1/* 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <string.h> 11#include "internal/nelem.h" 12#include "internal/cryptlib.h" 13#include "../ssl_local.h" 14#include "statem_local.h" 15#include "internal/cryptlib.h" 16 17static int final_renegotiate(SSL *s, unsigned int context, int sent); 18static int init_server_name(SSL *s, unsigned int context); 19static int final_server_name(SSL *s, unsigned int context, int sent); 20#ifndef OPENSSL_NO_EC 21static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); 22#endif 23static int init_session_ticket(SSL *s, unsigned int context); 24#ifndef OPENSSL_NO_OCSP 25static int init_status_request(SSL *s, unsigned int context); 26#endif 27#ifndef OPENSSL_NO_NEXTPROTONEG 28static int init_npn(SSL *s, unsigned int context); 29#endif 30static int init_alpn(SSL *s, unsigned int context); 31static int final_alpn(SSL *s, unsigned int context, int sent); 32static int init_sig_algs_cert(SSL *s, unsigned int context); 33static int init_sig_algs(SSL *s, unsigned int context); 34static int init_certificate_authorities(SSL *s, unsigned int context); 35static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, 36 unsigned int context, 37 X509 *x, 38 size_t chainidx); 39static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, 40 unsigned int context, X509 *x, 41 size_t chainidx); 42#ifndef OPENSSL_NO_SRP 43static int init_srp(SSL *s, unsigned int context); 44#endif 45static int init_etm(SSL *s, unsigned int context); 46static int init_ems(SSL *s, unsigned int context); 47static int final_ems(SSL *s, unsigned int context, int sent); 48static int init_psk_kex_modes(SSL *s, unsigned int context); 49#ifndef OPENSSL_NO_EC 50static int final_key_share(SSL *s, unsigned int context, int sent); 51#endif 52#ifndef OPENSSL_NO_SRTP 53static int init_srtp(SSL *s, unsigned int context); 54#endif 55static int final_sig_algs(SSL *s, unsigned int context, int sent); 56static int final_early_data(SSL *s, unsigned int context, int sent); 57static int final_maxfragmentlen(SSL *s, unsigned int context, int sent); 58static int init_post_handshake_auth(SSL *s, unsigned int context); 59 60/* Structure to define a built-in extension */ 61typedef struct extensions_definition_st { 62 /* The defined type for the extension */ 63 unsigned int type; 64 /* 65 * The context that this extension applies to, e.g. what messages and 66 * protocol versions 67 */ 68 unsigned int context; 69 /* 70 * Initialise extension before parsing. Always called for relevant contexts 71 * even if extension not present 72 */ 73 int (*init)(SSL *s, unsigned int context); 74 /* Parse extension sent from client to server */ 75 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 76 size_t chainidx); 77 /* Parse extension send from server to client */ 78 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 79 size_t chainidx); 80 /* Construct extension sent from server to client */ 81 EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, 82 X509 *x, size_t chainidx); 83 /* Construct extension sent from client to server */ 84 EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, 85 X509 *x, size_t chainidx); 86 /* 87 * Finalise extension after parsing. Always called where an extensions was 88 * initialised even if the extension was not present. |sent| is set to 1 if 89 * the extension was seen, or 0 otherwise. 90 */ 91 int (*final)(SSL *s, unsigned int context, int sent); 92} EXTENSION_DEFINITION; 93 94/* 95 * Definitions of all built-in extensions. NOTE: Changes in the number or order 96 * of these extensions should be mirrored with equivalent changes to the 97 * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h. 98 * Each extension has an initialiser, a client and 99 * server side parser and a finaliser. The initialiser is called (if the 100 * extension is relevant to the given context) even if we did not see the 101 * extension in the message that we received. The parser functions are only 102 * called if we see the extension in the message. The finalisers are always 103 * called if the initialiser was called. 104 * There are also server and client side constructor functions which are always 105 * called during message construction if the extension is relevant for the 106 * given context. 107 * The initialisation, parsing, finalisation and construction functions are 108 * always called in the order defined in this list. Some extensions may depend 109 * on others having been processed first, so the order of this list is 110 * significant. 111 * The extension context is defined by a series of flags which specify which 112 * messages the extension is relevant to. These flags also specify whether the 113 * extension is relevant to a particular protocol or protocol version. 114 * 115 * TODO(TLS1.3): Make sure we have a test to check the consistency of these 116 * 117 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at 118 * the end, keep these extensions before signature_algorithm. 119 */ 120#define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } 121static const EXTENSION_DEFINITION ext_defs[] = { 122 { 123 TLSEXT_TYPE_renegotiate, 124 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 125 | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 126 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, 127 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, 128 final_renegotiate 129 }, 130 { 131 TLSEXT_TYPE_server_name, 132 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 133 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 134 init_server_name, 135 tls_parse_ctos_server_name, tls_parse_stoc_server_name, 136 tls_construct_stoc_server_name, tls_construct_ctos_server_name, 137 final_server_name 138 }, 139 { 140 TLSEXT_TYPE_max_fragment_length, 141 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 142 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 143 NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen, 144 tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen, 145 final_maxfragmentlen 146 }, 147#ifndef OPENSSL_NO_SRP 148 { 149 TLSEXT_TYPE_srp, 150 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 151 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL 152 }, 153#else 154 INVALID_EXTENSION, 155#endif 156#ifndef OPENSSL_NO_EC 157 { 158 TLSEXT_TYPE_ec_point_formats, 159 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 160 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 161 NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, 162 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, 163 final_ec_pt_formats 164 }, 165 { 166 /* 167 * "supported_groups" is spread across several specifications. 168 * It was originally specified as "elliptic_curves" in RFC 4492, 169 * and broadened to include named FFDH groups by RFC 7919. 