Ensure buffer/length pairs are always in sync

[openssl.git] / ssl / statem / extensions.c
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c

index 8d4939d601258a0e5d5e8f04632ad6c9f185064c..0ce436d082802e7b4522b3b956ca5c9b87fe865c 100644 (file)
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1,7 +1,7 @@
  /*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
   *
- * Licensed under the OpenSSL license (the "License").  You may not use
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
   * in the file LICENSE in the source distribution or at
   * https://www.openssl.org/source/license.html
@@ -10,16 +10,14 @@
  #include <string.h>
  #include "internal/nelem.h"
  #include "internal/cryptlib.h"
-#include "../ssl_locl.h"
-#include "statem_locl.h"
+#include "../ssl_local.h"
+#include "statem_local.h"
  #include "internal/cryptlib.h"
  
  static int final_renegotiate(SSL *s, unsigned int context, int sent);
  static int init_server_name(SSL *s, unsigned int context);
  static int final_server_name(SSL *s, unsigned int context, int sent);
-#ifndef OPENSSL_NO_EC
  static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
-#endif
  static int init_session_ticket(SSL *s, unsigned int context);
  #ifndef OPENSSL_NO_OCSP
  static int init_status_request(SSL *s, unsigned int context);
@@ -46,9 +44,7 @@ static int init_etm(SSL *s, unsigned int context);
  static int init_ems(SSL *s, unsigned int context);
  static int final_ems(SSL *s, unsigned int context, int sent);
  static int init_psk_kex_modes(SSL *s, unsigned int context);
-#ifndef OPENSSL_NO_EC
  static int final_key_share(SSL *s, unsigned int context, int sent);
-#endif
  #ifndef OPENSSL_NO_SRTP
  static int init_srtp(SSL *s, unsigned int context);
  #endif
@@ -94,7 +90,7 @@ typedef struct extensions_definition_st {
  /*
   * Definitions of all built-in extensions. NOTE: Changes in the number or order
   * of these extensions should be mirrored with equivalent changes to the
- * indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
+ * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
   * Each extension has an initialiser, a client and
   * server side parser and a finaliser. The initialiser is called (if the
   * extension is relevant to the given context) even if we did not see the
@@ -153,7 +149,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
  #else
      INVALID_EXTENSION,
  #endif
-#ifndef OPENSSL_NO_EC
      {
          TLSEXT_TYPE_ec_point_formats,
          SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
@@ -195,10 +190,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
          tls_construct_stoc_supported_groups,
          tls_construct_ctos_supported_groups, NULL
      },
-#else
-    INVALID_EXTENSION,
-    INVALID_EXTENSION,
-#endif
      {
          TLSEXT_TYPE_session_ticket,
          SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
@@ -322,7 +313,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
          init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
          tls_construct_ctos_psk_kex_modes, NULL
      },
-#ifndef OPENSSL_NO_EC
      {
          /*
           * Must be in this list after supported_groups. We need that to have
@@ -336,7 +326,6 @@ static const EXTENSION_DEFINITION ext_defs[] = {
          tls_construct_stoc_key_share, tls_construct_ctos_key_share,
          final_key_share
      },
-#endif
      {
          /* Must be after key_share */
          TLSEXT_TYPE_cookie,
@@ -348,10 +337,12 @@ static const EXTENSION_DEFINITION ext_defs[] = {
      {
          /*
           * Special unsolicited ServerHello extension only used when
-         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
+         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
+         * ignore it.
           */
          TLSEXT_TYPE_cryptopro_bug,
-        SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
+        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
          NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
      },
      {
@@ -570,8 +561,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
      num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
      raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
      if (raw_extensions == NULL) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
-                 ERR_R_MALLOC_FAILURE);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
          return 0;
      }
  
