Newer
Older
{
unsigned long alg_k, alg_a;
if (s->server)
return 1;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
/*
* If we are client and using an elliptic curve cryptography cipher
* suite, then if server returns an EC point formats lists extension it
* must contain uncompressed.
*/
if (s->ext.ecpointformats != NULL
&& s->ext.ecpointformats_len > 0
&& s->session->ext.ecpointformats != NULL
&& s->session->ext.ecpointformats_len > 0
&& ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
/* we are using an ECC cipher */
size_t i;
unsigned char *list = s->session->ext.ecpointformats;
for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
break;
}
if (i == s->session->ext.ecpointformats_len) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
return 0;
}
}
return 1;
}
#endif
static int init_session_ticket(SSL *s, unsigned int context)
{
if (!s->server)
return 1;
}
static int init_status_request(SSL *s, unsigned int context)
s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
} else {
/*
* Ensure we get sensible values passed to tlsext_status_cb in the event
* that we don't receive a status message
*/
OPENSSL_free(s->ext.ocsp.resp);
s->ext.ocsp.resp = NULL;
s->ext.ocsp.resp_len = 0;
return 1;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
static int init_npn(SSL *s, unsigned int context)
return 1;
}
#endif
static int init_alpn(SSL *s, unsigned int context)
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = NULL;
s->s3->alpn_selected_len = 0;
if (s->server) {
OPENSSL_free(s->s3->alpn_proposed);
s->s3->alpn_proposed = NULL;
s->s3->alpn_proposed_len = 0;
}
return 1;
}
static int final_alpn(SSL *s, unsigned int context, int sent)
if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
s->ext.early_data_ok = 0;
if (!s->server || !SSL_IS_TLS13(s))
return 1;
/*
* Call alpn_select callback if needed. Has to be done after SNI and
* cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
* we also have to do this before we decide whether to accept early_data.
* In TLSv1.3 we've already negotiated our cipher so we do this call now.
* For < TLSv1.3 we defer it until after cipher negotiation.
* On failure SSLfatal() already called.
return tls_handle_alpn(s);
}
static int init_sig_algs(SSL *s, unsigned int context)
{
/* Clear any signature algorithms extension received */
OPENSSL_free(s->s3->tmp.peer_sigalgs);
s->s3->tmp.peer_sigalgs = NULL;
return 1;
}
static int init_sig_algs_cert(SSL *s, unsigned int context)
{
/* Clear any signature algorithms extension received */
OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
s->s3->tmp.peer_cert_sigalgs = NULL;
return 1;
}
#ifndef OPENSSL_NO_SRP
static int init_srp(SSL *s, unsigned int context)
{
OPENSSL_free(s->srp_ctx.login);
s->srp_ctx.login = NULL;
return 1;
}
#endif
static int init_etm(SSL *s, unsigned int context)
s->ext.use_etm = 0;
return 1;
}
static int init_ems(SSL *s, unsigned int context)
{
if (!s->server)
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with
* original session.