170 * Both RFCs 4492 and 7919 do not include a provision for the server 171 * to indicate to the client the complete list of groups supported 172 * by the server, with the server instead just indicating the 173 * selected group for this connection in the ServerKeyExchange 174 * message. TLS 1.3 adds a scheme for the server to indicate 175 * to the client its list of supported groups in the 176 * EncryptedExtensions message, but none of the relevant 177 * specifications permit sending supported_groups in the ServerHello. 178 * Nonetheless (possibly due to the close proximity to the 179 * "ec_point_formats" extension, which is allowed in the ServerHello), 180 * there are several servers that send this extension in the 181 * ServerHello anyway. Up to and including the 1.1.0 release, 182 * we did not check for the presence of nonpermitted extensions, 183 * so to avoid a regression, we must permit this extension in the 184 * TLS 1.2 ServerHello as well. 185 * 186 * Note that there is no tls_parse_stoc_supported_groups function, 187 * so we do not perform any additional parsing, validation, or 188 * processing on the server's group list -- this is just a minimal 189 * change to preserve compatibility with these misbehaving servers. 190 */ 191 TLSEXT_TYPE_supported_groups, 192 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 193 | SSL_EXT_TLS1_2_SERVER_HELLO, 194 NULL, tls_parse_ctos_supported_groups, NULL, 195 tls_construct_stoc_supported_groups, 196 tls_construct_ctos_supported_groups, NULL 197 }, 198#else 199 INVALID_EXTENSION, 200 INVALID_EXTENSION, 201#endif 202 { 203 TLSEXT_TYPE_session_ticket, 204 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 205 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 206 init_session_ticket, tls_parse_ctos_session_ticket, 207 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, 208 tls_construct_ctos_session_ticket, NULL 209 }, 210#ifndef OPENSSL_NO_OCSP 211 { 212 TLSEXT_TYPE_status_request, 213 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 214 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 215 init_status_request, tls_parse_ctos_status_request, 216 tls_parse_stoc_status_request, tls_construct_stoc_status_request, 217 tls_construct_ctos_status_request, NULL 218 }, 219#else 220 INVALID_EXTENSION, 221#endif 222#ifndef OPENSSL_NO_NEXTPROTONEG 223 { 224 TLSEXT_TYPE_next_proto_neg, 225 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 226 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 227 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, 228 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL 229 }, 230#else 231 INVALID_EXTENSION, 232#endif 233 { 234 /* 235 * Must appear in this list after server_name so that finalisation 236 * happens after server_name callbacks 237 */ 238 TLSEXT_TYPE_application_layer_protocol_negotiation, 239 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 240 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 241 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, 242 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn 243 }, 244#ifndef OPENSSL_NO_SRTP 245 { 246 TLSEXT_TYPE_use_srtp, 247 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 248 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY, 249 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, 250 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL 251 }, 252#else 253 INVALID_EXTENSION, 254#endif 255 { 256 TLSEXT_TYPE_encrypt_then_mac, 257 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 258 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 259 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, 260 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL 261 }, 262#ifndef OPENSSL_NO_CT 263 { 264 TLSEXT_TYPE_signed_certificate_timestamp, 265 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 266 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 267 NULL, 268 /* 269 * No server side support for this, but can be provided by a custom 270 * extension. This is an exception to the rule that custom extensions 271 * cannot override built in ones. 272 */ 273 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL 274 }, 275#else 276 INVALID_EXTENSION, 277#endif 278 { 279 TLSEXT_TYPE_extended_master_secret, 280 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 281 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 282 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, 283 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems 284 }, 285 { 286 TLSEXT_TYPE_signature_algorithms_cert, 287 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 288 init_sig_algs_cert, tls_parse_ctos_sig_algs_cert, 289 tls_parse_ctos_sig_algs_cert, 290 /* We do not generate signature_algorithms_cert at present. */ 291 NULL, NULL, NULL 292 }, 293 { 294 TLSEXT_TYPE_post_handshake_auth, 295 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY, 296 init_post_handshake_auth, 297 tls_parse_ctos_post_handshake_auth, NULL, 298 NULL, tls_construct_ctos_post_handshake_auth, 299 NULL, 300 }, 301 { 302 TLSEXT_TYPE_signature_algorithms, 303 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 304 init_sig_algs, tls_parse_ctos_sig_algs, 305 tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs, 306 tls_construct_ctos_sig_algs, final_sig_algs 307 }, 308 { 309 TLSEXT_TYPE_supported_versions, 310 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 311 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY, 312 NULL, 313 /* Processed inline as part of version selection */ 314 NULL, tls_parse_stoc_supported_versions, 315 tls_construct_stoc_supported_versions, 316 tls_construct_ctos_supported_versions, NULL 317 }, 318 { 319 TLSEXT_TYPE_psk_kex_modes, 320 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY 321 | SSL_EXT_TLS1_3_ONLY, 322 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, 323 tls_construct_ctos_psk_kex_modes, NULL 324 }, 325#ifndef OPENSSL_NO_EC 326 { 327 /* 328 * Must be in this list after supported_groups. We need that to have 329 * been parsed before we do this one. 330 */ 331 TLSEXT_TYPE_key_share, 332 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 333 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY 334 | SSL_EXT_TLS1_3_ONLY, 335 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, 336 tls_construct_stoc_key_share, tls_construct_ctos_key_share, 337 final_key_share 338 }, 339#else 340 INVALID_EXTENSION, 341#endif 342 { 343 /* Must be after key_share */ 344 TLSEXT_TYPE_cookie, 345 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 346 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, 347 NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie, 348 tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL 349 }, 350 { 351 /* 352 * Special unsolicited ServerHello extension only used when 353 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but 354 * ignore it. 355 */ 356 TLSEXT_TYPE_cryptopro_bug, 357 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 358 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 359 