Newer
Older
static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
unsigned int context,
X509 *x,
size_t chainidx,
int *al)
const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !construct_ca_names(s, pkt)
|| !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
return EXT_RETURN_SENT;
}
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx, int *al)
{
if (!parse_ca_names(s, pkt, al))
return 0;
if (PACKET_remaining(pkt) != 0) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
return 1;
}
#ifndef OPENSSL_NO_SRTP
static int init_srtp(SSL *s, unsigned int context)
{
if (s->server)
s->srtp_profile = NULL;
return 1;
}
#endif
static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al)
{
if (!sent && SSL_IS_TLS13(s) && !s->hit) {
*al = TLS13_AD_MISSING_EXTENSION;
SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION);
return 0;
}
return 1;
}
static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
{
if (!SSL_IS_TLS13(s))
return 1;
/* Nothing to do for key_share in an HRR */
if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
return 1;
* we are a client
* AND
* we have no key_share
* AND
* (we are not resuming
* OR the kex_mode doesn't allow non key_share resumes)
* THEN
if (!s->server
&& !sent
&& (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
/* Nothing left we can do - just fail */
*al = SSL_AD_MISSING_EXTENSION;
SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
return 0;
}
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
/*
* If
* we are a server
* AND
* we have no key_share
* THEN
* If
* we didn't already send a HelloRetryRequest
* AND
* the client sent a key_share extension
* AND
* (we are not resuming
* OR the kex_mode allows key_share resumes)
* AND
* a shared group exists
* THEN
* send a HelloRetryRequest
* ELSE If
* we are not resuming
* OR
* the kex_mode doesn't allow non key_share resumes
* THEN
* fail;
*/
if (s->server && s->s3->peer_tmp == NULL) {
/* No suitable share */
if (s->hello_retry_request == 0 && sent
&& (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
!= 0)) {
const unsigned char *pcurves, *pcurvestmp, *clntcurves;
size_t num_curves, clnt_num_curves, i;
/* Check if a shared group exists */
/* Get the clients list of supported groups. */
if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
}
/* Get our list of available groups */
if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
}
/* Find the first group we allow that is also in client's list */
for (i = 0, pcurvestmp = pcurves; i < num_curves;
i++, pcurvestmp += 2) {
if (check_in_list(s, group_id, clntcurves, clnt_num_curves, 1))
break;
}
if (i < num_curves) {
/* A shared group exists so send a HelloRetryRequest */
s->s3->group_id = group_id;
s->hello_retry_request = 1;
return 1;
}
}
if (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
/* Nothing left we can do - just fail */
if (!sent)
*al = SSL_AD_MISSING_EXTENSION;
else
*al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
return 0;
}
}
/* We have a key_share so don't send any more HelloRetryRequest messages */
if (s->server)
s->hello_retry_request = 0;
/*
* For a client side resumption with no key_share we need to generate
* the handshake secret (otherwise this is done during key_share
* processing).
*/
if (!sent && !s->server && !tls13_generate_handshake_secret(s, NULL, 0)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_FINAL_KEY_SHARE, ERR_R_INTERNAL_ERROR);
return 0;
}
return 1;
}
static int init_psk_kex_modes(SSL *s, unsigned int context)
{
s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
return 1;
}
int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
size_t binderoffset, const unsigned char *binderin,
unsigned char *binderout, SSL_SESSION *sess, int sign,
int external)
{
EVP_PKEY *mackey = NULL;
EVP_MD_CTX *mctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
unsigned char tmppsk[EVP_MAX_MD_SIZE];
unsigned char *early_secret, *psk;
const char resumption_label[] = "res binder";
const char external_label[] = "ext binder";
const char nonce_label[] = "resumption";
const char *label;
size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
int usepskfored = 0;
if (external
&& s->early_data_state == SSL_EARLY_DATA_CONNECTING
&& s->session->ext.max_early_data == 0
&& sess->ext.max_early_data > 0)
usepskfored = 1;
if (external) {
label = external_label;
labelsize = sizeof(external_label) - 1;
} else {
label = resumption_label;
labelsize = sizeof(resumption_label) - 1;
}
if (sess->master_key_length != hashsize) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_PSK);
goto err;
}
if (external) {
psk = sess->master_key;
} else {
psk = tmppsk;
if (!tls13_hkdf_expand(s, md, sess->master_key,
(const unsigned char *)nonce_label,
sizeof(nonce_label) - 1, sess->ext.tick_nonce,
sess->ext.tick_nonce_len, psk, hashsize)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
}
/*
* Generate the early_secret. On the server side we've selected a PSK to
* resume with (internal or external) so we always do this. On the client
* side we do this for a non-external (i.e. resumption) PSK or external PSK
* that will be used for early_data so that it is in place for sending early
* data. For client side external PSK not being used for early_data we
* generate it but store it away for later use.
*/
if (s->server || !external || usepskfored)
early_secret = (unsigned char *)s->early_secret;
else
early_secret = (unsigned char *)sess->early_secret;
if (!tls13_generate_secret(s, md, NULL, psk, hashsize, early_secret)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
/*
* Create the handshake hash for the binder key...the messages so far are
* empty!
*/
mctx = EVP_MD_CTX_new();
if (mctx == NULL
|| EVP_DigestInit_ex(mctx, md, NULL) <= 0
|| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
/* Generate the binder key */
if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label,
labelsize, hash, hashsize, binderkey, hashsize)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
/* Generate the finished key */
if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
* Get a hash of the ClientHello up to the start of the binders. If we are
* following a HelloRetryRequest then this includes the hash of the first
* ClientHello and the HelloRetryRequest itself.
if (s->hello_retry_request) {
size_t hdatalen;
void *hdata;
hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
if (hdatalen <= 0) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, SSL_R_BAD_HANDSHAKE_LENGTH);
goto err;
}
/*
* For servers the handshake buffer data will include the second
* ClientHello - which we don't want - so we need to take that bit off.
*/
if (s->server) {
PACKET hashprefix, msg;
/* Find how many bytes are left after the first two messages */
if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
|| !PACKET_forward(&hashprefix, 1)
|| !PACKET_get_length_prefixed_3(&hashprefix, &msg)
|| !PACKET_forward(&hashprefix, 1)
|| !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
|| EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize);
if (mackey == NULL) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
if (!sign)
binderout = tmpbinder;
bindersize = hashsize;
if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
|| EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
|| EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
|| bindersize != hashsize) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}
if (sign) {
ret = 1;
} else {
/* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
}
err:
OPENSSL_cleanse(binderkey, sizeof(binderkey));
OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
EVP_PKEY_free(mackey);
EVP_MD_CTX_free(mctx);
return ret;
}
static int final_early_data(SSL *s, unsigned int context, int sent, int *al)
{
if (!s->server || !sent)
return 1;
if (s->max_early_data == 0
|| !s->hit
|| s->session->ext.tick_identity != 0
|| s->early_data_state != SSL_EARLY_DATA_ACCEPTING
|| !s->ext.early_data_ok
|| s->hello_retry_request
|| s->s3->alpn_selected_len != s->session->ext.alpn_selected_len
|| (s->s3->alpn_selected_len > 0
&& memcmp(s->s3->alpn_selected, s->session->ext.alpn_selected,
s->s3->alpn_selected_len) != 0)) {
s->ext.early_data = SSL_EARLY_DATA_REJECTED;
} else {
s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
if (!tls13_change_cipher_state(s,
SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
*al = SSL_AD_INTERNAL_ERROR;
return 0;
}
}
return 1;
}