VirtualBox

source: vbox/trunk/src/libs/openssl-3.0.7/ssl/statem/extensions.c@ 98326

Last change on this file since 98326 was 97372, checked in by vboxsync, 2 years ago

libs: Switch to openssl-3.0.7, bugref:10317
File size: 59.9 KB
Line 
1/*
2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#if defined(__TANDEM) && defined(_SPT_MODEL_)
11# include <spthread.h>
12# include <spt_extensions.h> /* timeval */
13#endif
14
15#include <string.h>
16#include "internal/nelem.h"
17#include "internal/cryptlib.h"
18#include "../ssl_local.h"
19#include "statem_local.h"
20#include "internal/cryptlib.h"
21
22static int final_renegotiate(SSL *s, unsigned int context, int sent);
23static int init_server_name(SSL *s, unsigned int context);
24static int final_server_name(SSL *s, unsigned int context, int sent);
25static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
26static int init_session_ticket(SSL *s, unsigned int context);
27#ifndef OPENSSL_NO_OCSP
28static int init_status_request(SSL *s, unsigned int context);
29#endif
30#ifndef OPENSSL_NO_NEXTPROTONEG
31static int init_npn(SSL *s, unsigned int context);
32#endif
33static int init_alpn(SSL *s, unsigned int context);
34static int final_alpn(SSL *s, unsigned int context, int sent);
35static int init_sig_algs_cert(SSL *s, unsigned int context);
36static int init_sig_algs(SSL *s, unsigned int context);
37static int init_certificate_authorities(SSL *s, unsigned int context);
38static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
39 unsigned int context,
40 X509 *x,
41 size_t chainidx);
42static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
43 unsigned int context, X509 *x,
44 size_t chainidx);
45#ifndef OPENSSL_NO_SRP
46static int init_srp(SSL *s, unsigned int context);
47#endif
48static int init_ec_point_formats(SSL *s, unsigned int context);
49static int init_etm(SSL *s, unsigned int context);
50static int init_ems(SSL *s, unsigned int context);
51static int final_ems(SSL *s, unsigned int context, int sent);
52static int init_psk_kex_modes(SSL *s, unsigned int context);
53static int final_key_share(SSL *s, unsigned int context, int sent);
54#ifndef OPENSSL_NO_SRTP
55static int init_srtp(SSL *s, unsigned int context);
56#endif
57static int final_sig_algs(SSL *s, unsigned int context, int sent);
58static int final_early_data(SSL *s, unsigned int context, int sent);
59static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
60static int init_post_handshake_auth(SSL *s, unsigned int context);
61static int final_psk(SSL *s, unsigned int context, int sent);
62
63/* Structure to define a built-in extension */
64typedef struct extensions_definition_st {
65 /* The defined type for the extension */
66 unsigned int type;
67 /*
68 * The context that this extension applies to, e.g. what messages and
69 * protocol versions
70 */
71 unsigned int context;
72 /*
73 * Initialise extension before parsing. Always called for relevant contexts
74 * even if extension not present
75 */
76 int (*init)(SSL *s, unsigned int context);
77 /* Parse extension sent from client to server */
78 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
79 size_t chainidx);
80 /* Parse extension send from server to client */
81 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
82 size_t chainidx);
83 /* Construct extension sent from server to client */
84 EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
85 X509 *x, size_t chainidx);
86 /* Construct extension sent from client to server */
87 EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
88 X509 *x, size_t chainidx);
89 /*
90 * Finalise extension after parsing. Always called where an extensions was
91 * initialised even if the extension was not present. |sent| is set to 1 if
92 * the extension was seen, or 0 otherwise.
93 */
94 int (*final)(SSL *s, unsigned int context, int sent);
95} EXTENSION_DEFINITION;
96
97/*
98 * Definitions of all built-in extensions. NOTE: Changes in the number or order
99 * of these extensions should be mirrored with equivalent changes to the
100 * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
101 * Extensions should be added to test/ext_internal_test.c as well, as that
102 * tests the ordering of the extensions.
103 *
104 * Each extension has an initialiser, a client and
105 * server side parser and a finaliser. The initialiser is called (if the
106 * extension is relevant to the given context) even if we did not see the
107 * extension in the message that we received. The parser functions are only
108 * called if we see the extension in the message. The finalisers are always
109 * called if the initialiser was called.
110 * There are also server and client side constructor functions which are always
111 * called during message construction if the extension is relevant for the
112 * given context.
113 * The initialisation, parsing, finalisation and construction functions are
114 * always called in the order defined in this list. Some extensions may depend
115 * on others having been processed first, so the order of this list is
116 * significant.
117 * The extension context is defined by a series of flags which specify which
118 * messages the extension is relevant to. These flags also specify whether the
119 * extension is relevant to a particular protocol or protocol version.
120 *
121 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
122 * the end, keep these extensions before signature_algorithm.
123 */
124#define INVALID_EXTENSION { TLSEXT_TYPE_invalid, 0, NULL, NULL, NULL, NULL, NULL, NULL }
125static const EXTENSION_DEFINITION ext_defs[] = {
126 {
127 TLSEXT_TYPE_renegotiate,
128 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
129 | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
130 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
131 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
132 final_renegotiate
133 },
134 {
135 TLSEXT_TYPE_server_name,
136 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
137 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
138 init_server_name,
139 tls_parse_ctos_server_name, tls_parse_stoc_server_name,
140 tls_construct_stoc_server_name, tls_construct_ctos_server_name,
141 final_server_name
142 },
143 {
144 TLSEXT_TYPE_max_fragment_length,
145 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
146 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
147 NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
148 tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
149 final_maxfragmentlen
150 },
151#ifndef OPENSSL_NO_SRP
152 {
153 TLSEXT_TYPE_srp,
154 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
155 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
156 },
157#else
158 INVALID_EXTENSION,
159#endif
160 {
161 TLSEXT_TYPE_ec_point_formats,
162 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
163 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
164 init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
165 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
166 final_ec_pt_formats
167 },
168 {
169 /*
170 * "supported_groups" is spread across several specifications.
171 * It was originally specified as "elliptic_curves" in RFC 4492,
172 * and broadened to include named FFDH groups by RFC 7919.