*/
if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
!(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
SSL_R_INCONSISTENT_EXTMS);
return 0;
}
}
return 1;
}
static int init_certificate_authorities(SSL *s, unsigned int context)
{
sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
s->s3->tmp.peer_ca_names = NULL;
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
unsigned int context,
X509 *x,
const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
|| !WPACKET_start_sub_packet_u16(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
if (!construct_ca_names(s, pkt)) {
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
if (!WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
}
return EXT_RETURN_SENT;
}
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
unsigned int context, X509 *x,
if (!parse_ca_names(s, pkt))
return 0;
if (PACKET_remaining(pkt) != 0) {
SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
return 0;
}
return 1;
}
#ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context)
{
if (s->server)
s->srtp_profile = NULL;
return 1;
}
#endif
static int final_sig_algs(SSL *s, unsigned int context, int sent)
if (!sent && SSL_IS_TLS13(s) && !s->hit) {
SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
SSL_R_MISSING_SIGALGS_EXTENSION);
return 0;
}
return 1;
}
static int final_key_share(SSL *s, unsigned int context, int sent)
{
if (!SSL_IS_TLS13(s))
return 1;
/* Nothing to do for key_share in an HRR */
if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
return 1;
* we are a client
* AND
* we have no key_share
* AND
* (we are not resuming
* OR the kex_mode doesn't allow non key_share resumes)
* THEN
if (!s->server
&& !sent
&& (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
/* Nothing left we can do - just fail */
SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
SSL_R_NO_SUITABLE_KEY_SHARE);
* we are a server
* THEN
* IF
* we have a suitable key_share
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
* IF
* we are stateless AND we have no cookie
* THEN
* send a HelloRetryRequest
* ELSE
* IF
* we didn't already send a HelloRetryRequest
* AND
* the client sent a key_share extension
* AND
* (we are not resuming
* OR the kex_mode allows key_share resumes)
* AND
* a shared group exists
* THEN
* send a HelloRetryRequest
* ELSE IF
* we are not resuming
* OR
* the kex_mode doesn't allow non key_share resumes
* THEN
* fail
* ELSE IF
* we are stateless AND we have no cookie
* THEN
* send a HelloRetryRequest
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
if (s->server) {
if (s->s3->peer_tmp != NULL) {
/* We have a suitable key_share */
if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
&& !s->ext.cookieok) {
if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
/*
* If we are stateless then we wouldn't know about any
* previously sent HRR - so how can this be anything other
* than 0?
*/
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
return 0;
}
s->hello_retry_request = SSL_HRR_PENDING;
return 1;
}
} else {
/* No suitable key_share */
if (s->hello_retry_request == SSL_HRR_NONE && sent
&& (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
!= 0)) {
const uint16_t *pgroups, *clntgroups;
size_t num_groups, clnt_num_groups, i;
unsigned int group_id = 0;
/* Check if a shared group exists */
/* Get the clients list of supported groups. */
tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
tls1_get_supported_groups(s, &pgroups, &num_groups);
/*
* Find the first group we allow that is also in client's list
*/
for (i = 0; i < num_groups; i++) {
group_id = pgroups[i];
if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1))
break;
}
if (i < num_groups) {
/* A shared group exists so send a HelloRetryRequest */
s->s3->group_id = group_id;
s->hello_retry_request = SSL_HRR_PENDING;
return 1;
}
}
if (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
/* Nothing left we can do - just fail */
SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
: SSL_AD_MISSING_EXTENSION,
SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
return 0;
if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
&& !s->ext.cookieok) {
if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
/*
* If we are stateless then we wouldn't know about any
* previously sent HRR - so how can this be anything other
* than 0?
*/
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
return 0;
}
s->hello_retry_request = SSL_HRR_PENDING;
return 1;
}
}
/*
* We have a key_share so don't send any more HelloRetryRequest
* messages
*/
if (s->hello_retry_request == SSL_HRR_PENDING)
s->hello_retry_request = SSL_HRR_COMPLETE;
} else {
/*
* For a client side resumption with no key_share we need to generate
* the handshake secret (otherwise this is done during key_share
* processing).
*/
if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
ERR_R_INTERNAL_ERROR);
return 0;
}
}
static int init_psk_kex_modes(SSL *s, unsigned int context)
{
s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
return 1;
}
int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
size_t binderoffset, const unsigned char *binderin,
unsigned char *binderout, SSL_SESSION *sess, int sign,
int external)
{
EVP_PKEY *mackey = NULL;
EVP_MD_CTX *mctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
unsigned char *early_secret;
static const unsigned char resumption_label[] = "res binder";
static const unsigned char external_label[] = "ext binder";
const unsigned char *label;
size_t bindersize, labelsize, hashsize;
int usepskfored = 0;
/* Ensure cast to size_t is safe */
if (!ossl_assert(hashsizei >= 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
hashsize = (size_t)hashsizei;
if (external
&& s->early_data_state == SSL_EARLY_DATA_CONNECTING
&& s->session->ext.max_early_data == 0
&& sess->ext.max_early_data > 0)
usepskfored = 1;
if (external) {
label = external_label;
labelsize = sizeof(external_label) - 1;
} else {
label = resumption_label;
labelsize = sizeof(resumption_label) - 1;
}
/*
* Generate the early_secret. On the server side we've selected a PSK to
* resume with (internal or external) so we always do this. On the client
* side we do this for a non-external (i.e. resumption) PSK or external PSK
* that will be used for early_data so that it is in place for sending early
* data. For client side external PSK not being used for early_data we
* generate it but store it away for later use.