@@ -583,8 +573,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
  
          if (!PACKET_get_net_2(&extensions, &type) ||
              !PACKET_get_length_prefixed_2(&extensions, &extension)) {
-            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
-                     SSL_R_BAD_EXTENSION);
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
              goto err;
          }
          /*
@@ -597,8 +586,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
                  || (type == TLSEXT_TYPE_psk
                      && (context & SSL_EXT_CLIENT_HELLO) != 0
                      && PACKET_remaining(&extensions) != 0)) {
-            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
-                     SSL_R_BAD_EXTENSION);
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
              goto err;
          }
          idx = thisex - raw_extensions;
@@ -623,9 +611,14 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
                  && type != TLSEXT_TYPE_cookie
                  && type != TLSEXT_TYPE_renegotiate
                  && type != TLSEXT_TYPE_signed_certificate_timestamp
-                && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
+                && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
+#ifndef OPENSSL_NO_GOST
+                && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
+                     && type == TLSEXT_TYPE_cryptopro_bug)
+#endif
+                                                                ) {
              SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
-                     SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
+                     SSL_R_UNSOLICITED_EXTENSION);
              goto err;
          }
          if (thisex != NULL) {
@@ -804,16 +797,14 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
                   (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
                  && !WPACKET_set_flags(pkt,
                                       WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          return 0;
      }
  
      if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
          reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
          if (reason != 0) {
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
-                     reason);
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
              return 0;
          }
      }
@@ -856,8 +847,7 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
      }
  
      if (!WPACKET_close(pkt)) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          return 0;
      }
  
@@ -881,7 +871,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent)
          if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
                  && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
                  && !sent) {
-            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                       SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
              return 0;
          }
@@ -893,7 +883,7 @@ static int final_renegotiate(SSL *s, unsigned int context, int sent)
      if (s->renegotiate
              && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
              && !sent) {
-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
+        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                   SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
          return 0;
      }
@@ -921,8 +911,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
      int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
  
      if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          return 0;
      }
  
@@ -942,14 +931,12 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
       * was successful.
       */
      if (s->server) {
-        /* TODO(OpenSSL1.2) revisit !sent case */
-        if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit || SSL_IS_TLS13(s))) {
+        if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
              /* Only store the hostname in the session if we accepted it. */
              OPENSSL_free(s->session->ext.hostname);
              s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
              if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
-                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
-                         ERR_R_INTERNAL_ERROR);
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
              }
          }
      }
@@ -960,9 +947,10 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
       * context, to avoid the confusing situation of having sess_accept_good
       * exceed sess_accept (zero) for the new context.
       */
-    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
+    if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
+                   && s->hello_retry_request == SSL_HRR_NONE) {
          tsan_counter(&s->ctx->stats.sess_accept);
-        tsan_counter(&s->session_ctx->stats.sess_accept);
+        tsan_decr(&s->session_ctx->stats.sess_accept);
      }
  
      /*
@@ -982,15 +970,12 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
                  ss->ext.ticklen = 0;
                  ss->ext.tick_lifetime_hint = 0;
                  ss->ext.tick_age_add = 0;
-                ss->ext.tick_identity = 0;
                  if (!ssl_generate_session_id(s, ss)) {
-                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
-                             ERR_R_INTERNAL_ERROR);
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                      return 0;
                  }
              } else {
-                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
-                         ERR_R_INTERNAL_ERROR);
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                  return 0;
              }
          }
@@ -998,13 +983,14 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
  
      switch (ret) {
      case SSL_TLSEXT_ERR_ALERT_FATAL:
-        SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
+        SSLfatal(s, altmp, SSL_R_CALLBACK_FAILED);
          return 0;
  
      case SSL_TLSEXT_ERR_ALERT_WARNING:
          /* TLSv1.3 doesn't have warning alerts so we suppress this */
          if (!SSL_IS_TLS13(s))
              ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
+        s->servername_done = 0;
          return 1;
  
      case SSL_TLSEXT_ERR_NOACK:
@@ -1016,7 +1002,6 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
      }
  }
  
-#ifndef OPENSSL_NO_EC
  static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
  {
      unsigned long alg_k, alg_a;
@@ -1024,8 +1009,8 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
      if (s->server)
          return 1;
  
-    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+    alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
+    alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  
      /*
       * If we are client and using an elliptic curve cryptography cipher
@@ -1034,19 +1019,19 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
       */
      if (s->ext.ecpointformats != NULL
              && s->ext.ecpointformats_len > 0
-            && s->session->ext.ecpointformats != NULL
-            && s->session->ext.ecpointformats_len > 0
+            && s->ext.peer_ecpointformats != NULL
+            && s->ext.peer_ecpointformats_len > 0
              && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
          /* we are using an ECC cipher */
          size_t i;
-        unsigned char *list = s->session->ext.ecpointformats;
+        unsigned char *list = s->ext.peer_ecpointformats;
  
