1*1dcdf01fSchristos /*
2*1dcdf01fSchristos * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3*1dcdf01fSchristos *
4*1dcdf01fSchristos * Licensed under the OpenSSL license (the "License"). You may not use
5*1dcdf01fSchristos * this file except in compliance with the License. You can obtain a copy
6*1dcdf01fSchristos * in the file LICENSE in the source distribution or at
7*1dcdf01fSchristos * https://www.openssl.org/source/license.html
8*1dcdf01fSchristos */
9*1dcdf01fSchristos
10*1dcdf01fSchristos #include <string.h>
11*1dcdf01fSchristos #include "internal/nelem.h"
12*1dcdf01fSchristos #include "internal/cryptlib.h"
13*1dcdf01fSchristos #include "../ssl_local.h"
14*1dcdf01fSchristos #include "statem_local.h"
15*1dcdf01fSchristos #include "internal/cryptlib.h"
16*1dcdf01fSchristos
17*1dcdf01fSchristos static int final_renegotiate(SSL *s, unsigned int context, int sent);
18*1dcdf01fSchristos static int init_server_name(SSL *s, unsigned int context);
19*1dcdf01fSchristos static int final_server_name(SSL *s, unsigned int context, int sent);
20*1dcdf01fSchristos #ifndef OPENSSL_NO_EC
21*1dcdf01fSchristos static int init_ec_point_formats(SSL *s, unsigned int context);
22*1dcdf01fSchristos static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
23*1dcdf01fSchristos #endif
24*1dcdf01fSchristos static int init_session_ticket(SSL *s, unsigned int context);
25*1dcdf01fSchristos #ifndef OPENSSL_NO_OCSP
26*1dcdf01fSchristos static int init_status_request(SSL *s, unsigned int context);
27*1dcdf01fSchristos #endif
28*1dcdf01fSchristos #ifndef OPENSSL_NO_NEXTPROTONEG
29*1dcdf01fSchristos static int init_npn(SSL *s, unsigned int context);
30*1dcdf01fSchristos #endif
31*1dcdf01fSchristos static int init_alpn(SSL *s, unsigned int context);
32*1dcdf01fSchristos static int final_alpn(SSL *s, unsigned int context, int sent);
33*1dcdf01fSchristos static int init_sig_algs_cert(SSL *s, unsigned int context);
34*1dcdf01fSchristos static int init_sig_algs(SSL *s, unsigned int context);
35*1dcdf01fSchristos static int init_certificate_authorities(SSL *s, unsigned int context);
36*1dcdf01fSchristos static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
37*1dcdf01fSchristos unsigned int context,
38*1dcdf01fSchristos X509 *x,
39*1dcdf01fSchristos size_t chainidx);
40*1dcdf01fSchristos static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
41*1dcdf01fSchristos unsigned int context, X509 *x,
42*1dcdf01fSchristos size_t chainidx);
43*1dcdf01fSchristos #ifndef OPENSSL_NO_SRP
44*1dcdf01fSchristos static int init_srp(SSL *s, unsigned int context);
45*1dcdf01fSchristos #endif
46*1dcdf01fSchristos static int init_etm(SSL *s, unsigned int context);
47*1dcdf01fSchristos static int init_ems(SSL *s, unsigned int context);
48*1dcdf01fSchristos static int final_ems(SSL *s, unsigned int context, int sent);
49*1dcdf01fSchristos static int init_psk_kex_modes(SSL *s, unsigned int context);
50*1dcdf01fSchristos #ifndef OPENSSL_NO_EC
51*1dcdf01fSchristos static int final_key_share(SSL *s, unsigned int context, int sent);
52*1dcdf01fSchristos #endif
53*1dcdf01fSchristos #ifndef OPENSSL_NO_SRTP
54*1dcdf01fSchristos static int init_srtp(SSL *s, unsigned int context);
55*1dcdf01fSchristos #endif
56*1dcdf01fSchristos static int final_sig_algs(SSL *s, unsigned int context, int sent);
57*1dcdf01fSchristos static int final_early_data(SSL *s, unsigned int context, int sent);
58*1dcdf01fSchristos static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
59*1dcdf01fSchristos static int init_post_handshake_auth(SSL *s, unsigned int context);
60*1dcdf01fSchristos static int final_psk(SSL *s, unsigned int context, int sent);
61*1dcdf01fSchristos
62*1dcdf01fSchristos /* Structure to define a built-in extension */
63*1dcdf01fSchristos typedef struct extensions_definition_st {
64*1dcdf01fSchristos /* The defined type for the extension */
65*1dcdf01fSchristos unsigned int type;
66*1dcdf01fSchristos /*
67*1dcdf01fSchristos * The context that this extension applies to, e.g. what messages and
68*1dcdf01fSchristos * protocol versions
69*1dcdf01fSchristos */
70*1dcdf01fSchristos unsigned int context;
71*1dcdf01fSchristos /*
72*1dcdf01fSchristos * Initialise extension before parsing. Always called for relevant contexts
73*1dcdf01fSchristos * even if extension not present
74*1dcdf01fSchristos */
75*1dcdf01fSchristos int (*init)(SSL *s, unsigned int context);
76*1dcdf01fSchristos /* Parse extension sent from client to server */
77*1dcdf01fSchristos int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
78*1dcdf01fSchristos size_t chainidx);
79*1dcdf01fSchristos /* Parse extension send from server to client */
80*1dcdf01fSchristos int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
81*1dcdf01fSchristos size_t chainidx);
82*1dcdf01fSchristos /* Construct extension sent from server to client */
83*1dcdf01fSchristos EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
84*1dcdf01fSchristos X509 *x, size_t chainidx);
85*1dcdf01fSchristos /* Construct extension sent from client to server */
86*1dcdf01fSchristos EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
87*1dcdf01fSchristos X509 *x, size_t chainidx);
88*1dcdf01fSchristos /*
89*1dcdf01fSchristos * Finalise extension after parsing. Always called where an extensions was
90*1dcdf01fSchristos * initialised even if the extension was not present. |sent| is set to 1 if
91*1dcdf01fSchristos * the extension was seen, or 0 otherwise.
92*1dcdf01fSchristos */
93*1dcdf01fSchristos int (*final)(SSL *s, unsigned int context, int sent);
94*1dcdf01fSchristos } EXTENSION_DEFINITION;
95*1dcdf01fSchristos
96*1dcdf01fSchristos /*
97*1dcdf01fSchristos * Definitions of all built-in extensions. NOTE: Changes in the number or order
98*1dcdf01fSchristos * of these extensions should be mirrored with equivalent changes to the
99*1dcdf01fSchristos * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
100*1dcdf01fSchristos * Each extension has an initialiser, a client and
101*1dcdf01fSchristos * server side parser and a finaliser. The initialiser is called (if the
102*1dcdf01fSchristos * extension is relevant to the given context) even if we did not see the
103*1dcdf01fSchristos * extension in the message that we received. The parser functions are only
104*1dcdf01fSchristos * called if we see the extension in the message. The finalisers are always
105*1dcdf01fSchristos * called if the initialiser was called.
106*1dcdf01fSchristos * There are also server and client side constructor functions which are always
107*1dcdf01fSchristos * called during message construction if the extension is relevant for the
108*1dcdf01fSchristos * given context.
109*1dcdf01fSchristos * The initialisation, parsing, finalisation and construction functions are
110*1dcdf01fSchristos * always called in the order defined in this list. Some extensions may depend
111*1dcdf01fSchristos * on others having been processed first, so the order of this list is
112*1dcdf01fSchristos * significant.
113*1dcdf01fSchristos * The extension context is defined by a series of flags which specify which
114*1dcdf01fSchristos * messages the extension is relevant to. These flags also specify whether the
115*1dcdf01fSchristos * extension is relevant to a particular protocol or protocol version.
116*1dcdf01fSchristos *
117*1dcdf01fSchristos * TODO(TLS1.3): Make sure we have a test to check the consistency of these
118*1dcdf01fSchristos *
119*1dcdf01fSchristos * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
120*1dcdf01fSchristos * the end, keep these extensions before signature_algorithm.
121*1dcdf01fSchristos */
122*1dcdf01fSchristos #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
123*1dcdf01fSchristos static const EXTENSION_DEFINITION ext_defs[] = {
124*1dcdf01fSchristos {
125*1dcdf01fSchristos TLSEXT_TYPE_renegotiate,
126*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
127*1dcdf01fSchristos | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
128*1dcdf01fSchristos NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
129*1dcdf01fSchristos tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
130*1dcdf01fSchristos final_renegotiate
131*1dcdf01fSchristos },
132*1dcdf01fSchristos {
133*1dcdf01fSchristos TLSEXT_TYPE_server_name,
134*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
135*1dcdf01fSchristos | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
136*1dcdf01fSchristos init_server_name,
137*1dcdf01fSchristos tls_parse_ctos_server_name, tls_parse_stoc_server_name,
138*1dcdf01fSchristos tls_construct_stoc_server_name, tls_construct_ctos_server_name,
139*1dcdf01fSchristos final_server_name
140*1dcdf01fSchristos },
141*1dcdf01fSchristos {
142*1dcdf01fSchristos TLSEXT_TYPE_max_fragment_length,
143*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
144*1dcdf01fSchristos | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
145*1dcdf01fSchristos NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
146*1dcdf01fSchristos tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
147*1dcdf01fSchristos final_maxfragmentlen
148*1dcdf01fSchristos },
149*1dcdf01fSchristos #ifndef OPENSSL_NO_SRP
150*1dcdf01fSchristos {
151*1dcdf01fSchristos TLSEXT_TYPE_srp,
152*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
153*1dcdf01fSchristos init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
154*1dcdf01fSchristos },
155*1dcdf01fSchristos #else
156*1dcdf01fSchristos INVALID_EXTENSION,
157*1dcdf01fSchristos #endif
158*1dcdf01fSchristos #ifndef OPENSSL_NO_EC
159*1dcdf01fSchristos {
160*1dcdf01fSchristos TLSEXT_TYPE_ec_point_formats,
161*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
162*1dcdf01fSchristos | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
163*1dcdf01fSchristos init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
164*1dcdf01fSchristos tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
165*1dcdf01fSchristos final_ec_pt_formats
166*1dcdf01fSchristos },
167*1dcdf01fSchristos {
168*1dcdf01fSchristos /*
169*1dcdf01fSchristos * "supported_groups" is spread across several specifications.
170*1dcdf01fSchristos * It was originally specified as "elliptic_curves" in RFC 4492,
171*1dcdf01fSchristos * and broadened to include named FFDH groups by RFC 7919.
172*1dcdf01fSchristos * Both RFCs 4492 and 7919 do not include a provision for the server
173*1dcdf01fSchristos * to indicate to the client the complete list of groups supported
174*1dcdf01fSchristos * by the server, with the server instead just indicating the
175*1dcdf01fSchristos * selected group for this connection in the ServerKeyExchange
176*1dcdf01fSchristos * message. TLS 1.3 adds a scheme for the server to indicate
177*1dcdf01fSchristos * to the client its list of supported groups in the
178*1dcdf01fSchristos * EncryptedExtensions message, but none of the relevant
179*1dcdf01fSchristos * specifications permit sending supported_groups in the ServerHello.
180*1dcdf01fSchristos * Nonetheless (possibly due to the close proximity to the
181*1dcdf01fSchristos * "ec_point_formats" extension, which is allowed in the ServerHello),
182*1dcdf01fSchristos * there are several servers that send this extension in the
183*1dcdf01fSchristos * ServerHello anyway. Up to and including the 1.1.0 release,
184*1dcdf01fSchristos * we did not check for the presence of nonpermitted extensions,
185*1dcdf01fSchristos * so to avoid a regression, we must permit this extension in the
186*1dcdf01fSchristos * TLS 1.2 ServerHello as well.
187*1dcdf01fSchristos *
188*1dcdf01fSchristos * Note that there is no tls_parse_stoc_supported_groups function,
189*1dcdf01fSchristos * so we do not perform any additional parsing, validation, or
190*1dcdf01fSchristos * processing on the server's group list -- this is just a minimal
191*1dcdf01fSchristos * change to preserve compatibility with these misbehaving servers.