173 * Both RFCs 4492 and 7919 do not include a provision for the server
174 * to indicate to the client the complete list of groups supported
175 * by the server, with the server instead just indicating the
176 * selected group for this connection in the ServerKeyExchange
177 * message. TLS 1.3 adds a scheme for the server to indicate
178 * to the client its list of supported groups in the
179 * EncryptedExtensions message, but none of the relevant
180 * specifications permit sending supported_groups in the ServerHello.
181 * Nonetheless (possibly due to the close proximity to the
182 * "ec_point_formats" extension, which is allowed in the ServerHello),
183 * there are several servers that send this extension in the
184 * ServerHello anyway. Up to and including the 1.1.0 release,
185 * we did not check for the presence of nonpermitted extensions,
186 * so to avoid a regression, we must permit this extension in the
187 * TLS 1.2 ServerHello as well.
188 *
189 * Note that there is no tls_parse_stoc_supported_groups function,
190 * so we do not perform any additional parsing, validation, or
191 * processing on the server's group list -- this is just a minimal
192 * change to preserve compatibility with these misbehaving servers.
193 */
194 TLSEXT_TYPE_supported_groups,
195 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
196 | SSL_EXT_TLS1_2_SERVER_HELLO,
197 NULL, tls_parse_ctos_supported_groups, NULL,
198 tls_construct_stoc_supported_groups,
199 tls_construct_ctos_supported_groups, NULL
200 },
201 {
202 TLSEXT_TYPE_session_ticket,
203 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
204 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
205 init_session_ticket, tls_parse_ctos_session_ticket,
206 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
207 tls_construct_ctos_session_ticket, NULL
208 },
209#ifndef OPENSSL_NO_OCSP
210 {
211 TLSEXT_TYPE_status_request,
212 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
213 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
214 init_status_request, tls_parse_ctos_status_request,
215 tls_parse_stoc_status_request, tls_construct_stoc_status_request,
216 tls_construct_ctos_status_request, NULL
217 },
218#else
219 INVALID_EXTENSION,
220#endif
221#ifndef OPENSSL_NO_NEXTPROTONEG
222 {
223 TLSEXT_TYPE_next_proto_neg,
224 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
225 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
226 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
227 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
228 },
229#else
230 INVALID_EXTENSION,
231#endif
232 {
233 /*
234 * Must appear in this list after server_name so that finalisation
235 * happens after server_name callbacks
236 */
237 TLSEXT_TYPE_application_layer_protocol_negotiation,
238 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
239 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
240 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
241 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
242 },
243#ifndef OPENSSL_NO_SRTP
244 {
245 TLSEXT_TYPE_use_srtp,
246 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
247 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
248 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
249 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
250 },
251#else
252 INVALID_EXTENSION,
253#endif
254 {
255 TLSEXT_TYPE_encrypt_then_mac,
256 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
257 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
258 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
259 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
260 },
261#ifndef OPENSSL_NO_CT
262 {
263 TLSEXT_TYPE_signed_certificate_timestamp,
264 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
265 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
266 NULL,
267 /*
268 * No server side support for this, but can be provided by a custom
269 * extension. This is an exception to the rule that custom extensions
270 * cannot override built in ones.
271 */
272 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
273 },
274#else
275 INVALID_EXTENSION,
276#endif
277 {
278 TLSEXT_TYPE_extended_master_secret,
279 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
280 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
281 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
282 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
283 },
284 {
285 TLSEXT_TYPE_signature_algorithms_cert,
286 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
287 init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
288 tls_parse_ctos_sig_algs_cert,
289 /* We do not generate signature_algorithms_cert at present. */
290 NULL, NULL, NULL
291 },
292 {
293 TLSEXT_TYPE_post_handshake_auth,
294 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
295 init_post_handshake_auth,
296 tls_parse_ctos_post_handshake_auth, NULL,
297 NULL, tls_construct_ctos_post_handshake_auth,
298 NULL,
299 },
300 {
301 TLSEXT_TYPE_signature_algorithms,
302 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
303 init_sig_algs, tls_parse_ctos_sig_algs,
304 tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
305 tls_construct_ctos_sig_algs, final_sig_algs
306 },
307 {
308 TLSEXT_TYPE_supported_versions,
309 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
310 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
311 NULL,
312 /* Processed inline as part of version selection */
313 NULL, tls_parse_stoc_supported_versions,
314 tls_construct_stoc_supported_versions,
315 tls_construct_ctos_supported_versions, NULL
316 },
317 {
318 TLSEXT_TYPE_psk_kex_modes,
319 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
320 | SSL_EXT_TLS1_3_ONLY,
321 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
322 tls_construct_ctos_psk_kex_modes, NULL
323 },
324 {
325 /*
326 * Must be in this list after supported_groups. We need that to have
327 * been parsed before we do this one.
328 */
329 TLSEXT_TYPE_key_share,
330 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
331 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
332 | SSL_EXT_TLS1_3_ONLY,
333 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
334 tls_construct_stoc_key_share, tls_construct_ctos_key_share,
335 final_key_share
336 },
337 {
338 /* Must be after key_share */
339 TLSEXT_TYPE_cookie,
340 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
341 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
342 NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
343 tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
344 },
345 {
346 /*
347 * Special unsolicited ServerHello extension only used when
348 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
349 * ignore it.
