diff options
Diffstat (limited to 'ssl/statem/extensions.c')
| -rw-r--r-- | ssl/statem/extensions.c | 524 |
1 files changed, 361 insertions, 163 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index f8157389b7f1..1e0dc7b05592 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,50 +15,65 @@ #include <string.h> #include "internal/nelem.h" #include "internal/cryptlib.h" +#include "internal/ssl_unwrap.h" #include "../ssl_local.h" #include "statem_local.h" -#include "internal/cryptlib.h" -static int final_renegotiate(SSL *s, unsigned int context, int sent); -static int init_server_name(SSL *s, unsigned int context); -static int final_server_name(SSL *s, unsigned int context, int sent); -static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); -static int init_session_ticket(SSL *s, unsigned int context); +static int final_renegotiate(SSL_CONNECTION *s, unsigned int context, int sent); +static int init_server_name(SSL_CONNECTION *s, unsigned int context); +static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent); +static int final_ec_pt_formats(SSL_CONNECTION *s, unsigned int context, + int sent); +static int init_session_ticket(SSL_CONNECTION *s, unsigned int context); #ifndef OPENSSL_NO_OCSP -static int init_status_request(SSL *s, unsigned int context); +static int init_status_request(SSL_CONNECTION *s, unsigned int context); #endif #ifndef OPENSSL_NO_NEXTPROTONEG -static int init_npn(SSL *s, unsigned int context); +static int init_npn(SSL_CONNECTION *s, unsigned int context); #endif -static int init_alpn(SSL *s, unsigned int context); -static int final_alpn(SSL *s, unsigned int context, int sent); -static int init_sig_algs_cert(SSL *s, unsigned int context); -static int init_sig_algs(SSL *s, unsigned int context); -static int init_certificate_authorities(SSL *s, unsigned int context); -static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, +static int init_alpn(SSL_CONNECTION *s, unsigned int context); +static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent); +static int init_sig_algs_cert(SSL_CONNECTION *s, unsigned int context); +static int init_sig_algs(SSL_CONNECTION *s, unsigned int context); +static int init_server_cert_type(SSL_CONNECTION *sc, unsigned int context); +static int init_client_cert_type(SSL_CONNECTION *sc, unsigned int context); +static int init_certificate_authorities(SSL_CONNECTION *s, + unsigned int context); +static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s, + WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, +static int tls_parse_certificate_authorities(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); #ifndef OPENSSL_NO_SRP -static int init_srp(SSL *s, unsigned int context); +static int init_srp(SSL_CONNECTION *s, unsigned int context); #endif -static int init_ec_point_formats(SSL *s, unsigned int context); -static int init_etm(SSL *s, unsigned int context); -static int init_ems(SSL *s, unsigned int context); -static int final_ems(SSL *s, unsigned int context, int sent); -static int init_psk_kex_modes(SSL *s, unsigned int context); -static int final_key_share(SSL *s, unsigned int context, int sent); +static int init_ec_point_formats(SSL_CONNECTION *s, unsigned int context); +static int init_etm(SSL_CONNECTION *s, unsigned int context); +static int init_ems(SSL_CONNECTION *s, unsigned int context); +static int final_ems(SSL_CONNECTION *s, unsigned int context, int sent); +static int init_psk_kex_modes(SSL_CONNECTION *s, unsigned int context); +static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent); #ifndef OPENSSL_NO_SRTP -static int init_srtp(SSL *s, unsigned int context); +static int init_srtp(SSL_CONNECTION *s, unsigned int context); #endif -static int final_sig_algs(SSL *s, unsigned int context, int sent); -static int final_early_data(SSL *s, unsigned int context, int sent); -static int final_maxfragmentlen(SSL *s, unsigned int context, int sent); -static int init_post_handshake_auth(SSL *s, unsigned int context); -static int final_psk(SSL *s, unsigned int context, int sent); +static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent); +static int final_supported_versions(SSL_CONNECTION *s, unsigned int context, + int sent); +static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent); +static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context, + int sent); +static int init_post_handshake_auth(SSL_CONNECTION *s, unsigned int context); +static int final_psk(SSL_CONNECTION *s, unsigned int context, int sent); +static int tls_init_compress_certificate(SSL_CONNECTION *sc, unsigned int context); +static EXT_RETURN tls_construct_compress_certificate(SSL_CONNECTION *sc, WPACKET *pkt, + unsigned int context, + X509 *x, size_t chainidx); +static int tls_parse_compress_certificate(SSL_CONNECTION *sc, PACKET *pkt, + unsigned int context, + X509 *x, size_t chainidx); /* Structure to define a built-in extension */ typedef struct extensions_definition_st { @@ -73,25 +88,27 @@ typedef struct extensions_definition_st { * Initialise extension before parsing. Always called for relevant contexts * even if extension not present */ - int (*init)(SSL *s, unsigned int context); + int (*init)(SSL_CONNECTION *s, unsigned int context); /* Parse extension sent from client to server */ - int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - size_t chainidx); + int (*parse_ctos)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); /* Parse extension send from server to client */ - int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - size_t chainidx); + int (*parse_stoc)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx); /* Construct extension sent from server to client */ - EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, + EXT_RETURN (*construct_stoc)(SSL_CONNECTION *s, WPACKET *pkt, + unsigned int context, X509 *x, size_t chainidx); /* Construct extension sent from client to server */ - EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, + EXT_RETURN (*construct_ctos)(SSL_CONNECTION *s, WPACKET *pkt, + unsigned int context, X509 *x, size_t chainidx); /* * Finalise extension after parsing. Always called where an extensions was * initialised even if the extension was not present. |sent| is set to 1 if * the extension was seen, or 0 otherwise. */ - int (*final)(SSL *s, unsigned int context, int sent); + int (*final)(SSL_CONNECTION *s, unsigned int context, int sent); } EXTENSION_DEFINITION; /* @@ -298,6 +315,24 @@ static const EXTENSION_DEFINITION ext_defs[] = { NULL, }, { + TLSEXT_TYPE_client_cert_type, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_2_SERVER_HELLO, + init_client_cert_type, + tls_parse_ctos_client_cert_type, tls_parse_stoc_client_cert_type, + tls_construct_stoc_client_cert_type, tls_construct_ctos_client_cert_type, + NULL + }, + { + TLSEXT_TYPE_server_cert_type, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS + | SSL_EXT_TLS1_2_SERVER_HELLO, + init_server_cert_type, + tls_parse_ctos_server_cert_type, tls_parse_stoc_server_cert_type, + tls_construct_stoc_server_cert_type, tls_construct_ctos_server_cert_type, + NULL + }, + { TLSEXT_TYPE_signature_algorithms, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, init_sig_algs, tls_parse_ctos_sig_algs, @@ -312,7 +347,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { /* Processed inline as part of version selection */ NULL, tls_parse_stoc_supported_versions, tls_construct_stoc_supported_versions, - tls_construct_ctos_supported_versions, NULL + tls_construct_ctos_supported_versions, final_supported_versions }, { TLSEXT_TYPE_psk_kex_modes, @@ -354,6 +389,15 @@ static const EXTENSION_DEFINITION ext_defs[] = { NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL }, { + TLSEXT_TYPE_compress_certificate, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST + | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, + tls_init_compress_certificate, + tls_parse_compress_certificate, tls_parse_compress_certificate, + tls_construct_compress_certificate, tls_construct_compress_certificate, + NULL + }, + { TLSEXT_TYPE_early_data, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY, @@ -400,13 +444,14 @@ unsigned int ossl_get_extension_type(size_t idx) } /* Check whether an extension's context matches the current context */ -static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) +static int validate_context(SSL_CONNECTION *s, unsigned int extctx, + unsigned int thisctx) { /* Check we're allowed to use this extension in this context */ if ((thisctx & extctx) == 0) return 0; - if (SSL_IS_DTLS(s)) { + if (SSL_CONNECTION_IS_DTLS(s)) { if ((extctx & SSL_EXT_TLS_ONLY) != 0) return 0; } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) { @@ -416,7 +461,8 @@ static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) return 