192*1dcdf01fSchristos */
193*1dcdf01fSchristos TLSEXT_TYPE_supported_groups,
194*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
195*1dcdf01fSchristos | SSL_EXT_TLS1_2_SERVER_HELLO,
196*1dcdf01fSchristos NULL, tls_parse_ctos_supported_groups, NULL,
197*1dcdf01fSchristos tls_construct_stoc_supported_groups,
198*1dcdf01fSchristos tls_construct_ctos_supported_groups, NULL
199*1dcdf01fSchristos },
200*1dcdf01fSchristos #else
201*1dcdf01fSchristos INVALID_EXTENSION,
202*1dcdf01fSchristos INVALID_EXTENSION,
203*1dcdf01fSchristos #endif
204*1dcdf01fSchristos {
205*1dcdf01fSchristos TLSEXT_TYPE_session_ticket,
206*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
207*1dcdf01fSchristos | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
208*1dcdf01fSchristos init_session_ticket, tls_parse_ctos_session_ticket,
209*1dcdf01fSchristos tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
210*1dcdf01fSchristos tls_construct_ctos_session_ticket, NULL
211*1dcdf01fSchristos },
212*1dcdf01fSchristos #ifndef OPENSSL_NO_OCSP
213*1dcdf01fSchristos {
214*1dcdf01fSchristos TLSEXT_TYPE_status_request,
215*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
216*1dcdf01fSchristos | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
217*1dcdf01fSchristos init_status_request, tls_parse_ctos_status_request,
218*1dcdf01fSchristos tls_parse_stoc_status_request, tls_construct_stoc_status_request,
219*1dcdf01fSchristos tls_construct_ctos_status_request, NULL
220*1dcdf01fSchristos },
221*1dcdf01fSchristos #else
222*1dcdf01fSchristos INVALID_EXTENSION,
223*1dcdf01fSchristos #endif
224*1dcdf01fSchristos #ifndef OPENSSL_NO_NEXTPROTONEG
225*1dcdf01fSchristos {
226*1dcdf01fSchristos TLSEXT_TYPE_next_proto_neg,
227*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
228*1dcdf01fSchristos | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
229*1dcdf01fSchristos init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
230*1dcdf01fSchristos tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
231*1dcdf01fSchristos },
232*1dcdf01fSchristos #else
233*1dcdf01fSchristos INVALID_EXTENSION,
234*1dcdf01fSchristos #endif
235*1dcdf01fSchristos {
236*1dcdf01fSchristos /*
237*1dcdf01fSchristos * Must appear in this list after server_name so that finalisation
238*1dcdf01fSchristos * happens after server_name callbacks
239*1dcdf01fSchristos */
240*1dcdf01fSchristos TLSEXT_TYPE_application_layer_protocol_negotiation,
241*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
242*1dcdf01fSchristos | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
243*1dcdf01fSchristos init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
244*1dcdf01fSchristos tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
245*1dcdf01fSchristos },
246*1dcdf01fSchristos #ifndef OPENSSL_NO_SRTP
247*1dcdf01fSchristos {
248*1dcdf01fSchristos TLSEXT_TYPE_use_srtp,
249*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
250*1dcdf01fSchristos | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
251*1dcdf01fSchristos init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
252*1dcdf01fSchristos tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
253*1dcdf01fSchristos },
254*1dcdf01fSchristos #else
255*1dcdf01fSchristos INVALID_EXTENSION,
256*1dcdf01fSchristos #endif
257*1dcdf01fSchristos {
258*1dcdf01fSchristos TLSEXT_TYPE_encrypt_then_mac,
259*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
260*1dcdf01fSchristos | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
261*1dcdf01fSchristos init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
262*1dcdf01fSchristos tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
263*1dcdf01fSchristos },
264*1dcdf01fSchristos #ifndef OPENSSL_NO_CT
265*1dcdf01fSchristos {
266*1dcdf01fSchristos TLSEXT_TYPE_signed_certificate_timestamp,
267*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
268*1dcdf01fSchristos | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
269*1dcdf01fSchristos NULL,
270*1dcdf01fSchristos /*
271*1dcdf01fSchristos * No server side support for this, but can be provided by a custom
272*1dcdf01fSchristos * extension. This is an exception to the rule that custom extensions
273*1dcdf01fSchristos * cannot override built in ones.
274*1dcdf01fSchristos */
275*1dcdf01fSchristos NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL
276*1dcdf01fSchristos },
277*1dcdf01fSchristos #else
278*1dcdf01fSchristos INVALID_EXTENSION,
279*1dcdf01fSchristos #endif
280*1dcdf01fSchristos {
281*1dcdf01fSchristos TLSEXT_TYPE_extended_master_secret,
282*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
283*1dcdf01fSchristos | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
284*1dcdf01fSchristos init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
285*1dcdf01fSchristos tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
286*1dcdf01fSchristos },
287*1dcdf01fSchristos {
288*1dcdf01fSchristos TLSEXT_TYPE_signature_algorithms_cert,
289*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
290*1dcdf01fSchristos init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
291*1dcdf01fSchristos tls_parse_ctos_sig_algs_cert,
292*1dcdf01fSchristos /* We do not generate signature_algorithms_cert at present. */
293*1dcdf01fSchristos NULL, NULL, NULL
294*1dcdf01fSchristos },
295*1dcdf01fSchristos {
296*1dcdf01fSchristos TLSEXT_TYPE_post_handshake_auth,
297*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
298*1dcdf01fSchristos init_post_handshake_auth,
299*1dcdf01fSchristos tls_parse_ctos_post_handshake_auth, NULL,
300*1dcdf01fSchristos NULL, tls_construct_ctos_post_handshake_auth,
301*1dcdf01fSchristos NULL,
302*1dcdf01fSchristos },
303*1dcdf01fSchristos {
304*1dcdf01fSchristos TLSEXT_TYPE_signature_algorithms,
305*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
306*1dcdf01fSchristos init_sig_algs, tls_parse_ctos_sig_algs,
307*1dcdf01fSchristos tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
308*1dcdf01fSchristos tls_construct_ctos_sig_algs, final_sig_algs
309*1dcdf01fSchristos },
310*1dcdf01fSchristos {
311*1dcdf01fSchristos TLSEXT_TYPE_supported_versions,
312*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
313*1dcdf01fSchristos | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
314*1dcdf01fSchristos NULL,
315*1dcdf01fSchristos /* Processed inline as part of version selection */
316*1dcdf01fSchristos NULL, tls_parse_stoc_supported_versions,
317*1dcdf01fSchristos tls_construct_stoc_supported_versions,
318*1dcdf01fSchristos tls_construct_ctos_supported_versions, NULL
319*1dcdf01fSchristos },
320*1dcdf01fSchristos {
321*1dcdf01fSchristos TLSEXT_TYPE_psk_kex_modes,
322*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
323*1dcdf01fSchristos | SSL_EXT_TLS1_3_ONLY,
324*1dcdf01fSchristos init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
325*1dcdf01fSchristos tls_construct_ctos_psk_kex_modes, NULL
326*1dcdf01fSchristos },
327*1dcdf01fSchristos #ifndef OPENSSL_NO_EC
328*1dcdf01fSchristos {
329*1dcdf01fSchristos /*
330*1dcdf01fSchristos * Must be in this list after supported_groups. We need that to have
331*1dcdf01fSchristos * been parsed before we do this one.
332*1dcdf01fSchristos */
333*1dcdf01fSchristos TLSEXT_TYPE_key_share,
334*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
335*1dcdf01fSchristos | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
336*1dcdf01fSchristos | SSL_EXT_TLS1_3_ONLY,
337*1dcdf01fSchristos NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
338*1dcdf01fSchristos tls_construct_stoc_key_share, tls_construct_ctos_key_share,
339*1dcdf01fSchristos final_key_share
340*1dcdf01fSchristos },
341*1dcdf01fSchristos #else
342*1dcdf01fSchristos INVALID_EXTENSION,
343*1dcdf01fSchristos #endif
344*1dcdf01fSchristos {
345*1dcdf01fSchristos /* Must be after key_share */
346*1dcdf01fSchristos TLSEXT_TYPE_cookie,
347*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
348*1dcdf01fSchristos | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
349*1dcdf01fSchristos NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
350*1dcdf01fSchristos tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
351*1dcdf01fSchristos },
352*1dcdf01fSchristos {
353*1dcdf01fSchristos /*
354*1dcdf01fSchristos * Special unsolicited ServerHello extension only used when
355*1dcdf01fSchristos * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
356*1dcdf01fSchristos * ignore it.
357*1dcdf01fSchristos */
358*1dcdf01fSchristos TLSEXT_TYPE_cryptopro_bug,
359*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
360*1dcdf01fSchristos | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
361*1dcdf01fSchristos NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
362*1dcdf01fSchristos },
363*1dcdf01fSchristos {
364*1dcdf01fSchristos TLSEXT_TYPE_early_data,
365*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
366*1dcdf01fSchristos | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
367*1dcdf01fSchristos NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
368*1dcdf01fSchristos tls_construct_stoc_early_data, tls_construct_ctos_early_data,
369*1dcdf01fSchristos final_early_data
370*1dcdf01fSchristos },
371*1dcdf01fSchristos {
372*1dcdf01fSchristos TLSEXT_TYPE_certificate_authorities,
373*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
374*1dcdf01fSchristos | SSL_EXT_TLS1_3_ONLY,
375*1dcdf01fSchristos init_certificate_authorities,
376*1dcdf01fSchristos tls_parse_certificate_authorities, tls_parse_certificate_authorities,
377*1dcdf01fSchristos tls_construct_certificate_authorities,
378*1dcdf01fSchristos tls_construct_certificate_authorities, NULL,
379*1dcdf01fSchristos },
380*1dcdf01fSchristos {
381*1dcdf01fSchristos /* Must be immediately before pre_shared_key */
382*1dcdf01fSchristos TLSEXT_TYPE_padding,
383*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO,
384*1dcdf01fSchristos NULL,
385*1dcdf01fSchristos /* We send this, but don't read it */
386*1dcdf01fSchristos NULL, NULL, NULL, tls_construct_ctos_padding, NULL
387*1dcdf01fSchristos },
388*1dcdf01fSchristos {
389*1dcdf01fSchristos /* Required by the TLSv1.3 spec to always be the last extension */
390*1dcdf01fSchristos TLSEXT_TYPE_psk,
391*1dcdf01fSchristos SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
392*1dcdf01fSchristos | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
393*1dcdf01fSchristos NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
394*1dcdf01fSchristos tls_construct_ctos_psk, final_psk
395*1dcdf01fSchristos }
396*1dcdf01fSchristos };
397*1dcdf01fSchristos
398*1dcdf01fSchristos /* Check whether an extension's context matches the current context */
validate_context(SSL * s,unsigned int extctx,unsigned int thisctx)399*1dcdf01fSchristos static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
400*1dcdf01fSchristos {
401*1dcdf01fSchristos /* Check we're allowed to use this extension in this context */
402*1dcdf01fSchristos if ((thisctx & extctx) == 0)
403*1dcdf01fSchristos return 0;
404*1dcdf01fSchristos
405*1dcdf01fSchristos if (SSL_IS_DTLS(s)) {
406*1dcdf01fSchristos if ((extctx & SSL_EXT_TLS_ONLY) != 0)
407*1dcdf01fSchristos return 0;
408*1dcdf01fSchristos } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
409*1dcdf01fSchristos return 0;
410*1dcdf01fSchristos }
411*1dcdf01fSchristos
412*1dcdf01fSchristos return 1;
413*1dcdf01fSchristos }
414*1dcdf01fSchristos
tls_validate_all_contexts(SSL * s,unsigned int thisctx,RAW_EXTENSION * exts)415*1dcdf01fSchristos int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
416*1dcdf01fSchristos {
417*1dcdf01fSchristos size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
418*1dcdf01fSchristos RAW_EXTENSION *thisext;
419*1dcdf01fSchristos unsigned int context;
420*1dcdf01fSchristos ENDPOINT role = ENDPOINT_BOTH;
421*1dcdf01fSchristos
422*1dcdf01fSchristos if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
423*1dcdf01fSchristos role = ENDPOINT_SERVER;
424*1dcdf01fSchristos else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
425*1dcdf01fSchristos role = ENDPOINT_CLIENT;
426*1dcdf01fSchristos
427*1dcdf01fSchristos /* Calculate the number of extensions in the extensions list */
428*1dcdf01fSchristos num_exts = builtin_num + s->cert->custext.meths_count;
429*1dcdf01fSchristos
430*1dcdf01fSchristos for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
431*1dcdf01fSchristos if (!thisext->present)
432*1dcdf01fSchristos continue;
433*1dcdf01fSchristos
434*1dcdf01fSchristos if (i < builtin_num) {
435*1dcdf01fSchristos context = ext_defs[i].context;
436*1dcdf01fSchristos } else {
437*1dcdf01fSchristos custom_ext_method *meth = NULL;
438*1dcdf01fSchristos
439*1dcdf01fSchristos meth = custom_ext_find(&s->cert->custext, role, thisext->type,
440*1dcdf01fSchristos &offset);
441*1dcdf01fSchristos if (!ossl_assert(meth != NULL))
442*1dcdf01fSchristos return 0;
443*1dcdf01fSchristos context = meth->context;
444*1dcdf01fSchristos }
445*1dcdf01fSchristos
446*1dcdf01fSchristos if (!validate_context(s, context, thisctx))
447*1dcdf01fSchristos return 0;
448*1dcdf01fSchristos }
449*1dcdf01fSchristos
450*1dcdf01fSchristos return 1;
451*1dcdf01fSchristos }
452*1dcdf01fSchristos
453*1dcdf01fSchristos /*
454*1dcdf01fSchristos * Verify whether we are allowed to use the extension |type| in the current
455*1dcdf01fSchristos * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
456*1dcdf01fSchristos * indicate the extension is not allowed. If returning 1 then |*found| is set to
457*1dcdf01fSchristos * the definition for the extension we found.