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL 360 }, 361 { 362 TLSEXT_TYPE_early_data, 363 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 364 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY, 365 NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data, 366 tls_construct_stoc_early_data, tls_construct_ctos_early_data, 367 final_early_data 368 }, 369 { 370 TLSEXT_TYPE_certificate_authorities, 371 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 372 | SSL_EXT_TLS1_3_ONLY, 373 init_certificate_authorities, 374 tls_parse_certificate_authorities, tls_parse_certificate_authorities, 375 tls_construct_certificate_authorities, 376 tls_construct_certificate_authorities, NULL, 377 }, 378 { 379 /* Must be immediately before pre_shared_key */ 380 TLSEXT_TYPE_padding, 381 SSL_EXT_CLIENT_HELLO, 382 NULL, 383 /* We send this, but don't read it */ 384 NULL, NULL, NULL, tls_construct_ctos_padding, NULL 385 }, 386 { 387 /* Required by the TLSv1.3 spec to always be the last extension */ 388 TLSEXT_TYPE_psk, 389 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 390 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, 391 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, 392 tls_construct_ctos_psk, NULL 393 } 394}; 395 396/* Check whether an extension's context matches the current context */ 397static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) 398{ 399 /* Check we're allowed to use this extension in this context */ 400 if ((thisctx & extctx) == 0) 401 return 0; 402 403 if (SSL_IS_DTLS(s)) { 404 if ((extctx & SSL_EXT_TLS_ONLY) != 0) 405 return 0; 406 } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) { 407 return 0; 408 } 409 410 return 1; 411} 412 413int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts) 414{ 415 size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset; 416 RAW_EXTENSION *thisext; 417 unsigned int context; 418 ENDPOINT role = ENDPOINT_BOTH; 419 420 if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0) 421 role = ENDPOINT_SERVER; 422 else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) 423 role = ENDPOINT_CLIENT; 424 425 /* Calculate the number of extensions in the extensions list */ 426 num_exts = builtin_num + s->cert->custext.meths_count; 427 428 for (thisext = exts, i = 0; i < num_exts; i++, thisext++) { 429 if (!thisext->present) 430 continue; 431 432 if (i < builtin_num) { 433 context = ext_defs[i].context; 434 } else { 435 custom_ext_method *meth = NULL; 436 437 meth = custom_ext_find(&s->cert->custext, role, thisext->type, 438 &offset); 439 if (!ossl_assert(meth != NULL)) 440 return 0; 441 context = meth->context; 442 } 443 444 if (!validate_context(s, context, thisctx)) 445 return 0; 446 } 447 448 return 1; 449} 450 451/* 452 * Verify whether we are allowed to use the extension |type| in the current 453 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to 454 * indicate the extension is not allowed. If returning 1 then |*found| is set to 455 * the definition for the extension we found. 456 */ 457static int verify_extension(SSL *s, unsigned int context, unsigned int type, 458 custom_ext_methods *meths, RAW_EXTENSION *rawexlist, 459 RAW_EXTENSION **found) 460{ 461 size_t i; 462 size_t builtin_num = OSSL_NELEM(ext_defs); 463 const EXTENSION_DEFINITION *thisext; 464 465 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { 466 if (type == thisext->type) { 467 if (!validate_context(s, thisext->context, context)) 468 return 0; 469 470 *found = &rawexlist[i]; 471 return 1; 472 } 473 } 474 475 /* Check the custom extensions */ 476 if (meths != NULL) { 477 size_t offset = 0; 478 ENDPOINT role = ENDPOINT_BOTH; 479 custom_ext_method *meth = NULL; 480 481 if ((context & SSL_EXT_CLIENT_HELLO) != 0) 482 role = ENDPOINT_SERVER; 483 else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) 484 role = ENDPOINT_CLIENT; 485 486 meth = custom_ext_find(meths, role, type, &offset); 487 if (meth != NULL) { 488 if (!validate_context(s, meth->context, context)) 489 return 0; 490 *found = &rawexlist[offset + builtin_num]; 491 return 1; 492 } 493 } 494 495 /* Unknown extension. We allow it */ 496 *found = NULL; 497 return 1; 498} 499 500/* 501 * Check whether the context defined for an extension |extctx| means whether 502 * the extension is relevant for the current context |thisctx| or not. Returns 503 * 1 if the extension is relevant for this context, and 0 otherwise 504 */ 505int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) 506{ 507 int is_tls13; 508 509 /* 510 * For HRR we haven't selected the version yet but we know it will be 511 * TLSv1.3 512 */ 513 if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) 514 is_tls13 = 1; 515 else 516 is_tls13 = SSL_IS_TLS13(s); 517 518 if ((SSL_IS_DTLS(s) 519 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) 520 || (s->version == SSL3_VERSION 521 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) 522 /* 523 * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated", 524 * which is never true when generating the ClientHello. 525 * However, version negotiation *has* occurred by the time the 526 * ClientHello extensions are being parsed. 527 * Be careful to allow TLS 1.3-only extensions when generating 528 * the ClientHello. 529 */ 530 || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) 531 || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0 532 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0) 533 || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0) 534 || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0)) 535 return 0; 536 return 1; 537} 538 539/* 540 * Gather a list of all the extensions from the data in |packet]. |context| 541 * tells us which message this extension is for. The raw extension data is 542 * stored in |*res| on success. We don't actually process the content of the 543 * extensions yet, except to check their types. This function also runs the 544 * initialiser functions for all known extensions if |init| is nonzero (whether 545 * we have collected them or not). If successful the caller is responsible for 546 * freeing the contents of |*res|. 547 * 548 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be 549 * more than one extension of the same type in a ClientHello or ServerHello. 550 * This function returns 1 if all extensions are unique and we have parsed their 551 * types, and 0 if the extensions contain duplicates, could not be successfully 552 * found, or an internal error occurred. We only check duplicates for 553 * extensions that we know about. We ignore others. 554 */ 555int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, 556 RAW_EXTENSION **res, size_t *len, int init) 557{ 558 PACKET extensions = *packet; 559 size_t i = 0; 560 size_t num_exts; 561 custom_ext_methods *exts = &s->cert->custext; 562 RAW_EXTENSION *raw_extensions = NULL; 563 const EXTENSION_DEFINITION *thisexd; 564 565 *res = NULL; 566 567 /* 568 * Initialise server side custom extensions. Client side is done during 569 * construction of extensions for the ClientHello. 