/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
static int init_sig_algs(SSL *s, unsigned int context);
static int init_certificate_authorities(SSL *s, unsigned int context);
-static int tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
- unsigned int context, X509 *x,
- size_t chainidx, int *al);
+static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
+ unsigned int context,
+ X509 *x,
+ size_t chainidx,
+ int *al);
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx, int *al);
int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al);
/* Construct extension sent from server to client */
- int (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
- size_t chainidx, int *al);
+ EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx, int *al);
/* Construct extension sent from client to server */
- int (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
- size_t chainidx, int *al);
+ EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx, int *al);
/*
* Finalise extension after parsing. Always called where an extensions was
* initialised even if the extension was not present. |sent| is set to 1 if
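Review bot: The comments on `construct_stoc` and `construct_ctos` still describe only the direction of travel, although the return type is now EXT_RETURN and the caller distinguishes three outcomes. Each comment should spell the results out, for example `/* Construct extension sent from server to client. Returns EXT_RETURN_SENT if written to |pkt|, EXT_RETURN_NOT_SENT if skipped, EXT_RETURN_FAIL on error */`. The struct definition starts and ends outside this hunk.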
/*
* Definitions of all built-in extensions. NOTE: Changes in the number or order
- * of these extensions should be mirrored with equivalent changes to the
+ * of these extensions should be mirrored with equivalent changes to the
* indexes ( TLSEXT_IDX_* ) defined in ssl_locl.h.
* Each extension has an initialiser, a client and
* server side parser and a finaliser. The initialiser is called (if the
TLSEXT_TYPE_supported_groups,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
NULL, tls_parse_ctos_supported_groups, NULL,
- NULL /* TODO(TLS1.3): Need to add this */,
+ tls_construct_stoc_supported_groups,
tls_construct_ctos_supported_groups, NULL
},
#else
* stored in |*res| on success. In the event of an error the alert type to use
* is stored in |*al|. We don't actually process the content of the extensions
* yet, except to check their types. This function also runs the initialiser
- * functions for all known extensions (whether we have collected them or not).
- * If successful the caller is responsible for freeing the contents of |*res|.
+ * functions for all known extensions if |init| is nonzero (whether we have
+ * collected them or not). If successful the caller is responsible for freeing
+ * the contents of |*res|.
*
* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
* more than one extension of the same type in a ClientHello or ServerHello.
* extensions that we know about. We ignore others.
*/
int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
- RAW_EXTENSION **res, int *al, size_t *len)
+ RAW_EXTENSION **res, int *al, size_t *len,
+ int init)
{
PACKET extensions = *packet;
size_t i = 0;
return 0;
}
+ i = 0;
while (PACKET_remaining(&extensions) > 0) {
- unsigned int type;
+ unsigned int type, idx;
PACKET extension;
RAW_EXTENSION *thisex;
*al = SSL_AD_ILLEGAL_PARAMETER;
goto err;
}
+ idx = thisex - raw_extensions;
+ /*-
+ * Check that we requested this extension (if appropriate). Requests can
+ * be sent in the ClientHello and CertificateRequest. Unsolicited
+ * extensions can be sent in the NewSessionTicket. We only do this for
+ * the built-in extensions. Custom extensions have a different but
+ * similar check elsewhere.
+ * Special cases:
+ * - The HRR cookie extension is unsolicited
+ * - The renegotiate extension is unsolicited (the client signals
+ * support via an SCSV)
+ * - The signed_certificate_timestamp extension can be provided by a
+ * custom extension or by the built-in version. We let the extension
+ * itself handle unsolicited response checks.
+ */
+ if (idx < OSSL_NELEM(ext_defs)
+ && (context & (SSL_EXT_CLIENT_HELLO
+ | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+ | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
+ && type != TLSEXT_TYPE_cookie
+ && type != TLSEXT_TYPE_renegotiate
+ && type != TLSEXT_TYPE_signed_certificate_timestamp
+ && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
+ SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
+ *al = SSL_AD_UNSUPPORTED_EXTENSION;
+ goto err;
+ }
if (thisex != NULL) {
thisex->data = extension;
thisex->present = 1;
thisex->type = type;
+ thisex->received_order = i++;
}
}
- /*
- * Initialise all known extensions relevant to this context, whether we have
- * found them or not
- */
- for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
- if(thisexd->init != NULL && (thisexd->context & context) != 0
+ if (init) {
+ /*
+ * Initialise all known extensions relevant to this context,
+ * whether we have found them or not
+ */
+ for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
+ i++, thisexd++) {
+ if (thisexd->init != NULL && (thisexd->context & context) != 0
&& extension_is_relevant(s, thisexd->context, context)
&& !thisexd->init(s, context)) {
- *al = SSL_AD_INTERNAL_ERROR;
- goto err;
+ *al = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
}
}
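Review bot: `idx = thisex - raw_extensions;` runs before the `if (thisex != NULL)` test further down, so when the lookup leaves `thisex` NULL the subtraction is on a null pointer, which is undefined behaviour. The result is then narrowed to `unsigned int`, so nothing guarantees it stays at or above `OSSL_NELEM(ext_defs)`. A small value would make the new check consult `s->ext.extflags[]` for an unrelated built-in extension. I would make `idx` a `size_t` and compute it only for a known extension: `idx = (thisex != NULL) ? (size_t)(thisex - raw_extensions) : OSSL_NELEM(ext_defs);`. The loop body starts outside this hunk.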
/*
* Parse all remaining extensions that have not yet been parsed. Also calls the
- * finalisation for all extensions at the end, whether we collected them or not.
- * Returns 1 for success or 0 for failure. If we are working on a Certificate
- * message then we also pass the Certificate |x| and its position in the
- * |chainidx|, with 0 being the first certificate. On failure, |*al| is
- * populated with a suitable alert code.
+ * finalisation for all extensions at the end if |fin| is nonzero, whether we
+ * collected them or not. Returns 1 for success or 0 for failure. If we are
+ * working on a Certificate message then we also pass the Certificate |x| and
+ * its position in the |chainidx|, with 0 being the first certificate. On
+ * failure, |*al| is populated with a suitable alert code.
*/
int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
- size_t chainidx, int *al)
+ size_t chainidx, int *al, int fin)
{
size_t i, numexts = OSSL_NELEM(ext_defs);
const EXTENSION_DEFINITION *thisexd;
return 0;
}
- /*
- * Finalise all known extensions relevant to this context, whether we have
- * found them or not
- */
- for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
- if(thisexd->final != NULL
- && (thisexd->context & context) != 0
+ if (fin) {
+ /*
+ * Finalise all known extensions relevant to this context,
+ * whether we have found them or not
+ */
+ for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
+ i++, thisexd++) {
+ if (thisexd->final != NULL && (thisexd->context & context) != 0
&& !thisexd->final(s, context, exts[i].present, al))
- return 0;
+ return 0;
+ }
}
return 1;
}
if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
- reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
+ reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
goto err;
}
for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
- int (*construct)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
- size_t chainidx, int *al);
+ EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx, int *al);
+ EXT_RETURN ret;
/* Skip if not relevant for our context */
if (!should_add_extension(s, thisexd->context, context, max_version))
if (construct == NULL)
continue;
- if (!construct(s, pkt, context, x, chainidx, &tmpal))
+ ret = construct(s, pkt, context, x, chainidx, &tmpal);
+ if (ret == EXT_RETURN_FAIL)
goto err;
+ if (ret == EXT_RETURN_SENT
+ && (context & (SSL_EXT_CLIENT_HELLO
+ | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+ | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
+ s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
}
if (!WPACKET_close(pkt)) {
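Review bot: `s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;` only ever sets the bit, and none of the visible hunks clears it. If extflags is not zeroed before each new handshake (not visible here), a flag left from an earlier ClientHello on the same SSL object would let the unsolicited-extension check in tls_collect_extensions accept an extension the current ClientHello never carried. A comment at this assignment naming the reset point would make the dependency explicit, e.g. `/* extflags is cleared in <reset site> before each handshake */`. SSL_EXT_TLS1_3_NEW_SESSION_TICKET is also in this mask although the parsing side treats that message's extensions as unsolicited, so recording SENT for it looks unnecessary.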
/* ALPN takes precedence over NPN. */
s->s3->npn_seen = 0;
#endif
+ } else if (r == SSL_TLSEXT_ERR_NOACK) {
+ /* Behave as if no callback was present. */
+ return 1;
} else {
*al = SSL_AD_NO_APPLICATION_PROTOCOL;
return 0;
return 1;
}
-static int tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
- unsigned int context, X509 *x,
- size_t chainidx, int *al)
+static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
+ unsigned int context,
+ X509 *x,
+ size_t chainidx,
+ int *al)
{
const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
- return 1;
+ return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
ERR_R_INTERNAL_ERROR);
- return 0;
+ return EXT_RETURN_FAIL;
}
- return 1;
+ return EXT_RETURN_SENT;
}
static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
static int final_sig_algs(SSL *s, unsigned int context, int sent, int *al)
{
- if (!sent && SSL_IS_TLS13(s)) {
+ if (!sent && SSL_IS_TLS13(s) && !s->hit) {
*al = TLS13_AD_MISSING_EXTENSION;
SSLerr(SSL_F_FINAL_SIG_ALGS, SSL_R_MISSING_SIGALGS_EXTENSION);
return 0;
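Review bot: The new `!s->hit` term in final_sig_algs has no comment explaining why a resumed TLS 1.3 handshake may omit signature_algorithms. If the intent is that resumption performs no certificate authentication, say so above the condition, e.g. `/* A resumed handshake does no certificate authentication, so sig_algs is not required */`. The check also appears to depend on `s->hit` being settled before the finalisers run, which is worth stating if true. The function body continues outside this hunk.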
if (!SSL_IS_TLS13(s))
return 1;
+ /* Nothing to do for key_share in an HRR */
+ if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
+ return 1;
+
/*
* If
* we are a client
&& (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
/* Nothing left we can do - just fail */
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ *al = SSL_AD_MISSING_EXTENSION;
SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
return 0;
}
if (!s->hit
|| (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
/* Nothing left we can do - just fail */
- *al = SSL_AD_HANDSHAKE_FAILURE;
+ if (!sent)
+ *al = SSL_AD_MISSING_EXTENSION;
+ else
+ *al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
return 0;
}
int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
size_t binderoffset, const unsigned char *binderin,
- unsigned char *binderout,
- SSL_SESSION *sess, int sign)
+ unsigned char *binderout, SSL_SESSION *sess, int sign,
+ int external)
{
EVP_PKEY *mackey = NULL;
EVP_MD_CTX *mctx = NULL;
unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
- const char resumption_label[] = "resumption psk binder key";
- size_t bindersize, hashsize = EVP_MD_size(md);
+ const char resumption_label[] = "res binder";
+ const char external_label[] = "ext binder";
+ const char *label;
+ size_t bindersize, labelsize, hashsize = EVP_MD_size(md);
int ret = -1;
+ if (external) {
+ label = external_label;
+ labelsize = sizeof(external_label) - 1;
+ } else {
+ label = resumption_label;
+ labelsize = sizeof(resumption_label) - 1;
+ }
+
/* Generate the early_secret */
if (!tls13_generate_secret(s, md, NULL, sess->master_key,
sess->master_key_length,
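Review bot: `hashsize = EVP_MD_size(md)` on the rewritten declaration line stores an `int` result in a `size_t` without checking it. EVP_MD_size() can return -1 (for instance for a NULL md), which would become a very large `hashsize`. That value is later passed as the output length for the fixed-size `binderkey` buffer in the tls13_hkdf_expand call. Since the line is being touched anyway, I would read the result into an `int` and bail out before use: `int hs = EVP_MD_size(md);`, `if (hs <= 0) goto err;`, `hashsize = (size_t)hs;`. The function body continues outside this hunk.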
}
/* Generate the binder key */
- if (!tls13_hkdf_expand(s, md, s->early_secret,
- (unsigned char *)resumption_label,
- sizeof(resumption_label) - 1, hash, binderkey,
- hashsize)) {
+ if (!tls13_hkdf_expand(s, md, s->early_secret, (unsigned char *)label,
+ labelsize, hash, binderkey, hashsize)) {
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
goto err;
}