458*1dcdf01fSchristos */
verify_extension(SSL * s,unsigned int context,unsigned int type,custom_ext_methods * meths,RAW_EXTENSION * rawexlist,RAW_EXTENSION ** found)459*1dcdf01fSchristos static int verify_extension(SSL *s, unsigned int context, unsigned int type,
460*1dcdf01fSchristos custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
461*1dcdf01fSchristos RAW_EXTENSION **found)
462*1dcdf01fSchristos {
463*1dcdf01fSchristos size_t i;
464*1dcdf01fSchristos size_t builtin_num = OSSL_NELEM(ext_defs);
465*1dcdf01fSchristos const EXTENSION_DEFINITION *thisext;
466*1dcdf01fSchristos
467*1dcdf01fSchristos for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
468*1dcdf01fSchristos if (type == thisext->type) {
469*1dcdf01fSchristos if (!validate_context(s, thisext->context, context))
470*1dcdf01fSchristos return 0;
471*1dcdf01fSchristos
472*1dcdf01fSchristos *found = &rawexlist[i];
473*1dcdf01fSchristos return 1;
474*1dcdf01fSchristos }
475*1dcdf01fSchristos }
476*1dcdf01fSchristos
477*1dcdf01fSchristos /* Check the custom extensions */
478*1dcdf01fSchristos if (meths != NULL) {
479*1dcdf01fSchristos size_t offset = 0;
480*1dcdf01fSchristos ENDPOINT role = ENDPOINT_BOTH;
481*1dcdf01fSchristos custom_ext_method *meth = NULL;
482*1dcdf01fSchristos
483*1dcdf01fSchristos if ((context & SSL_EXT_CLIENT_HELLO) != 0)
484*1dcdf01fSchristos role = ENDPOINT_SERVER;
485*1dcdf01fSchristos else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
486*1dcdf01fSchristos role = ENDPOINT_CLIENT;
487*1dcdf01fSchristos
488*1dcdf01fSchristos meth = custom_ext_find(meths, role, type, &offset);
489*1dcdf01fSchristos if (meth != NULL) {
490*1dcdf01fSchristos if (!validate_context(s, meth->context, context))
491*1dcdf01fSchristos return 0;
492*1dcdf01fSchristos *found = &rawexlist[offset + builtin_num];
493*1dcdf01fSchristos return 1;
494*1dcdf01fSchristos }
495*1dcdf01fSchristos }
496*1dcdf01fSchristos
497*1dcdf01fSchristos /* Unknown extension. We allow it */
498*1dcdf01fSchristos *found = NULL;
499*1dcdf01fSchristos return 1;
500*1dcdf01fSchristos }
501*1dcdf01fSchristos
502*1dcdf01fSchristos /*
503*1dcdf01fSchristos * Check whether the context defined for an extension |extctx| means whether
504*1dcdf01fSchristos * the extension is relevant for the current context |thisctx| or not. Returns
505*1dcdf01fSchristos * 1 if the extension is relevant for this context, and 0 otherwise
506*1dcdf01fSchristos */
extension_is_relevant(SSL * s,unsigned int extctx,unsigned int thisctx)507*1dcdf01fSchristos int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
508*1dcdf01fSchristos {
509*1dcdf01fSchristos int is_tls13;
510*1dcdf01fSchristos
511*1dcdf01fSchristos /*
512*1dcdf01fSchristos * For HRR we haven't selected the version yet but we know it will be
513*1dcdf01fSchristos * TLSv1.3
514*1dcdf01fSchristos */
515*1dcdf01fSchristos if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
516*1dcdf01fSchristos is_tls13 = 1;
517*1dcdf01fSchristos else
518*1dcdf01fSchristos is_tls13 = SSL_IS_TLS13(s);
519*1dcdf01fSchristos
520*1dcdf01fSchristos if ((SSL_IS_DTLS(s)
521*1dcdf01fSchristos && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
522*1dcdf01fSchristos || (s->version == SSL3_VERSION
523*1dcdf01fSchristos && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
524*1dcdf01fSchristos /*
525*1dcdf01fSchristos * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
526*1dcdf01fSchristos * which is never true when generating the ClientHello.
527*1dcdf01fSchristos * However, version negotiation *has* occurred by the time the
528*1dcdf01fSchristos * ClientHello extensions are being parsed.
529*1dcdf01fSchristos * Be careful to allow TLS 1.3-only extensions when generating
530*1dcdf01fSchristos * the ClientHello.
531*1dcdf01fSchristos */
532*1dcdf01fSchristos || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
533*1dcdf01fSchristos || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
534*1dcdf01fSchristos && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
535*1dcdf01fSchristos || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
536*1dcdf01fSchristos || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
537*1dcdf01fSchristos return 0;
538*1dcdf01fSchristos return 1;
539*1dcdf01fSchristos }
540*1dcdf01fSchristos
541*1dcdf01fSchristos /*
542*1dcdf01fSchristos * Gather a list of all the extensions from the data in |packet]. |context|
543*1dcdf01fSchristos * tells us which message this extension is for. The raw extension data is
544*1dcdf01fSchristos * stored in |*res| on success. We don't actually process the content of the
545*1dcdf01fSchristos * extensions yet, except to check their types. This function also runs the
546*1dcdf01fSchristos * initialiser functions for all known extensions if |init| is nonzero (whether
547*1dcdf01fSchristos * we have collected them or not). If successful the caller is responsible for
548*1dcdf01fSchristos * freeing the contents of |*res|.
549*1dcdf01fSchristos *
550*1dcdf01fSchristos * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
551*1dcdf01fSchristos * more than one extension of the same type in a ClientHello or ServerHello.
552*1dcdf01fSchristos * This function returns 1 if all extensions are unique and we have parsed their
553*1dcdf01fSchristos * types, and 0 if the extensions contain duplicates, could not be successfully
554*1dcdf01fSchristos * found, or an internal error occurred. We only check duplicates for
555*1dcdf01fSchristos * extensions that we know about. We ignore others.
556*1dcdf01fSchristos */
tls_collect_extensions(SSL * s,PACKET * packet,unsigned int context,RAW_EXTENSION ** res,size_t * len,int init)557*1dcdf01fSchristos int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
558*1dcdf01fSchristos RAW_EXTENSION **res, size_t *len, int init)
559*1dcdf01fSchristos {
560*1dcdf01fSchristos PACKET extensions = *packet;
561*1dcdf01fSchristos size_t i = 0;
562*1dcdf01fSchristos size_t num_exts;
563*1dcdf01fSchristos custom_ext_methods *exts = &s->cert->custext;
564*1dcdf01fSchristos RAW_EXTENSION *raw_extensions = NULL;
565*1dcdf01fSchristos const EXTENSION_DEFINITION *thisexd;
566*1dcdf01fSchristos
567*1dcdf01fSchristos *res = NULL;
568*1dcdf01fSchristos
569*1dcdf01fSchristos /*
570*1dcdf01fSchristos * Initialise server side custom extensions. Client side is done during
571*1dcdf01fSchristos * construction of extensions for the ClientHello.
572*1dcdf01fSchristos */
573*1dcdf01fSchristos if ((context & SSL_EXT_CLIENT_HELLO) != 0)
574*1dcdf01fSchristos custom_ext_init(&s->cert->custext);
575*1dcdf01fSchristos
576*1dcdf01fSchristos num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
577*1dcdf01fSchristos raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
578*1dcdf01fSchristos if (raw_extensions == NULL) {
579*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
580*1dcdf01fSchristos ERR_R_MALLOC_FAILURE);
581*1dcdf01fSchristos return 0;
582*1dcdf01fSchristos }
583*1dcdf01fSchristos
584*1dcdf01fSchristos i = 0;
585*1dcdf01fSchristos while (PACKET_remaining(&extensions) > 0) {
586*1dcdf01fSchristos unsigned int type, idx;
587*1dcdf01fSchristos PACKET extension;
588*1dcdf01fSchristos RAW_EXTENSION *thisex;
589*1dcdf01fSchristos
590*1dcdf01fSchristos if (!PACKET_get_net_2(&extensions, &type) ||
591*1dcdf01fSchristos !PACKET_get_length_prefixed_2(&extensions, &extension)) {
592*1dcdf01fSchristos SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
593*1dcdf01fSchristos SSL_R_BAD_EXTENSION);
594*1dcdf01fSchristos goto err;
595*1dcdf01fSchristos }
596*1dcdf01fSchristos /*
597*1dcdf01fSchristos * Verify this extension is allowed. We only check duplicates for
598*1dcdf01fSchristos * extensions that we recognise. We also have a special case for the
599*1dcdf01fSchristos * PSK extension, which must be the last one in the ClientHello.
600*1dcdf01fSchristos */
601*1dcdf01fSchristos if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
602*1dcdf01fSchristos || (thisex != NULL && thisex->present == 1)
603*1dcdf01fSchristos || (type == TLSEXT_TYPE_psk
604*1dcdf01fSchristos && (context & SSL_EXT_CLIENT_HELLO) != 0
605*1dcdf01fSchristos && PACKET_remaining(&extensions) != 0)) {
606*1dcdf01fSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
607*1dcdf01fSchristos SSL_R_BAD_EXTENSION);
608*1dcdf01fSchristos goto err;
609*1dcdf01fSchristos }
610*1dcdf01fSchristos idx = thisex - raw_extensions;
611*1dcdf01fSchristos /*-
612*1dcdf01fSchristos * Check that we requested this extension (if appropriate). Requests can
613*1dcdf01fSchristos * be sent in the ClientHello and CertificateRequest. Unsolicited
614*1dcdf01fSchristos * extensions can be sent in the NewSessionTicket. We only do this for
615*1dcdf01fSchristos * the built-in extensions. Custom extensions have a different but
616*1dcdf01fSchristos * similar check elsewhere.
617*1dcdf01fSchristos * Special cases:
618*1dcdf01fSchristos * - The HRR cookie extension is unsolicited
619*1dcdf01fSchristos * - The renegotiate extension is unsolicited (the client signals
620*1dcdf01fSchristos * support via an SCSV)
621*1dcdf01fSchristos * - The signed_certificate_timestamp extension can be provided by a
622*1dcdf01fSchristos * custom extension or by the built-in version. We let the extension
623*1dcdf01fSchristos * itself handle unsolicited response checks.