570 */ 571 if ((context & SSL_EXT_CLIENT_HELLO) != 0) 572 custom_ext_init(&s->cert->custext); 573 574 num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); 575 raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); 576 if (raw_extensions == NULL) { 577 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, 578 ERR_R_MALLOC_FAILURE); 579 return 0; 580 } 581 582 i = 0; 583 while (PACKET_remaining(&extensions) > 0) { 584 unsigned int type, idx; 585 PACKET extension; 586 RAW_EXTENSION *thisex; 587 588 if (!PACKET_get_net_2(&extensions, &type) || 589 !PACKET_get_length_prefixed_2(&extensions, &extension)) { 590 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, 591 SSL_R_BAD_EXTENSION); 592 goto err; 593 } 594 /* 595 * Verify this extension is allowed. We only check duplicates for 596 * extensions that we recognise. We also have a special case for the 597 * PSK extension, which must be the last one in the ClientHello. 598 */ 599 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) 600 || (thisex != NULL && thisex->present == 1) 601 || (type == TLSEXT_TYPE_psk 602 && (context & SSL_EXT_CLIENT_HELLO) != 0 603 && PACKET_remaining(&extensions) != 0)) { 604 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS, 605 SSL_R_BAD_EXTENSION); 606 goto err; 607 } 608 idx = thisex - raw_extensions; 609 /*- 610 * Check that we requested this extension (if appropriate). Requests can 611 * be sent in the ClientHello and CertificateRequest. Unsolicited 612 * extensions can be sent in the NewSessionTicket. We only do this for 613 * the built-in extensions. Custom extensions have a different but 614 * similar check elsewhere. 615 * Special cases: 616 * - The HRR cookie extension is unsolicited 617 * - The renegotiate extension is unsolicited (the client signals 618 * support via an SCSV) 619 * - The signed_certificate_timestamp extension can be provided by a 620 * custom extension or by the built-in version. We let the extension 621 * itself handle unsolicited response checks. 622 */ 623 if (idx < OSSL_NELEM(ext_defs) 624 && (context & (SSL_EXT_CLIENT_HELLO 625 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 626 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0 627 && type != TLSEXT_TYPE_cookie 628 && type != TLSEXT_TYPE_renegotiate 629 && type != TLSEXT_TYPE_signed_certificate_timestamp 630 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0 631#ifndef OPENSSL_NO_GOST 632 && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 633 && type == TLSEXT_TYPE_cryptopro_bug) 634#endif 635 ) { 636 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 637 SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); 638 goto err; 639 } 640 if (thisex != NULL) { 641 thisex->data = extension; 642 thisex->present = 1; 643 thisex->type = type; 644 thisex->received_order = i++; 645 if (s->ext.debug_cb) 646 s->ext.debug_cb(s, !s->server, thisex->type, 647 PACKET_data(&thisex->data), 648 PACKET_remaining(&thisex->data), 649 s->ext.debug_arg); 650 } 651 } 652 653 if (init) { 654 /* 655 * Initialise all known extensions relevant to this context, 656 * whether we have found them or not 657 */ 658 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); 659 i++, thisexd++) { 660 if (thisexd->init != NULL && (thisexd->context & context) != 0 661 && extension_is_relevant(s, thisexd->context, context) 662 && !thisexd->init(s, context)) { 663 /* SSLfatal() already called */ 664 goto err; 665 } 666 } 667 } 668 669 *res = raw_extensions; 670 if (len != NULL) 671 *len = num_exts; 672 return 1; 673 674 err: 675 OPENSSL_free(raw_extensions); 676 return 0; 677} 678 679/* 680 * Runs the parser for a given extension with index |idx|. |exts| contains the 681 * list of all parsed extensions previously collected by 682 * tls_collect_extensions(). The parser is only run if it is applicable for the 683 * given |context| and the parser has not already been run. If this is for a 684 * Certificate message, then we also provide the parser with the relevant 685 * Certificate |x| and its position in the |chainidx| with 0 being the first 686 * Certificate. Returns 1 on success or 0 on failure. If an extension is not 687 * present this counted as success. 688 */ 689int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, 690 RAW_EXTENSION *exts, X509 *x, size_t chainidx) 691{ 692 RAW_EXTENSION *currext = &exts[idx]; 693 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 694 size_t chainidx) = NULL; 695 696 /* Skip if the extension is not present */ 697 if (!currext->present) 698 return 1; 699 700 /* Skip if we've already parsed this extension */ 701 if (currext->parsed) 702 return 1; 703 704 currext->parsed = 1; 705 706 if (idx < OSSL_NELEM(ext_defs)) { 707 /* We are handling a built-in extension */ 708 const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; 709 710 /* Check if extension is defined for our protocol. If not, skip */ 711 if (!extension_is_relevant(s, extdef->context, context)) 712 return 1; 713 714 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; 715 716 if (parser != NULL) 717 return parser(s, &currext->data, context, x, chainidx); 718 719 /* 720 * If the parser is NULL we fall through to the custom extension 721 * processing 722 */ 723 } 724 725 /* Parse custom extensions */ 726 return custom_ext_parse(s, context, currext->type, 727 PACKET_data(&currext->data), 728 PACKET_remaining(&currext->data), 729 x, chainidx); 730} 731 732/* 733 * Parse all remaining extensions that have not yet been parsed. Also calls the 734 * finalisation for all extensions at the end if |fin| is nonzero, whether we 735 * collected them or not. Returns 1 for success or 0 for failure. If we are 736 * working on a Certificate message then we also pass the Certificate |x| and 737 * its position in the |chainidx|, with 0 being the first certificate. 738 */ 739int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, 740 size_t chainidx, int fin) 741{ 742 size_t i, numexts = OSSL_NELEM(ext_defs); 743 const EXTENSION_DEFINITION *thisexd; 744 745 /* Calculate the number of extensions in the extensions list */ 746 numexts += s->cert->custext.meths_count; 747 748 /* Parse each extension in turn */ 749 for (i = 0; i < numexts; i++) { 750 if (!tls_parse_extension(s, i, context, exts, x, chainidx)) { 751 /* SSLfatal() already called */ 752 return 0; 753 } 754 } 755 756 if (fin) { 757 /* 758 * Finalise all known extensions relevant to this context, 759 * whether we have found them or not 760 */ 761 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); 762 i++, thisexd++) { 763 if (thisexd->final != NULL && (thisexd->context & context) != 0 764 && !thisexd->final(s, context, exts[i].present)) { 765 /* SSLfatal() already called */ 766 return 0; 767 } 768 } 769 } 770 771 return 1; 772} 773 774int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, 775 int max_version) 776{ 777 /* Skip if not relevant for our context */ 778 if ((extctx & thisctx) == 0) 779 return 0; 780 781 /* Check if this extension is defined for our protocol. If not, skip */ 782 if (!extension_is_relevant(s, extctx, thisctx) 783 || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 784 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 785 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))) 786 return 0; 787 788 return 1; 789} 790 791/* 792 * Construct all the extensions relevant to the current |context| and write 793 * them to |pkt|. If this is an extension for a Certificate in a Certificate 794 * message, then |x| will be set to the Certificate we are handling, and 795 * |chainidx| will indicate the position in the chainidx we are processing (with 796 * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a 797 * failure construction stops at the first extension to fail to construct. 