350 */
351 TLSEXT_TYPE_cryptopro_bug,
352 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
353 | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
354 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
355 },
356 {
357 TLSEXT_TYPE_early_data,
358 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
359 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
360 NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
361 tls_construct_stoc_early_data, tls_construct_ctos_early_data,
362 final_early_data
363 },
364 {
365 TLSEXT_TYPE_certificate_authorities,
366 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
367 | SSL_EXT_TLS1_3_ONLY,
368 init_certificate_authorities,
369 tls_parse_certificate_authorities, tls_parse_certificate_authorities,
370 tls_construct_certificate_authorities,
371 tls_construct_certificate_authorities, NULL,
372 },
373 {
374 /* Must be immediately before pre_shared_key */
375 TLSEXT_TYPE_padding,
376 SSL_EXT_CLIENT_HELLO,
377 NULL,
378 /* We send this, but don't read it */
379 NULL, NULL, NULL, tls_construct_ctos_padding, NULL
380 },
381 {
382 /* Required by the TLSv1.3 spec to always be the last extension */
383 TLSEXT_TYPE_psk,
384 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
385 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
386 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
387 tls_construct_ctos_psk, final_psk
388 }
389};
390
391/* Returns a TLSEXT_TYPE for the given index */
392unsigned int ossl_get_extension_type(size_t idx)
393{
394 size_t num_exts = OSSL_NELEM(ext_defs);
395
396 if (idx >= num_exts)
397 return TLSEXT_TYPE_out_of_range;
398
399 return ext_defs[idx].type;
400}
401
402/* Check whether an extension's context matches the current context */
403static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
404{
405 /* Check we're allowed to use this extension in this context */
406 if ((thisctx & extctx) == 0)
407 return 0;
408
409 if (SSL_IS_DTLS(s)) {
410 if ((extctx & SSL_EXT_TLS_ONLY) != 0)
411 return 0;
412 } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
413 return 0;
414 }
415
416 return 1;
417}
418
419int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
420{
421 size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
422 RAW_EXTENSION *thisext;
423 unsigned int context;
424 ENDPOINT role = ENDPOINT_BOTH;
425
426 if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
427 role = ENDPOINT_SERVER;
428 else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
429 role = ENDPOINT_CLIENT;
430
431 /* Calculate the number of extensions in the extensions list */
432 num_exts = builtin_num + s->cert->custext.meths_count;
433
434 for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
435 if (!thisext->present)
436 continue;
437
438 if (i < builtin_num) {
439 context = ext_defs[i].context;
440 } else {
441 custom_ext_method *meth = NULL;
442
443 meth = custom_ext_find(&s->cert->custext, role, thisext->type,
444 &offset);
445 if (!ossl_assert(meth != NULL))
446 return 0;
447 context = meth->context;
448 }
449
450 if (!validate_context(s, context, thisctx))
451 return 0;
452 }
453
454 return 1;
455}
456
457/*
458 * Verify whether we are allowed to use the extension |type| in the current
459 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
460 * indicate the extension is not allowed. If returning 1 then |*found| is set to
461 * the definition for the extension we found.
462 */
463static int verify_extension(SSL *s, unsigned int context, unsigned int type,
464 custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
465 RAW_EXTENSION **found)
466{
467 size_t i;
468 size_t builtin_num = OSSL_NELEM(ext_defs);
469 const EXTENSION_DEFINITION *thisext;
470
471 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
472 if (type == thisext->type) {
473 if (!validate_context(s, thisext->context, context))
474 return 0;
475
476 *found = &rawexlist[i];
477 return 1;
478 }
479 }
480
481 /* Check the custom extensions */
482 if (meths != NULL) {
483 size_t offset = 0;
484 ENDPOINT role = ENDPOINT_BOTH;
485 custom_ext_method *meth = NULL;
486
487 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
488 role = ENDPOINT_SERVER;
489 else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
490 role = ENDPOINT_CLIENT;
491
492 meth = custom_ext_find(meths, role, type, &offset);
493 if (meth != NULL) {
494 if (!validate_context(s, meth->context, context))
495 return 0;
496 *found = &rawexlist[offset + builtin_num];
497 return 1;
498 }
499 }
500
501 /* Unknown extension. We allow it */
502 *found = NULL;
503 return 1;
504}
505
506/*
507 * Check whether the context defined for an extension |extctx| means whether
508 * the extension is relevant for the current context |thisctx| or not. Returns
509 * 1 if the extension is relevant for this context, and 0 otherwise
510 */
511int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
512{
513 int is_tls13;
514
515 /*
516 * For HRR we haven't selected the version yet but we know it will be
517 * TLSv1.3
518 */
519 if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
520 is_tls13 = 1;
521 else
522 is_tls13 = SSL_IS_TLS13(s);
523
524 if ((SSL_IS_DTLS(s)
525 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
526 || (s->version == SSL3_VERSION
527 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
528 /*
529 * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
530 * which is never true when generating the ClientHello.
531 * However, version negotiation *has* occurred by the time the
532 * ClientHello extensions are being parsed.
533 * Be careful to allow TLS 1.3-only extensions when generating
534 * the ClientHello.
535 */
536 || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
537 || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
538 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
539 || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
540 || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
541 return 0;
542 return 1;
543}
544
545/*
546 * Gather a list of all the extensions from the data in |packet]. |context|
547 * tells us which message this extension is for. The raw extension data is
548 * stored in |*res| on success. We don't actually process the content of the
549 * extensions yet, except to check their types. This function also runs the
550 * initialiser functions for all known extensions if |init| is nonzero (whether
551 * we have collected them or not). If successful the caller is responsible for
552 * freeing the contents of |*res|.
553 *
554 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
555 * more than one extension of the same type in a ClientHello or ServerHello.
556 * This function returns 1 if all extensions are unique and we have parsed their
557 * types, and 0 if the extensions contain duplicates, could not be successfully
558 * found, or an internal error occurred. We only check duplicates for
559 * extensions that we know about. We ignore others.
560 */
561int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
562 RAW_EXTENSION **res, size_t *len, int init)
563{
564 PACKET extensions = *packet;
565 size_t i = 0;
566 size_t num_exts;
567 custom_ext_methods *exts = &s->cert->custext;
568 RAW_EXTENSION *raw_extensions = NULL;
569 const EXTENSION_DEFINITION *thisexd;
570
571 *res = NULL;
572
573 /*
574 * Initialise server side custom extensions. Client side is done during
575 * construction of extensions for the ClientHello.
576 */
577 if ((context & SSL_EXT_CLIENT_HELLO) != 0)
578 custom_ext_init(&s->cert->custext);
579
580 num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
581 raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
582 if (raw_extensions == NULL) {
583 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
584 return 0;
585 }
586
587 i = 0;
588 while (PACKET_remaining(&extensions) > 0) {
589 unsigned int type, idx;
590 PACKET extension;
591 RAW_EXTENSION *thisex;
592
593 if (!PACKET_get_net_2(&extensions, &type) ||
594 !PACKET_get_length_prefixed_2(&extensions, &extension)) {
595 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
596 goto err;
597 }
598 /*
599 * Verify this extension is allowed. We only check duplicates for
600 * extensions that we recognise. We also have a special case for the
601 * PSK extension, which must be the last one in the ClientHello.