624*1dcdf01fSchristos */
625*1dcdf01fSchristos if (idx < OSSL_NELEM(ext_defs)
626*1dcdf01fSchristos && (context & (SSL_EXT_CLIENT_HELLO
627*1dcdf01fSchristos | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
628*1dcdf01fSchristos | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
629*1dcdf01fSchristos && type != TLSEXT_TYPE_cookie
630*1dcdf01fSchristos && type != TLSEXT_TYPE_renegotiate
631*1dcdf01fSchristos && type != TLSEXT_TYPE_signed_certificate_timestamp
632*1dcdf01fSchristos && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
633*1dcdf01fSchristos #ifndef OPENSSL_NO_GOST
634*1dcdf01fSchristos && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
635*1dcdf01fSchristos && type == TLSEXT_TYPE_cryptopro_bug)
636*1dcdf01fSchristos #endif
637*1dcdf01fSchristos ) {
638*1dcdf01fSchristos SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
639*1dcdf01fSchristos SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
640*1dcdf01fSchristos goto err;
641*1dcdf01fSchristos }
642*1dcdf01fSchristos if (thisex != NULL) {
643*1dcdf01fSchristos thisex->data = extension;
644*1dcdf01fSchristos thisex->present = 1;
645*1dcdf01fSchristos thisex->type = type;
646*1dcdf01fSchristos thisex->received_order = i++;
647*1dcdf01fSchristos if (s->ext.debug_cb)
648*1dcdf01fSchristos s->ext.debug_cb(s, !s->server, thisex->type,
649*1dcdf01fSchristos PACKET_data(&thisex->data),
650*1dcdf01fSchristos PACKET_remaining(&thisex->data),
651*1dcdf01fSchristos s->ext.debug_arg);
652*1dcdf01fSchristos }
653*1dcdf01fSchristos }
654*1dcdf01fSchristos
655*1dcdf01fSchristos if (init) {
656*1dcdf01fSchristos /*
657*1dcdf01fSchristos * Initialise all known extensions relevant to this context,
658*1dcdf01fSchristos * whether we have found them or not
659*1dcdf01fSchristos */
660*1dcdf01fSchristos for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
661*1dcdf01fSchristos i++, thisexd++) {
662*1dcdf01fSchristos if (thisexd->init != NULL && (thisexd->context & context) != 0
663*1dcdf01fSchristos && extension_is_relevant(s, thisexd->context, context)
664*1dcdf01fSchristos && !thisexd->init(s, context)) {
665*1dcdf01fSchristos /* SSLfatal() already called */
666*1dcdf01fSchristos goto err;
667*1dcdf01fSchristos }
668*1dcdf01fSchristos }
669*1dcdf01fSchristos }
670*1dcdf01fSchristos
671*1dcdf01fSchristos *res = raw_extensions;
672*1dcdf01fSchristos if (len != NULL)
673*1dcdf01fSchristos *len = num_exts;
674*1dcdf01fSchristos return 1;
675*1dcdf01fSchristos
676*1dcdf01fSchristos err:
677*1dcdf01fSchristos OPENSSL_free(raw_extensions);
678*1dcdf01fSchristos return 0;
679*1dcdf01fSchristos }
680*1dcdf01fSchristos
681*1dcdf01fSchristos /*
682*1dcdf01fSchristos * Runs the parser for a given extension with index |idx|. |exts| contains the
683*1dcdf01fSchristos * list of all parsed extensions previously collected by
684*1dcdf01fSchristos * tls_collect_extensions(). The parser is only run if it is applicable for the
685*1dcdf01fSchristos * given |context| and the parser has not already been run. If this is for a
686*1dcdf01fSchristos * Certificate message, then we also provide the parser with the relevant
687*1dcdf01fSchristos * Certificate |x| and its position in the |chainidx| with 0 being the first
688*1dcdf01fSchristos * Certificate. Returns 1 on success or 0 on failure. If an extension is not
689*1dcdf01fSchristos * present this counted as success.
690*1dcdf01fSchristos */
tls_parse_extension(SSL * s,TLSEXT_INDEX idx,int context,RAW_EXTENSION * exts,X509 * x,size_t chainidx)691*1dcdf01fSchristos int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
692*1dcdf01fSchristos RAW_EXTENSION *exts, X509 *x, size_t chainidx)
693*1dcdf01fSchristos {
694*1dcdf01fSchristos RAW_EXTENSION *currext = &exts[idx];
695*1dcdf01fSchristos int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
696*1dcdf01fSchristos size_t chainidx) = NULL;
697*1dcdf01fSchristos
698*1dcdf01fSchristos /* Skip if the extension is not present */
699*1dcdf01fSchristos if (!currext->present)
700*1dcdf01fSchristos return 1;
701*1dcdf01fSchristos
702*1dcdf01fSchristos /* Skip if we've already parsed this extension */
703*1dcdf01fSchristos if (currext->parsed)
704*1dcdf01fSchristos return 1;
705*1dcdf01fSchristos
706*1dcdf01fSchristos currext->parsed = 1;
707*1dcdf01fSchristos
708*1dcdf01fSchristos if (idx < OSSL_NELEM(ext_defs)) {
709*1dcdf01fSchristos /* We are handling a built-in extension */
710*1dcdf01fSchristos const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
711*1dcdf01fSchristos
712*1dcdf01fSchristos /* Check if extension is defined for our protocol. If not, skip */
713*1dcdf01fSchristos if (!extension_is_relevant(s, extdef->context, context))
714*1dcdf01fSchristos return 1;
715*1dcdf01fSchristos
716*1dcdf01fSchristos parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
717*1dcdf01fSchristos
718*1dcdf01fSchristos if (parser != NULL)
719*1dcdf01fSchristos return parser(s, &currext->data, context, x, chainidx);
720*1dcdf01fSchristos
721*1dcdf01fSchristos /*
722*1dcdf01fSchristos * If the parser is NULL we fall through to the custom extension
723*1dcdf01fSchristos * processing
724*1dcdf01fSchristos */
725*1dcdf01fSchristos }
726*1dcdf01fSchristos
727*1dcdf01fSchristos /* Parse custom extensions */
728*1dcdf01fSchristos return custom_ext_parse(s, context, currext->type,
729*1dcdf01fSchristos PACKET_data(&currext->data),
730*1dcdf01fSchristos PACKET_remaining(&currext->data),
731*1dcdf01fSchristos x, chainidx);
732*1dcdf01fSchristos }
733*1dcdf01fSchristos
734*1dcdf01fSchristos /*
735*1dcdf01fSchristos * Parse all remaining extensions that have not yet been parsed. Also calls the
736*1dcdf01fSchristos * finalisation for all extensions at the end if |fin| is nonzero, whether we
737*1dcdf01fSchristos * collected them or not. Returns 1 for success or 0 for failure. If we are
738*1dcdf01fSchristos * working on a Certificate message then we also pass the Certificate |x| and
739*1dcdf01fSchristos * its position in the |chainidx|, with 0 being the first certificate.
740*1dcdf01fSchristos */
tls_parse_all_extensions(SSL * s,int context,RAW_EXTENSION * exts,X509 * x,size_t chainidx,int fin)741*1dcdf01fSchristos int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
742*1dcdf01fSchristos size_t chainidx, int fin)
743*1dcdf01fSchristos {
744*1dcdf01fSchristos size_t i, numexts = OSSL_NELEM(ext_defs);
745*1dcdf01fSchristos const EXTENSION_DEFINITION *thisexd;
746*1dcdf01fSchristos
747*1dcdf01fSchristos /* Calculate the number of extensions in the extensions list */
748*1dcdf01fSchristos numexts += s->cert->custext.meths_count;
749*1dcdf01fSchristos
750*1dcdf01fSchristos /* Parse each extension in turn */
751*1dcdf01fSchristos for (i = 0; i < numexts; i++) {
752*1dcdf01fSchristos if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
753*1dcdf01fSchristos /* SSLfatal() already called */
754*1dcdf01fSchristos return 0;
755*1dcdf01fSchristos }
756*1dcdf01fSchristos }
757*1dcdf01fSchristos
758*1dcdf01fSchristos if (fin) {
759*1dcdf01fSchristos /*
760*1dcdf01fSchristos * Finalise all known extensions relevant to this context,
761*1dcdf01fSchristos * whether we have found them or not
762*1dcdf01fSchristos */
763*1dcdf01fSchristos for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
764*1dcdf01fSchristos i++, thisexd++) {
765*1dcdf01fSchristos if (thisexd->final != NULL && (thisexd->context & context) != 0
766*1dcdf01fSchristos && !thisexd->final(s, context, exts[i].present)) {
767*1dcdf01fSchristos /* SSLfatal() already called */
768*1dcdf01fSchristos return 0;
769*1dcdf01fSchristos }
770*1dcdf01fSchristos }
771*1dcdf01fSchristos }
772*1dcdf01fSchristos
773*1dcdf01fSchristos return 1;
774*1dcdf01fSchristos }
775*1dcdf01fSchristos
should_add_extension(SSL * s,unsigned int extctx,unsigned int thisctx,int max_version)776*1dcdf01fSchristos int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
777*1dcdf01fSchristos int max_version)
778*1dcdf01fSchristos {
779*1dcdf01fSchristos /* Skip if not relevant for our context */
780*1dcdf01fSchristos if ((extctx & thisctx) == 0)
781*1dcdf01fSchristos return 0;
782*1dcdf01fSchristos
783*1dcdf01fSchristos /* Check if this extension is defined for our protocol. If not, skip */
784*1dcdf01fSchristos if (!extension_is_relevant(s, extctx, thisctx)
785*1dcdf01fSchristos || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
786*1dcdf01fSchristos && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
787*1dcdf01fSchristos && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
788*1dcdf01fSchristos return 0;
789*1dcdf01fSchristos
790*1dcdf01fSchristos return 1;
791*1dcdf01fSchristos }
792*1dcdf01fSchristos
793*1dcdf01fSchristos /*
794*1dcdf01fSchristos * Construct all the extensions relevant to the current |context| and write
795*1dcdf01fSchristos * them to |pkt|. If this is an extension for a Certificate in a Certificate
796*1dcdf01fSchristos * message, then |x| will be set to the Certificate we are handling, and
797*1dcdf01fSchristos * |chainidx| will indicate the position in the chainidx we are processing (with
798*1dcdf01fSchristos * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
799*1dcdf01fSchristos * failure construction stops at the first extension to fail to construct.
800*1dcdf01fSchristos */
tls_construct_extensions(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)801*1dcdf01fSchristos int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
802*1dcdf01fSchristos X509 *x, size_t chainidx)
803*1dcdf01fSchristos {
804*1dcdf01fSchristos size_t i;
805*1dcdf01fSchristos int min_version, max_version = 0, reason;
806*1dcdf01fSchristos const EXTENSION_DEFINITION *thisexd;
807*1dcdf01fSchristos
808*1dcdf01fSchristos if (!WPACKET_start_sub_packet_u16(pkt)
809*1dcdf01fSchristos /*
810*1dcdf01fSchristos * If extensions are of zero length then we don't even add the
811*1dcdf01fSchristos * extensions length bytes to a ClientHello/ServerHello
812*1dcdf01fSchristos * (for non-TLSv1.3).
813*1dcdf01fSchristos */
814*1dcdf01fSchristos || ((context &
815*1dcdf01fSchristos (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
816*1dcdf01fSchristos && !WPACKET_set_flags(pkt,
817*1dcdf01fSchristos WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
818*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
819*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
820*1dcdf01fSchristos return 0;
821*1dcdf01fSchristos }
822*1dcdf01fSchristos
823*1dcdf01fSchristos if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
824*1dcdf01fSchristos reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
825*1dcdf01fSchristos if (reason != 0) {
826*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
827*1dcdf01fSchristos reason);
828*1dcdf01fSchristos return 0;
829*1dcdf01fSchristos }
830*1dcdf01fSchristos }
831*1dcdf01fSchristos
832*1dcdf01fSchristos /* Add custom extensions first */
833*1dcdf01fSchristos if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
834*1dcdf01fSchristos /* On the server side with initialise during ClientHello parsing */
835*1dcdf01fSchristos custom_ext_init(&s->cert->custext);
836*1dcdf01fSchristos }
837*1dcdf01fSchristos if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
838*1dcdf01fSchristos /* SSLfatal() already called */
839*1dcdf01fSchristos return 0;
840*1dcdf01fSchristos }
841*1dcdf01fSchristos
842*1dcdf01fSchristos for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
843*1dcdf01fSchristos EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
844*1dcdf01fSchristos X509 *x, size_t chainidx);
845*1dcdf01fSchristos EXT_RETURN ret;
846*1dcdf01fSchristos
847*1dcdf01fSchristos /* Skip if not relevant for our context */
848*1dcdf01fSchristos if (!should_add_extension(s, thisexd->context, context, max_version))
849*1dcdf01fSchristos continue;
850*1dcdf01fSchristos
851*1dcdf01fSchristos construct = s->server ? thisexd->construct_stoc
852*1dcdf01fSchristos : thisexd->construct_ctos;
853*1dcdf01fSchristos
854*1dcdf01fSchristos if (construct == NULL)
855*1dcdf01fSchristos continue;
856*1dcdf01fSchristos
857*1dcdf01fSchristos ret = construct(s, pkt, context, x, chainidx);
858*1dcdf01fSchristos if (ret == EXT_RETURN_FAIL) {
859*1dcdf01fSchristos /* SSLfatal() already called */
860*1dcdf01fSchristos return 0;
861*1dcdf01fSchristos }
862*1dcdf01fSchristos if (ret == EXT_RETURN_SENT
863*1dcdf01fSchristos && (context & (SSL_EXT_CLIENT_HELLO
864*1dcdf01fSchristos | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
865*1dcdf01fSchristos | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
866*1dcdf01fSchristos s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
867*1dcdf01fSchristos }
868*1dcdf01fSchristos
869*1dcdf01fSchristos if (!WPACKET_close(pkt)) {
870*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
871*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
872*1dcdf01fSchristos return 0;
873*1dcdf01fSchristos }
874*1dcdf01fSchristos
875*1dcdf01fSchristos return 1;
876*1dcdf01fSchristos }
877*1dcdf01fSchristos
878*1dcdf01fSchristos /*
879*1dcdf01fSchristos * Built in extension finalisation and initialisation functions. All initialise
880*1dcdf01fSchristos * or finalise the associated extension type for the given |context|. For
881*1dcdf01fSchristos * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
882*1dcdf01fSchristos * otherwise. These functions return 1 on success or 0 on failure.