798 */ 799int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, 800 X509 *x, size_t chainidx) 801{ 802 size_t i; 803 int min_version, max_version = 0, reason; 804 const EXTENSION_DEFINITION *thisexd; 805 806 if (!WPACKET_start_sub_packet_u16(pkt) 807 /* 808 * If extensions are of zero length then we don't even add the 809 * extensions length bytes to a ClientHello/ServerHello 810 * (for non-TLSv1.3). 811 */ 812 || ((context & 813 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 814 && !WPACKET_set_flags(pkt, 815 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { 816 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 817 ERR_R_INTERNAL_ERROR); 818 return 0; 819 } 820 821 if ((context & SSL_EXT_CLIENT_HELLO) != 0) { 822 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 823 if (reason != 0) { 824 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 825 reason); 826 return 0; 827 } 828 } 829 830 /* Add custom extensions first */ 831 if ((context & SSL_EXT_CLIENT_HELLO) != 0) { 832 /* On the server side with initialise during ClientHello parsing */ 833 custom_ext_init(&s->cert->custext); 834 } 835 if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) { 836 /* SSLfatal() already called */ 837 return 0; 838 } 839 840 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { 841 EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, 842 X509 *x, size_t chainidx); 843 EXT_RETURN ret; 844 845 /* Skip if not relevant for our context */ 846 if (!should_add_extension(s, thisexd->context, context, max_version)) 847 continue; 848 849 construct = s->server ? thisexd->construct_stoc 850 : thisexd->construct_ctos; 851 852 if (construct == NULL) 853 continue; 854 855 ret = construct(s, pkt, context, x, chainidx); 856 if (ret == EXT_RETURN_FAIL) { 857 /* SSLfatal() already called */ 858 return 0; 859 } 860 if (ret == EXT_RETURN_SENT 861 && (context & (SSL_EXT_CLIENT_HELLO 862 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 863 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0) 864 s->ext.extflags[i] |= SSL_EXT_FLAG_SENT; 865 } 866 867 if (!WPACKET_close(pkt)) { 868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 869 ERR_R_INTERNAL_ERROR); 870 return 0; 871 } 872 873 return 1; 874} 875 876/* 877 * Built in extension finalisation and initialisation functions. All initialise 878 * or finalise the associated extension type for the given |context|. For 879 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 880 * otherwise. These functions return 1 on success or 0 on failure. 881 */ 882 883static int final_renegotiate(SSL *s, unsigned int context, int sent) 884{ 885 if (!s->server) { 886 /* 887 * Check if we can connect to a server that doesn't support safe 888 * renegotiation 889 */ 890 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 891 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) 892 && !sent) { 893 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, 894 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 895 return 0; 896 } 897 898 return 1; 899 } 900 901 /* Need RI if renegotiating */ 902 if (s->renegotiate 903 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) 904 && !sent) { 905 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, 906 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 907 return 0; 908 } 909 910 911 return 1; 912} 913 914static int init_server_name(SSL *s, unsigned int context) 915{ 916 if (s->server) { 917 s->servername_done = 0; 918 919 OPENSSL_free(s->ext.hostname); 920 s->ext.hostname = NULL; 921 } 922 923 return 1; 924} 925 926static int final_server_name(SSL *s, unsigned int context, int sent) 927{ 928 int ret = SSL_TLSEXT_ERR_NOACK; 929 int altmp = SSL_AD_UNRECOGNIZED_NAME; 930 int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0; 931 932 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) { 933 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 934 ERR_R_INTERNAL_ERROR); 935 return 0; 936 } 937 938 if (s->ctx->ext.servername_cb != NULL) 939 ret = s->ctx->ext.servername_cb(s, &altmp, 940 s->ctx->ext.servername_arg); 941 else if (s->session_ctx->ext.servername_cb != NULL) 942 ret = s->session_ctx->ext.servername_cb(s, &altmp, 943 s->session_ctx->ext.servername_arg); 944 945 /* 946 * For servers, propagate the SNI hostname from the temporary 947 * storage in the SSL to the persistent SSL_SESSION, now that we 948 * know we accepted it. 949 * Clients make this copy when parsing the server's response to 950 * the extension, which is when they find out that the negotiation 951 * was successful. 952 */ 953 if (s->server) { 954 if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) { 955 /* Only store the hostname in the session if we accepted it. */ 956 OPENSSL_free(s->session->ext.hostname); 957 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 958 if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) { 959 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 960 ERR_R_INTERNAL_ERROR); 961 } 962 } 963 } 964 965 /* 966 * If we switched contexts (whether here or in the client_hello callback), 967 * move the sess_accept increment from the session_ctx to the new 968 * context, to avoid the confusing situation of having sess_accept_good 969 * exceed sess_accept (zero) for the new context. 970 */ 971 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx 972 && s->hello_retry_request == SSL_HRR_NONE) { 973 tsan_counter(&s->ctx->stats.sess_accept); 974 tsan_decr(&s->session_ctx->stats.sess_accept); 975 } 976 977 /* 978 * If we're expecting to send a ticket, and tickets were previously enabled, 979 * and now tickets are disabled, then turn off expected ticket. 