602 */
603 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
604 || (thisex != NULL && thisex->present == 1)
605 || (type == TLSEXT_TYPE_psk
606 && (context & SSL_EXT_CLIENT_HELLO) != 0
607 && PACKET_remaining(&extensions) != 0)) {
608 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
609 goto err;
610 }
611 idx = thisex - raw_extensions;
612 /*-
613 * Check that we requested this extension (if appropriate). Requests can
614 * be sent in the ClientHello and CertificateRequest. Unsolicited
615 * extensions can be sent in the NewSessionTicket. We only do this for
616 * the built-in extensions. Custom extensions have a different but
617 * similar check elsewhere.
618 * Special cases:
619 * - The HRR cookie extension is unsolicited
620 * - The renegotiate extension is unsolicited (the client signals
621 * support via an SCSV)
622 * - The signed_certificate_timestamp extension can be provided by a
623 * custom extension or by the built-in version. We let the extension
624 * itself handle unsolicited response checks.
625 */
626 if (idx < OSSL_NELEM(ext_defs)
627 && (context & (SSL_EXT_CLIENT_HELLO
628 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
629 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
630 && type != TLSEXT_TYPE_cookie
631 && type != TLSEXT_TYPE_renegotiate
632 && type != TLSEXT_TYPE_signed_certificate_timestamp
633 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
634#ifndef OPENSSL_NO_GOST
635 && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
636 && type == TLSEXT_TYPE_cryptopro_bug)
637#endif
638 ) {
639 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
640 SSL_R_UNSOLICITED_EXTENSION);
641 goto err;
642 }
643 if (thisex != NULL) {
644 thisex->data = extension;
645 thisex->present = 1;
646 thisex->type = type;
647 thisex->received_order = i++;
648 if (s->ext.debug_cb)
649 s->ext.debug_cb(s, !s->server, thisex->type,
650 PACKET_data(&thisex->data),
651 PACKET_remaining(&thisex->data),
652 s->ext.debug_arg);
653 }
654 }
655
656 if (init) {
657 /*
658 * Initialise all known extensions relevant to this context,
659 * whether we have found them or not
660 */
661 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
662 i++, thisexd++) {
663 if (thisexd->init != NULL && (thisexd->context & context) != 0
664 && extension_is_relevant(s, thisexd->context, context)
665 && !thisexd->init(s, context)) {
666 /* SSLfatal() already called */
667 goto err;
668 }
669 }
670 }
671
672 *res = raw_extensions;
673 if (len != NULL)
674 *len = num_exts;
675 return 1;
676
677 err:
678 OPENSSL_free(raw_extensions);
679 return 0;
680}
681
682/*
683 * Runs the parser for a given extension with index |idx|. |exts| contains the
684 * list of all parsed extensions previously collected by
685 * tls_collect_extensions(). The parser is only run if it is applicable for the
686 * given |context| and the parser has not already been run. If this is for a
687 * Certificate message, then we also provide the parser with the relevant
688 * Certificate |x| and its position in the |chainidx| with 0 being the first
689 * Certificate. Returns 1 on success or 0 on failure. If an extension is not
690 * present this counted as success.
691 */
692int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
693 RAW_EXTENSION *exts, X509 *x, size_t chainidx)
694{
695 RAW_EXTENSION *currext = &exts[idx];
696 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
697 size_t chainidx) = NULL;
698
699 /* Skip if the extension is not present */
700 if (!currext->present)
701 return 1;
702
703 /* Skip if we've already parsed this extension */
704 if (currext->parsed)
705 return 1;
706
707 currext->parsed = 1;
708
709 if (idx < OSSL_NELEM(ext_defs)) {
710 /* We are handling a built-in extension */
711 const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
712
713 /* Check if extension is defined for our protocol. If not, skip */
714 if (!extension_is_relevant(s, extdef->context, context))
715 return 1;
716
717 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
718
719 if (parser != NULL)
720 return parser(s, &currext->data, context, x, chainidx);
721
722 /*
723 * If the parser is NULL we fall through to the custom extension
724 * processing
725 */
726 }
727
728 /* Parse custom extensions */
729 return custom_ext_parse(s, context, currext->type,
730 PACKET_data(&currext->data),
731 PACKET_remaining(&currext->data),
732 x, chainidx);
733}
734
735/*
736 * Parse all remaining extensions that have not yet been parsed. Also calls the
737 * finalisation for all extensions at the end if |fin| is nonzero, whether we
738 * collected them or not. Returns 1 for success or 0 for failure. If we are
739 * working on a Certificate message then we also pass the Certificate |x| and
740 * its position in the |chainidx|, with 0 being the first certificate.
741 */
742int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
743 size_t chainidx, int fin)
744{
745 size_t i, numexts = OSSL_NELEM(ext_defs);
746 const EXTENSION_DEFINITION *thisexd;
747
748 /* Calculate the number of extensions in the extensions list */
749 numexts += s->cert->custext.meths_count;
750
751 /* Parse each extension in turn */
752 for (i = 0; i < numexts; i++) {
753 if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
754 /* SSLfatal() already called */
755 return 0;
756 }
757 }
758
759 if (fin) {
760 /*
761 * Finalise all known extensions relevant to this context,
762 * whether we have found them or not
763 */
764 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
765 i++, thisexd++) {
766 if (thisexd->final != NULL && (thisexd->context & context) != 0
767 && !thisexd->final(s, context, exts[i].present)) {
768 /* SSLfatal() already called */
769 return 0;
770 }
771 }
772 }
773
774 return 1;
775}
776
777int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
778 int max_version)
779{
780 /* Skip if not relevant for our context */
781 if ((extctx & thisctx) == 0)
782 return 0;
783
784 /* Check if this extension is defined for our protocol. If not, skip */
785 if (!extension_is_relevant(s, extctx, thisctx)
786 || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
787 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
788 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
789 return 0;
790
791 return 1;
792}
793
794/*
795 * Construct all the extensions relevant to the current |context| and write
796 * them to |pkt|. If this is an extension for a Certificate in a Certificate
797 * message, then |x| will be set to the Certificate we are handling, and
798 * |chainidx| will indicate the position in the chainidx we are processing (with
799 * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
800 * failure construction stops at the first extension to fail to construct.
801 */
802int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
803 X509 *x, size_t chainidx)
804{
805 size_t i;
806 int min_version, max_version = 0, reason;
807 const EXTENSION_DEFINITION *thisexd;
808
809 if (!WPACKET_start_sub_packet_u16(pkt)
810 /*
811 * If extensions are of zero length then we don't even add the
812 * extensions length bytes to a ClientHello/ServerHello
813 * (for non-TLSv1.3).