883*1dcdf01fSchristos */
884*1dcdf01fSchristos
final_renegotiate(SSL * s,unsigned int context,int sent)885*1dcdf01fSchristos static int final_renegotiate(SSL *s, unsigned int context, int sent)
886*1dcdf01fSchristos {
887*1dcdf01fSchristos if (!s->server) {
888*1dcdf01fSchristos /*
889*1dcdf01fSchristos * Check if we can connect to a server that doesn't support safe
890*1dcdf01fSchristos * renegotiation
891*1dcdf01fSchristos */
892*1dcdf01fSchristos if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
893*1dcdf01fSchristos && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
894*1dcdf01fSchristos && !sent) {
895*1dcdf01fSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
896*1dcdf01fSchristos SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
897*1dcdf01fSchristos return 0;
898*1dcdf01fSchristos }
899*1dcdf01fSchristos
900*1dcdf01fSchristos return 1;
901*1dcdf01fSchristos }
902*1dcdf01fSchristos
903*1dcdf01fSchristos /* Need RI if renegotiating */
904*1dcdf01fSchristos if (s->renegotiate
905*1dcdf01fSchristos && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
906*1dcdf01fSchristos && !sent) {
907*1dcdf01fSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
908*1dcdf01fSchristos SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
909*1dcdf01fSchristos return 0;
910*1dcdf01fSchristos }
911*1dcdf01fSchristos
912*1dcdf01fSchristos
913*1dcdf01fSchristos return 1;
914*1dcdf01fSchristos }
915*1dcdf01fSchristos
init_server_name(SSL * s,unsigned int context)916*1dcdf01fSchristos static int init_server_name(SSL *s, unsigned int context)
917*1dcdf01fSchristos {
918*1dcdf01fSchristos if (s->server) {
919*1dcdf01fSchristos s->servername_done = 0;
920*1dcdf01fSchristos
921*1dcdf01fSchristos OPENSSL_free(s->ext.hostname);
922*1dcdf01fSchristos s->ext.hostname = NULL;
923*1dcdf01fSchristos }
924*1dcdf01fSchristos
925*1dcdf01fSchristos return 1;
926*1dcdf01fSchristos }
927*1dcdf01fSchristos
final_server_name(SSL * s,unsigned int context,int sent)928*1dcdf01fSchristos static int final_server_name(SSL *s, unsigned int context, int sent)
929*1dcdf01fSchristos {
930*1dcdf01fSchristos int ret = SSL_TLSEXT_ERR_NOACK;
931*1dcdf01fSchristos int altmp = SSL_AD_UNRECOGNIZED_NAME;
932*1dcdf01fSchristos int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
933*1dcdf01fSchristos
934*1dcdf01fSchristos if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
935*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
936*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
937*1dcdf01fSchristos return 0;
938*1dcdf01fSchristos }
939*1dcdf01fSchristos
940*1dcdf01fSchristos if (s->ctx->ext.servername_cb != NULL)
941*1dcdf01fSchristos ret = s->ctx->ext.servername_cb(s, &altmp,
942*1dcdf01fSchristos s->ctx->ext.servername_arg);
943*1dcdf01fSchristos else if (s->session_ctx->ext.servername_cb != NULL)
944*1dcdf01fSchristos ret = s->session_ctx->ext.servername_cb(s, &altmp,
945*1dcdf01fSchristos s->session_ctx->ext.servername_arg);
946*1dcdf01fSchristos
947*1dcdf01fSchristos /*
948*1dcdf01fSchristos * For servers, propagate the SNI hostname from the temporary
949*1dcdf01fSchristos * storage in the SSL to the persistent SSL_SESSION, now that we
950*1dcdf01fSchristos * know we accepted it.
951*1dcdf01fSchristos * Clients make this copy when parsing the server's response to
952*1dcdf01fSchristos * the extension, which is when they find out that the negotiation
953*1dcdf01fSchristos * was successful.
954*1dcdf01fSchristos */
955*1dcdf01fSchristos if (s->server) {
956*1dcdf01fSchristos if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
957*1dcdf01fSchristos /* Only store the hostname in the session if we accepted it. */
958*1dcdf01fSchristos OPENSSL_free(s->session->ext.hostname);
959*1dcdf01fSchristos s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
960*1dcdf01fSchristos if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
961*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
962*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
963*1dcdf01fSchristos }
964*1dcdf01fSchristos }
965*1dcdf01fSchristos }
966*1dcdf01fSchristos
967*1dcdf01fSchristos /*
968*1dcdf01fSchristos * If we switched contexts (whether here or in the client_hello callback),
969*1dcdf01fSchristos * move the sess_accept increment from the session_ctx to the new
970*1dcdf01fSchristos * context, to avoid the confusing situation of having sess_accept_good
971*1dcdf01fSchristos * exceed sess_accept (zero) for the new context.
972*1dcdf01fSchristos */
973*1dcdf01fSchristos if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
974*1dcdf01fSchristos && s->hello_retry_request == SSL_HRR_NONE) {
975*1dcdf01fSchristos tsan_counter(&s->ctx->stats.sess_accept);
976*1dcdf01fSchristos tsan_decr(&s->session_ctx->stats.sess_accept);
977*1dcdf01fSchristos }
978*1dcdf01fSchristos
979*1dcdf01fSchristos /*
980*1dcdf01fSchristos * If we're expecting to send a ticket, and tickets were previously enabled,
981*1dcdf01fSchristos * and now tickets are disabled, then turn off expected ticket.
982*1dcdf01fSchristos * Also, if this is not a resumption, create a new session ID
983*1dcdf01fSchristos */
984*1dcdf01fSchristos if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
985*1dcdf01fSchristos && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
986*1dcdf01fSchristos s->ext.ticket_expected = 0;
987*1dcdf01fSchristos if (!s->hit) {
988*1dcdf01fSchristos SSL_SESSION* ss = SSL_get_session(s);
989*1dcdf01fSchristos
990*1dcdf01fSchristos if (ss != NULL) {
991*1dcdf01fSchristos OPENSSL_free(ss->ext.tick);
992*1dcdf01fSchristos ss->ext.tick = NULL;
993*1dcdf01fSchristos ss->ext.ticklen = 0;
994*1dcdf01fSchristos ss->ext.tick_lifetime_hint = 0;
995*1dcdf01fSchristos ss->ext.tick_age_add = 0;
996*1dcdf01fSchristos if (!ssl_generate_session_id(s, ss)) {
997*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
998*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
999*1dcdf01fSchristos return 0;
1000*1dcdf01fSchristos }
1001*1dcdf01fSchristos } else {
1002*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
1003*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1004*1dcdf01fSchristos return 0;
1005*1dcdf01fSchristos }
1006*1dcdf01fSchristos }
1007*1dcdf01fSchristos }
1008*1dcdf01fSchristos
1009*1dcdf01fSchristos switch (ret) {
1010*1dcdf01fSchristos case SSL_TLSEXT_ERR_ALERT_FATAL:
1011*1dcdf01fSchristos SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
1012*1dcdf01fSchristos return 0;
1013*1dcdf01fSchristos
1014*1dcdf01fSchristos case SSL_TLSEXT_ERR_ALERT_WARNING:
1015*1dcdf01fSchristos /* TLSv1.3 doesn't have warning alerts so we suppress this */
1016*1dcdf01fSchristos if (!SSL_IS_TLS13(s))
1017*1dcdf01fSchristos ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
1018*1dcdf01fSchristos s->servername_done = 0;
1019*1dcdf01fSchristos return 1;
1020*1dcdf01fSchristos
1021*1dcdf01fSchristos case SSL_TLSEXT_ERR_NOACK:
1022*1dcdf01fSchristos s->servername_done = 0;
1023*1dcdf01fSchristos return 1;
1024*1dcdf01fSchristos
1025*1dcdf01fSchristos default:
1026*1dcdf01fSchristos return 1;
1027*1dcdf01fSchristos }
1028*1dcdf01fSchristos }
1029*1dcdf01fSchristos
1030*1dcdf01fSchristos #ifndef OPENSSL_NO_EC
init_ec_point_formats(SSL * s,unsigned int context)1031*1dcdf01fSchristos static int init_ec_point_formats(SSL *s, unsigned int context)
1032*1dcdf01fSchristos {
1033*1dcdf01fSchristos OPENSSL_free(s->ext.peer_ecpointformats);
1034*1dcdf01fSchristos s->ext.peer_ecpointformats = NULL;
1035*1dcdf01fSchristos s->ext.peer_ecpointformats_len = 0;
1036*1dcdf01fSchristos
1037*1dcdf01fSchristos return 1;
1038*1dcdf01fSchristos }
1039*1dcdf01fSchristos
final_ec_pt_formats(SSL * s,unsigned int context,int sent)1040*1dcdf01fSchristos static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
1041*1dcdf01fSchristos {
1042*1dcdf01fSchristos unsigned long alg_k, alg_a;
1043*1dcdf01fSchristos
1044*1dcdf01fSchristos if (s->server)
1045*1dcdf01fSchristos return 1;
1046*1dcdf01fSchristos
1047*1dcdf01fSchristos alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1048*1dcdf01fSchristos alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1049*1dcdf01fSchristos
1050*1dcdf01fSchristos /*
1051*1dcdf01fSchristos * If we are client and using an elliptic curve cryptography cipher
1052*1dcdf01fSchristos * suite, then if server returns an EC point formats lists extension it
1053*1dcdf01fSchristos * must contain uncompressed.