980 * Also, if this is not a resumption, create a new session ID 981 */ 982 if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected 983 && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) { 984 s->ext.ticket_expected = 0; 985 if (!s->hit) { 986 SSL_SESSION* ss = SSL_get_session(s); 987 988 if (ss != NULL) { 989 OPENSSL_free(ss->ext.tick); 990 ss->ext.tick = NULL; 991 ss->ext.ticklen = 0; 992 ss->ext.tick_lifetime_hint = 0; 993 ss->ext.tick_age_add = 0; 994 if (!ssl_generate_session_id(s, ss)) { 995 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 996 ERR_R_INTERNAL_ERROR); 997 return 0; 998 } 999 } else { 1000 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 1001 ERR_R_INTERNAL_ERROR); 1002 return 0; 1003 } 1004 } 1005 } 1006 1007 switch (ret) { 1008 case SSL_TLSEXT_ERR_ALERT_FATAL: 1009 SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED); 1010 return 0; 1011 1012 case SSL_TLSEXT_ERR_ALERT_WARNING: 1013 /* TLSv1.3 doesn't have warning alerts so we suppress this */ 1014 if (!SSL_IS_TLS13(s)) 1015 ssl3_send_alert(s, SSL3_AL_WARNING, altmp); 1016 s->servername_done = 0; 1017 return 1; 1018 1019 case SSL_TLSEXT_ERR_NOACK: 1020 s->servername_done = 0; 1021 return 1; 1022 1023 default: 1024 return 1; 1025 } 1026} 1027 1028#ifndef OPENSSL_NO_EC 1029static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) 1030{ 1031 unsigned long alg_k, alg_a; 1032 1033 if (s->server) 1034 return 1; 1035 1036 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1037 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1038 1039 /* 1040 * If we are client and using an elliptic curve cryptography cipher 1041 * suite, then if server returns an EC point formats lists extension it 1042 * must contain uncompressed. 1043 */ 1044 if (s->ext.ecpointformats != NULL 1045 && s->ext.ecpointformats_len > 0 1046 && s->ext.peer_ecpointformats != NULL 1047 && s->ext.peer_ecpointformats_len > 0 1048 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1049 /* we are using an ECC cipher */ 1050 size_t i; 1051 unsigned char *list = s->ext.peer_ecpointformats; 1052 1053 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 1054 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) 1055 break; 1056 } 1057 if (i == s->ext.peer_ecpointformats_len) { 1058 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS, 1059 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1060 return 0; 1061 } 1062 } 1063 1064 return 1; 1065} 1066#endif 1067 1068static int init_session_ticket(SSL *s, unsigned int context) 1069{ 1070 if (!s->server) 1071 s->ext.ticket_expected = 0; 1072 1073 return 1; 1074} 1075 1076#ifndef OPENSSL_NO_OCSP 1077static int init_status_request(SSL *s, unsigned int context) 1078{ 1079 if (s->server) { 1080 s->ext.status_type = TLSEXT_STATUSTYPE_nothing; 1081 } else { 1082 /* 1083 * Ensure we get sensible values passed to tlsext_status_cb in the event 1084 * that we don't receive a status message 1085 */ 1086 OPENSSL_free(s->ext.ocsp.resp); 1087 s->ext.ocsp.resp = NULL; 1088 s->ext.ocsp.resp_len = 0; 1089 } 1090 1091 return 1; 1092} 1093#endif 1094 1095#ifndef OPENSSL_NO_NEXTPROTONEG 1096static int init_npn(SSL *s, unsigned int context) 1097{ 1098 s->s3->npn_seen = 0; 1099 1100 return 1; 1101} 1102#endif 1103 1104static int init_alpn(SSL *s, unsigned int context) 1105{ 1106 OPENSSL_free(s->s3->alpn_selected); 1107 s->s3->alpn_selected = NULL; 1108 s->s3->alpn_selected_len = 0; 1109 if (s->server) { 1110 OPENSSL_free(s->s3->alpn_proposed); 1111 s->s3->alpn_proposed = NULL; 1112 s->s3->alpn_proposed_len = 0; 1113 } 1114 return 1; 1115} 1116 1117static int final_alpn(SSL *s, unsigned int context, int sent) 1118{ 1119 if (!s->server && !sent && s->session->ext.alpn_selected != NULL) 1120 s->ext.early_data_ok = 0; 1121 1122 if (!s->server || !SSL_IS_TLS13(s)) 1123 return 1; 1124 1125 /* 1126 * Call alpn_select callback if needed. Has to be done after SNI and 1127 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 1128 * we also have to do this before we decide whether to accept early_data. 1129 * In TLSv1.3 we've already negotiated our cipher so we do this call now. 1130 * For < TLSv1.3 we defer it until after cipher negotiation. 1131 * 1132 * On failure SSLfatal() already called. 1133 */ 1134 return tls_handle_alpn(s); 1135} 1136 1137static int init_sig_algs(SSL *s, unsigned int context) 1138{ 1139 /* Clear any signature algorithms extension received */ 1140 OPENSSL_free(s->s3->tmp.peer_sigalgs); 1141 s->s3->tmp.peer_sigalgs = NULL; 1142 s->s3->tmp.peer_sigalgslen = 0; 1143 1144 return 1; 1145} 1146 1147static int init_sig_algs_cert(SSL *s, unsigned int context) 1148{ 1149 /* Clear any signature algorithms extension received */ 1150 OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); 1151 s->s3->tmp.peer_cert_sigalgs = NULL; 1152 s->s3->tmp.peer_cert_sigalgslen = 0; 1153 1154 return 1; 1155} 1156 1157#ifndef OPENSSL_NO_SRP 1158static int init_srp(SSL *s, unsigned int context) 1159{ 1160 OPENSSL_free(s->srp_ctx.login); 1161 s->srp_ctx.login = NULL; 1162 1163 return 1; 1164} 1165#endif 1166 1167static int init_etm(SSL *s, unsigned int context) 1168{ 1169 s->ext.use_etm = 0; 1170 1171 return 1; 1172} 1173 1174static int init_ems(SSL *s, unsigned int context) 1175{ 1176 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { 1177 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; 1178 s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; 1179 } 1180 1181 return 1; 1182} 1183 1184static int final_ems(SSL *s, unsigned int context, int sent) 1185{ 1186 /* 1187 * Check extended master secret extension is not dropped on 1188 * renegotiation. 1189 */ 1190 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) 1191 && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { 1192 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, 1193 SSL_R_INCONSISTENT_EXTMS); 1194 return 0; 1195 } 1196 if (!s->server && s->hit) { 1197 /* 1198 * Check extended master secret extension is consistent with 1199 * original session. 1200 */ 1201 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != 1202 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { 1203 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, 1204 SSL_R_INCONSISTENT_EXTMS); 1205 return 0; 1206 } 1207 } 1208 1209 return 1; 1210} 1211 1212static int init_certificate_authorities(SSL *s, unsigned int context) 1213{ 1214 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); 1215 s->s3->tmp.peer_ca_names = NULL; 1216 return 1; 1217} 1218 1219static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, 1220 unsigned int context, 1221 X509 *x, 1222 size_t chainidx) 1223{ 1224 const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s); 1225 1226 if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0) 1227 return EXT_RETURN_NOT_SENT; 1228 1229 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities) 1230 || !WPACKET_start_sub_packet_u16(pkt)) { 1231 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1232 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, 1233 ERR_R_INTERNAL_ERROR); 1234 return EXT_RETURN_FAIL; 1235 } 1236 1237 if (!construct_ca_names(s, ca_sk, pkt)) { 1238 /* SSLfatal() already called */ 1239 return EXT_RETURN_FAIL; 1240 } 1241 1242 if (!WPACKET_close(pkt)) { 1243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1244 