814 */
815 || ((context &
816 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
817 && !WPACKET_set_flags(pkt,
818 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
819 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
820 return 0;
821 }
822
823 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
824 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
825 if (reason != 0) {
826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
827 return 0;
828 }
829 }
830
831 /* Add custom extensions first */
832 if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
833 /* On the server side with initialise during ClientHello parsing */
834 custom_ext_init(&s->cert->custext);
835 }
836 if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
837 /* SSLfatal() already called */
838 return 0;
839 }
840
841 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
842 EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
843 X509 *x, size_t chainidx);
844 EXT_RETURN ret;
845
846 /* Skip if not relevant for our context */
847 if (!should_add_extension(s, thisexd->context, context, max_version))
848 continue;
849
850 construct = s->server ? thisexd->construct_stoc
851 : thisexd->construct_ctos;
852
853 if (construct == NULL)
854 continue;
855
856 ret = construct(s, pkt, context, x, chainidx);
857 if (ret == EXT_RETURN_FAIL) {
858 /* SSLfatal() already called */
859 return 0;
860 }
861 if (ret == EXT_RETURN_SENT
862 && (context & (SSL_EXT_CLIENT_HELLO
863 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
864 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
865 s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
866 }
867
868 if (!WPACKET_close(pkt)) {
869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
870 return 0;
871 }
872
873 return 1;
874}
875
876/*
877 * Built in extension finalisation and initialisation functions. All initialise
878 * or finalise the associated extension type for the given |context|. For
879 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
880 * otherwise. These functions return 1 on success or 0 on failure.
881 */
882
883static int final_renegotiate(SSL *s, unsigned int context, int sent)
884{
885 if (!s->server) {
886 /*
887 * Check if we can connect to a server that doesn't support safe
888 * renegotiation
889 */
890 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
891 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
892 && !sent) {
893 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
894 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
895 return 0;
896 }
897
898 return 1;
899 }
900
901 /* Need RI if renegotiating */
902 if (s->renegotiate
903 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
904 && !sent) {
905 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
906 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
907 return 0;
908 }
909
910
911 return 1;
912}
913
914static ossl_inline void ssl_tsan_decr(const SSL_CTX *ctx,
915 TSAN_QUALIFIER int *stat)
916{
917 if (ssl_tsan_lock(ctx)) {
918 tsan_decr(stat);
919 ssl_tsan_unlock(ctx);
920 }
921}
922
923static int init_server_name(SSL *s, unsigned int context)
924{
925 if (s->server) {
926 s->servername_done = 0;
927
928 OPENSSL_free(s->ext.hostname);
929 s->ext.hostname = NULL;
930 }
931
932 return 1;
933}
934
935static int final_server_name(SSL *s, unsigned int context, int sent)
936{
937 int ret = SSL_TLSEXT_ERR_NOACK;
938 int altmp = SSL_AD_UNRECOGNIZED_NAME;
939 int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
940
941 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
942 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
943 return 0;
944 }
945
946 if (s->ctx->ext.servername_cb != NULL)
947 ret = s->ctx->ext.servername_cb(s, &altmp,
948 s->ctx->ext.servername_arg);
949 else if (s->session_ctx->ext.servername_cb != NULL)
950 ret = s->session_ctx->ext.servername_cb(s, &altmp,
951 s->session_ctx->ext.servername_arg);
952
953 /*
954 * For servers, propagate the SNI hostname from the temporary
955 * storage in the SSL to the persistent SSL_SESSION, now that we
956 * know we accepted it.
957 * Clients make this copy when parsing the server's response to
958 * the extension, which is when they find out that the negotiation
959 * was successful.
960 */
961 if (s->server) {
962 if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
963 /* Only store the hostname in the session if we accepted it. */
964 OPENSSL_free(s->session->ext.hostname);
965 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
966 if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
967 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
968 }
969 }
970 }
971
972 /*
973 * If we switched contexts (whether here or in the client_hello callback),
974 * move the sess_accept increment from the session_ctx to the new
975 * context, to avoid the confusing situation of having sess_accept_good
976 * exceed sess_accept (zero) for the new context.
977 */
978 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
979 && s->hello_retry_request == SSL_HRR_NONE) {
980 ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept);
981 ssl_tsan_decr(s->session_ctx, &s->session_ctx->stats.sess_accept);
982 }
983
984 /*
985 * If we're expecting to send a ticket, and tickets were previously enabled,
986 * and now tickets are disabled, then turn off expected ticket.
987 * Also, if this is not a resumption, create a new session ID
988 */
989 if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
990 && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
991 s->ext.ticket_expected = 0;
992 if (!s->hit) {
993 SSL_SESSION* ss = SSL_get_session(s);
994
995 if (ss != NULL) {
996 OPENSSL_free(ss->ext.tick);
997 ss->ext.tick = NULL;
998 ss->ext.ticklen = 0;
999 ss->ext.tick_lifetime_hint = 0;
1000 ss->ext.tick_age_add = 0;
1001 if (!ssl_generate_session_id(s, ss)) {
1002 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1003 return 0;
1004 }
1005 } else {
1006 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1007 return 0;
1008 }
1009 }
1010 }
1011
1012 switch (ret) {
1013 case SSL_TLSEXT_ERR_ALERT_FATAL:
1014 SSLfatal(s, altmp, SSL_R_CALLBACK_FAILED);
1015 return 0;
1016
1017 case SSL_TLSEXT_ERR_ALERT_WARNING:
1018 /* TLSv1.3 doesn't have warning alerts so we suppress this */
1019 if (!SSL_IS_TLS13(s))
1020 ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
1021 s->servername_done = 0;
1022 return 1;
1023
1024 case SSL_TLSEXT_ERR_NOACK:
1025 s->servername_done = 0;
1026 return 1;
1027
1028 default:
1029 return 1;
1030 }
1031}
1032
1033static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
1034{
1035 unsigned long alg_k, alg_a;
1036
1037 if (s->server)
1038 return 1;
1039
1040 alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1041 alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1042
1043 /*
1044 * If we are client and using an elliptic curve cryptography cipher
1045 * suite, then if server returns an EC point formats lists extension it
1046 * must contain uncompressed.