1054*1dcdf01fSchristos */
1055*1dcdf01fSchristos if (s->ext.ecpointformats != NULL
1056*1dcdf01fSchristos && s->ext.ecpointformats_len > 0
1057*1dcdf01fSchristos && s->ext.peer_ecpointformats != NULL
1058*1dcdf01fSchristos && s->ext.peer_ecpointformats_len > 0
1059*1dcdf01fSchristos && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
1060*1dcdf01fSchristos /* we are using an ECC cipher */
1061*1dcdf01fSchristos size_t i;
1062*1dcdf01fSchristos unsigned char *list = s->ext.peer_ecpointformats;
1063*1dcdf01fSchristos
1064*1dcdf01fSchristos for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
1065*1dcdf01fSchristos if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
1066*1dcdf01fSchristos break;
1067*1dcdf01fSchristos }
1068*1dcdf01fSchristos if (i == s->ext.peer_ecpointformats_len) {
1069*1dcdf01fSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
1070*1dcdf01fSchristos SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1071*1dcdf01fSchristos return 0;
1072*1dcdf01fSchristos }
1073*1dcdf01fSchristos }
1074*1dcdf01fSchristos
1075*1dcdf01fSchristos return 1;
1076*1dcdf01fSchristos }
1077*1dcdf01fSchristos #endif
1078*1dcdf01fSchristos
init_session_ticket(SSL * s,unsigned int context)1079*1dcdf01fSchristos static int init_session_ticket(SSL *s, unsigned int context)
1080*1dcdf01fSchristos {
1081*1dcdf01fSchristos if (!s->server)
1082*1dcdf01fSchristos s->ext.ticket_expected = 0;
1083*1dcdf01fSchristos
1084*1dcdf01fSchristos return 1;
1085*1dcdf01fSchristos }
1086*1dcdf01fSchristos
1087*1dcdf01fSchristos #ifndef OPENSSL_NO_OCSP
init_status_request(SSL * s,unsigned int context)1088*1dcdf01fSchristos static int init_status_request(SSL *s, unsigned int context)
1089*1dcdf01fSchristos {
1090*1dcdf01fSchristos if (s->server) {
1091*1dcdf01fSchristos s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1092*1dcdf01fSchristos } else {
1093*1dcdf01fSchristos /*
1094*1dcdf01fSchristos * Ensure we get sensible values passed to tlsext_status_cb in the event
1095*1dcdf01fSchristos * that we don't receive a status message
1096*1dcdf01fSchristos */
1097*1dcdf01fSchristos OPENSSL_free(s->ext.ocsp.resp);
1098*1dcdf01fSchristos s->ext.ocsp.resp = NULL;
1099*1dcdf01fSchristos s->ext.ocsp.resp_len = 0;
1100*1dcdf01fSchristos }
1101*1dcdf01fSchristos
1102*1dcdf01fSchristos return 1;
1103*1dcdf01fSchristos }
1104*1dcdf01fSchristos #endif
1105*1dcdf01fSchristos
1106*1dcdf01fSchristos #ifndef OPENSSL_NO_NEXTPROTONEG
init_npn(SSL * s,unsigned int context)1107*1dcdf01fSchristos static int init_npn(SSL *s, unsigned int context)
1108*1dcdf01fSchristos {
1109*1dcdf01fSchristos s->s3->npn_seen = 0;
1110*1dcdf01fSchristos
1111*1dcdf01fSchristos return 1;
1112*1dcdf01fSchristos }
1113*1dcdf01fSchristos #endif
1114*1dcdf01fSchristos
init_alpn(SSL * s,unsigned int context)1115*1dcdf01fSchristos static int init_alpn(SSL *s, unsigned int context)
1116*1dcdf01fSchristos {
1117*1dcdf01fSchristos OPENSSL_free(s->s3->alpn_selected);
1118*1dcdf01fSchristos s->s3->alpn_selected = NULL;
1119*1dcdf01fSchristos s->s3->alpn_selected_len = 0;
1120*1dcdf01fSchristos if (s->server) {
1121*1dcdf01fSchristos OPENSSL_free(s->s3->alpn_proposed);
1122*1dcdf01fSchristos s->s3->alpn_proposed = NULL;
1123*1dcdf01fSchristos s->s3->alpn_proposed_len = 0;
1124*1dcdf01fSchristos }
1125*1dcdf01fSchristos return 1;
1126*1dcdf01fSchristos }
1127*1dcdf01fSchristos
final_alpn(SSL * s,unsigned int context,int sent)1128*1dcdf01fSchristos static int final_alpn(SSL *s, unsigned int context, int sent)
1129*1dcdf01fSchristos {
1130*1dcdf01fSchristos if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
1131*1dcdf01fSchristos s->ext.early_data_ok = 0;
1132*1dcdf01fSchristos
1133*1dcdf01fSchristos if (!s->server || !SSL_IS_TLS13(s))
1134*1dcdf01fSchristos return 1;
1135*1dcdf01fSchristos
1136*1dcdf01fSchristos /*
1137*1dcdf01fSchristos * Call alpn_select callback if needed. Has to be done after SNI and
1138*1dcdf01fSchristos * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
1139*1dcdf01fSchristos * we also have to do this before we decide whether to accept early_data.
1140*1dcdf01fSchristos * In TLSv1.3 we've already negotiated our cipher so we do this call now.
1141*1dcdf01fSchristos * For < TLSv1.3 we defer it until after cipher negotiation.
1142*1dcdf01fSchristos *
1143*1dcdf01fSchristos * On failure SSLfatal() already called.
1144*1dcdf01fSchristos */
1145*1dcdf01fSchristos return tls_handle_alpn(s);
1146*1dcdf01fSchristos }
1147*1dcdf01fSchristos
init_sig_algs(SSL * s,unsigned int context)1148*1dcdf01fSchristos static int init_sig_algs(SSL *s, unsigned int context)
1149*1dcdf01fSchristos {
1150*1dcdf01fSchristos /* Clear any signature algorithms extension received */
1151*1dcdf01fSchristos OPENSSL_free(s->s3->tmp.peer_sigalgs);
1152*1dcdf01fSchristos s->s3->tmp.peer_sigalgs = NULL;
1153*1dcdf01fSchristos s->s3->tmp.peer_sigalgslen = 0;
1154*1dcdf01fSchristos
1155*1dcdf01fSchristos return 1;
1156*1dcdf01fSchristos }
1157*1dcdf01fSchristos
init_sig_algs_cert(SSL * s,unsigned int context)1158*1dcdf01fSchristos static int init_sig_algs_cert(SSL *s, unsigned int context)
1159*1dcdf01fSchristos {
1160*1dcdf01fSchristos /* Clear any signature algorithms extension received */
1161*1dcdf01fSchristos OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
1162*1dcdf01fSchristos s->s3->tmp.peer_cert_sigalgs = NULL;
1163*1dcdf01fSchristos s->s3->tmp.peer_cert_sigalgslen = 0;
1164*1dcdf01fSchristos
1165*1dcdf01fSchristos return 1;
1166*1dcdf01fSchristos }
1167*1dcdf01fSchristos
1168*1dcdf01fSchristos #ifndef OPENSSL_NO_SRP
init_srp(SSL * s,unsigned int context)1169*1dcdf01fSchristos static int init_srp(SSL *s, unsigned int context)
1170*1dcdf01fSchristos {
1171*1dcdf01fSchristos OPENSSL_free(s->srp_ctx.login);
1172*1dcdf01fSchristos s->srp_ctx.login = NULL;
1173*1dcdf01fSchristos
1174*1dcdf01fSchristos return 1;
1175*1dcdf01fSchristos }
1176*1dcdf01fSchristos #endif
1177*1dcdf01fSchristos
init_etm(SSL * s,unsigned int context)1178*1dcdf01fSchristos static int init_etm(SSL *s, unsigned int context)
1179*1dcdf01fSchristos {
1180*1dcdf01fSchristos s->ext.use_etm = 0;
1181*1dcdf01fSchristos
1182*1dcdf01fSchristos return 1;
1183*1dcdf01fSchristos }
1184*1dcdf01fSchristos
init_ems(SSL * s,unsigned int context)1185*1dcdf01fSchristos static int init_ems(SSL *s, unsigned int context)
1186*1dcdf01fSchristos {
1187*1dcdf01fSchristos if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1188*1dcdf01fSchristos s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1189*1dcdf01fSchristos s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
1190*1dcdf01fSchristos }
1191*1dcdf01fSchristos
1192*1dcdf01fSchristos return 1;
1193*1dcdf01fSchristos }
1194*1dcdf01fSchristos
final_ems(SSL * s,unsigned int context,int sent)1195*1dcdf01fSchristos static int final_ems(SSL *s, unsigned int context, int sent)
1196*1dcdf01fSchristos {
1197*1dcdf01fSchristos /*
1198*1dcdf01fSchristos * Check extended master secret extension is not dropped on
1199*1dcdf01fSchristos * renegotiation.
1200*1dcdf01fSchristos */
1201*1dcdf01fSchristos if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
1202*1dcdf01fSchristos && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
1203*1dcdf01fSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1204*1dcdf01fSchristos SSL_R_INCONSISTENT_EXTMS);
1205*1dcdf01fSchristos return 0;
1206*1dcdf01fSchristos }
1207*1dcdf01fSchristos if (!s->server && s->hit) {
1208*1dcdf01fSchristos /*
1209*1dcdf01fSchristos * Check extended master secret extension is consistent with
1210*1dcdf01fSchristos * original session.
1211*1dcdf01fSchristos */
1212*1dcdf01fSchristos if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
1213*1dcdf01fSchristos !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
1214*1dcdf01fSchristos SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1215*1dcdf01fSchristos SSL_R_INCONSISTENT_EXTMS);
1216*1dcdf01fSchristos return 0;
1217*1dcdf01fSchristos }
1218*1dcdf01fSchristos }
1219*1dcdf01fSchristos
1220*1dcdf01fSchristos return 1;
1221*1dcdf01fSchristos }
1222*1dcdf01fSchristos
init_certificate_authorities(SSL * s,unsigned int context)1223*1dcdf01fSchristos static int init_certificate_authorities(SSL *s, unsigned int context)
1224*1dcdf01fSchristos {
1225*1dcdf01fSchristos sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
1226*1dcdf01fSchristos s->s3->tmp.peer_ca_names = NULL;
1227*1dcdf01fSchristos return 1;
1228*1dcdf01fSchristos }
1229*1dcdf01fSchristos
tls_construct_certificate_authorities(SSL * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1230*1dcdf01fSchristos static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
1231*1dcdf01fSchristos unsigned int context,
1232*1dcdf01fSchristos X509 *x,
1233*1dcdf01fSchristos size_t chainidx)
1234*1dcdf01fSchristos {
1235*1dcdf01fSchristos const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
1236*1dcdf01fSchristos
1237*1dcdf01fSchristos if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
1238*1dcdf01fSchristos return EXT_RETURN_NOT_SENT;
1239*1dcdf01fSchristos
1240*1dcdf01fSchristos if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
1241*1dcdf01fSchristos || !WPACKET_start_sub_packet_u16(pkt)) {
1242*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1243*1dcdf01fSchristos SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1244*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1245*1dcdf01fSchristos return EXT_RETURN_FAIL;
1246*1dcdf01fSchristos }
1247*1dcdf01fSchristos
1248*1dcdf01fSchristos if (!construct_ca_names(s, ca_sk, pkt)) {
1249*1dcdf01fSchristos /* SSLfatal() already called */
1250*1dcdf01fSchristos return EXT_RETURN_FAIL;
1251*1dcdf01fSchristos }
1252*1dcdf01fSchristos
1253*1dcdf01fSchristos if (!WPACKET_close(pkt)) {
1254*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1255*1dcdf01fSchristos SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1256*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1257*1dcdf01fSchristos return EXT_RETURN_FAIL;
1258*1dcdf01fSchristos }
1259*1dcdf01fSchristos
1260*1dcdf01fSchristos return EXT_RETURN_SENT;
1261*1dcdf01fSchristos }
1262*1dcdf01fSchristos
tls_parse_certificate_authorities(SSL * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1263*1dcdf01fSchristos static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
1264*1dcdf01fSchristos unsigned int context, X509 *x,
1265*1dcdf01fSchristos size_t chainidx)
1266*1dcdf01fSchristos {
1267*1dcdf01fSchristos if (!parse_ca_names(s, pkt))
1268*1dcdf01fSchristos return 0;
1269*1dcdf01fSchristos if (PACKET_remaining(pkt) != 0) {
1270*1dcdf01fSchristos SSLfatal(s, SSL_AD_DECODE_ERROR,
1271*1dcdf01fSchristos SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
1272*1dcdf01fSchristos return 0;
1273*1dcdf01fSchristos }
1274*1dcdf01fSchristos return 1;
1275*1dcdf01fSchristos }
1276*1dcdf01fSchristos
1277*1dcdf01fSchristos #ifndef OPENSSL_NO_SRTP
init_srtp(SSL * s,unsigned int context)1278*1dcdf01fSchristos static int init_srtp(SSL *s, unsigned int context)
1279*1dcdf01fSchristos {
1280*1dcdf01fSchristos if (s->server)
1281*1dcdf01fSchristos s->srtp_profile = NULL;
1282*1dcdf01fSchristos
1283*1dcdf01fSchristos return 1;
1284*1dcdf01fSchristos }
1285*1dcdf01fSchristos #endif
1286*1dcdf01fSchristos
final_sig_algs(SSL * s,unsigned int context,int sent)1287*1dcdf01fSchristos static int final_sig_algs(SSL *s, unsigned int context, int sent)