*/
if (s->server || !external || usepskfored)
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
if (!tls13_generate_secret(s, md, NULL, sess->master_key,
sess->master_key_length, early_secret)) {
/* SSLfatal() already called */
goto err;
}
/*
* Create the handshake hash for the binder key...the messages so far are
* empty!
*/
mctx = EVP_MD_CTX_new();
if (mctx == NULL
|| EVP_DigestInit_ex(mctx, md, NULL) <= 0
|| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
/* Generate the binder key */
if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
hashsize, binderkey, hashsize)) {
/* SSLfatal() already called */
goto err;
}
/* Generate the finished key */
if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
/* SSLfatal() already called */
if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
* Get a hash of the ClientHello up to the start of the binders. If we are
* following a HelloRetryRequest then this includes the hash of the first
* ClientHello and the HelloRetryRequest itself.
if (s->hello_retry_request == SSL_HRR_PENDING) {
size_t hdatalen;
void *hdata;
hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
if (hdatalen <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
SSL_R_BAD_HANDSHAKE_LENGTH);
goto err;
}
/*
* For servers the handshake buffer data will include the second
* ClientHello - which we don't want - so we need to take that bit off.
*/
if (s->server) {
PACKET hashprefix, msg;
/* Find how many bytes are left after the first two messages */
if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
|| !PACKET_forward(&hashprefix, 1)
|| !PACKET_get_length_prefixed_3(&hashprefix, &msg)
|| !PACKET_forward(&hashprefix, 1)
|| !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
|| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
hashsize);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (!sign)
binderout = tmpbinder;
bindersize = hashsize;
if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
|| EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
|| EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
|| bindersize != hashsize) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (sign) {
ret = 1;
} else {
/* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
if (!ret)
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
SSL_R_BINDER_DOES_NOT_VERIFY);
}
err:
OPENSSL_cleanse(binderkey, sizeof(binderkey));
OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
EVP_PKEY_free(mackey);
EVP_MD_CTX_free(mctx);
return ret;
}
static int final_early_data(SSL *s, unsigned int context, int sent)
if (!sent)
return 1;
if (!s->server) {
if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
&& sent
&& !s->ext.early_data_ok) {
/*
* If we get here then the server accepted our early_data but we
* later realised that it shouldn't have done (e.g. inconsistent
* ALPN)
*/
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
SSL_R_BAD_EARLY_DATA);
return 0;
}
return 1;
if (s->max_early_data == 0
|| !s->hit
|| s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
|| s->hello_retry_request != SSL_HRR_NONE) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
if (!tls13_change_cipher_state(s,
SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
/* SSLfatal() already called */
return 0;
}
}
return 1;
}
static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
{
/*
* Session resumption on server-side with MFL extension active
* BUT MFL extension packet was not resent (i.e. sent == 0)
*/
if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
SSL_R_BAD_EXTENSION);
return 0;
}
/* Current SSL buffer is lower than requested MFL */
if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
&& s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
/* trigger a larger buffer reallocation */
if (!ssl3_setup_buffers(s)) {
/* SSLfatal() already called */
static int init_post_handshake_auth(SSL *s, unsigned int context)
{
s->post_handshake_auth = SSL_PHA_NONE;
return 1;
}