1; } -int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts) +int tls_validate_all_contexts(SSL_CONNECTION *s, unsigned int thisctx, + RAW_EXTENSION *exts) { size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset; RAW_EXTENSION *thisext; @@ -460,9 +506,9 @@ int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts) * indicate the extension is not allowed. If returning 1 then |*found| is set to * the definition for the extension we found. */ -static int verify_extension(SSL *s, unsigned int context, unsigned int type, - custom_ext_methods *meths, RAW_EXTENSION *rawexlist, - RAW_EXTENSION **found) +static int verify_extension(SSL_CONNECTION *s, unsigned int context, + unsigned int type, custom_ext_methods *meths, + RAW_EXTENSION *rawexlist, RAW_EXTENSION **found) { size_t i; size_t builtin_num = OSSL_NELEM(ext_defs); @@ -508,7 +554,8 @@ static int verify_extension(SSL *s, unsigned int context, unsigned int type, * the extension is relevant for the current context |thisctx| or not. Returns * 1 if the extension is relevant for this context, and 0 otherwise */ -int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) +int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx, + unsigned int thisctx) { int is_tls13; @@ -519,9 +566,9 @@ int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) is_tls13 = 1; else - is_tls13 = SSL_IS_TLS13(s); + is_tls13 = SSL_CONNECTION_IS_TLS13(s); - if ((SSL_IS_DTLS(s) + if ((SSL_CONNECTION_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) || (s->version == SSL3_VERSION && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) @@ -558,7 +605,8 @@ int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) * found, or an internal error occurred. We only check duplicates for * extensions that we know about. We ignore others. */ -int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, +int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet, + unsigned int context, RAW_EXTENSION **res, size_t *len, int init) { PACKET extensions = *packet; @@ -580,7 +628,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); if (raw_extensions == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); return 0; } @@ -646,8 +694,8 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, thisex->type = type; thisex->received_order = i++; if (s->ext.debug_cb) - s->ext.debug_cb(s, !s->server, thisex->type, - PACKET_data(&thisex->data), + s->ext.debug_cb(SSL_CONNECTION_GET_USER_SSL(s), !s->server, + thisex->type, PACKET_data(&thisex->data), PACKET_remaining(&thisex->data), s->ext.debug_arg); } @@ -689,11 +737,11 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, * Certificate. Returns 1 on success or 0 on failure. If an extension is not * present this counted as success. */ -int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, +int tls_parse_extension(SSL_CONNECTION *s, TLSEXT_INDEX idx, int context, RAW_EXTENSION *exts, X509 *x, size_t chainidx) { RAW_EXTENSION *currext = &exts[idx]; - int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + int (*parser)(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) = NULL; /* Skip if the extension is not present */ @@ -739,7 +787,8 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, * working on a Certificate message then we also pass the Certificate |x| and * its position in the |chainidx|, with 0 being the first certificate. */ -int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, +int tls_parse_all_extensions(SSL_CONNECTION *s, int context, + RAW_EXTENSION *exts, X509 *x, size_t chainidx, int fin) { size_t i, numexts = OSSL_NELEM(ext_defs); @@ -774,8 +823,8 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, return 1; } -int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, - int max_version) +int should_add_extension(SSL_CONNECTION *s, unsigned int extctx, + unsigned int thisctx, int max_version) { /* Skip if not relevant for our context */ if ((extctx & thisctx) == 0) @@ -785,7 +834,7 @@ int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, if (!extension_is_relevant(s, extctx, thisctx) || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 - && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))) + && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))) return 0; return 1; @@ -799,12 +848,14 @@ int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a * failure construction stops at the first extension to fail to construct. */ -int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, +int tls_construct_extensions(SSL_CONNECTION *s, WPACKET *pkt, + unsigned int context, X509 *x, size_t chainidx) { size_t i; int min_version, max_version = 0, reason; const EXTENSION_DEFINITION *thisexd; + int for_comp = (context & SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION) != 0; if (!WPACKET_start_sub_packet_u16(pkt) /* @@ -815,15 +866,17 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, || ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 && !WPACKET_set_flags(pkt, - WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { + if (!for_comp) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } if ((context & SSL_EXT_CLIENT_HELLO) != 0) { reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); if (reason != 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); + if (!for_comp) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); return 0; } } @@ -839,7 +892,8 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, } for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { - EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, + EXT_RETURN (*construct)(SSL_CONNECTION *s, WPACKET *pkt, + unsigned int context, X509 *x, size_t chainidx); EXT_RETURN ret; @@ -866,7 +920,8 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, } if (!WPACKET_close(pkt)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + if (!for_comp) + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -880,7 +935,7 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, * otherwise. These functions return 1 on success or 0 on failure. */ -static int final_renegotiate(SSL *s, unsigned int context, int sent) +static int final_renegotiate(SSL_CONNECTION *s, unsigned int context, int sent) { if (!s->server) { /* @@ -920,7 +975,7 @@ static ossl_inline void ssl_tsan_decr(const SSL_CTX *ctx, } } -static int init_server_name(SSL *s, unsigned int context) +static int init_server_name(SSL_CONNECTION *s, unsigned int context) { if (s->server) { s->servername_done = 0; @@ -932,23 +987,26 @@ static int init_server_name(SSL *s, unsigned int context) return 1; } -static int final_server_name(SSL *s, unsigned int context, int sent) +static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent) { int ret = SSL_TLSEXT_ERR_NOACK; int altmp = SSL_AD_UNRECOGNIZED_NAME; - int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0; + SSL *ssl = SSL_CONNECTION_GET_SSL(s); + SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + int was_ticket = (SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0; - if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) { + if (!ossl_assert(sctx != NULL) || !ossl_assert(s->session_ctx != NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } - if (s->ctx->ext.servername_cb != NULL) - ret = s->ctx->ext.servername_cb(s, &altmp, - s->ctx->ext.servername_arg); + if (sctx->ext.servername_cb != NULL) + ret = sctx->ext.servername_cb(ussl, &altmp, + sctx->ext.servername_arg); else if (s->session_ctx->ext.servername_cb != NULL) - ret = s->session_ctx->ext.servername_cb(s, &altmp, - s->session_ctx->ext.servername_arg); + ret = s->session_ctx->ext.servername_cb(ussl, &altmp, + s->session_ctx->ext.servername_arg); /* * For servers, propagate the SNI hostname from the temporary @@ -975,9 +1033,9 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * context, to avoid the confusing situation of having sess_accept_good * exceed sess_accept (zero) for the new context. */ - if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx + if (SSL_IS_FIRST_HANDSHAKE(s) && sctx != s->session_ctx && s->hello_retry_request == SSL_HRR_NONE) { - ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept); + ssl_tsan_counter(sctx, &sctx->stats.sess_accept); ssl_tsan_decr(s->session_ctx, &s->session_ctx->stats.sess_accept); } @@ -987,10 +1045,10 @@ static int final_server_name(SSL *s, unsigned int context, int sent) * Also, if this is not a resumption, create a new session ID */ if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected - && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) { + && was_ticket && (SSL_get_options(ssl) & SSL_OP_NO_TICKET) != 0) { s->ext.ticket_expected = 0; if (!s->hit) { - SSL_SESSION* ss = SSL_get_session(s); + SSL_SESSION* ss = SSL_get_session(ssl); if (ss != NULL) { OPENSSL_free(ss->ext.tick); @@ -1016,7 +1074,7 @@ static int final_server_name(SSL *s, unsigned int context, int sent) case SSL_TLSEXT_ERR_ALERT_WARNING: /* TLSv1.3 doesn't have warning alerts so we suppress this */ - if (!SSL_IS_TLS13(s)) + if (!SSL_CONNECTION_IS_TLS13(s)) ssl3_send_alert(s, SSL3_AL_WARNING, altmp); s->servername_done = 0; return 1; @@ -1030,7 +1088,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent) } } -static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) +static int final_ec_pt_formats(SSL_CONNECTION *s, unsigned int context, + int sent) { unsigned long alg_k, alg_a; @@ -1068,7 +1127,7 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) return 1; } -static int init_session_ticket(SSL *s, unsigned int context) +static int init_session_ticket(SSL_CONNECTION *s, unsigned int context) { if (!s->server) s->ext.ticket_expected = 0; @@ -1077,7 +1136,7 @@ static int init_session_ticket(SSL *s, unsigned int context) } #ifndef OPENSSL_NO_OCSP -static int init_status_request(SSL *s, unsigned int context) +static int init_status_request(SSL_CONNECTION *s, unsigned int context) { if (s->server) { s->ext.status_type = TLSEXT_STATUSTYPE_nothing; @@ -1096,7 +1155,7 @@ static int init_status_request(SSL *s, unsigned int context) #endif #ifndef OPENSSL_NO_NEXTPROTONEG -static int init_npn(SSL *s, unsigned int context) +static int init_npn(SSL_CONNECTION *s, unsigned int context) { s->s3.npn_seen = 0; @@ -1104,7 +1163,7 @@ static int init_npn(SSL *s, unsigned int context) } #endif -static int init_alpn(SSL *s, unsigned int context) +static int init_alpn(SSL_CONNECTION *s, unsigned int context) { OPENSSL_free(s->s3.alpn_selected); s->s3.alpn_selected = NULL; @@ -1117,12 +1176,12 @@ static int init_alpn(SSL *s, unsigned int context) return 1; } -static int final_alpn(SSL *s, unsigned int context, int sent) +static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent) { if (!s->server && !sent && s->session->ext.alpn_selected != NULL) s->ext.early_data_ok = 0; - if (!s->server || !SSL_IS_TLS13(s)) + if (!s->server || !SSL_CONNECTION_IS_TLS13(s)) return 1; /* @@ -1137,7 +1196,7 @@ static int final_alpn(SSL *s, unsigned int context, int sent) return tls_handle_alpn(s); } -static int init_sig_algs(SSL *s, unsigned int context) +static int init_sig_algs(SSL_CONNECTION *s, unsigned int context) { /* Clear any signature algorithms extension received */ OPENSSL_free(s->s3.tmp.peer_sigalgs); @@ -1147,7 +1206,8 @@ static int init_sig_algs(SSL *s, unsigned int context) return 1; } -static int init_sig_algs_cert(SSL *s, ossl_unused unsigned int context) +static int init_sig_algs_cert(SSL_CONNECTION *s, + ossl_unused unsigned int context) { /* Clear any signature algorithms extension received */ OPENSSL_free(s->s3.tmp.peer_cert_sigalgs); @@ -1158,7 +1218,7 @@ static int init_sig_algs_cert(SSL *s, ossl_unused unsigned int context) } #ifndef OPENSSL_NO_SRP -static int init_srp(SSL *s, unsigned int context) +static int init_srp(SSL_CONNECTION *s, unsigned int context) { OPENSSL_free(s->srp_ctx.login); s->srp_ctx.login = NULL; @@ -1167,7 +1227,7 @@ static int init_srp(SSL *s, unsigned int context) } #endif -static int init_ec_point_formats(SSL *s, unsigned int context) +static int init_ec_point_formats(SSL_CONNECTION *s, unsigned int context) { OPENSSL_free(s->ext.peer_ecpointformats); s->ext.peer_ecpointformats = NULL; @@ -1176,14 +1236,14 @@ static int init_ec_point_formats(SSL *s, unsigned int context) return 1; } -static int init_etm(SSL *s, unsigned int context) +static int init_etm(SSL_CONNECTION *s, unsigned int context) { s->ext.use_etm = 0; return 1; } -static int init_ems(SSL *s, unsigned int context) +static int init_ems(SSL_CONNECTION *s, unsigned int context) { if (s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) { s->s3.flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; @@ -1193,7 +1253,7 @@ static int init_ems(SSL *s, unsigned int context) return 1; } -static int final_ems(SSL *s, unsigned int context, int sent) +static int final_ems(SSL_CONNECTION *s, unsigned int context, int sent) { /* * Check extended master secret extension is not dropped on @@ -1219,14 +1279,15 @@ static int final_ems(SSL *s, unsigned int context, int sent) return 1; } -static int init_certificate_authorities(SSL *s, unsigned int context) +static int init_certificate_authorities(SSL_CONNECTION *s, unsigned int context) { sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); s->s3.tmp.peer_ca_names = NULL; return 1; } -static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, +static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s, + WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1255,7 +1316,7 @@ static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } -static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, +static int tls_parse_certificate_authorities(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -1269,7 +1330,7 @@ static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, } #ifndef OPENSSL_NO_SRTP -static int init_srtp(SSL *s, unsigned int context) +static int init_srtp(SSL_CONNECTION *s, unsigned int context) { if (s->server) s->srtp_profile = NULL; @@ -1278,9 +1339,9 @@ static int init_srtp(SSL *s, unsigned int context) } #endif -static int final_sig_algs(SSL *s, unsigned int context, int sent) +static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent) { - if (!sent && SSL_IS_TLS13(s) && !s->hit) { + if (!sent && SSL_CONNECTION_IS_TLS13(s) && !s->hit) { SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_R_MISSING_SIGALGS_EXTENSION); return 0; @@ -1289,10 +1350,22 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent) return 1; } -static int final_key_share(SSL *s, unsigned int context, int sent) +static int final_supported_versions(SSL_CONNECTION *s, unsigned int context, + int sent) +{ + if (!sent && context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) { + SSLfatal(s, TLS13_AD_MISSING_EXTENSION, + SSL_R_MISSING_SUPPORTED_VERSIONS_EXTENSION); + return 0; + } + + return 1; +} + +static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) { #if !defined(OPENSSL_NO_TLS1_3) - if (!SSL_IS_TLS13(s)) + if (!SSL_CONNECTION_IS_TLS13(s)) return 1; /* Nothing to do for key_share in an HRR */ @@ -1311,12 +1384,15 @@ static int final_key_share(SSL *s, unsigned int context, int sent) * fail; */ if (!s->server - && !sent - && (!s->hit - || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { - /* Nothing left we can do - just fail */ - SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_NO_SUITABLE_KEY_SHARE); - return 0; + && !sent) { + if ((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { + SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_SUITABLE_KEY_SHARE); + return 0; + } + if (!s->hit) { + SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_R_NO_SUITABLE_KEY_SHARE); + return 0; + } } /* * IF @@ -1373,36 +1449,12 @@ static int final_key_share(SSL *s, unsigned int context, int sent) /* No suitable key_share */ if (s->hello_retry_request == SSL_HRR_NONE && sent && (!s->hit - || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) - != 0)) { - const uint16_t *pgroups, *clntgroups; - size_t num_groups, clnt_num_groups, i; - unsigned int group_id = 0; - - /* Check if a shared group exists */ - - /* Get the clients list of supported groups. */ - tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); - tls1_get_supported_groups(s, &pgroups, &num_groups); - - /* - * Find the first group we allow that is also in client's list - */ - for (i = 0; i < num_groups; i++) { - group_id = pgroups[i]; - - if (check_in_list(s, group_id, clntgroups, clnt_num_groups, - 1) - && tls_group_allowed(s, group_id, - SSL_SECOP_CURVE_SUPPORTED) - && tls_valid_group(s, group_id, TLS1_3_VERSION, - TLS1_3_VERSION, 0, NULL)) - break; - } + || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) != 0)) { - if (i < num_groups) { + /* Did we detect group overlap in tls_parse_ctos_key_share ? */ + if (s->s3.group_id_candidate != 0) { /* A shared group exists so send a HelloRetryRequest */ - s->s3.group_id = group_id; + s->s3.group_id = s->s3.group_id_candidate; s->hello_retry_request = SSL_HRR_PENDING; return 1; } @@ -1453,13 +1505,14 @@ static int final_key_share(SSL *s, unsigned int context, int sent) return 1; } -static int init_psk_kex_modes(SSL *s, unsigned int context) +static int init_psk_kex_modes(SSL_CONNECTION *s, unsigned int context) { s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; return 1; } -int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, +int tls_psk_do_binder(SSL_CONNECTION *s, const EVP_MD *md, + const unsigned char *msgstart, size_t binderoffset, const unsigned char *binderin, unsigned char *binderout, SSL_SESSION *sess, int sign, int external) @@ -1469,21 +1522,19 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; unsigned char *early_secret; -#ifdef CHARSET_EBCDIC - static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; - static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; -#else - static const unsigned char resumption_label[] = "res binder"; - static const unsigned char external_label[] = "ext binder"; -#endif + /* ASCII: "res binder", in hex for EBCDIC compatibility */ + static const unsigned char resumption_label[] = "\x72\x65\x73\x20\x62\x69\x6E\x64\x65\x72"; + /* ASCII: "ext binder", in hex for EBCDIC compatibility */ + static const unsigned char external_label[] = "\x65\x78\x74\x20\x62\x69\x6E\x64\x65\x72"; const unsigned char *label; size_t bindersize, labelsize, hashsize; int hashsizei = EVP_MD_get_size(md); int ret = -1; int usepskfored = 0; + SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); /* Ensure cast to size_t is safe */ - if (!ossl_assert(hashsizei >= 0)) { + if (!ossl_assert(hashsizei > 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1600,8 +1651,8 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, goto err; } - mackey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", - s->ctx->propq, finishedkey, + mackey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC", + sctx->propq, finishedkey, hashsize); if (mackey == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -1612,8 +1663,8 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, binderout = tmpbinder; bindersize = hashsize; - if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), s->ctx->libctx, - s->ctx->propq, mackey, NULL) <= 0 + if (EVP_DigestSignInit_ex(mctx, NULL, EVP_MD_get0_name(md), sctx->libctx, + sctx->propq, mackey, NULL) <= 0 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 || bindersize != hashsize) { @@ -1627,7 +1678,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); if (!ret) - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BINDER_DOES_NOT_VERIFY); + SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BINDER_DOES_NOT_VERIFY); } err: @@ -1639,7 +1690,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, return ret; } -static int final_early_data(SSL *s, unsigned int context, int sent) +static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent) { if (!sent) return 1; @@ -1666,8 +1717,8 @@ static int final_early_data(SSL *s, unsigned int context, int sent) || !s->ext.early_data_ok || s->hello_retry_request != SSL_HRR_NONE || (s->allow_early_data_cb != NULL - && !s->allow_early_data_cb(s, - s->allow_early_data_cb_data))) { + && !s->allow_early_data_cb(SSL_CONNECTION_GET_USER_SSL(s), + s->allow_early_data_cb_data))) { s->ext.early_data = SSL_EARLY_DATA_REJECTED; } else { s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; @@ -1682,25 +1733,25 @@ static int final_early_data(SSL *s, unsigned int context, int sent) return 1; } -static int final_maxfragmentlen(SSL *s, unsigned int context, int sent) +static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context, + int sent) { /* MaxFragmentLength defaults to disabled */ if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED) s->session->ext.max_fragment_len_mode = TLSEXT_max_fragment_length_DISABLED; - /* Current SSL buffer is lower than requested MFL */ - if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) - && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session)) - /* trigger a larger buffer reallocation */ - if (!ssl3_setup_buffers(s)) { - /* SSLfatal() already called */ - return 0; - } + if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) { + s->rlayer.rrlmethod->set_max_frag_len(s->rlayer.rrl, + GET_MAX_FRAGMENT_LENGTH(s->session)); + s->rlayer.wrlmethod->set_max_frag_len(s->rlayer.wrl, + ssl_get_max_send_fragment(s)); + } return 1; } -static int init_post_handshake_auth(SSL *s, ossl_unused unsigned int context) +static int init_post_handshake_auth(SSL_CONNECTION *s, + ossl_unused unsigned int context) { s->post_handshake_auth = SSL_PHA_NONE; @@ -1711,7 +1762,7 @@ static int init_post_handshake_auth(SSL *s, ossl_unused unsigned int context) * If clients offer "pre_shared_key" without a "psk_key_exchange_modes" * extension, servers MUST abort the handshake. */ -static int final_psk(SSL *s, unsigned int context, int sent) +static int final_psk(SSL_CONNECTION *s, unsigned int context, int sent) { if (s->server && sent && s->clienthello != NULL && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) { @@ -1722,3 +1773,150 @@ static int final_psk(SSL *s, unsigned int context, int sent) return 1; } + +static int tls_init_compress_certificate(SSL_CONNECTION *sc, unsigned int context) +{ + memset(sc->ext.compress_certificate_from_peer, 0, + sizeof(sc->ext.compress_certificate_from_peer)); + return 1; +} + +/* The order these are put into the packet imply a preference order: [brotli, zlib, zstd] */ +static EXT_RETURN tls_construct_compress_certificate(SSL_CONNECTION *sc, WPACKET *pkt, + unsigned int context, + X509 *x, size_t chainidx) +{ +#ifndef OPENSSL_NO_COMP_ALG + int i; + + if (!ossl_comp_has_alg(0)) + return EXT_RETURN_NOT_SENT; + + /* Server: Don't attempt to compress a non-X509 (i.e. an RPK) */ + if (sc->server && sc->ext.server_cert_type != TLSEXT_cert_type_x509) { + sc->cert_comp_prefs[0] = TLSEXT_comp_cert_none; + return EXT_RETURN_NOT_SENT; + } + + /* Client: If we sent a client cert-type extension, don't indicate compression */ + if (!sc->server && sc->ext.client_cert_type_ctos) { + sc->cert_comp_prefs[0] = TLSEXT_comp_cert_none; + return EXT_RETURN_NOT_SENT; + } + + /* Do not indicate we support receiving compressed certificates */ + if ((sc->options & SSL_OP_NO_RX_CERTIFICATE_COMPRESSION) != 0) + return EXT_RETURN_NOT_SENT; + + if (sc->cert_comp_prefs[0] == TLSEXT_comp_cert_none) + return EXT_RETURN_NOT_SENT; + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_compress_certificate) + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_start_sub_packet_u8(pkt)) + goto err; + + for (i = 0; sc->cert_comp_prefs[i] != TLSEXT_comp_cert_none; i++) { + if (!WPACKET_put_bytes_u16(pkt, sc->cert_comp_prefs[i])) + goto err; + } + if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) + goto err; + + sc->ext.compress_certificate_sent = 1; + return EXT_RETURN_SENT; + err: + SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; +#else + return EXT_RETURN_NOT_SENT; +#endif +} + +#ifndef OPENSSL_NO_COMP_ALG +static int tls_comp_in_pref(SSL_CONNECTION *sc, int alg) +{ + int i; + + /* ossl_comp_has_alg() considers 0 as "any" */ + if (alg == 0) + return 0; + /* Make sure algorithm is enabled */ + if (!ossl_comp_has_alg(alg)) + return 0; + /* If no preferences are set, it's ok */ + if (sc->cert_comp_prefs[0] == TLSEXT_comp_cert_none) + return 1; + /* Find the algorithm */ + for (i = 0; i < TLSEXT_comp_cert_limit; i++) + if (sc->cert_comp_prefs[i] == alg) + return 1; + return 0; +} +#endif + +int tls_parse_compress_certificate(SSL_CONNECTION *sc, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) +{ +#ifndef OPENSSL_NO_COMP_ALG + PACKET supported_comp_algs; + unsigned int comp; + int already_set[TLSEXT_comp_cert_limit]; + int j = 0; + + /* If no algorithms are available, ignore the extension */ + if (!ossl_comp_has_alg(0)) + return 1; + + /* Don't attempt to compress a non-X509 (i.e. an RPK) */ + if (sc->server && sc->ext.server_cert_type != TLSEXT_cert_type_x509) + return 1; + if (!sc->server && sc->ext.client_cert_type != TLSEXT_cert_type_x509) + return 1; + + /* Ignore the extension and don't send compressed certificates */ + if ((sc->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) + return 1; + + if (!PACKET_as_length_prefixed_1(pkt, &supported_comp_algs) + || PACKET_remaining(&supported_comp_algs) == 0) { + SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); + return 0; + } + + memset(already_set, 0, sizeof(already_set)); + /* + * The preference array has real values, so take a look at each + * value coming in, and make sure it's in our preference list + * The array is 0 (i.e. "none") terminated + * The preference list only contains supported algorithms + */ + while (PACKET_get_net_2(&supported_comp_algs, &comp)) { + if (tls_comp_in_pref(sc, comp) && !already_set[comp]) { + sc->ext.compress_certificate_from_peer[j++] = comp; + already_set[comp] = 1; + } + } +#endif + return 1; +} + +static int init_server_cert_type(SSL_CONNECTION *sc, unsigned int context) +{ + /* Only reset when parsing client hello */ + if (sc->server) { + sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; + sc->ext.server_cert_type = TLSEXT_cert_type_x509; + } + return 1; +} + +static int init_client_cert_type(SSL_CONNECTION *sc, unsigned int context) +{ + /* Only reset when parsing client hello */ + if (sc->server) { + sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; + sc->ext.client_cert_type = TLSEXT_cert_type_x509; + } + return 1; +} |