1047 */
1048 if (s->ext.ecpointformats != NULL
1049 && s->ext.ecpointformats_len > 0
1050 && s->ext.peer_ecpointformats != NULL
1051 && s->ext.peer_ecpointformats_len > 0
1052 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
1053 /* we are using an ECC cipher */
1054 size_t i;
1055 unsigned char *list = s->ext.peer_ecpointformats;
1056
1057 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
1058 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
1059 break;
1060 }
1061 if (i == s->ext.peer_ecpointformats_len) {
1062 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1063 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1064 return 0;
1065 }
1066 }
1067
1068 return 1;
1069}
1070
1071static int init_session_ticket(SSL *s, unsigned int context)
1072{
1073 if (!s->server)
1074 s->ext.ticket_expected = 0;
1075
1076 return 1;
1077}
1078
1079#ifndef OPENSSL_NO_OCSP
1080static int init_status_request(SSL *s, unsigned int context)
1081{
1082 if (s->server) {
1083 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1084 } else {
1085 /*
1086 * Ensure we get sensible values passed to tlsext_status_cb in the event
1087 * that we don't receive a status message
1088 */
1089 OPENSSL_free(s->ext.ocsp.resp);
1090 s->ext.ocsp.resp = NULL;
1091 s->ext.ocsp.resp_len = 0;
1092 }
1093
1094 return 1;
1095}
1096#endif
1097
1098#ifndef OPENSSL_NO_NEXTPROTONEG
1099static int init_npn(SSL *s, unsigned int context)
1100{
1101 s->s3.npn_seen = 0;
1102
1103 return 1;
1104}
1105#endif
1106
1107static int init_alpn(SSL *s, unsigned int context)
1108{
1109 OPENSSL_free(s->s3.alpn_selected);
1110 s->s3.alpn_selected = NULL;
1111 s->s3.alpn_selected_len = 0;
1112 if (s->server) {
1113 OPENSSL_free(s->s3.alpn_proposed);
1114 s->s3.alpn_proposed = NULL;
1115 s->s3.alpn_proposed_len = 0;
1116 }
1117 return 1;
1118}
1119
1120static int final_alpn(SSL *s, unsigned int context, int sent)
1121{
1122 if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
1123 s->ext.early_data_ok = 0;
1124
1125 if (!s->server || !SSL_IS_TLS13(s))
1126 return 1;
1127
1128 /*
1129 * Call alpn_select callback if needed. Has to be done after SNI and
1130 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
1131 * we also have to do this before we decide whether to accept early_data.
1132 * In TLSv1.3 we've already negotiated our cipher so we do this call now.
1133 * For < TLSv1.3 we defer it until after cipher negotiation.
1134 *
1135 * On failure SSLfatal() already called.
1136 */
1137 return tls_handle_alpn(s);
1138}
1139
1140static int init_sig_algs(SSL *s, unsigned int context)
1141{
1142 /* Clear any signature algorithms extension received */
1143 OPENSSL_free(s->s3.tmp.peer_sigalgs);
1144 s->s3.tmp.peer_sigalgs = NULL;
1145 s->s3.tmp.peer_sigalgslen = 0;
1146
1147 return 1;
1148}
1149
1150static int init_sig_algs_cert(SSL *s, ossl_unused unsigned int context)
1151{
1152 /* Clear any signature algorithms extension received */
1153 OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
1154 s->s3.tmp.peer_cert_sigalgs = NULL;
1155 s->s3.tmp.peer_cert_sigalgslen = 0;
1156
1157 return 1;
1158}
1159
1160#ifndef OPENSSL_NO_SRP
1161static int init_srp(SSL *s, unsigned int context)
1162{
1163 OPENSSL_free(s->srp_ctx.login);
1164 s->srp_ctx.login = NULL;
1165
1166 return 1;
1167}
1168#endif
1169
1170static int init_ec_point_formats(SSL *s, unsigned int context)
1171{
1172 OPENSSL_free(s->ext.peer_ecpointformats);
1173 s->ext.peer_ecpointformats = NULL;
1174 s->ext.peer_ecpointformats_len = 0;
1175
1176 return 1;
1177}
1178
1179static int init_etm(SSL *s, unsigned int context)
1180{
1181 s->ext.use_etm = 0;
1182
1183 return 1;
1184}
1185
1186static int init_ems(SSL *s, unsigned int context)
1187{
1188 if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1189 s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1190 s->s3.flags |= TLS1_FLAGS_REQUIRED_EXTMS;
1191 }
1192
1193 return 1;
1194}
1195
1196static int final_ems(SSL *s, unsigned int context, int sent)
1197{
1198 /*
1199 * Check extended master secret extension is not dropped on
1200 * renegotiation.
1201 */
1202 if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
1203 && (s->s3.flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
1204 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
1205 return 0;
1206 }
1207 if (!s->server && s->hit) {
1208 /*
1209 * Check extended master secret extension is consistent with
1210 * original session.