-        for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
+        for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
              if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
                  break;
          }
-        if (i == s->session->ext.ecpointformats_len) {
-            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
+        if (i == s->ext.peer_ecpointformats_len) {
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                       SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
              return 0;
          }
@@ -1054,7 +1039,6 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
  
      return 1;
  }
-#endif
  
  static int init_session_ticket(SSL *s, unsigned int context)
  {
@@ -1086,7 +1070,7 @@ static int init_status_request(SSL *s, unsigned int context)
  #ifndef OPENSSL_NO_NEXTPROTONEG
  static int init_npn(SSL *s, unsigned int context)
  {
-    s->s3->npn_seen = 0;
+    s->s3.npn_seen = 0;
  
      return 1;
  }
@@ -1094,13 +1078,13 @@ static int init_npn(SSL *s, unsigned int context)
  
  static int init_alpn(SSL *s, unsigned int context)
  {
-    OPENSSL_free(s->s3->alpn_selected);
-    s->s3->alpn_selected = NULL;
-    s->s3->alpn_selected_len = 0;
+    OPENSSL_free(s->s3.alpn_selected);
+    s->s3.alpn_selected = NULL;
+    s->s3.alpn_selected_len = 0;
      if (s->server) {
-        OPENSSL_free(s->s3->alpn_proposed);
-        s->s3->alpn_proposed = NULL;
-        s->s3->alpn_proposed_len = 0;
+        OPENSSL_free(s->s3.alpn_proposed);
+        s->s3.alpn_proposed = NULL;
+        s->s3.alpn_proposed_len = 0;
      }
      return 1;
  }
@@ -1128,17 +1112,19 @@ static int final_alpn(SSL *s, unsigned int context, int sent)
  static int init_sig_algs(SSL *s, unsigned int context)
  {
      /* Clear any signature algorithms extension received */
-    OPENSSL_free(s->s3->tmp.peer_sigalgs);
-    s->s3->tmp.peer_sigalgs = NULL;
+    OPENSSL_free(s->s3.tmp.peer_sigalgs);
+    s->s3.tmp.peer_sigalgs = NULL;
+    s->s3.tmp.peer_sigalgslen = 0;
  
      return 1;
  }
  
-static int init_sig_algs_cert(SSL *s, unsigned int context)
+static int init_sig_algs_cert(SSL *s, ossl_unused unsigned int context)
  {
      /* Clear any signature algorithms extension received */
-    OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
-    s->s3->tmp.peer_cert_sigalgs = NULL;
+    OPENSSL_free(s->s3.tmp.peer_cert_sigalgs);
+    s->s3.tmp.peer_cert_sigalgs = NULL;
+    s->s3.tmp.peer_cert_sigalgslen = 0;
  
      return 1;
  }
@@ -1162,23 +1148,33 @@ static int init_etm(SSL *s, unsigned int context)
  
  static int init_ems(SSL *s, unsigned int context)
  {
-    if (!s->server)
-        s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+    if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) {
+        s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+        s->s3.flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+    }
  
      return 1;
  }
  
  static int final_ems(SSL *s, unsigned int context, int sent)
  {
+    /*
+     * Check extended master secret extension is not dropped on
+     * renegotiation.
+     */
+    if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS)
+        && (s->s3.flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
+        return 0;
+    }
      if (!s->server && s->hit) {
          /*
           * Check extended master secret extension is consistent with
           * original session.
           */
-        if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
+        if (!(s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
              !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
-            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
-                     SSL_R_INCONSISTENT_EXTMS);
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_EXTMS);
              return 0;
          }
      }
@@ -1188,8 +1184,8 @@ static int final_ems(SSL *s, unsigned int context, int sent)
  
  static int init_certificate_authorities(SSL *s, unsigned int context)
  {
-    sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
-    s->s3->tmp.peer_ca_names = NULL;
+    sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
+    s->s3.tmp.peer_ca_names = NULL;
      return 1;
  }
  