1288*1dcdf01fSchristos {
1289*1dcdf01fSchristos if (!sent && SSL_IS_TLS13(s) && !s->hit) {
1290*1dcdf01fSchristos SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
1291*1dcdf01fSchristos SSL_R_MISSING_SIGALGS_EXTENSION);
1292*1dcdf01fSchristos return 0;
1293*1dcdf01fSchristos }
1294*1dcdf01fSchristos
1295*1dcdf01fSchristos return 1;
1296*1dcdf01fSchristos }
1297*1dcdf01fSchristos
1298*1dcdf01fSchristos #ifndef OPENSSL_NO_EC
final_key_share(SSL * s,unsigned int context,int sent)1299*1dcdf01fSchristos static int final_key_share(SSL *s, unsigned int context, int sent)
1300*1dcdf01fSchristos {
1301*1dcdf01fSchristos if (!SSL_IS_TLS13(s))
1302*1dcdf01fSchristos return 1;
1303*1dcdf01fSchristos
1304*1dcdf01fSchristos /* Nothing to do for key_share in an HRR */
1305*1dcdf01fSchristos if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
1306*1dcdf01fSchristos return 1;
1307*1dcdf01fSchristos
1308*1dcdf01fSchristos /*
1309*1dcdf01fSchristos * If
1310*1dcdf01fSchristos * we are a client
1311*1dcdf01fSchristos * AND
1312*1dcdf01fSchristos * we have no key_share
1313*1dcdf01fSchristos * AND
1314*1dcdf01fSchristos * (we are not resuming
1315*1dcdf01fSchristos * OR the kex_mode doesn't allow non key_share resumes)
1316*1dcdf01fSchristos * THEN
1317*1dcdf01fSchristos * fail;
1318*1dcdf01fSchristos */
1319*1dcdf01fSchristos if (!s->server
1320*1dcdf01fSchristos && !sent
1321*1dcdf01fSchristos && (!s->hit
1322*1dcdf01fSchristos || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
1323*1dcdf01fSchristos /* Nothing left we can do - just fail */
1324*1dcdf01fSchristos SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
1325*1dcdf01fSchristos SSL_R_NO_SUITABLE_KEY_SHARE);
1326*1dcdf01fSchristos return 0;
1327*1dcdf01fSchristos }
1328*1dcdf01fSchristos /*
1329*1dcdf01fSchristos * IF
1330*1dcdf01fSchristos * we are a server
1331*1dcdf01fSchristos * THEN
1332*1dcdf01fSchristos * IF
1333*1dcdf01fSchristos * we have a suitable key_share
1334*1dcdf01fSchristos * THEN
1335*1dcdf01fSchristos * IF
1336*1dcdf01fSchristos * we are stateless AND we have no cookie
1337*1dcdf01fSchristos * THEN
1338*1dcdf01fSchristos * send a HelloRetryRequest
1339*1dcdf01fSchristos * ELSE
1340*1dcdf01fSchristos * IF
1341*1dcdf01fSchristos * we didn't already send a HelloRetryRequest
1342*1dcdf01fSchristos * AND
1343*1dcdf01fSchristos * the client sent a key_share extension
1344*1dcdf01fSchristos * AND
1345*1dcdf01fSchristos * (we are not resuming
1346*1dcdf01fSchristos * OR the kex_mode allows key_share resumes)
1347*1dcdf01fSchristos * AND
1348*1dcdf01fSchristos * a shared group exists
1349*1dcdf01fSchristos * THEN
1350*1dcdf01fSchristos * send a HelloRetryRequest
1351*1dcdf01fSchristos * ELSE IF
1352*1dcdf01fSchristos * we are not resuming
1353*1dcdf01fSchristos * OR
1354*1dcdf01fSchristos * the kex_mode doesn't allow non key_share resumes
1355*1dcdf01fSchristos * THEN
1356*1dcdf01fSchristos * fail
1357*1dcdf01fSchristos * ELSE IF
1358*1dcdf01fSchristos * we are stateless AND we have no cookie
1359*1dcdf01fSchristos * THEN
1360*1dcdf01fSchristos * send a HelloRetryRequest
1361*1dcdf01fSchristos */
1362*1dcdf01fSchristos if (s->server) {
1363*1dcdf01fSchristos if (s->s3->peer_tmp != NULL) {
1364*1dcdf01fSchristos /* We have a suitable key_share */
1365*1dcdf01fSchristos if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
1366*1dcdf01fSchristos && !s->ext.cookieok) {
1367*1dcdf01fSchristos if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1368*1dcdf01fSchristos /*
1369*1dcdf01fSchristos * If we are stateless then we wouldn't know about any
1370*1dcdf01fSchristos * previously sent HRR - so how can this be anything other
1371*1dcdf01fSchristos * than 0?
1372*1dcdf01fSchristos */
1373*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1374*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1375*1dcdf01fSchristos return 0;
1376*1dcdf01fSchristos }
1377*1dcdf01fSchristos s->hello_retry_request = SSL_HRR_PENDING;
1378*1dcdf01fSchristos return 1;
1379*1dcdf01fSchristos }
1380*1dcdf01fSchristos } else {
1381*1dcdf01fSchristos /* No suitable key_share */
1382*1dcdf01fSchristos if (s->hello_retry_request == SSL_HRR_NONE && sent
1383*1dcdf01fSchristos && (!s->hit
1384*1dcdf01fSchristos || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
1385*1dcdf01fSchristos != 0)) {
1386*1dcdf01fSchristos const uint16_t *pgroups, *clntgroups;
1387*1dcdf01fSchristos size_t num_groups, clnt_num_groups, i;
1388*1dcdf01fSchristos unsigned int group_id = 0;
1389*1dcdf01fSchristos
1390*1dcdf01fSchristos /* Check if a shared group exists */
1391*1dcdf01fSchristos
1392*1dcdf01fSchristos /* Get the clients list of supported groups. */
1393*1dcdf01fSchristos tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
1394*1dcdf01fSchristos tls1_get_supported_groups(s, &pgroups, &num_groups);
1395*1dcdf01fSchristos
1396*1dcdf01fSchristos /*
1397*1dcdf01fSchristos * Find the first group we allow that is also in client's list
1398*1dcdf01fSchristos */
1399*1dcdf01fSchristos for (i = 0; i < num_groups; i++) {
1400*1dcdf01fSchristos group_id = pgroups[i];
1401*1dcdf01fSchristos
1402*1dcdf01fSchristos if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1403*1dcdf01fSchristos 1))
1404*1dcdf01fSchristos break;
1405*1dcdf01fSchristos }
1406*1dcdf01fSchristos
1407*1dcdf01fSchristos if (i < num_groups) {
1408*1dcdf01fSchristos /* A shared group exists so send a HelloRetryRequest */
1409*1dcdf01fSchristos s->s3->group_id = group_id;
1410*1dcdf01fSchristos s->hello_retry_request = SSL_HRR_PENDING;
1411*1dcdf01fSchristos return 1;
1412*1dcdf01fSchristos }
1413*1dcdf01fSchristos }
1414*1dcdf01fSchristos if (!s->hit
1415*1dcdf01fSchristos || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
1416*1dcdf01fSchristos /* Nothing left we can do - just fail */
1417*1dcdf01fSchristos SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
1418*1dcdf01fSchristos : SSL_AD_MISSING_EXTENSION,
1419*1dcdf01fSchristos SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
1420*1dcdf01fSchristos return 0;
1421*1dcdf01fSchristos }
1422*1dcdf01fSchristos
1423*1dcdf01fSchristos if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
1424*1dcdf01fSchristos && !s->ext.cookieok) {
1425*1dcdf01fSchristos if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1426*1dcdf01fSchristos /*
1427*1dcdf01fSchristos * If we are stateless then we wouldn't know about any
1428*1dcdf01fSchristos * previously sent HRR - so how can this be anything other
1429*1dcdf01fSchristos * than 0?
1430*1dcdf01fSchristos */
1431*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1432*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1433*1dcdf01fSchristos return 0;
1434*1dcdf01fSchristos }
1435*1dcdf01fSchristos s->hello_retry_request = SSL_HRR_PENDING;
1436*1dcdf01fSchristos return 1;
1437*1dcdf01fSchristos }
1438*1dcdf01fSchristos }
1439*1dcdf01fSchristos
1440*1dcdf01fSchristos /*
1441*1dcdf01fSchristos * We have a key_share so don't send any more HelloRetryRequest
1442*1dcdf01fSchristos * messages
1443*1dcdf01fSchristos */
1444*1dcdf01fSchristos if (s->hello_retry_request == SSL_HRR_PENDING)
1445*1dcdf01fSchristos s->hello_retry_request = SSL_HRR_COMPLETE;
1446*1dcdf01fSchristos } else {
1447*1dcdf01fSchristos /*
1448*1dcdf01fSchristos * For a client side resumption with no key_share we need to generate
1449*1dcdf01fSchristos * the handshake secret (otherwise this is done during key_share
1450*1dcdf01fSchristos * processing).
1451*1dcdf01fSchristos */
1452*1dcdf01fSchristos if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
1453*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1454*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1455*1dcdf01fSchristos return 0;
1456*1dcdf01fSchristos }
1457*1dcdf01fSchristos }
1458*1dcdf01fSchristos
1459*1dcdf01fSchristos return 1;
1460*1dcdf01fSchristos }
1461*1dcdf01fSchristos #endif
1462*1dcdf01fSchristos
init_psk_kex_modes(SSL * s,unsigned int context)1463*1dcdf01fSchristos static int init_psk_kex_modes(SSL *s, unsigned int context)
1464*1dcdf01fSchristos {
1465*1dcdf01fSchristos s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
1466*1dcdf01fSchristos return 1;
1467*1dcdf01fSchristos }
1468*1dcdf01fSchristos
tls_psk_do_binder(SSL * s,const EVP_MD * md,const unsigned char * msgstart,size_t binderoffset,const unsigned char * binderin,unsigned char * binderout,SSL_SESSION * sess,int sign,int external)1469*1dcdf01fSchristos int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1470*1dcdf01fSchristos size_t binderoffset, const unsigned char *binderin,
1471*1dcdf01fSchristos unsigned char *binderout, SSL_SESSION *sess, int sign,
1472*1dcdf01fSchristos int external)
1473*1dcdf01fSchristos {
1474*1dcdf01fSchristos EVP_PKEY *mackey = NULL;
1475*1dcdf01fSchristos EVP_MD_CTX *mctx = NULL;
1476*1dcdf01fSchristos unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1477*1dcdf01fSchristos unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
1478*1dcdf01fSchristos unsigned char *early_secret;
1479*1dcdf01fSchristos #ifdef CHARSET_EBCDIC
1480*1dcdf01fSchristos static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1481*1dcdf01fSchristos static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1482*1dcdf01fSchristos #else
1483*1dcdf01fSchristos static const unsigned char resumption_label[] = "res binder";
1484*1dcdf01fSchristos static const unsigned char external_label[] = "ext binder";
1485*1dcdf01fSchristos #endif
1486*1dcdf01fSchristos const unsigned char *label;
1487*1dcdf01fSchristos size_t bindersize, labelsize, hashsize;
1488*1dcdf01fSchristos int hashsizei = EVP_MD_size(md);
1489*1dcdf01fSchristos int ret = -1;
1490*1dcdf01fSchristos int usepskfored = 0;
1491*1dcdf01fSchristos
1492*1dcdf01fSchristos /* Ensure cast to size_t is safe */
1493*1dcdf01fSchristos if (!ossl_assert(hashsizei >= 0)) {
1494*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1495*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1496*1dcdf01fSchristos goto err;
1497*1dcdf01fSchristos }
1498*1dcdf01fSchristos hashsize = (size_t)hashsizei;
1499*1dcdf01fSchristos
1500*1dcdf01fSchristos if (external
1501*1dcdf01fSchristos && s->early_data_state == SSL_EARLY_DATA_CONNECTING
1502*1dcdf01fSchristos && s->session->ext.max_early_data == 0
1503*1dcdf01fSchristos && sess->ext.max_early_data > 0)
1504*1dcdf01fSchristos usepskfored = 1;
1505*1dcdf01fSchristos
1506*1dcdf01fSchristos if (external) {
1507*1dcdf01fSchristos label = external_label;
1508*1dcdf01fSchristos labelsize = sizeof(external_label) - 1;
1509*1dcdf01fSchristos } else {
1510*1dcdf01fSchristos label = resumption_label;
1511*1dcdf01fSchristos labelsize = sizeof(resumption_label) - 1;
1512*1dcdf01fSchristos }
1513*1dcdf01fSchristos
1514*1dcdf01fSchristos /*
1515*1dcdf01fSchristos * Generate the early_secret. On the server side we've selected a PSK to
1516*1dcdf01fSchristos * resume with (internal or external) so we always do this. On the client
1517*1dcdf01fSchristos * side we do this for a non-external (i.e. resumption) PSK or external PSK
1518*1dcdf01fSchristos * that will be used for early_data so that it is in place for sending early
1519*1dcdf01fSchristos * data. For client side external PSK not being used for early_data we
1520*1dcdf01fSchristos * generate it but store it away for later use.