1211 */
1212 if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
1213 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
1214 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
1215 return 0;
1216 }
1217 }
1218
1219 return 1;
1220}
1221
1222static int init_certificate_authorities(SSL *s, unsigned int context)
1223{
1224 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
1225 s->s3.tmp.peer_ca_names = NULL;
1226 return 1;
1227}
1228
1229static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
1230 unsigned int context,
1231 X509 *x,
1232 size_t chainidx)
1233{
1234 const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
1235
1236 if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
1237 return EXT_RETURN_NOT_SENT;
1238
1239 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
1240 || !WPACKET_start_sub_packet_u16(pkt)) {
1241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1242 return EXT_RETURN_FAIL;
1243 }
1244
1245 if (!construct_ca_names(s, ca_sk, pkt)) {
1246 /* SSLfatal() already called */
1247 return EXT_RETURN_FAIL;
1248 }
1249
1250 if (!WPACKET_close(pkt)) {
1251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1252 return EXT_RETURN_FAIL;
1253 }
1254
1255 return EXT_RETURN_SENT;
1256}
1257
1258static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
1259 unsigned int context, X509 *x,
1260 size_t chainidx)
1261{
1262 if (!parse_ca_names(s, pkt))
1263 return 0;
1264 if (PACKET_remaining(pkt) != 0) {
1265 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266 return 0;
1267 }
1268 return 1;
1269}
1270
1271#ifndef OPENSSL_NO_SRTP
1272static int init_srtp(SSL *s, unsigned int context)
1273{
1274 if (s->server)
1275 s->srtp_profile = NULL;
1276
1277 return 1;
1278}
1279#endif
1280
1281static int final_sig_algs(SSL *s, unsigned int context, int sent)
1282{
1283 if (!sent && SSL_IS_TLS13(s) && !s->hit) {
1284 SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
1285 SSL_R_MISSING_SIGALGS_EXTENSION);
1286 return 0;
1287 }
1288
1289 return 1;
1290}
1291
1292static int final_key_share(SSL *s, unsigned int context, int sent)
1293{
1294#if !defined(OPENSSL_NO_TLS1_3)
1295 if (!SSL_IS_TLS13(s))
1296 return 1;
1297
1298 /* Nothing to do for key_share in an HRR */
1299 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
1300 return 1;
1301
1302 /*
1303 * If
1304 * we are a client
1305 * AND
1306 * we have no key_share
1307 * AND
1308 * (we are not resuming
1309 * OR the kex_mode doesn't allow non key_share resumes)
1310 * THEN
1311 * fail;
1312 */
1313 if (!s->server
1314 && !sent
1315 && (!s->hit
1316 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
1317 /* Nothing left we can do - just fail */
1318 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_NO_SUITABLE_KEY_SHARE);
1319 return 0;
1320 }
1321 /*
1322 * IF
1323 * we are a server
1324 * THEN
1325 * IF
1326 * we have a suitable key_share
1327 * THEN
1328 * IF
1329 * we are stateless AND we have no cookie
1330 * THEN
1331 * send a HelloRetryRequest
1332 * ELSE
1333 * IF
1334 * we didn't already send a HelloRetryRequest
1335 * AND
1336 * the client sent a key_share extension
1337 * AND
1338 * (we are not resuming
1339 * OR the kex_mode allows key_share resumes)
1340 * AND
1341 * a shared group exists
1342 * THEN
1343 * send a HelloRetryRequest
1344 * ELSE IF
1345 * we are not resuming
1346 * OR
1347 * the kex_mode doesn't allow non key_share resumes
1348 * THEN
1349 * fail
1350 * ELSE IF
1351 * we are stateless AND we have no cookie
1352 * THEN
1353 * send a HelloRetryRequest
1354 */
1355 if (s->server) {
1356 if (s->s3.peer_tmp != NULL) {
1357 /* We have a suitable key_share */
1358 if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
1359 && !s->ext.cookieok) {
1360 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1361 /*
1362 * If we are stateless then we wouldn't know about any
1363 * previously sent HRR - so how can this be anything other
1364 * than 0?
1365 */
1366 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1367 return 0;
1368 }
1369 s->hello_retry_request = SSL_HRR_PENDING;
1370 return 1;
1371 }
1372 } else {
1373 /* No suitable key_share */
1374 if (s->hello_retry_request == SSL_HRR_NONE && sent
1375 && (!s->hit
1376 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
1377 != 0)) {
1378 const uint16_t *pgroups, *clntgroups;
1379 size_t num_groups, clnt_num_groups, i;
1380 unsigned int group_id = 0;
1381
1382 /* Check if a shared group exists */
1383
1384 /* Get the clients list of supported groups. */
1385 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
1386 tls1_get_supported_groups(s, &pgroups, &num_groups);
1387
1388 /*
1389 * Find the first group we allow that is also in client's list
1390 */
1391 for (i = 0; i < num_groups; i++) {
1392 group_id = pgroups[i];
1393
1394 if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1395 1))
1396 break;
1397 }
1398
1399 if (i < num_groups) {
1400 /* A shared group exists so send a HelloRetryRequest */
1401 s->s3.group_id = group_id;
1402 s->hello_retry_request = SSL_HRR_PENDING;
1403 return 1;
1404 }
1405 }
1406 if (!s->hit
1407 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
1408 /* Nothing left we can do - just fail */
1409 SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
1410 : SSL_AD_MISSING_EXTENSION,
1411 SSL_R_NO_SUITABLE_KEY_SHARE);
1412 return 0;
1413 }
1414
1415 if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
1416 && !s->ext.cookieok) {
1417 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1418 /*
1419 * If we are stateless then we wouldn't know about any
1420 * previously sent HRR - so how can this be anything other
1421 * than 0?
1422 */
1423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1424 return 0;
1425 }
1426 s->hello_retry_request = SSL_HRR_PENDING;
1427 return 1;
1428 }
1429 }
1430
1431 /*
1432 * We have a key_share so don't send any more HelloRetryRequest
1433 * messages
1434 */
1435 if (s->hello_retry_request == SSL_HRR_PENDING)
1436 s->hello_retry_request = SSL_HRR_COMPLETE;
1437 } else {
1438 /*
1439 * For a client side resumption with no key_share we need to generate
1440 * the handshake secret (otherwise this is done during key_share
1441 * processing).
1442 */
1443 if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
1444 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1445 return 0;
1446 }
1447 }
1448#endif /* !defined(OPENSSL_NO_TLS1_3) */
1449 return 1;
1450}
1451
1452static int init_psk_kex_modes(SSL *s, unsigned int context)
1453{
1454 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
1455 return 1;
1456}
1457
1458int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1459 size_t binderoffset, const unsigned char *binderin,
1460 unsigned char *binderout, SSL_SESSION *sess, int sign,
1461 int external)
1462{
1463 EVP_PKEY *mackey = NULL;
1464 EVP_MD_CTX *mctx = NULL;
1465 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1466 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
1467 unsigned char *early_secret;
1468#ifdef CHARSET_EBCDIC
1469 static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1470 static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1471#else
1472 static const unsigned char resumption_label[] = "res binder";
1473 static const unsigned char external_label[] = "ext binder";
1474#endif
1475 const unsigned char *label;
1476 size_t bindersize, labelsize, hashsize;
1477 int hashsizei = EVP_MD_get_size(md);
1478 int ret = -1;
1479 int usepskfored = 0;
1480
1481 /* Ensure cast to size_t is safe */
1482 if (!ossl_assert(hashsizei >= 0)) {
1483 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1484 goto err;
1485 }
1486 hashsize = (size_t)hashsizei;
1487
1488 if (external
1489 && s->early_data_state == SSL_EARLY_DATA_CONNECTING
1490 && s->session->ext.max_early_data == 0
1491 && sess->ext.max_early_data > 0)
1492 usepskfored = 1;
1493
1494 if (external) {
1495 label = external_label;
1496 labelsize = sizeof(external_label) - 1;
1497 } else {
1498 label = resumption_label;
1499 labelsize = sizeof(resumption_label) - 1;
1500 }
1501
1502 /*
1503 * Generate the early_secret. On the server side we've selected a PSK to
1504 * resume with (internal or external) so we always do this. On the client
1505 * side we do this for a non-external (i.e. resumption) PSK or external PSK
1506 * that will be used for early_data so that it is in place for sending early
1507 * data. For client side external PSK not being used for early_data we
1508 * generate it but store it away for later use.