@@ -1198,28 +1194,24 @@ static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
                                                          X509 *x,
                                                          size_t chainidx)
  {
-    const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
+    const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
  
      if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
          return EXT_RETURN_NOT_SENT;
  
      if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
          || !WPACKET_start_sub_packet_u16(pkt)) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
-                 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
-               ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          return EXT_RETURN_FAIL;
      }
  
-    if (!construct_ca_names(s, pkt)) {
+    if (!construct_ca_names(s, ca_sk, pkt)) {
          /* SSLfatal() already called */
          return EXT_RETURN_FAIL;
      }
  
      if (!WPACKET_close(pkt)) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
-                 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          return EXT_RETURN_FAIL;
      }
  
@@ -1233,8 +1225,7 @@ static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
      if (!parse_ca_names(s, pkt))
          return 0;
      if (PACKET_remaining(pkt) != 0) {
-        SSLfatal(s, SSL_AD_DECODE_ERROR,
-                 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
+        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
          return 0;
      }
      return 1;
@@ -1253,7 +1244,7 @@ static int init_srtp(SSL *s, unsigned int context)
  static int final_sig_algs(SSL *s, unsigned int context, int sent)
  {
      if (!sent && SSL_IS_TLS13(s) && !s->hit) {
-        SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
+        SSLfatal(s, TLS13_AD_MISSING_EXTENSION,
                   SSL_R_MISSING_SIGALGS_EXTENSION);
          return 0;
      }
@@ -1261,9 +1252,9 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent)
      return 1;
  }
  
-#ifndef OPENSSL_NO_EC
  static int final_key_share(SSL *s, unsigned int context, int sent)
  {
+#if !defined(OPENSSL_NO_TLS1_3)
      if (!SSL_IS_TLS13(s))
          return 1;
  
@@ -1287,8 +1278,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
              && (!s->hit
                  || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
          /* Nothing left we can do - just fail */
-        SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
-                 SSL_R_NO_SUITABLE_KEY_SHARE);
+        SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_NO_SUITABLE_KEY_SHARE);
          return 0;
      }
      /*
@@ -1326,9 +1316,9 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
       *             send a HelloRetryRequest
       */
      if (s->server) {
-        if (s->s3->peer_tmp != NULL) {
+        if (s->s3.peer_tmp != NULL) {
              /* We have a suitable key_share */
-            if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
+            if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
                      && !s->ext.cookieok) {
                  if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
                      /*
@@ -1336,8 +1326,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
                       * previously sent HRR - so how can this be anything other
                       * than 0?
                       */
-                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
-                             ERR_R_INTERNAL_ERROR);
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                      return 0;
                  }
                  s->hello_retry_request = SSL_HRR_PENDING;
@@ -1372,7 +1361,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
  
                  if (i < num_groups) {
                      /* A shared group exists so send a HelloRetryRequest */
-                    s->s3->group_id = group_id;
+                    s->s3.group_id = group_id;
                      s->hello_retry_request = SSL_HRR_PENDING;
                      return 1;
                  }
@@ -1382,11 +1371,11 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
                  /* Nothing left we can do - just fail */
                  SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
                                   : SSL_AD_MISSING_EXTENSION,
-                         SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
+                         SSL_R_NO_SUITABLE_KEY_SHARE);
                  return 0;
              }
  
-            if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
+            if ((s->s3.flags & TLS1_FLAGS_STATELESS) != 0
                      && !s->ext.cookieok) {
                  if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
                      /*
@@ -1394,8 +1383,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
                       * previously sent HRR - so how can this be anything other
                       * than 0?
                       */
-                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
-                             ERR_R_INTERNAL_ERROR);
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                      return 0;
                  }
                  s->hello_retry_request = SSL_HRR_PENDING;
@@ -1416,15 +1404,13 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
           * processing).
           */
          if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
-                     ERR_R_INTERNAL_ERROR);
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
              return 0;
          }
      }
-
+#endif /* !defined(OPENSSL_NO_TLS1_3) */
      return 1;
  }
-#endif
  
  static int init_psk_kex_modes(SSL *s, unsigned int context)
  {
@@ -1442,8 +1428,13 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
      unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
      unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
      unsigned char *early_secret;
+#ifdef CHARSET_EBCDIC
+    static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
+    static const unsigned char external_label[]   = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
+#else
      static const unsigned char resumption_label[] = "res binder";
      static const unsigned char external_label[] = "ext binder";
+#endif
      const unsigned char *label;
      size_t bindersize, labelsize, hashsize;
      int hashsizei = EVP_MD_size(md);
@@ -1452,8 +1443,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
  