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, 1245 ERR_R_INTERNAL_ERROR); 1246 return EXT_RETURN_FAIL; 1247 } 1248 1249 return EXT_RETURN_SENT; 1250} 1251 1252static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, 1253 unsigned int context, X509 *x, 1254 size_t chainidx) 1255{ 1256 if (!parse_ca_names(s, pkt)) 1257 return 0; 1258 if (PACKET_remaining(pkt) != 0) { 1259 SSLfatal(s, SSL_AD_DECODE_ERROR, 1260 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION); 1261 return 0; 1262 } 1263 return 1; 1264} 1265 1266#ifndef OPENSSL_NO_SRTP 1267static int init_srtp(SSL *s, unsigned int context) 1268{ 1269 if (s->server) 1270 s->srtp_profile = NULL; 1271 1272 return 1; 1273} 1274#endif 1275 1276static int final_sig_algs(SSL *s, unsigned int context, int sent) 1277{ 1278 if (!sent && SSL_IS_TLS13(s) && !s->hit) { 1279 SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS, 1280 SSL_R_MISSING_SIGALGS_EXTENSION); 1281 return 0; 1282 } 1283 1284 return 1; 1285} 1286 1287#ifndef OPENSSL_NO_EC 1288static int final_key_share(SSL *s, unsigned int context, int sent) 1289{ 1290 if (!SSL_IS_TLS13(s)) 1291 return 1; 1292 1293 /* Nothing to do for key_share in an HRR */ 1294 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) 1295 return 1; 1296 1297 /* 1298 * If 1299 * we are a client 1300 * AND 1301 * we have no key_share 1302 * AND 1303 * (we are not resuming 1304 * OR the kex_mode doesn't allow non key_share resumes) 1305 * THEN 1306 * fail; 1307 */ 1308 if (!s->server 1309 && !sent 1310 && (!s->hit 1311 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { 1312 /* Nothing left we can do - just fail */ 1313 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE, 1314 SSL_R_NO_SUITABLE_KEY_SHARE); 1315 return 0; 1316 } 1317 /* 1318 * IF 1319 * we are a server 1320 * THEN 1321 * IF 1322 * we have a suitable key_share 1323 * THEN 1324 * IF 1325 * we are stateless AND we have no cookie 1326 * THEN 1327 * send a HelloRetryRequest 1328 * ELSE 1329 * IF 1330 * we didn't already send a HelloRetryRequest 1331 * AND 1332 * the client sent a key_share extension 1333 * AND 1334 * (we are not resuming 1335 * OR the kex_mode allows key_share resumes) 1336 * AND 1337 * a shared group exists 1338 * THEN 1339 * send a HelloRetryRequest 1340 * ELSE IF 1341 * we are not resuming 1342 * OR 1343 * the kex_mode doesn't allow non key_share resumes 1344 * THEN 1345 * fail 1346 * ELSE IF 1347 * we are stateless AND we have no cookie 1348 * THEN 1349 * send a HelloRetryRequest 1350 */ 1351 if (s->server) { 1352 if (s->s3->peer_tmp != NULL) { 1353 /* We have a suitable key_share */ 1354 if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 1355 && !s->ext.cookieok) { 1356 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { 1357 /* 1358 * If we are stateless then we wouldn't know about any 1359 * previously sent HRR - so how can this be anything other 1360 * than 0? 1361 */ 1362 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1363 ERR_R_INTERNAL_ERROR); 1364 return 0; 1365 } 1366 s->hello_retry_request = SSL_HRR_PENDING; 1367 return 1; 1368 } 1369 } else { 1370 /* No suitable key_share */ 1371 if (s->hello_retry_request == SSL_HRR_NONE && sent 1372 && (!s->hit 1373 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) 1374 != 0)) { 1375 const uint16_t *pgroups, *clntgroups; 1376 size_t num_groups, clnt_num_groups, i; 1377 unsigned int group_id = 0; 1378 1379 /* Check if a shared group exists */ 1380 1381 /* Get the clients list of supported groups. */ 1382 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); 1383 tls1_get_supported_groups(s, &pgroups, &num_groups); 1384 1385 /* 1386 * Find the first group we allow that is also in client's list 1387 */ 1388 for (i = 0; i < num_groups; i++) { 1389 group_id = pgroups[i]; 1390 1391 if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1392 1)) 1393 break; 1394 } 1395 1396 if (i < num_groups) { 1397 /* A shared group exists so send a HelloRetryRequest */ 1398 s->s3->group_id = group_id; 1399 s->hello_retry_request = SSL_HRR_PENDING; 1400 return 1; 1401 } 1402 } 1403 if (!s->hit 1404 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { 1405 /* Nothing left we can do - just fail */ 1406 SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE 1407 : SSL_AD_MISSING_EXTENSION, 1408 SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); 1409 return 0; 1410 } 1411 1412 if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 1413 && !s->ext.cookieok) { 1414 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { 1415 /* 1416 * If we are stateless then we wouldn't know about any 1417 * previously sent HRR - so how can this be anything other 1418 * than 0? 1419 */ 1420 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1421 ERR_R_INTERNAL_ERROR); 1422 return 0; 1423 } 1424 s->hello_retry_request = SSL_HRR_PENDING; 1425 return 1; 1426 } 1427 } 1428 1429 /* 1430 * We have a key_share so don't send any more HelloRetryRequest 1431 * messages 1432 */ 1433 if (s->hello_retry_request == SSL_HRR_PENDING) 1434 s->hello_retry_request = SSL_HRR_COMPLETE; 1435 } else { 1436 /* 1437 * For a client side resumption with no key_share we need to generate 1438 * the handshake secret (otherwise this is done during key_share 1439 * processing). 1440 */ 1441 if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) { 1442 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1443 ERR_R_INTERNAL_ERROR); 1444 return 0; 1445 } 1446 } 1447 1448 return 1; 1449} 1450#endif 1451 1452static int init_psk_kex_modes(SSL *s, unsigned int context) 1453{ 1454 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; 1455 return 1; 1456} 1457 1458int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 1459 size_t binderoffset, const unsigned char *binderin, 1460 unsigned char *binderout, SSL_SESSION *sess, int sign, 1461 int external) 1462{ 1463 EVP_PKEY *mackey = NULL; 1464 EVP_MD_CTX *mctx = NULL; 1465 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; 1466 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; 1467 unsigned char *early_secret; 1468#ifdef CHARSET_EBCDIC 1469 static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; 1470 static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; 1471#else 1472 static const unsigned char resumption_label[] = "res binder"; 1473 static const unsigned char external_label[] = "ext binder"; 1474#endif 1475 const unsigned char *label; 1476 size_t bindersize, labelsize, hashsize; 1477 int hashsizei = EVP_MD_size(md); 1478 int ret = -1; 1479 int usepskfored = 0; 1480 1481 /* Ensure cast to size_t is safe */ 1482 if (!ossl_assert(hashsizei >= 0)) { 1483 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1484 ERR_R_INTERNAL_ERROR); 1485 goto err; 1486 } 1487 hashsize = (size_t)hashsizei; 1488 1489 if (external 1490 && s->early_data_state == SSL_EARLY_DATA_CONNECTING 1491 && s->session->ext.max_early_data == 0 1492 && sess->ext.max_early_data > 0) 1493 usepskfored = 1; 1494 1495 if (external) { 1496 label = external_label; 1497 labelsize = sizeof(external_label) - 1; 1498 } else { 1499 label = resumption_label; 1500 labelsize = sizeof(resumption_label) - 1; 1501 } 1502 1503 /* 1504 * Generate the early_secret. On the server side we've selected a PSK to 1505 * resume with (internal or external) so we always do this. On the client 1506 * side we do this for a non-external (i.e. resumption) PSK or external PSK 1507 * that will be used for early_data so that it is in place for sending early 1508 * data. For client side external PSK not being used for early_data we 1509 * generate it but store it away for later use. 1510 */ 1511 if (s->server || !external || usepskfored) 1512 early_secret = (unsigned char *)s->early_secret; 1513 else 1514 early_secret = (unsigned char *)sess->early_secret; 1515 1516 if (!tls13_generate_secret(s, md, NULL, sess->master_key, 1517 sess->master_key_length, early_secret)) { 1518 /* SSLfatal() already called */ 1519 goto err; 1520 } 1521 1522 /* 1523 * Create the handshake hash for the binder key...the messages so far are 1524 * empty! 1525 */ 1526 mctx = EVP_MD_CTX_new(); 1527 if (mctx == NULL 1528 || EVP_DigestInit_ex(mctx, md, NULL) <= 0 1529 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 1530 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1531 ERR_R_INTERNAL_ERROR); 1532 goto err; 1533 } 1534 1535 /* Generate the binder key */ 1536 if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash, 1537 hashsize, binderkey, hashsize, 1)) { 1538 /* SSLfatal() already called */ 1539 goto err; 1540 } 1541 1542 /* Generate the finished key */ 1543 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) { 1544 /* SSLfatal() already called */ 1545 goto err; 1546 } 1547 1548 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) { 1549 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1550 ERR_R_INTERNAL_ERROR); 1551 goto err; 1552 } 1553 1554 /* 1555 * Get a hash of the ClientHello up to the start of the binders. If we are 1556 * following a HelloRetryRequest then this includes the hash of the first 1557 * ClientHello and the HelloRetryRequest itself. 1558 */ 1559 if (s->hello_retry_request == SSL_HRR_PENDING) { 1560 size_t hdatalen; 1561 long hdatalen_l; 1562 void *hdata; 1563 1564 hdatalen = hdatalen_l = 1565 BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 1566 if (hdatalen_l <= 0) { 1567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1568 SSL_R_BAD_HANDSHAKE_LENGTH); 1569 goto err; 1570 } 1571 1572 /* 1573 * For servers the handshake buffer data will include the second 1574 * ClientHello - which we don't want - so we need to take that bit off. 1575 */ 1576 if (s->server) { 1577 PACKET hashprefix, msg; 1578 1579 /* Find how many bytes are left after the first two messages */ 1580 if (!PACKET_buf_init(&hashprefix, hdata, hdatalen) 1581 || !PACKET_forward(&hashprefix, 1) 1582 || !PACKET_get_length_prefixed_3(&hashprefix, &msg) 1583 || !PACKET_forward(&hashprefix, 1) 1584 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) { 1585 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1586 ERR_R_INTERNAL_ERROR); 1587 goto err; 1588 } 1589 hdatalen -= PACKET_remaining(&hashprefix); 1590 } 1591 1592 if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) { 1593 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1594 ERR_R_INTERNAL_ERROR); 1595 goto err; 1596 } 1597 } 1598 1599 if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0 1600 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 1601 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1602 ERR_R_INTERNAL_ERROR); 1603 goto err; 1604 } 1605 1606 mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey, 1607 hashsize); 1608 if (mackey == NULL) { 1609 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1610 ERR_R_INTERNAL_ERROR); 1611 goto err; 1612 } 1613 1614 if (!sign) 1615 binderout = tmpbinder; 1616 1617 bindersize = hashsize; 1618 if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0 1619 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 1620 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 1621 || bindersize != hashsize) { 1622 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1623 ERR_R_INTERNAL_ERROR); 1624 goto err; 1625 } 1626 1627 if (sign) { 1628 ret = 1; 1629 } else { 1630 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ 1631 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); 1632 if (!ret) 1633 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER, 1634 SSL_R_BINDER_DOES_NOT_VERIFY); 1635 } 1636 1637 err: 1638 OPENSSL_cleanse(binderkey, sizeof(binderkey)); 1639 OPENSSL_cleanse(finishedkey, sizeof(finishedkey)); 1640 EVP_PKEY_free(mackey); 1641 EVP_MD_CTX_free(mctx); 1642 1643 return ret; 1644} 1645 1646static int final_early_data(SSL *s, unsigned int context, int sent) 1647{ 1648 if (!sent) 1649 return 1; 1650 1651 if (!s->server) { 1652 if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 1653 && sent 1654 && !s->ext.early_data_ok) { 1655 /* 1656 * If we get here then the server accepted our early_data but we 1657 * later realised that it shouldn't have done (e.g. inconsistent 1658 * ALPN) 1659 */ 1660 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA, 1661 SSL_R_BAD_EARLY_DATA); 1662 return 0; 1663 } 1664 1665 return 1; 1666 } 1667 1668 if (s->max_early_data == 0 1669 || !s->hit 1670 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING 1671 || !s->ext.early_data_ok 1672 || s->hello_retry_request != SSL_HRR_NONE 1673 || (s->allow_early_data_cb != NULL 1674 && !s->allow_early_data_cb(s, 1675 s->allow_early_data_cb_data))) { 1676 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 1677 } else { 1678 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 1679 1680 if (!tls13_change_cipher_state(s, 1681 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) { 1682 /* SSLfatal() already called */ 1683 return 0; 1684 } 1685 } 1686 1687 return 1; 1688} 1689 1690static int final_maxfragmentlen(SSL *s, unsigned int context, int sent) 1691{ 1692 /* 1693 * Session resumption on server-side with MFL extension active 1694 * BUT MFL extension packet was not resent (i.e. sent == 0) 1695 */ 1696 if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1697 && !sent ) { 1698 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN, 1699 SSL_R_BAD_EXTENSION); 1700 return 0; 1701 } 1702 1703 /* Current SSL buffer is lower than requested MFL */ 1704 if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1705 && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session)) 1706 /* trigger a larger buffer reallocation */ 1707 if (!ssl3_setup_buffers(s)) { 1708 /* SSLfatal() already called */ 1709 return 0; 1710 } 1711 1712 return 1; 1713} 1714 1715static int init_post_handshake_auth(SSL *s, unsigned int context) 1716{ 1717 s->post_handshake_auth = SSL_PHA_NONE; 1718 1719 return 1; 1720} 1721