1521*1dcdf01fSchristos */
1522*1dcdf01fSchristos if (s->server || !external || usepskfored)
1523*1dcdf01fSchristos early_secret = (unsigned char *)s->early_secret;
1524*1dcdf01fSchristos else
1525*1dcdf01fSchristos early_secret = (unsigned char *)sess->early_secret;
1526*1dcdf01fSchristos
1527*1dcdf01fSchristos if (!tls13_generate_secret(s, md, NULL, sess->master_key,
1528*1dcdf01fSchristos sess->master_key_length, early_secret)) {
1529*1dcdf01fSchristos /* SSLfatal() already called */
1530*1dcdf01fSchristos goto err;
1531*1dcdf01fSchristos }
1532*1dcdf01fSchristos
1533*1dcdf01fSchristos /*
1534*1dcdf01fSchristos * Create the handshake hash for the binder key...the messages so far are
1535*1dcdf01fSchristos * empty!
1536*1dcdf01fSchristos */
1537*1dcdf01fSchristos mctx = EVP_MD_CTX_new();
1538*1dcdf01fSchristos if (mctx == NULL
1539*1dcdf01fSchristos || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1540*1dcdf01fSchristos || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1541*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1542*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1543*1dcdf01fSchristos goto err;
1544*1dcdf01fSchristos }
1545*1dcdf01fSchristos
1546*1dcdf01fSchristos /* Generate the binder key */
1547*1dcdf01fSchristos if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
1548*1dcdf01fSchristos hashsize, binderkey, hashsize, 1)) {
1549*1dcdf01fSchristos /* SSLfatal() already called */
1550*1dcdf01fSchristos goto err;
1551*1dcdf01fSchristos }
1552*1dcdf01fSchristos
1553*1dcdf01fSchristos /* Generate the finished key */
1554*1dcdf01fSchristos if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
1555*1dcdf01fSchristos /* SSLfatal() already called */
1556*1dcdf01fSchristos goto err;
1557*1dcdf01fSchristos }
1558*1dcdf01fSchristos
1559*1dcdf01fSchristos if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
1560*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1561*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1562*1dcdf01fSchristos goto err;
1563*1dcdf01fSchristos }
1564*1dcdf01fSchristos
1565*1dcdf01fSchristos /*
1566*1dcdf01fSchristos * Get a hash of the ClientHello up to the start of the binders. If we are
1567*1dcdf01fSchristos * following a HelloRetryRequest then this includes the hash of the first
1568*1dcdf01fSchristos * ClientHello and the HelloRetryRequest itself.
1569*1dcdf01fSchristos */
1570*1dcdf01fSchristos if (s->hello_retry_request == SSL_HRR_PENDING) {
1571*1dcdf01fSchristos size_t hdatalen;
1572*1dcdf01fSchristos long hdatalen_l;
1573*1dcdf01fSchristos void *hdata;
1574*1dcdf01fSchristos
1575*1dcdf01fSchristos hdatalen = hdatalen_l =
1576*1dcdf01fSchristos BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
1577*1dcdf01fSchristos if (hdatalen_l <= 0) {
1578*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1579*1dcdf01fSchristos SSL_R_BAD_HANDSHAKE_LENGTH);
1580*1dcdf01fSchristos goto err;
1581*1dcdf01fSchristos }
1582*1dcdf01fSchristos
1583*1dcdf01fSchristos /*
1584*1dcdf01fSchristos * For servers the handshake buffer data will include the second
1585*1dcdf01fSchristos * ClientHello - which we don't want - so we need to take that bit off.
1586*1dcdf01fSchristos */
1587*1dcdf01fSchristos if (s->server) {
1588*1dcdf01fSchristos PACKET hashprefix, msg;
1589*1dcdf01fSchristos
1590*1dcdf01fSchristos /* Find how many bytes are left after the first two messages */
1591*1dcdf01fSchristos if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
1592*1dcdf01fSchristos || !PACKET_forward(&hashprefix, 1)
1593*1dcdf01fSchristos || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
1594*1dcdf01fSchristos || !PACKET_forward(&hashprefix, 1)
1595*1dcdf01fSchristos || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
1596*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1597*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1598*1dcdf01fSchristos goto err;
1599*1dcdf01fSchristos }
1600*1dcdf01fSchristos hdatalen -= PACKET_remaining(&hashprefix);
1601*1dcdf01fSchristos }
1602*1dcdf01fSchristos
1603*1dcdf01fSchristos if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
1604*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1605*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1606*1dcdf01fSchristos goto err;
1607*1dcdf01fSchristos }
1608*1dcdf01fSchristos }
1609*1dcdf01fSchristos
1610*1dcdf01fSchristos if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1611*1dcdf01fSchristos || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1612*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1613*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1614*1dcdf01fSchristos goto err;
1615*1dcdf01fSchristos }
1616*1dcdf01fSchristos
1617*1dcdf01fSchristos mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
1618*1dcdf01fSchristos hashsize);
1619*1dcdf01fSchristos if (mackey == NULL) {
1620*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1621*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1622*1dcdf01fSchristos goto err;
1623*1dcdf01fSchristos }
1624*1dcdf01fSchristos
1625*1dcdf01fSchristos if (!sign)
1626*1dcdf01fSchristos binderout = tmpbinder;
1627*1dcdf01fSchristos
1628*1dcdf01fSchristos bindersize = hashsize;
1629*1dcdf01fSchristos if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
1630*1dcdf01fSchristos || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1631*1dcdf01fSchristos || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1632*1dcdf01fSchristos || bindersize != hashsize) {
1633*1dcdf01fSchristos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1634*1dcdf01fSchristos ERR_R_INTERNAL_ERROR);
1635*1dcdf01fSchristos goto err;
1636*1dcdf01fSchristos }
1637*1dcdf01fSchristos
1638*1dcdf01fSchristos if (sign) {
1639*1dcdf01fSchristos ret = 1;
1640*1dcdf01fSchristos } else {
1641*1dcdf01fSchristos /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1642*1dcdf01fSchristos ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
1643*1dcdf01fSchristos if (!ret)
1644*1dcdf01fSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
1645*1dcdf01fSchristos SSL_R_BINDER_DOES_NOT_VERIFY);
1646*1dcdf01fSchristos }
1647*1dcdf01fSchristos
1648*1dcdf01fSchristos err:
1649*1dcdf01fSchristos OPENSSL_cleanse(binderkey, sizeof(binderkey));
1650*1dcdf01fSchristos OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1651*1dcdf01fSchristos EVP_PKEY_free(mackey);
1652*1dcdf01fSchristos EVP_MD_CTX_free(mctx);
1653*1dcdf01fSchristos
1654*1dcdf01fSchristos return ret;
1655*1dcdf01fSchristos }
1656*1dcdf01fSchristos
final_early_data(SSL * s,unsigned int context,int sent)1657*1dcdf01fSchristos static int final_early_data(SSL *s, unsigned int context, int sent)
1658*1dcdf01fSchristos {
1659*1dcdf01fSchristos if (!sent)
1660*1dcdf01fSchristos return 1;
1661*1dcdf01fSchristos
1662*1dcdf01fSchristos if (!s->server) {
1663*1dcdf01fSchristos if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
1664*1dcdf01fSchristos && sent
1665*1dcdf01fSchristos && !s->ext.early_data_ok) {
1666*1dcdf01fSchristos /*
1667*1dcdf01fSchristos * If we get here then the server accepted our early_data but we
1668*1dcdf01fSchristos * later realised that it shouldn't have done (e.g. inconsistent
1669*1dcdf01fSchristos * ALPN)
1670*1dcdf01fSchristos */
1671*1dcdf01fSchristos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
1672*1dcdf01fSchristos SSL_R_BAD_EARLY_DATA);
1673*1dcdf01fSchristos return 0;
1674*1dcdf01fSchristos }
1675*1dcdf01fSchristos
1676*1dcdf01fSchristos return 1;
1677*1dcdf01fSchristos }
1678*1dcdf01fSchristos
1679*1dcdf01fSchristos if (s->max_early_data == 0
1680*1dcdf01fSchristos || !s->hit
1681*1dcdf01fSchristos || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
1682*1dcdf01fSchristos || !s->ext.early_data_ok
1683*1dcdf01fSchristos || s->hello_retry_request != SSL_HRR_NONE
1684*1dcdf01fSchristos || (s->allow_early_data_cb != NULL
1685*1dcdf01fSchristos && !s->allow_early_data_cb(s,
1686*1dcdf01fSchristos s->allow_early_data_cb_data))) {
1687*1dcdf01fSchristos s->ext.early_data = SSL_EARLY_DATA_REJECTED;
1688*1dcdf01fSchristos } else {
1689*1dcdf01fSchristos s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1690*1dcdf01fSchristos
1691*1dcdf01fSchristos if (!tls13_change_cipher_state(s,
1692*1dcdf01fSchristos SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
1693*1dcdf01fSchristos /* SSLfatal() already called */
1694*1dcdf01fSchristos return 0;
1695*1dcdf01fSchristos }
1696*1dcdf01fSchristos }
1697*1dcdf01fSchristos
1698*1dcdf01fSchristos return 1;
1699*1dcdf01fSchristos }
1700*1dcdf01fSchristos
final_maxfragmentlen(SSL * s,unsigned int context,int sent)1701*1dcdf01fSchristos static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
1702*1dcdf01fSchristos {
1703*1dcdf01fSchristos /*
1704*1dcdf01fSchristos * Session resumption on server-side with MFL extension active
1705*1dcdf01fSchristos * BUT MFL extension packet was not resent (i.e. sent == 0)
1706*1dcdf01fSchristos */
1707*1dcdf01fSchristos if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1708*1dcdf01fSchristos && !sent ) {
1709*1dcdf01fSchristos SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
1710*1dcdf01fSchristos SSL_R_BAD_EXTENSION);
1711*1dcdf01fSchristos return 0;
1712*1dcdf01fSchristos }
1713*1dcdf01fSchristos
1714*1dcdf01fSchristos /* Current SSL buffer is lower than requested MFL */
1715*1dcdf01fSchristos if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1716*1dcdf01fSchristos && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
1717*1dcdf01fSchristos /* trigger a larger buffer reallocation */
1718*1dcdf01fSchristos if (!ssl3_setup_buffers(s)) {
1719*1dcdf01fSchristos /* SSLfatal() already called */
1720*1dcdf01fSchristos return 0;
1721*1dcdf01fSchristos }
1722*1dcdf01fSchristos
1723*1dcdf01fSchristos return 1;
1724*1dcdf01fSchristos }
1725*1dcdf01fSchristos
init_post_handshake_auth(SSL * s,unsigned int context)1726*1dcdf01fSchristos static int init_post_handshake_auth(SSL *s, unsigned int context)
1727*1dcdf01fSchristos {
1728*1dcdf01fSchristos s->post_handshake_auth = SSL_PHA_NONE;
1729*1dcdf01fSchristos
1730*1dcdf01fSchristos return 1;
1731*1dcdf01fSchristos }
1732*1dcdf01fSchristos
1733*1dcdf01fSchristos /*
1734*1dcdf01fSchristos * If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
1735*1dcdf01fSchristos * extension, servers MUST abort the handshake.
1736*1dcdf01fSchristos */
final_psk(SSL * s,unsigned int context,int sent)1737*1dcdf01fSchristos static int final_psk(SSL *s, unsigned int context, int sent)
1738*1dcdf01fSchristos {
1739*1dcdf01fSchristos if (s->server && sent && s->clienthello != NULL
1740*1dcdf01fSchristos && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
1741*1dcdf01fSchristos SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK,
1742*1dcdf01fSchristos SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
1743*1dcdf01fSchristos return 0;
1744*1dcdf01fSchristos }
1745*1dcdf01fSchristos
1746*1dcdf01fSchristos return 1;
1747*1dcdf01fSchristos }
1748