      /* Ensure cast to size_t is safe */
      if (!ossl_assert(hashsizei >= 0)) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          goto err;
      }
      hashsize = (size_t)hashsizei;
@@ -1499,14 +1489,13 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
      if (mctx == NULL
              || EVP_DigestInit_ex(mctx, md, NULL) <= 0
              || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          goto err;
      }
  
      /* Generate the binder key */
      if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
-                           hashsize, binderkey, hashsize)) {
+                           hashsize, binderkey, hashsize, 1)) {
          /* SSLfatal() already called */
          goto err;
      }
@@ -1518,8 +1507,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
      }
  
      if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          goto err;
      }
  
@@ -1534,10 +1522,9 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
          void *hdata;
  
          hdatalen = hdatalen_l =
-            BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
+            BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
          if (hdatalen_l <= 0) {
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                     SSL_R_BAD_HANDSHAKE_LENGTH);
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
              goto err;
          }
  
@@ -1554,32 +1541,29 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
                      || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
                      || !PACKET_forward(&hashprefix, 1)
                      || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
-                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                         ERR_R_INTERNAL_ERROR);
+                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                  goto err;
              }
              hdatalen -= PACKET_remaining(&hashprefix);
          }
  
          if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                     ERR_R_INTERNAL_ERROR);
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
              goto err;
          }
      }
  
      if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
              || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          goto err;
      }
  
-    mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
-                                          hashsize);
+    mackey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
+                                             s->ctx->propq, finishedkey,
+                                             hashsize);
      if (mackey == NULL) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          goto err;
      }
  
@@ -1587,12 +1571,12 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
          binderout = tmpbinder;
  
      bindersize = hashsize;
-    if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
+    if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_name(md), s->ctx->libctx,
+                              s->ctx->propq, mackey, NULL) <= 0
              || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
              || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
              || bindersize != hashsize) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
-                 ERR_R_INTERNAL_ERROR);
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
          goto err;
      }
  
@@ -1602,8 +1586,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
          /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
          ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
          if (!ret)
-            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
-                     SSL_R_BINDER_DOES_NOT_VERIFY);
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BINDER_DOES_NOT_VERIFY);
      }
  
   err:
@@ -1629,8 +1612,7 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
               * later realised that it shouldn't have done (e.g. inconsistent
               * ALPN)
               */
-            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
-                     SSL_R_BAD_EARLY_DATA);
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EARLY_DATA);
              return 0;
          }
  
@@ -1639,13 +1621,12 @@ static int final_early_data(SSL *s, unsigned int context, int sent)
  
      if (s->max_early_data == 0
              || !s->hit
-            || s->session->ext.tick_identity != 0
              || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
              || !s->ext.early_data_ok
              || s->hello_retry_request != SSL_HRR_NONE
-            || (s->ctx->allow_early_data_cb != NULL
-                && !s->ctx->allow_early_data_cb(s,
-                                         s->ctx->allow_early_data_cb_data))) {
+            || (s->allow_early_data_cb != NULL
+                && !s->allow_early_data_cb(s,
+                                         s->allow_early_data_cb_data))) {
          s->ext.early_data = SSL_EARLY_DATA_REJECTED;
      } else {
          s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
@@ -1668,8 +1649,7 @@ static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
       */
      if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
              && !sent ) {
-        SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
-                 SSL_R_BAD_EXTENSION);
+        SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_BAD_EXTENSION);
          return 0;
      }
  
@@ -1685,7 +1665,7 @@ static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
      return 1;
  }
  
-static int init_post_handshake_auth(SSL *s, unsigned int context)
+static int init_post_handshake_auth(SSL *s, ossl_unused unsigned int context)
  {
      s->post_handshake_auth = SSL_PHA_NONE;