71b7053SJung-uk Kim * - The renegotiate extension is unsolicited (the client signals 614*e71b7053SJung-uk Kim * support via an SCSV) 615*e71b7053SJung-uk Kim * - The signed_certificate_timestamp extension can be provided by a 616*e71b7053SJung-uk Kim * custom extension or by the built-in version. We let the extension 617*e71b7053SJung-uk Kim * itself handle unsolicited response checks. 
618*e71b7053SJung-uk Kim */ 619*e71b7053SJung-uk Kim if (idx < OSSL_NELEM(ext_defs) 620*e71b7053SJung-uk Kim && (context & (SSL_EXT_CLIENT_HELLO 621*e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 622*e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0 623*e71b7053SJung-uk Kim && type != TLSEXT_TYPE_cookie 624*e71b7053SJung-uk Kim && type != TLSEXT_TYPE_renegotiate 625*e71b7053SJung-uk Kim && type != TLSEXT_TYPE_signed_certificate_timestamp 626*e71b7053SJung-uk Kim && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) { 627*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 628*e71b7053SJung-uk Kim SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); 629*e71b7053SJung-uk Kim goto err; 630*e71b7053SJung-uk Kim } 631*e71b7053SJung-uk Kim if (thisex != NULL) { 632*e71b7053SJung-uk Kim thisex->data = extension; 633*e71b7053SJung-uk Kim thisex->present = 1; 634*e71b7053SJung-uk Kim thisex->type = type; 635*e71b7053SJung-uk Kim thisex->received_order = i++; 636*e71b7053SJung-uk Kim if (s->ext.debug_cb) 637*e71b7053SJung-uk Kim s->ext.debug_cb(s, !s->server, thisex->type, 638*e71b7053SJung-uk Kim PACKET_data(&thisex->data), 639*e71b7053SJung-uk Kim PACKET_remaining(&thisex->data), 640*e71b7053SJung-uk Kim s->ext.debug_arg); 641*e71b7053SJung-uk Kim } 642*e71b7053SJung-uk Kim } 643*e71b7053SJung-uk Kim 644*e71b7053SJung-uk Kim if (init) { 645*e71b7053SJung-uk Kim /* 646*e71b7053SJung-uk Kim * Initialise all known extensions relevant to this context, 647*e71b7053SJung-uk Kim * whether we have found them or not 648*e71b7053SJung-uk Kim */ 649*e71b7053SJung-uk Kim for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); 650*e71b7053SJung-uk Kim i++, thisexd++) { 651*e71b7053SJung-uk Kim if (thisexd->init != NULL && (thisexd->context & context) != 0 652*e71b7053SJung-uk Kim && extension_is_relevant(s, thisexd->context, context) 653*e71b7053SJung-uk Kim && !thisexd->init(s, context)) { 654*e71b7053SJung-uk Kim /* SSLfatal() already called 
*/ 655*e71b7053SJung-uk Kim goto err; 656*e71b7053SJung-uk Kim } 657*e71b7053SJung-uk Kim } 658*e71b7053SJung-uk Kim } 659*e71b7053SJung-uk Kim 660*e71b7053SJung-uk Kim *res = raw_extensions; 661*e71b7053SJung-uk Kim if (len != NULL) 662*e71b7053SJung-uk Kim *len = num_exts; 663*e71b7053SJung-uk Kim return 1; 664*e71b7053SJung-uk Kim 665*e71b7053SJung-uk Kim err: 666*e71b7053SJung-uk Kim OPENSSL_free(raw_extensions); 667*e71b7053SJung-uk Kim return 0; 668*e71b7053SJung-uk Kim } 669*e71b7053SJung-uk Kim 670*e71b7053SJung-uk Kim /* 671*e71b7053SJung-uk Kim * Runs the parser for a given extension with index |idx|. |exts| contains the 672*e71b7053SJung-uk Kim * list of all parsed extensions previously collected by 673*e71b7053SJung-uk Kim * tls_collect_extensions(). The parser is only run if it is applicable for the 674*e71b7053SJung-uk Kim * given |context| and the parser has not already been run. If this is for a 675*e71b7053SJung-uk Kim * Certificate message, then we also provide the parser with the relevant 676*e71b7053SJung-uk Kim * Certificate |x| and its position in the |chainidx| with 0 being the first 677*e71b7053SJung-uk Kim * Certificate. Returns 1 on success or 0 on failure. If an extension is not 678*e71b7053SJung-uk Kim * present this counted as success. 
679*e71b7053SJung-uk Kim */ 680*e71b7053SJung-uk Kim int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, 681*e71b7053SJung-uk Kim RAW_EXTENSION *exts, X509 *x, size_t chainidx) 682*e71b7053SJung-uk Kim { 683*e71b7053SJung-uk Kim RAW_EXTENSION *currext = &exts[idx]; 684*e71b7053SJung-uk Kim int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 685*e71b7053SJung-uk Kim size_t chainidx) = NULL; 686*e71b7053SJung-uk Kim 687*e71b7053SJung-uk Kim /* Skip if the extension is not present */ 688*e71b7053SJung-uk Kim if (!currext->present) 689*e71b7053SJung-uk Kim return 1; 690*e71b7053SJung-uk Kim 691*e71b7053SJung-uk Kim /* Skip if we've already parsed this extension */ 692*e71b7053SJung-uk Kim if (currext->parsed) 693*e71b7053SJung-uk Kim return 1; 694*e71b7053SJung-uk Kim 695*e71b7053SJung-uk Kim currext->parsed = 1; 696*e71b7053SJung-uk Kim 697*e71b7053SJung-uk Kim if (idx < OSSL_NELEM(ext_defs)) { 698*e71b7053SJung-uk Kim /* We are handling a built-in extension */ 699*e71b7053SJung-uk Kim const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; 700*e71b7053SJung-uk Kim 701*e71b7053SJung-uk Kim /* Check if extension is defined for our protocol. If not, skip */ 702*e71b7053SJung-uk Kim if (!extension_is_relevant(s, extdef->context, context)) 703*e71b7053SJung-uk Kim return 1; 704*e71b7053SJung-uk Kim 705*e71b7053SJung-uk Kim parser = s->server ? 
extdef->parse_ctos : extdef->parse_stoc; 706*e71b7053SJung-uk Kim 707*e71b7053SJung-uk Kim if (parser != NULL) 708*e71b7053SJung-uk Kim return parser(s, &currext->data, context, x, chainidx); 709*e71b7053SJung-uk Kim 710*e71b7053SJung-uk Kim /* 711*e71b7053SJung-uk Kim * If the parser is NULL we fall through to the custom extension 712*e71b7053SJung-uk Kim * processing 713*e71b7053SJung-uk Kim */ 714*e71b7053SJung-uk Kim } 715*e71b7053SJung-uk Kim 716*e71b7053SJung-uk Kim /* Parse custom extensions */ 717*e71b7053SJung-uk Kim return custom_ext_parse(s, context, currext->type, 718*e71b7053SJung-uk Kim PACKET_data(&currext->data), 719*e71b7053SJung-uk Kim PACKET_remaining(&currext->data), 720*e71b7053SJung-uk Kim x, chainidx); 721*e71b7053SJung-uk Kim } 722*e71b7053SJung-uk Kim 723*e71b7053SJung-uk Kim /* 724*e71b7053SJung-uk Kim * Parse all remaining extensions that have not yet been parsed. Also calls the 725*e71b7053SJung-uk Kim * finalisation for all extensions at the end if |fin| is nonzero, whether we 726*e71b7053SJung-uk Kim * collected them or not. Returns 1 for success or 0 for failure. If we are 727*e71b7053SJung-uk Kim * working on a Certificate message then we also pass the Certificate |x| and 728*e71b7053SJung-uk Kim * its position in the |chainidx|, with 0 being the first certificate. 
729*e71b7053SJung-uk Kim */ 730*e71b7053SJung-uk Kim int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, 731*e71b7053SJung-uk Kim size_t chainidx, int fin) 732*e71b7053SJung-uk Kim { 733*e71b7053SJung-uk Kim size_t i, numexts = OSSL_NELEM(ext_defs); 734*e71b7053SJung-uk Kim const EXTENSION_DEFINITION *thisexd; 735*e71b7053SJung-uk Kim 736*e71b7053SJung-uk Kim /* Calculate the number of extensions in the extensions list */ 737*e71b7053SJung-uk Kim numexts += s->cert->custext.meths_count; 738*e71b7053SJung-uk Kim 739*e71b7053SJung-uk Kim /* Parse each extension in turn */ 740*e71b7053SJung-uk Kim for (i = 0; i < numexts; i++) { 741*e71b7053SJung-uk Kim if (!tls_parse_extension(s, i, context, exts, x, chainidx)) { 742*e71b7053SJung-uk Kim /* SSLfatal() already called */ 743*e71b7053SJung-uk Kim return 0; 744*e71b7053SJung-uk Kim } 745*e71b7053SJung-uk Kim } 746*e71b7053SJung-uk Kim 747*e71b7053SJung-uk Kim if (fin) { 748*e71b7053SJung-uk Kim /* 749*e71b7053SJung-uk Kim * Finalise all known extensions relevant to this context, 750*e71b7053SJung-uk Kim * whether we have found them or not 751*e71b7053SJung-uk Kim */ 752*e71b7053SJung-uk Kim for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); 753*e71b7053SJung-uk Kim i++, thisexd++) { 754*e71b7053SJung-uk Kim if (thisexd->final != NULL && (thisexd->context & context) != 0 755*e71b7053SJung-uk Kim && !thisexd->final(s, context, exts[i].present)) { 756*e71b7053SJung-uk Kim /* SSLfatal() already called */ 757*e71b7053SJung-uk Kim return 0; 758*e71b7053SJung-uk Kim } 759*e71b7053SJung-uk Kim } 760*e71b7053SJung-uk Kim } 761*e71b7053SJung-uk Kim 762*e71b7053SJung-uk Kim return 1; 763*e71b7053SJung-uk Kim } 764*e71b7053SJung-uk Kim 765*e71b7053SJung-uk Kim int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, 766*e71b7053SJung-uk Kim int max_version) 767*e71b7053SJung-uk Kim { 768*e71b7053SJung-uk Kim /* Skip if not relevant for our context */ 769*e71b7053SJung-uk Kim if 
((extctx & thisctx) == 0) 770*e71b7053SJung-uk Kim return 0; 771*e71b7053SJung-uk Kim 772*e71b7053SJung-uk Kim /* Check if this extension is defined for our protocol. If not, skip */ 773*e71b7053SJung-uk Kim if (!extension_is_relevant(s, extctx, thisctx) 774*e71b7053SJung-uk Kim || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 775*e71b7053SJung-uk Kim && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 776*e71b7053SJung-uk Kim && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))) 777*e71b7053SJung-uk Kim return 0; 778*e71b7053SJung-uk Kim 779*e71b7053SJung-uk Kim return 1; 780*e71b7053SJung-uk Kim } 781*e71b7053SJung-uk Kim 782*e71b7053SJung-uk Kim /* 783*e71b7053SJung-uk Kim * Construct all the extensions relevant to the current |context| and write 784*e71b7053SJung-uk Kim * them to |pkt|. If this is an extension for a Certificate in a Certificate 785*e71b7053SJung-uk Kim * message, then |x| will be set to the Certificate we are handling, and 786*e71b7053SJung-uk Kim * |chainidx| will indicate the position in the chainidx we are processing (with 787*e71b7053SJung-uk Kim * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a 788*e71b7053SJung-uk Kim * failure construction stops at the first extension to fail to construct. 789*e71b7053SJung-uk Kim */ 790*e71b7053SJung-uk Kim int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, 791*e71b7053SJung-uk Kim X509 *x, size_t chainidx) 792*e71b7053SJung-uk Kim { 793*e71b7053SJung-uk Kim size_t i; 794*e71b7053SJung-uk Kim int min_version, max_version = 0, reason; 795*e71b7053SJung-uk Kim const EXTENSION_DEFINITION *thisexd; 796*e71b7053SJung-uk Kim 797*e71b7053SJung-uk Kim if (!WPACKET_start_sub_packet_u16(pkt) 798*e71b7053SJung-uk Kim /* 799*e71b7053SJung-uk Kim * If extensions are of zero length then we don't even add the 800*e71b7053SJung-uk Kim * extensions length bytes to a ClientHello/ServerHello 801*e71b7053SJung-uk Kim * (for non-TLSv1.3). 
802*e71b7053SJung-uk Kim */ 803*e71b7053SJung-uk Kim || ((context & 804*e71b7053SJung-uk Kim (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 805*e71b7053SJung-uk Kim && !WPACKET_set_flags(pkt, 806*e71b7053SJung-uk Kim WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { 807*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 808*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 809*e71b7053SJung-uk Kim return 0; 810*e71b7053SJung-uk Kim } 811*e71b7053SJung-uk Kim 812*e71b7053SJung-uk Kim if ((context & SSL_EXT_CLIENT_HELLO) != 0) { 813*e71b7053SJung-uk Kim reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 814*e71b7053SJung-uk Kim if (reason != 0) { 815*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 816*e71b7053SJung-uk Kim reason); 817*e71b7053SJung-uk Kim return 0; 818*e71b7053SJung-uk Kim } 819*e71b7053SJung-uk Kim } 820*e71b7053SJung-uk Kim 821*e71b7053SJung-uk Kim /* Add custom extensions first */ 822*e71b7053SJung-uk Kim if ((context & SSL_EXT_CLIENT_HELLO) != 0) { 823*e71b7053SJung-uk Kim /* On the server side with initialise during ClientHello parsing */ 824*e71b7053SJung-uk Kim custom_ext_init(&s->cert->custext); 825*e71b7053SJung-uk Kim } 826*e71b7053SJung-uk Kim if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) { 827*e71b7053SJung-uk Kim /* SSLfatal() already called */ 828*e71b7053SJung-uk Kim return 0; 829*e71b7053SJung-uk Kim } 830*e71b7053SJung-uk Kim 831*e71b7053SJung-uk Kim for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { 832*e71b7053SJung-uk Kim EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, 833*e71b7053SJung-uk Kim X509 *x, size_t chainidx); 834*e71b7053SJung-uk Kim EXT_RETURN ret; 835*e71b7053SJung-uk Kim 836*e71b7053SJung-uk Kim /* Skip if not relevant for our context */ 837*e71b7053SJung-uk Kim if (!should_add_extension(s, thisexd->context, context, max_version)) 838*e71b7053SJung-uk Kim 
continue; 839*e71b7053SJung-uk Kim 840*e71b7053SJung-uk Kim construct = s->server ? thisexd->construct_stoc 841*e71b7053SJung-uk Kim : thisexd->construct_ctos; 842*e71b7053SJung-uk Kim 843*e71b7053SJung-uk Kim if (construct == NULL) 844*e71b7053SJung-uk Kim continue; 845*e71b7053SJung-uk Kim 846*e71b7053SJung-uk Kim ret = construct(s, pkt, context, x, chainidx); 847*e71b7053SJung-uk Kim if (ret == EXT_RETURN_FAIL) { 848*e71b7053SJung-uk Kim /* SSLfatal() already called */ 849*e71b7053SJung-uk Kim return 0; 850*e71b7053SJung-uk Kim } 851*e71b7053SJung-uk Kim if (ret == EXT_RETURN_SENT 852*e71b7053SJung-uk Kim && (context & (SSL_EXT_CLIENT_HELLO 853*e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 854*e71b7053SJung-uk Kim | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0) 855*e71b7053SJung-uk Kim s->ext.extflags[i] |= SSL_EXT_FLAG_SENT; 856*e71b7053SJung-uk Kim } 857*e71b7053SJung-uk Kim 858*e71b7053SJung-uk Kim if (!WPACKET_close(pkt)) { 859*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 860*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 861*e71b7053SJung-uk Kim return 0; 862*e71b7053SJung-uk Kim } 863*e71b7053SJung-uk Kim 864*e71b7053SJung-uk Kim return 1; 865*e71b7053SJung-uk Kim } 866*e71b7053SJung-uk Kim 867*e71b7053SJung-uk Kim /* 868*e71b7053SJung-uk Kim * Built in extension finalisation and initialisation functions. All initialise 869*e71b7053SJung-uk Kim * or finalise the associated extension type for the given |context|. For 870*e71b7053SJung-uk Kim * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 871*e71b7053SJung-uk Kim * otherwise. These functions return 1 on success or 0 on failure. 
872*e71b7053SJung-uk Kim */ 873*e71b7053SJung-uk Kim 874*e71b7053SJung-uk Kim static int final_renegotiate(SSL *s, unsigned int context, int sent) 875*e71b7053SJung-uk Kim { 876*e71b7053SJung-uk Kim if (!s->server) { 877*e71b7053SJung-uk Kim /* 878*e71b7053SJung-uk Kim * Check if we can connect to a server that doesn't support safe 879*e71b7053SJung-uk Kim * renegotiation 880*e71b7053SJung-uk Kim */ 881*e71b7053SJung-uk Kim if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 882*e71b7053SJung-uk Kim && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) 883*e71b7053SJung-uk Kim && !sent) { 884*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, 885*e71b7053SJung-uk Kim SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 886*e71b7053SJung-uk Kim return 0; 887*e71b7053SJung-uk Kim } 888*e71b7053SJung-uk Kim 889*e71b7053SJung-uk Kim return 1; 890*e71b7053SJung-uk Kim } 891*e71b7053SJung-uk Kim 892*e71b7053SJung-uk Kim /* Need RI if renegotiating */ 893*e71b7053SJung-uk Kim if (s->renegotiate 894*e71b7053SJung-uk Kim && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) 895*e71b7053SJung-uk Kim && !sent) { 896*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, 897*e71b7053SJung-uk Kim SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 898*e71b7053SJung-uk Kim return 0; 899*e71b7053SJung-uk Kim } 900*e71b7053SJung-uk Kim 901*e71b7053SJung-uk Kim 902*e71b7053SJung-uk Kim return 1; 903*e71b7053SJung-uk Kim } 904*e71b7053SJung-uk Kim 905*e71b7053SJung-uk Kim static int init_server_name(SSL *s, unsigned int context) 906*e71b7053SJung-uk Kim { 907*e71b7053SJung-uk Kim if (s->server) { 908*e71b7053SJung-uk Kim s->servername_done = 0; 909*e71b7053SJung-uk Kim 910*e71b7053SJung-uk Kim OPENSSL_free(s->ext.hostname); 911*e71b7053SJung-uk Kim s->ext.hostname = NULL; 912*e71b7053SJung-uk Kim } 913*e71b7053SJung-uk Kim 914*e71b7053SJung-uk Kim return 1; 915*e71b7053SJung-uk Kim } 916*e71b7053SJung-uk Kim 
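/*
 * Finaliser for the server_name extension. Runs the servername callback (the
 * one on s->ctx if set, otherwise the one on s->session_ctx), copies the
 * accepted hostname into the session on the server, adjusts ticket state if
 * the callback disabled tickets, and maps the callback result to an alert.
 * Returns 1 on success or 0 on failure (SSLfatal() already called).
 */
static int final_server_name(SSL *s, unsigned int context, int sent)
{
    int ret = SSL_TLSEXT_ERR_NOACK;
    int altmp = SSL_AD_UNRECOGNIZED_NAME;
    /* Sampled before the callback runs, so a change made by it is visible */
    int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;

    if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    if (s->ctx->ext.servername_cb != NULL)
        ret = s->ctx->ext.servername_cb(s, &altmp,
                                        s->ctx->ext.servername_arg);
    else if (s->session_ctx->ext.servername_cb != NULL)
        ret = s->session_ctx->ext.servername_cb(s, &altmp,
                                       s->session_ctx->ext.servername_arg);

    /*
     * For servers, propagate the SNI hostname from the temporary
     * storage in the SSL to the persistent SSL_SESSION, now that we
     * know we accepted it.
     * Clients make this copy when parsing the server's response to
     * the extension, which is when they find out that the negotiation
     * was successful.
     */
    if (s->server) {
        /* TODO(OpenSSL1.2) revisit !sent case */
        if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
            /* Only store the hostname in the session if we accepted it. */
            OPENSSL_free(s->session->ext.hostname);
            s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
            if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
                         ERR_R_INTERNAL_ERROR);
                /*
                 * Stop here, as every other SSLfatal() site in this function
                 * does, instead of carrying on and possibly returning 1
                 * after a fatal error has been raised.
                 */
                return 0;
            }
        }
    }

    /*
     * If we switched contexts (whether here or in the client_hello callback),
     * move the sess_accept increment from the session_ctx to the new
     * context, to avoid the confusing situation of having sess_accept_good
     * exceed sess_accept (zero) for the new context.
     *
     * NOTE(review): the text above describes moving the increment, but both
     * counters are incremented below; confirm whether the session_ctx counter
     * was meant to be decremented.
     */
    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
        tsan_counter(&s->ctx->stats.sess_accept);
        tsan_counter(&s->session_ctx->stats.sess_accept);
    }

    /*
     * If we're expecting to send a ticket, and tickets were previously enabled,
     * and now tickets are disabled, then turn off expected ticket.
     * Also, if this is not a resumption, create a new session ID
     */
    if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
            && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
        s->ext.ticket_expected = 0;
        if (!s->hit) {
            SSL_SESSION* ss = SSL_get_session(s);

            if (ss != NULL) {
                /* Drop all ticket state before issuing a session ID */
                OPENSSL_free(ss->ext.tick);
                ss->ext.tick = NULL;
                ss->ext.ticklen = 0;
                ss->ext.tick_lifetime_hint = 0;
                ss->ext.tick_age_add = 0;
                ss->ext.tick_identity = 0;
                if (!ssl_generate_session_id(s, ss)) {
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
                             ERR_R_INTERNAL_ERROR);
                    return 0;
                }
            } else {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
        }
    }

    switch (ret) {
    case SSL_TLSEXT_ERR_ALERT_FATAL:
        /* The alert value is whatever the callback left in altmp */
        SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
        return 0;

    case SSL_TLSEXT_ERR_ALERT_WARNING:
        /* TLSv1.3 doesn't have warning alerts so we suppress this */
        if (!SSL_IS_TLS13(s))
            ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
        return 1;

    case SSL_TLSEXT_ERR_NOACK:
        s->servername_done = 0;
        return 1;

    default:
        return 1;
    }
}

#ifndef OPENSSL_NO_EC
/*
 * Finaliser for the ec_point_formats extension. Does nothing on the server.
 * On the client it rejects a point format list from the session that lacks
 * the uncompressed format when an ECDHE or ECDSA cipher suite is in use.
 */
static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
{
    unsigned long alg_k, alg_a;

    if (s->server)
        return 1;

    /* assumes new_cipher is already set at this point - TODO confirm */
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;

    /*
     * If we are client and using an elliptic curve cryptography cipher
     * suite, then if server returns an EC point formats lists extension it
     * must contain uncompressed.
     */
    if (s->ext.ecpointformats != NULL
            && s->ext.ecpointformats_len > 0
            && s->session->ext.ecpointformats != NULL
            && s->session->ext.ecpointformats_len > 0
            && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
        /* we are using an ECC cipher */
        size_t i;
        unsigned char *list = s->session->ext.ecpointformats;

        for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
            if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
                break;
        }
        /* Reaching the end of the list means uncompressed was not offered */
        if (i == s->session->ext.ecpointformats_len) {
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
                     SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
            return 0;
        }
    }

    return 1;
}
#endif

/* On the client, clear ticket_expected before the extensions are parsed. */
static int init_session_ticket(SSL *s, unsigned int context)
{
    if (!s->server)
        s->ext.ticket_expected = 0;

    return 1;
}

#ifndef OPENSSL_NO_OCSP
/*
 * Initialiser for the status_request extension: the server resets status_type,
 * the client frees any stored OCSP response.
 */
static int init_status_request(SSL *s, unsigned int context)
{
    if (s->server) {
        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
    } else {
        /*
         * Ensure we get sensible values passed to tlsext_status_cb in the event
         * that we don't receive a status message
         */
        OPENSSL_free(s->ext.ocsp.resp);
        s->ext.ocsp.resp = NULL;
        s->ext.ocsp.resp_len = 0;
    }

    return 1;
}
#endif

#ifndef OPENSSL_NO_NEXTPROTONEG
/* Clear the npn_seen flag. */
static int init_npn(SSL *s, unsigned int context)
{
    s->s3->npn_seen = 0;

    return 1;
}
#endif

/*
 * Free the selected ALPN protocol and, on the server, the list proposed by
 * the client, so that nothing from an earlier handshake is left behind.
 */
static int init_alpn(SSL *s, unsigned int context)
{
    OPENSSL_free(s->s3->alpn_selected);
    s->s3->alpn_selected = NULL;
    s->s3->alpn_selected_len = 0;
    if (s->server) {
        OPENSSL_free(s->s3->alpn_proposed);
        s->s3->alpn_proposed = NULL;
        s->s3->alpn_proposed_len = 0;
    }
    return 1;
}

/*
 * Finaliser for ALPN. On the client, early data is marked as not accepted if
 * the extension was not received while the session has an ALPN protocol
 * recorded. On a TLSv1.3 server the ALPN selection is run from here.
 */
static int final_alpn(SSL *s, unsigned int context, int sent)
{
    if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
            s->ext.early_data_ok = 0;

    if (!s->server || !SSL_IS_TLS13(s))
        return 1;

    /*
     * Call alpn_select callback if needed.  Has to be done after SNI and
     * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
     * we also have to do this before we decide whether to accept early_data.
     * In TLSv1.3 we've already negotiated our cipher so we do this call now.
     * For < TLSv1.3 we defer it until after cipher negotiation.
     *
     * On failure SSLfatal() already called.
     */
    return tls_handle_alpn(s);
}

/* Initialiser for signature_algorithms: forget the peer's previous list. */
static int init_sig_algs(SSL *s, unsigned int context)
{
    /* Clear any signature algorithms extension received */
    OPENSSL_free(s->s3->tmp.peer_sigalgs);
    s->s3->tmp.peer_sigalgs = NULL;

    return 1;
}

/* Initialiser for signature_algorithms_cert: forget the peer's previous list. */
static int init_sig_algs_cert(SSL *s, unsigned int context)
{
    /* Clear any signature algorithms extension received */
    OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
    s->s3->tmp.peer_cert_sigalgs = NULL;

    return 1;
}

#ifndef OPENSSL_NO_SRP
/* Free the SRP login name held in srp_ctx. */
static int init_srp(SSL *s, unsigned int context)
{
    OPENSSL_free(s->srp_ctx.login);
    s->srp_ctx.login = NULL;

    return 1;
}
#endif

/* Clear the use_etm flag. */
static int init_etm(SSL *s, unsigned int context)
{
    s->ext.use_etm = 0;

    return 1;
}

/* On the client, clear TLS1_FLAGS_RECEIVED_EXTMS. */
static int init_ems(SSL *s, unsigned int context)
{
    if (!s->server)
        s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;

    return 1;
}

/*
 * Finaliser for extended_master_secret. On a resumed client handshake the
 * extension must be present exactly when the original session used it;
 * a mismatch in either direction is a fatal handshake failure.
 */
static int final_ems(SSL *s, unsigned int context, int sent)
{
    if (!s->server && s->hit) {
        /*
         * Check extended master secret extension is consistent with
         * original session. The double negation reduces each flag test to
         * 0 or 1 so the two can be compared directly.
         */
        if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
            !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
                     SSL_R_INCONSISTENT_EXTMS);
            return 0;
        }
    }

    return 1;
}

/* Free the CA names previously received from the peer. */
static int init_certificate_authorities(SSL *s, unsigned int context)
{
    sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
    s->s3->tmp.peer_ca_names = NULL;
    return 1;
}

/*
 * Write the certificate_authorities extension to |pkt|. Returns
 * EXT_RETURN_NOT_SENT when the CA list is NULL or empty, EXT_RETURN_SENT on
 * success and EXT_RETURN_FAIL on error (SSLfatal() already called).
 */
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
                                                        unsigned int context,
                                                        X509 *x,
                                                        size_t chainidx)
{
    const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);

    if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
        return EXT_RETURN_NOT_SENT;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
        || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
               ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    if (!construct_ca_names(s, pkt)) {
        /* SSLfatal() already called */
        return EXT_RETURN_FAIL;
    }

    if (!WPACKET_close(pkt)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
                 ERR_R_INTERNAL_ERROR);
        return EXT_RETURN_FAIL;
    }

    return EXT_RETURN_SENT;
}

static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx)
{
    if (!parse_ca_names(s, pkt))
        return 0;
    if (PACKET_remaining(pkt) != 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
        return 0;
    }
    return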
1; 1241*e71b7053SJung-uk Kim } 1242*e71b7053SJung-uk Kim 1243*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SRTP 1244*e71b7053SJung-uk Kim static int init_srtp(SSL *s, unsigned int context) 1245*e71b7053SJung-uk Kim { 1246*e71b7053SJung-uk Kim if (s->server) 1247*e71b7053SJung-uk Kim s->srtp_profile = NULL; 1248*e71b7053SJung-uk Kim 1249*e71b7053SJung-uk Kim return 1; 1250*e71b7053SJung-uk Kim } 1251*e71b7053SJung-uk Kim #endif 1252*e71b7053SJung-uk Kim 1253*e71b7053SJung-uk Kim static int final_sig_algs(SSL *s, unsigned int context, int sent) 1254*e71b7053SJung-uk Kim { 1255*e71b7053SJung-uk Kim if (!sent && SSL_IS_TLS13(s) && !s->hit) { 1256*e71b7053SJung-uk Kim SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS, 1257*e71b7053SJung-uk Kim SSL_R_MISSING_SIGALGS_EXTENSION); 1258*e71b7053SJung-uk Kim return 0; 1259*e71b7053SJung-uk Kim } 1260*e71b7053SJung-uk Kim 1261*e71b7053SJung-uk Kim return 1; 1262*e71b7053SJung-uk Kim } 1263*e71b7053SJung-uk Kim 1264*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_EC 1265*e71b7053SJung-uk Kim static int final_key_share(SSL *s, unsigned int context, int sent) 1266*e71b7053SJung-uk Kim { 1267*e71b7053SJung-uk Kim if (!SSL_IS_TLS13(s)) 1268*e71b7053SJung-uk Kim return 1; 1269*e71b7053SJung-uk Kim 1270*e71b7053SJung-uk Kim /* Nothing to do for key_share in an HRR */ 1271*e71b7053SJung-uk Kim if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) 1272*e71b7053SJung-uk Kim return 1; 1273*e71b7053SJung-uk Kim 1274*e71b7053SJung-uk Kim /* 1275*e71b7053SJung-uk Kim * If 1276*e71b7053SJung-uk Kim * we are a client 1277*e71b7053SJung-uk Kim * AND 1278*e71b7053SJung-uk Kim * we have no key_share 1279*e71b7053SJung-uk Kim * AND 1280*e71b7053SJung-uk Kim * (we are not resuming 1281*e71b7053SJung-uk Kim * OR the kex_mode doesn't allow non key_share resumes) 1282*e71b7053SJung-uk Kim * THEN 1283*e71b7053SJung-uk Kim * fail; 1284*e71b7053SJung-uk Kim */ 1285*e71b7053SJung-uk Kim if (!s->server 1286*e71b7053SJung-uk Kim && !sent 
1287*e71b7053SJung-uk Kim && (!s->hit 1288*e71b7053SJung-uk Kim || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { 1289*e71b7053SJung-uk Kim /* Nothing left we can do - just fail */ 1290*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE, 1291*e71b7053SJung-uk Kim SSL_R_NO_SUITABLE_KEY_SHARE); 1292*e71b7053SJung-uk Kim return 0; 1293*e71b7053SJung-uk Kim } 1294*e71b7053SJung-uk Kim /* 1295*e71b7053SJung-uk Kim * IF 1296*e71b7053SJung-uk Kim * we are a server 1297*e71b7053SJung-uk Kim * THEN 1298*e71b7053SJung-uk Kim * IF 1299*e71b7053SJung-uk Kim * we have a suitable key_share 1300*e71b7053SJung-uk Kim * THEN 1301*e71b7053SJung-uk Kim * IF 1302*e71b7053SJung-uk Kim * we are stateless AND we have no cookie 1303*e71b7053SJung-uk Kim * THEN 1304*e71b7053SJung-uk Kim * send a HelloRetryRequest 1305*e71b7053SJung-uk Kim * ELSE 1306*e71b7053SJung-uk Kim * IF 1307*e71b7053SJung-uk Kim * we didn't already send a HelloRetryRequest 1308*e71b7053SJung-uk Kim * AND 1309*e71b7053SJung-uk Kim * the client sent a key_share extension 1310*e71b7053SJung-uk Kim * AND 1311*e71b7053SJung-uk Kim * (we are not resuming 1312*e71b7053SJung-uk Kim * OR the kex_mode allows key_share resumes) 1313*e71b7053SJung-uk Kim * AND 1314*e71b7053SJung-uk Kim * a shared group exists 1315*e71b7053SJung-uk Kim * THEN 1316*e71b7053SJung-uk Kim * send a HelloRetryRequest 1317*e71b7053SJung-uk Kim * ELSE IF 1318*e71b7053SJung-uk Kim * we are not resuming 1319*e71b7053SJung-uk Kim * OR 1320*e71b7053SJung-uk Kim * the kex_mode doesn't allow non key_share resumes 1321*e71b7053SJung-uk Kim * THEN 1322*e71b7053SJung-uk Kim * fail 1323*e71b7053SJung-uk Kim * ELSE IF 1324*e71b7053SJung-uk Kim * we are stateless AND we have no cookie 1325*e71b7053SJung-uk Kim * THEN 1326*e71b7053SJung-uk Kim * send a HelloRetryRequest 1327*e71b7053SJung-uk Kim */ 1328*e71b7053SJung-uk Kim if (s->server) { 1329*e71b7053SJung-uk Kim if (s->s3->peer_tmp != NULL) { 1330*e71b7053SJung-uk Kim /* We 
have a suitable key_share */ 1331*e71b7053SJung-uk Kim if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 1332*e71b7053SJung-uk Kim && !s->ext.cookieok) { 1333*e71b7053SJung-uk Kim if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { 1334*e71b7053SJung-uk Kim /* 1335*e71b7053SJung-uk Kim * If we are stateless then we wouldn't know about any 1336*e71b7053SJung-uk Kim * previously sent HRR - so how can this be anything other 1337*e71b7053SJung-uk Kim * than 0? 1338*e71b7053SJung-uk Kim */ 1339*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1340*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1341*e71b7053SJung-uk Kim return 0; 1342*e71b7053SJung-uk Kim } 1343*e71b7053SJung-uk Kim s->hello_retry_request = SSL_HRR_PENDING; 1344*e71b7053SJung-uk Kim return 1; 1345*e71b7053SJung-uk Kim } 1346*e71b7053SJung-uk Kim } else { 1347*e71b7053SJung-uk Kim /* No suitable key_share */ 1348*e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_NONE && sent 1349*e71b7053SJung-uk Kim && (!s->hit 1350*e71b7053SJung-uk Kim || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) 1351*e71b7053SJung-uk Kim != 0)) { 1352*e71b7053SJung-uk Kim const uint16_t *pgroups, *clntgroups; 1353*e71b7053SJung-uk Kim size_t num_groups, clnt_num_groups, i; 1354*e71b7053SJung-uk Kim unsigned int group_id = 0; 1355*e71b7053SJung-uk Kim 1356*e71b7053SJung-uk Kim /* Check if a shared group exists */ 1357*e71b7053SJung-uk Kim 1358*e71b7053SJung-uk Kim /* Get the clients list of supported groups. 
*/ 1359*e71b7053SJung-uk Kim tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); 1360*e71b7053SJung-uk Kim tls1_get_supported_groups(s, &pgroups, &num_groups); 1361*e71b7053SJung-uk Kim 1362*e71b7053SJung-uk Kim /* 1363*e71b7053SJung-uk Kim * Find the first group we allow that is also in client's list 1364*e71b7053SJung-uk Kim */ 1365*e71b7053SJung-uk Kim for (i = 0; i < num_groups; i++) { 1366*e71b7053SJung-uk Kim group_id = pgroups[i]; 1367*e71b7053SJung-uk Kim 1368*e71b7053SJung-uk Kim if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1369*e71b7053SJung-uk Kim 1)) 1370*e71b7053SJung-uk Kim break; 1371*e71b7053SJung-uk Kim } 1372*e71b7053SJung-uk Kim 1373*e71b7053SJung-uk Kim if (i < num_groups) { 1374*e71b7053SJung-uk Kim /* A shared group exists so send a HelloRetryRequest */ 1375*e71b7053SJung-uk Kim s->s3->group_id = group_id; 1376*e71b7053SJung-uk Kim s->hello_retry_request = SSL_HRR_PENDING; 1377*e71b7053SJung-uk Kim return 1; 1378*e71b7053SJung-uk Kim } 1379*e71b7053SJung-uk Kim } 1380*e71b7053SJung-uk Kim if (!s->hit 1381*e71b7053SJung-uk Kim || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { 1382*e71b7053SJung-uk Kim /* Nothing left we can do - just fail */ 1383*e71b7053SJung-uk Kim SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE 1384*e71b7053SJung-uk Kim : SSL_AD_MISSING_EXTENSION, 1385*e71b7053SJung-uk Kim SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); 1386*e71b7053SJung-uk Kim return 0; 1387*e71b7053SJung-uk Kim } 1388*e71b7053SJung-uk Kim 1389*e71b7053SJung-uk Kim if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 1390*e71b7053SJung-uk Kim && !s->ext.cookieok) { 1391*e71b7053SJung-uk Kim if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { 1392*e71b7053SJung-uk Kim /* 1393*e71b7053SJung-uk Kim * If we are stateless then we wouldn't know about any 1394*e71b7053SJung-uk Kim * previously sent HRR - so how can this be anything other 1395*e71b7053SJung-uk Kim * than 0? 
1396*e71b7053SJung-uk Kim */ 1397*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1398*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1399*e71b7053SJung-uk Kim return 0; 1400*e71b7053SJung-uk Kim } 1401*e71b7053SJung-uk Kim s->hello_retry_request = SSL_HRR_PENDING; 1402*e71b7053SJung-uk Kim return 1; 1403*e71b7053SJung-uk Kim } 1404*e71b7053SJung-uk Kim } 1405*e71b7053SJung-uk Kim 1406*e71b7053SJung-uk Kim /* 1407*e71b7053SJung-uk Kim * We have a key_share so don't send any more HelloRetryRequest 1408*e71b7053SJung-uk Kim * messages 1409*e71b7053SJung-uk Kim */ 1410*e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING) 1411*e71b7053SJung-uk Kim s->hello_retry_request = SSL_HRR_COMPLETE; 1412*e71b7053SJung-uk Kim } else { 1413*e71b7053SJung-uk Kim /* 1414*e71b7053SJung-uk Kim * For a client side resumption with no key_share we need to generate 1415*e71b7053SJung-uk Kim * the handshake secret (otherwise this is done during key_share 1416*e71b7053SJung-uk Kim * processing). 
1417*e71b7053SJung-uk Kim */ 1418*e71b7053SJung-uk Kim if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) { 1419*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1420*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1421*e71b7053SJung-uk Kim return 0; 1422*e71b7053SJung-uk Kim } 1423*e71b7053SJung-uk Kim } 1424*e71b7053SJung-uk Kim 1425*e71b7053SJung-uk Kim return 1; 1426*e71b7053SJung-uk Kim } 1427*e71b7053SJung-uk Kim #endif 1428*e71b7053SJung-uk Kim 1429*e71b7053SJung-uk Kim static int init_psk_kex_modes(SSL *s, unsigned int context) 1430*e71b7053SJung-uk Kim { 1431*e71b7053SJung-uk Kim s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; 1432*e71b7053SJung-uk Kim return 1; 1433*e71b7053SJung-uk Kim } 1434*e71b7053SJung-uk Kim 1435*e71b7053SJung-uk Kim int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 1436*e71b7053SJung-uk Kim size_t binderoffset, const unsigned char *binderin, 1437*e71b7053SJung-uk Kim unsigned char *binderout, SSL_SESSION *sess, int sign, 1438*e71b7053SJung-uk Kim int external) 1439*e71b7053SJung-uk Kim { 1440*e71b7053SJung-uk Kim EVP_PKEY *mackey = NULL; 1441*e71b7053SJung-uk Kim EVP_MD_CTX *mctx = NULL; 1442*e71b7053SJung-uk Kim unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; 1443*e71b7053SJung-uk Kim unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; 1444*e71b7053SJung-uk Kim unsigned char *early_secret; 1445*e71b7053SJung-uk Kim static const unsigned char resumption_label[] = "res binder"; 1446*e71b7053SJung-uk Kim static const unsigned char external_label[] = "ext binder"; 1447*e71b7053SJung-uk Kim const unsigned char *label; 1448*e71b7053SJung-uk Kim size_t bindersize, labelsize, hashsize; 1449*e71b7053SJung-uk Kim int hashsizei = EVP_MD_size(md); 1450*e71b7053SJung-uk Kim int ret = -1; 1451*e71b7053SJung-uk Kim int usepskfored = 0; 1452*e71b7053SJung-uk Kim 1453*e71b7053SJung-uk Kim /* Ensure cast to size_t is safe */ 1454*e71b7053SJung-uk 
Kim if (!ossl_assert(hashsizei >= 0)) { 1455*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1456*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1457*e71b7053SJung-uk Kim goto err; 1458*e71b7053SJung-uk Kim } 1459*e71b7053SJung-uk Kim hashsize = (size_t)hashsizei; 1460*e71b7053SJung-uk Kim 1461*e71b7053SJung-uk Kim if (external 1462*e71b7053SJung-uk Kim && s->early_data_state == SSL_EARLY_DATA_CONNECTING 1463*e71b7053SJung-uk Kim && s->session->ext.max_early_data == 0 1464*e71b7053SJung-uk Kim && sess->ext.max_early_data > 0) 1465*e71b7053SJung-uk Kim usepskfored = 1; 1466*e71b7053SJung-uk Kim 1467*e71b7053SJung-uk Kim if (external) { 1468*e71b7053SJung-uk Kim label = external_label; 1469*e71b7053SJung-uk Kim labelsize = sizeof(external_label) - 1; 1470*e71b7053SJung-uk Kim } else { 1471*e71b7053SJung-uk Kim label = resumption_label; 1472*e71b7053SJung-uk Kim labelsize = sizeof(resumption_label) - 1; 1473*e71b7053SJung-uk Kim } 1474*e71b7053SJung-uk Kim 1475*e71b7053SJung-uk Kim /* 1476*e71b7053SJung-uk Kim * Generate the early_secret. On the server side we've selected a PSK to 1477*e71b7053SJung-uk Kim * resume with (internal or external) so we always do this. On the client 1478*e71b7053SJung-uk Kim * side we do this for a non-external (i.e. resumption) PSK or external PSK 1479*e71b7053SJung-uk Kim * that will be used for early_data so that it is in place for sending early 1480*e71b7053SJung-uk Kim * data. For client side external PSK not being used for early_data we 1481*e71b7053SJung-uk Kim * generate it but store it away for later use. 
1482*e71b7053SJung-uk Kim */ 1483*e71b7053SJung-uk Kim if (s->server || !external || usepskfored) 1484*e71b7053SJung-uk Kim early_secret = (unsigned char *)s->early_secret; 1485*e71b7053SJung-uk Kim else 1486*e71b7053SJung-uk Kim early_secret = (unsigned char *)sess->early_secret; 1487*e71b7053SJung-uk Kim 1488*e71b7053SJung-uk Kim if (!tls13_generate_secret(s, md, NULL, sess->master_key, 1489*e71b7053SJung-uk Kim sess->master_key_length, early_secret)) { 1490*e71b7053SJung-uk Kim /* SSLfatal() already called */ 1491*e71b7053SJung-uk Kim goto err; 1492*e71b7053SJung-uk Kim } 1493*e71b7053SJung-uk Kim 1494*e71b7053SJung-uk Kim /* 1495*e71b7053SJung-uk Kim * Create the handshake hash for the binder key...the messages so far are 1496*e71b7053SJung-uk Kim * empty! 1497*e71b7053SJung-uk Kim */ 1498*e71b7053SJung-uk Kim mctx = EVP_MD_CTX_new(); 1499*e71b7053SJung-uk Kim if (mctx == NULL 1500*e71b7053SJung-uk Kim || EVP_DigestInit_ex(mctx, md, NULL) <= 0 1501*e71b7053SJung-uk Kim || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 1502*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1503*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1504*e71b7053SJung-uk Kim goto err; 1505*e71b7053SJung-uk Kim } 1506*e71b7053SJung-uk Kim 1507*e71b7053SJung-uk Kim /* Generate the binder key */ 1508*e71b7053SJung-uk Kim if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash, 1509*e71b7053SJung-uk Kim hashsize, binderkey, hashsize)) { 1510*e71b7053SJung-uk Kim /* SSLfatal() already called */ 1511*e71b7053SJung-uk Kim goto err; 1512*e71b7053SJung-uk Kim } 1513*e71b7053SJung-uk Kim 1514*e71b7053SJung-uk Kim /* Generate the finished key */ 1515*e71b7053SJung-uk Kim if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) { 1516*e71b7053SJung-uk Kim /* SSLfatal() already called */ 1517*e71b7053SJung-uk Kim goto err; 1518*e71b7053SJung-uk Kim } 1519*e71b7053SJung-uk Kim 1520*e71b7053SJung-uk Kim if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) { 
1521*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1522*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1523*e71b7053SJung-uk Kim goto err; 1524*e71b7053SJung-uk Kim } 1525*e71b7053SJung-uk Kim 1526*e71b7053SJung-uk Kim /* 1527*e71b7053SJung-uk Kim * Get a hash of the ClientHello up to the start of the binders. If we are 1528*e71b7053SJung-uk Kim * following a HelloRetryRequest then this includes the hash of the first 1529*e71b7053SJung-uk Kim * ClientHello and the HelloRetryRequest itself. 1530*e71b7053SJung-uk Kim */ 1531*e71b7053SJung-uk Kim if (s->hello_retry_request == SSL_HRR_PENDING) { 1532*e71b7053SJung-uk Kim size_t hdatalen; 1533*e71b7053SJung-uk Kim void *hdata; 1534*e71b7053SJung-uk Kim 1535*e71b7053SJung-uk Kim hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 1536*e71b7053SJung-uk Kim if (hdatalen <= 0) { 1537*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1538*e71b7053SJung-uk Kim SSL_R_BAD_HANDSHAKE_LENGTH); 1539*e71b7053SJung-uk Kim goto err; 1540*e71b7053SJung-uk Kim } 1541*e71b7053SJung-uk Kim 1542*e71b7053SJung-uk Kim /* 1543*e71b7053SJung-uk Kim * For servers the handshake buffer data will include the second 1544*e71b7053SJung-uk Kim * ClientHello - which we don't want - so we need to take that bit off. 
1545*e71b7053SJung-uk Kim */ 1546*e71b7053SJung-uk Kim if (s->server) { 1547*e71b7053SJung-uk Kim PACKET hashprefix, msg; 1548*e71b7053SJung-uk Kim 1549*e71b7053SJung-uk Kim /* Find how many bytes are left after the first two messages */ 1550*e71b7053SJung-uk Kim if (!PACKET_buf_init(&hashprefix, hdata, hdatalen) 1551*e71b7053SJung-uk Kim || !PACKET_forward(&hashprefix, 1) 1552*e71b7053SJung-uk Kim || !PACKET_get_length_prefixed_3(&hashprefix, &msg) 1553*e71b7053SJung-uk Kim || !PACKET_forward(&hashprefix, 1) 1554*e71b7053SJung-uk Kim || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) { 1555*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1556*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1557*e71b7053SJung-uk Kim goto err; 1558*e71b7053SJung-uk Kim } 1559*e71b7053SJung-uk Kim hdatalen -= PACKET_remaining(&hashprefix); 1560*e71b7053SJung-uk Kim } 1561*e71b7053SJung-uk Kim 1562*e71b7053SJung-uk Kim if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) { 1563*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1564*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1565*e71b7053SJung-uk Kim goto err; 1566*e71b7053SJung-uk Kim } 1567*e71b7053SJung-uk Kim } 1568*e71b7053SJung-uk Kim 1569*e71b7053SJung-uk Kim if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0 1570*e71b7053SJung-uk Kim || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 1571*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1572*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1573*e71b7053SJung-uk Kim goto err; 1574*e71b7053SJung-uk Kim } 1575*e71b7053SJung-uk Kim 1576*e71b7053SJung-uk Kim mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey, 1577*e71b7053SJung-uk Kim hashsize); 1578*e71b7053SJung-uk Kim if (mackey == NULL) { 1579*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1580*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1581*e71b7053SJung-uk Kim goto err; 
1582*e71b7053SJung-uk Kim } 1583*e71b7053SJung-uk Kim 1584*e71b7053SJung-uk Kim if (!sign) 1585*e71b7053SJung-uk Kim binderout = tmpbinder; 1586*e71b7053SJung-uk Kim 1587*e71b7053SJung-uk Kim bindersize = hashsize; 1588*e71b7053SJung-uk Kim if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0 1589*e71b7053SJung-uk Kim || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 1590*e71b7053SJung-uk Kim || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 1591*e71b7053SJung-uk Kim || bindersize != hashsize) { 1592*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1593*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 1594*e71b7053SJung-uk Kim goto err; 1595*e71b7053SJung-uk Kim } 1596*e71b7053SJung-uk Kim 1597*e71b7053SJung-uk Kim if (sign) { 1598*e71b7053SJung-uk Kim ret = 1; 1599*e71b7053SJung-uk Kim } else { 1600*e71b7053SJung-uk Kim /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ 1601*e71b7053SJung-uk Kim ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); 1602*e71b7053SJung-uk Kim if (!ret) 1603*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER, 1604*e71b7053SJung-uk Kim SSL_R_BINDER_DOES_NOT_VERIFY); 1605*e71b7053SJung-uk Kim } 1606*e71b7053SJung-uk Kim 1607*e71b7053SJung-uk Kim err: 1608*e71b7053SJung-uk Kim OPENSSL_cleanse(binderkey, sizeof(binderkey)); 1609*e71b7053SJung-uk Kim OPENSSL_cleanse(finishedkey, sizeof(finishedkey)); 1610*e71b7053SJung-uk Kim EVP_PKEY_free(mackey); 1611*e71b7053SJung-uk Kim EVP_MD_CTX_free(mctx); 1612*e71b7053SJung-uk Kim 1613*e71b7053SJung-uk Kim return ret; 1614*e71b7053SJung-uk Kim } 1615*e71b7053SJung-uk Kim 1616*e71b7053SJung-uk Kim static int final_early_data(SSL *s, unsigned int context, int sent) 1617*e71b7053SJung-uk Kim { 1618*e71b7053SJung-uk Kim if (!sent) 1619*e71b7053SJung-uk Kim return 1; 1620*e71b7053SJung-uk Kim 1621*e71b7053SJung-uk Kim if (!s->server) { 1622*e71b7053SJung-uk Kim if (context == 
SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 1623*e71b7053SJung-uk Kim && sent 1624*e71b7053SJung-uk Kim && !s->ext.early_data_ok) { 1625*e71b7053SJung-uk Kim /* 1626*e71b7053SJung-uk Kim * If we get here then the server accepted our early_data but we 1627*e71b7053SJung-uk Kim * later realised that it shouldn't have done (e.g. inconsistent 1628*e71b7053SJung-uk Kim * ALPN) 1629*e71b7053SJung-uk Kim */ 1630*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA, 1631*e71b7053SJung-uk Kim SSL_R_BAD_EARLY_DATA); 1632*e71b7053SJung-uk Kim return 0; 1633*e71b7053SJung-uk Kim } 1634*e71b7053SJung-uk Kim 1635*e71b7053SJung-uk Kim return 1; 1636*e71b7053SJung-uk Kim } 1637*e71b7053SJung-uk Kim 1638*e71b7053SJung-uk Kim if (s->max_early_data == 0 1639*e71b7053SJung-uk Kim || !s->hit 1640*e71b7053SJung-uk Kim || s->session->ext.tick_identity != 0 1641*e71b7053SJung-uk Kim || s->early_data_state != SSL_EARLY_DATA_ACCEPTING 1642*e71b7053SJung-uk Kim || !s->ext.early_data_ok 1643*e71b7053SJung-uk Kim || s->hello_retry_request != SSL_HRR_NONE 1644*e71b7053SJung-uk Kim || (s->ctx->allow_early_data_cb != NULL 1645*e71b7053SJung-uk Kim && !s->ctx->allow_early_data_cb(s, 1646*e71b7053SJung-uk Kim s->ctx->allow_early_data_cb_data))) { 1647*e71b7053SJung-uk Kim s->ext.early_data = SSL_EARLY_DATA_REJECTED; 1648*e71b7053SJung-uk Kim } else { 1649*e71b7053SJung-uk Kim s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 1650*e71b7053SJung-uk Kim 1651*e71b7053SJung-uk Kim if (!tls13_change_cipher_state(s, 1652*e71b7053SJung-uk Kim SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) { 1653*e71b7053SJung-uk Kim /* SSLfatal() already called */ 1654*e71b7053SJung-uk Kim return 0; 1655*e71b7053SJung-uk Kim } 1656*e71b7053SJung-uk Kim } 1657*e71b7053SJung-uk Kim 1658*e71b7053SJung-uk Kim return 1; 1659*e71b7053SJung-uk Kim } 1660*e71b7053SJung-uk Kim 1661*e71b7053SJung-uk Kim static int final_maxfragmentlen(SSL *s, unsigned int context, int sent) 1662*e71b7053SJung-uk Kim { 
1663*e71b7053SJung-uk Kim /* 1664*e71b7053SJung-uk Kim * Session resumption on server-side with MFL extension active 1665*e71b7053SJung-uk Kim * BUT MFL extension packet was not resent (i.e. sent == 0) 1666*e71b7053SJung-uk Kim */ 1667*e71b7053SJung-uk Kim if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1668*e71b7053SJung-uk Kim && !sent ) { 1669*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN, 1670*e71b7053SJung-uk Kim SSL_R_BAD_EXTENSION); 1671*e71b7053SJung-uk Kim return 0; 1672*e71b7053SJung-uk Kim } 1673*e71b7053SJung-uk Kim 1674*e71b7053SJung-uk Kim /* Current SSL buffer is lower than requested MFL */ 1675*e71b7053SJung-uk Kim if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1676*e71b7053SJung-uk Kim && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session)) 1677*e71b7053SJung-uk Kim /* trigger a larger buffer reallocation */ 1678*e71b7053SJung-uk Kim if (!ssl3_setup_buffers(s)) { 1679*e71b7053SJung-uk Kim /* SSLfatal() already called */ 1680*e71b7053SJung-uk Kim return 0; 1681*e71b7053SJung-uk Kim } 1682*e71b7053SJung-uk Kim 1683*e71b7053SJung-uk Kim return 1; 1684*e71b7053SJung-uk Kim } 1685*e71b7053SJung-uk Kim 1686*e71b7053SJung-uk Kim static int init_post_handshake_auth(SSL *s, unsigned int context) 1687*e71b7053SJung-uk Kim { 1688*e71b7053SJung-uk Kim s->post_handshake_auth = SSL_PHA_NONE; 1689*e71b7053SJung-uk Kim 1690*e71b7053SJung-uk Kim return 1; 1691*e71b7053SJung-uk Kim } 1692