1509 */
1510 if (s->server || !external || usepskfored)
1511 early_secret = (unsigned char *)s->early_secret;
1512 else
1513 early_secret = (unsigned char *)sess->early_secret;
1514
1515 if (!tls13_generate_secret(s, md, NULL, sess->master_key,
1516 sess->master_key_length, early_secret)) {
1517 /* SSLfatal() already called */
1518 goto err;
1519 }
1520
1521 /*
1522 * Create the handshake hash for the binder key...the messages so far are
1523 * empty!
1524 */
1525 mctx = EVP_MD_CTX_new();
1526 if (mctx == NULL
1527 || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1528 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1529 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1530 goto err;
1531 }
1532
1533 /* Generate the binder key */
1534 if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
1535 hashsize, binderkey, hashsize, 1)) {
1536 /* SSLfatal() already called */
1537 goto err;
1538 }
1539
1540 /* Generate the finished key */
1541 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
1542 /* SSLfatal() already called */
1543 goto err;
1544 }
1545
1546 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
1547 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1548 goto err;
1549 }
1550
1551 /*
1552 * Get a hash of the ClientHello up to the start of the binders. If we are
1553 * following a HelloRetryRequest then this includes the hash of the first
1554 * ClientHello and the HelloRetryRequest itself.
1555 */
1556 if (s->hello_retry_request == SSL_HRR_PENDING) {
1557 size_t hdatalen;
1558 long hdatalen_l;
1559 void *hdata;
1560
1561 hdatalen = hdatalen_l =
1562 BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
1563 if (hdatalen_l <= 0) {
1564 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
1565 goto err;
1566 }
1567
1568 /*
1569 * For servers the handshake buffer data will include the second
1570 * ClientHello - which we don't want - so we need to take that bit off.
1571 */
1572 if (s->server) {
1573 PACKET hashprefix, msg;
1574
1575 /* Find how many bytes are left after the first two messages */
1576 if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
1577 || !PACKET_forward(&hashprefix, 1)
1578 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
1579 || !PACKET_forward(&hashprefix, 1)
1580 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
1581 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1582 goto err;
1583 }
1584 hdatalen -= PACKET_remaining(&hashprefix);
1585 }
1586
1587 if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
1588 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1589 goto err;
1590 }
1591 }
1592
1593 if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1594 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1596 goto err;
1597 }
1598
1599 mackey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1600 s->ctx->propq, finishedkey,
1601 hashsize);
1602 if (mackey == NULL) {
1603 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1604 goto err;
1605 }
1606
1607 if (!sign)
1608 binderout = tmpbinder;
1609
1610 bindersize = hashsize;
1611 if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), s->ctx->libctx,
1612 s->ctx->propq, mackey, NULL) <= 0
1613 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1614 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1615 || bindersize != hashsize) {
1616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1617 goto err;
1618 }
1619
1620 if (sign) {
1621 ret = 1;
1622 } else {
1623 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1624 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
1625 if (!ret)
1626 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BINDER_DOES_NOT_VERIFY);
1627 }
1628
1629 err:
1630 OPENSSL_cleanse(binderkey, sizeof(binderkey));
1631 OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1632 EVP_PKEY_free(mackey);
1633 EVP_MD_CTX_free(mctx);
1634
1635 return ret;
1636}
1637
1638static int final_early_data(SSL *s, unsigned int context, int sent)
1639{
1640 if (!sent)
1641 return 1;
1642
1643 if (!s->server) {
1644 if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
1645 && sent
1646 && !s->ext.early_data_ok) {
1647 /*
1648 * If we get here then the server accepted our early_data but we
1649 * later realised that it shouldn't have done (e.g. inconsistent
1650 * ALPN)
1651 */
1652 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EARLY_DATA);
1653 return 0;
1654 }
1655
1656 return 1;
1657 }
1658
1659 if (s->max_early_data == 0
1660 || !s->hit
1661 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
1662 || !s->ext.early_data_ok
1663 || s->hello_retry_request != SSL_HRR_NONE
1664 || (s->allow_early_data_cb != NULL
1665 && !s->allow_early_data_cb(s,
1666 s->allow_early_data_cb_data))) {
1667 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
1668 } else {
1669 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1670
1671 if (!tls13_change_cipher_state(s,
1672 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
1673 /* SSLfatal() already called */
1674 return 0;
1675 }
1676 }
1677
1678 return 1;
1679}
1680
1681static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
1682{
1683 /*
1684 * Session resumption on server-side with MFL extension active
1685 * BUT MFL extension packet was not resent (i.e. sent == 0)
1686 */
1687 if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1688 && !sent ) {
1689 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_BAD_EXTENSION);
1690 return 0;
1691 }
1692
1693 /* Current SSL buffer is lower than requested MFL */
1694 if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1695 && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
1696 /* trigger a larger buffer reallocation */
1697 if (!ssl3_setup_buffers(s)) {
1698 /* SSLfatal() already called */
1699 return 0;
1700 }
1701
1702 return 1;
1703}
1704
1705static int init_post_handshake_auth(SSL *s, ossl_unused unsigned int context)
1706{
1707 s->post_handshake_auth = SSL_PHA_NONE;
1708
1709 return 1;
1710}
1711
1712/*
1713 * If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
1714 * extension, servers MUST abort the handshake.
1715 */
1716static int final_psk(SSL *s, unsigned int context, int sent)
1717{
1718 if (s->server && sent && s->clienthello != NULL
1719 && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
1720 SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
1721 SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
1722 return 0;
1723 }
1724
1725 return 1;
1726}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette