xref: /freebsd/crypto/openssl/ssl/statem/extensions.c (revision 6ba2210ee039f2f12878c217bcf058e9c8b26b29)
1 /*
2  * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <string.h>
11 #include "internal/nelem.h"
12 #include "internal/cryptlib.h"
13 #include "../ssl_local.h"
14 #include "statem_local.h"
15 #include "internal/cryptlib.h"
16 
17 static int final_renegotiate(SSL *s, unsigned int context, int sent);
18 static int init_server_name(SSL *s, unsigned int context);
19 static int final_server_name(SSL *s, unsigned int context, int sent);
20 #ifndef OPENSSL_NO_EC
21 static int init_ec_point_formats(SSL *s, unsigned int context);
22 static int final_ec_pt_formats(SSL *s, unsigned int context, int sent);
23 #endif
24 static int init_session_ticket(SSL *s, unsigned int context);
25 #ifndef OPENSSL_NO_OCSP
26 static int init_status_request(SSL *s, unsigned int context);
27 #endif
28 #ifndef OPENSSL_NO_NEXTPROTONEG
29 static int init_npn(SSL *s, unsigned int context);
30 #endif
31 static int init_alpn(SSL *s, unsigned int context);
32 static int final_alpn(SSL *s, unsigned int context, int sent);
33 static int init_sig_algs_cert(SSL *s, unsigned int context);
34 static int init_sig_algs(SSL *s, unsigned int context);
35 static int init_certificate_authorities(SSL *s, unsigned int context);
36 static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
37                                                         unsigned int context,
38                                                         X509 *x,
39                                                         size_t chainidx);
40 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
41                                              unsigned int context, X509 *x,
42                                              size_t chainidx);
43 #ifndef OPENSSL_NO_SRP
44 static int init_srp(SSL *s, unsigned int context);
45 #endif
46 static int init_etm(SSL *s, unsigned int context);
47 static int init_ems(SSL *s, unsigned int context);
48 static int final_ems(SSL *s, unsigned int context, int sent);
49 static int init_psk_kex_modes(SSL *s, unsigned int context);
50 #ifndef OPENSSL_NO_EC
51 static int final_key_share(SSL *s, unsigned int context, int sent);
52 #endif
53 #ifndef OPENSSL_NO_SRTP
54 static int init_srtp(SSL *s, unsigned int context);
55 #endif
56 static int final_sig_algs(SSL *s, unsigned int context, int sent);
57 static int final_early_data(SSL *s, unsigned int context, int sent);
58 static int final_maxfragmentlen(SSL *s, unsigned int context, int sent);
59 static int init_post_handshake_auth(SSL *s, unsigned int context);
60 static int final_psk(SSL *s, unsigned int context, int sent);
61 
62 /* Structure to define a built-in extension */
63 typedef struct extensions_definition_st {
64     /* The defined type for the extension */
65     unsigned int type;
66     /*
67      * The context that this extension applies to, e.g. what messages and
68      * protocol versions
69      */
70     unsigned int context;
71     /*
72      * Initialise extension before parsing. Always called for relevant contexts
73      * even if extension not present
74      */
75     int (*init)(SSL *s, unsigned int context);
76     /* Parse extension sent from client to server */
77     int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
78                       size_t chainidx);
79     /* Parse extension send from server to client */
80     int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
81                       size_t chainidx);
82     /* Construct extension sent from server to client */
83     EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
84                                  X509 *x, size_t chainidx);
85     /* Construct extension sent from client to server */
86     EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
87                                  X509 *x, size_t chainidx);
88     /*
89      * Finalise extension after parsing. Always called where an extensions was
90      * initialised even if the extension was not present. |sent| is set to 1 if
91      * the extension was seen, or 0 otherwise.
92      */
93     int (*final)(SSL *s, unsigned int context, int sent);
94 } EXTENSION_DEFINITION;
95 
96 /*
97  * Definitions of all built-in extensions. NOTE: Changes in the number or order
98  * of these extensions should be mirrored with equivalent changes to the
99  * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h.
100  * Each extension has an initialiser, a client and
101  * server side parser and a finaliser. The initialiser is called (if the
102  * extension is relevant to the given context) even if we did not see the
103  * extension in the message that we received. The parser functions are only
104  * called if we see the extension in the message. The finalisers are always
105  * called if the initialiser was called.
106  * There are also server and client side constructor functions which are always
107  * called during message construction if the extension is relevant for the
108  * given context.
109  * The initialisation, parsing, finalisation and construction functions are
110  * always called in the order defined in this list. Some extensions may depend
111  * on others having been processed first, so the order of this list is
112  * significant.
113  * The extension context is defined by a series of flags which specify which
114  * messages the extension is relevant to. These flags also specify whether the
115  * extension is relevant to a particular protocol or protocol version.
116  *
117  * TODO(TLS1.3): Make sure we have a test to check the consistency of these
118  *
119  * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at
120  * the end, keep these extensions before signature_algorithm.
121  */
122 #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL }
123 static const EXTENSION_DEFINITION ext_defs[] = {
124     {
125         TLSEXT_TYPE_renegotiate,
126         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
127         | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
128         NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,
129         tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,
130         final_renegotiate
131     },
132     {
133         TLSEXT_TYPE_server_name,
134         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
135         | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
136         init_server_name,
137         tls_parse_ctos_server_name, tls_parse_stoc_server_name,
138         tls_construct_stoc_server_name, tls_construct_ctos_server_name,
139         final_server_name
140     },
141     {
142         TLSEXT_TYPE_max_fragment_length,
143         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
144         | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
145         NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen,
146         tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen,
147         final_maxfragmentlen
148     },
149 #ifndef OPENSSL_NO_SRP
150     {
151         TLSEXT_TYPE_srp,
152         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
153         init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL
154     },
155 #else
156     INVALID_EXTENSION,
157 #endif
158 #ifndef OPENSSL_NO_EC
159     {
160         TLSEXT_TYPE_ec_point_formats,
161         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
162         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
163         init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
164         tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
165         final_ec_pt_formats
166     },
167     {
168         /*
169          * "supported_groups" is spread across several specifications.
170          * It was originally specified as "elliptic_curves" in RFC 4492,
171          * and broadened to include named FFDH groups by RFC 7919.
172          * Both RFCs 4492 and 7919 do not include a provision for the server
173          * to indicate to the client the complete list of groups supported
174          * by the server, with the server instead just indicating the
175          * selected group for this connection in the ServerKeyExchange
176          * message.  TLS 1.3 adds a scheme for the server to indicate
177          * to the client its list of supported groups in the
178          * EncryptedExtensions message, but none of the relevant
179          * specifications permit sending supported_groups in the ServerHello.
180          * Nonetheless (possibly due to the close proximity to the
181          * "ec_point_formats" extension, which is allowed in the ServerHello),
182          * there are several servers that send this extension in the
183          * ServerHello anyway.  Up to and including the 1.1.0 release,
184          * we did not check for the presence of nonpermitted extensions,
185          * so to avoid a regression, we must permit this extension in the
186          * TLS 1.2 ServerHello as well.
187          *
188          * Note that there is no tls_parse_stoc_supported_groups function,
189          * so we do not perform any additional parsing, validation, or
190          * processing on the server's group list -- this is just a minimal
191          * change to preserve compatibility with these misbehaving servers.
192          */
193         TLSEXT_TYPE_supported_groups,
194         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
195         | SSL_EXT_TLS1_2_SERVER_HELLO,
196         NULL, tls_parse_ctos_supported_groups, NULL,
197         tls_construct_stoc_supported_groups,
198         tls_construct_ctos_supported_groups, NULL
199     },
200 #else
201     INVALID_EXTENSION,
202     INVALID_EXTENSION,
203 #endif
204     {
205         TLSEXT_TYPE_session_ticket,
206         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
207         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
208         init_session_ticket, tls_parse_ctos_session_ticket,
209         tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,
210         tls_construct_ctos_session_ticket, NULL
211     },
212 #ifndef OPENSSL_NO_OCSP
213     {
214         TLSEXT_TYPE_status_request,
215         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
216         | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
217         init_status_request, tls_parse_ctos_status_request,
218         tls_parse_stoc_status_request, tls_construct_stoc_status_request,
219         tls_construct_ctos_status_request, NULL
220     },
221 #else
222     INVALID_EXTENSION,
223 #endif
224 #ifndef OPENSSL_NO_NEXTPROTONEG
225     {
226         TLSEXT_TYPE_next_proto_neg,
227         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
228         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
229         init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,
230         tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL
231     },
232 #else
233     INVALID_EXTENSION,
234 #endif
235     {
236         /*
237          * Must appear in this list after server_name so that finalisation
238          * happens after server_name callbacks
239          */
240         TLSEXT_TYPE_application_layer_protocol_negotiation,
241         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
242         | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
243         init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,
244         tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn
245     },
246 #ifndef OPENSSL_NO_SRTP
247     {
248         TLSEXT_TYPE_use_srtp,
249         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
250         | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,
251         init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,
252         tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL
253     },
254 #else
255     INVALID_EXTENSION,
256 #endif
257     {
258         TLSEXT_TYPE_encrypt_then_mac,
259         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
260         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
261         init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
262         tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
263     },
264 #ifndef OPENSSL_NO_CT
265     {
266         TLSEXT_TYPE_signed_certificate_timestamp,
267         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
268         | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
269         NULL,
270         /*
271          * No server side support for this, but can be provided by a custom
272          * extension. This is an exception to the rule that custom extensions
273          * cannot override built in ones.
274          */
275         NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct,  NULL
276     },
277 #else
278     INVALID_EXTENSION,
279 #endif
280     {
281         TLSEXT_TYPE_extended_master_secret,
282         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
283         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
284         init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,
285         tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems
286     },
287     {
288         TLSEXT_TYPE_signature_algorithms_cert,
289         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
290         init_sig_algs_cert, tls_parse_ctos_sig_algs_cert,
291         tls_parse_ctos_sig_algs_cert,
292         /* We do not generate signature_algorithms_cert at present. */
293         NULL, NULL, NULL
294     },
295     {
296         TLSEXT_TYPE_post_handshake_auth,
297         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY,
298         init_post_handshake_auth,
299         tls_parse_ctos_post_handshake_auth, NULL,
300         NULL, tls_construct_ctos_post_handshake_auth,
301         NULL,
302     },
303     {
304         TLSEXT_TYPE_signature_algorithms,
305         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
306         init_sig_algs, tls_parse_ctos_sig_algs,
307         tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,
308         tls_construct_ctos_sig_algs, final_sig_algs
309     },
310     {
311         TLSEXT_TYPE_supported_versions,
312         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
313         | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY,
314         NULL,
315         /* Processed inline as part of version selection */
316         NULL, tls_parse_stoc_supported_versions,
317         tls_construct_stoc_supported_versions,
318         tls_construct_ctos_supported_versions, NULL
319     },
320     {
321         TLSEXT_TYPE_psk_kex_modes,
322         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY
323         | SSL_EXT_TLS1_3_ONLY,
324         init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,
325         tls_construct_ctos_psk_kex_modes, NULL
326     },
327 #ifndef OPENSSL_NO_EC
328     {
329         /*
330          * Must be in this list after supported_groups. We need that to have
331          * been parsed before we do this one.
332          */
333         TLSEXT_TYPE_key_share,
334         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
335         | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY
336         | SSL_EXT_TLS1_3_ONLY,
337         NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,
338         tls_construct_stoc_key_share, tls_construct_ctos_key_share,
339         final_key_share
340     },
341 #else
342     INVALID_EXTENSION,
343 #endif
344     {
345         /* Must be after key_share */
346         TLSEXT_TYPE_cookie,
347         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
348         | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
349         NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie,
350         tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL
351     },
352     {
353         /*
354          * Special unsolicited ServerHello extension only used when
355          * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
356          * ignore it.
357          */
358         TLSEXT_TYPE_cryptopro_bug,
359         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
360         | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
361         NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
362     },
363     {
364         TLSEXT_TYPE_early_data,
365         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
366         | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY,
367         NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,
368         tls_construct_stoc_early_data, tls_construct_ctos_early_data,
369         final_early_data
370     },
371     {
372         TLSEXT_TYPE_certificate_authorities,
373         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
374         | SSL_EXT_TLS1_3_ONLY,
375         init_certificate_authorities,
376         tls_parse_certificate_authorities, tls_parse_certificate_authorities,
377         tls_construct_certificate_authorities,
378         tls_construct_certificate_authorities, NULL,
379     },
380     {
381         /* Must be immediately before pre_shared_key */
382         TLSEXT_TYPE_padding,
383         SSL_EXT_CLIENT_HELLO,
384         NULL,
385         /* We send this, but don't read it */
386         NULL, NULL, NULL, tls_construct_ctos_padding, NULL
387     },
388     {
389         /* Required by the TLSv1.3 spec to always be the last extension */
390         TLSEXT_TYPE_psk,
391         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO
392         | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,
393         NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,
394         tls_construct_ctos_psk, final_psk
395     }
396 };
397 
398 /* Check whether an extension's context matches the current context */
399 static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx)
400 {
401     /* Check we're allowed to use this extension in this context */
402     if ((thisctx & extctx) == 0)
403         return 0;
404 
405     if (SSL_IS_DTLS(s)) {
406         if ((extctx & SSL_EXT_TLS_ONLY) != 0)
407             return 0;
408     } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) {
409         return 0;
410     }
411 
412     return 1;
413 }
414 
415 int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts)
416 {
417     size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset;
418     RAW_EXTENSION *thisext;
419     unsigned int context;
420     ENDPOINT role = ENDPOINT_BOTH;
421 
422     if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0)
423         role = ENDPOINT_SERVER;
424     else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
425         role = ENDPOINT_CLIENT;
426 
427     /* Calculate the number of extensions in the extensions list */
428     num_exts = builtin_num + s->cert->custext.meths_count;
429 
430     for (thisext = exts, i = 0; i < num_exts; i++, thisext++) {
431         if (!thisext->present)
432             continue;
433 
434         if (i < builtin_num) {
435             context = ext_defs[i].context;
436         } else {
437             custom_ext_method *meth = NULL;
438 
439             meth = custom_ext_find(&s->cert->custext, role, thisext->type,
440                                    &offset);
441             if (!ossl_assert(meth != NULL))
442                 return 0;
443             context = meth->context;
444         }
445 
446         if (!validate_context(s, context, thisctx))
447             return 0;
448     }
449 
450     return 1;
451 }
452 
453 /*
454  * Verify whether we are allowed to use the extension |type| in the current
455  * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to
456  * indicate the extension is not allowed. If returning 1 then |*found| is set to
457  * the definition for the extension we found.
458  */
459 static int verify_extension(SSL *s, unsigned int context, unsigned int type,
460                             custom_ext_methods *meths, RAW_EXTENSION *rawexlist,
461                             RAW_EXTENSION **found)
462 {
463     size_t i;
464     size_t builtin_num = OSSL_NELEM(ext_defs);
465     const EXTENSION_DEFINITION *thisext;
466 
467     for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) {
468         if (type == thisext->type) {
469             if (!validate_context(s, thisext->context, context))
470                 return 0;
471 
472             *found = &rawexlist[i];
473             return 1;
474         }
475     }
476 
477     /* Check the custom extensions */
478     if (meths != NULL) {
479         size_t offset = 0;
480         ENDPOINT role = ENDPOINT_BOTH;
481         custom_ext_method *meth = NULL;
482 
483         if ((context & SSL_EXT_CLIENT_HELLO) != 0)
484             role = ENDPOINT_SERVER;
485         else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0)
486             role = ENDPOINT_CLIENT;
487 
488         meth = custom_ext_find(meths, role, type, &offset);
489         if (meth != NULL) {
490             if (!validate_context(s, meth->context, context))
491                 return 0;
492             *found = &rawexlist[offset + builtin_num];
493             return 1;
494         }
495     }
496 
497     /* Unknown extension. We allow it */
498     *found = NULL;
499     return 1;
500 }
501 
502 /*
503  * Check whether the context defined for an extension |extctx| means whether
504  * the extension is relevant for the current context |thisctx| or not. Returns
505  * 1 if the extension is relevant for this context, and 0 otherwise
506  */
507 int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx)
508 {
509     int is_tls13;
510 
511     /*
512      * For HRR we haven't selected the version yet but we know it will be
513      * TLSv1.3
514      */
515     if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
516         is_tls13 = 1;
517     else
518         is_tls13 = SSL_IS_TLS13(s);
519 
520     if ((SSL_IS_DTLS(s)
521                 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)
522             || (s->version == SSL3_VERSION
523                     && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)
524             /*
525              * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated",
526              * which is never true when generating the ClientHello.
527              * However, version negotiation *has* occurred by the time the
528              * ClientHello extensions are being parsed.
529              * Be careful to allow TLS 1.3-only extensions when generating
530              * the ClientHello.
531              */
532             || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)
533             || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0
534                 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0)
535             || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0)
536             || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0))
537         return 0;
538     return 1;
539 }
540 
541 /*
542  * Gather a list of all the extensions from the data in |packet]. |context|
543  * tells us which message this extension is for. The raw extension data is
544  * stored in |*res| on success. We don't actually process the content of the
545  * extensions yet, except to check their types. This function also runs the
546  * initialiser functions for all known extensions if |init| is nonzero (whether
547  * we have collected them or not). If successful the caller is responsible for
548  * freeing the contents of |*res|.
549  *
550  * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
551  * more than one extension of the same type in a ClientHello or ServerHello.
552  * This function returns 1 if all extensions are unique and we have parsed their
553  * types, and 0 if the extensions contain duplicates, could not be successfully
554  * found, or an internal error occurred. We only check duplicates for
555  * extensions that we know about. We ignore others.
556  */
557 int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
558                            RAW_EXTENSION **res, size_t *len, int init)
559 {
560     PACKET extensions = *packet;
561     size_t i = 0;
562     size_t num_exts;
563     custom_ext_methods *exts = &s->cert->custext;
564     RAW_EXTENSION *raw_extensions = NULL;
565     const EXTENSION_DEFINITION *thisexd;
566 
567     *res = NULL;
568 
569     /*
570      * Initialise server side custom extensions. Client side is done during
571      * construction of extensions for the ClientHello.
572      */
573     if ((context & SSL_EXT_CLIENT_HELLO) != 0)
574         custom_ext_init(&s->cert->custext);
575 
576     num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0);
577     raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions));
578     if (raw_extensions == NULL) {
579         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
580                  ERR_R_MALLOC_FAILURE);
581         return 0;
582     }
583 
584     i = 0;
585     while (PACKET_remaining(&extensions) > 0) {
586         unsigned int type, idx;
587         PACKET extension;
588         RAW_EXTENSION *thisex;
589 
590         if (!PACKET_get_net_2(&extensions, &type) ||
591             !PACKET_get_length_prefixed_2(&extensions, &extension)) {
592             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS,
593                      SSL_R_BAD_EXTENSION);
594             goto err;
595         }
596         /*
597          * Verify this extension is allowed. We only check duplicates for
598          * extensions that we recognise. We also have a special case for the
599          * PSK extension, which must be the last one in the ClientHello.
600          */
601         if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
602                 || (thisex != NULL && thisex->present == 1)
603                 || (type == TLSEXT_TYPE_psk
604                     && (context & SSL_EXT_CLIENT_HELLO) != 0
605                     && PACKET_remaining(&extensions) != 0)) {
606             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS,
607                      SSL_R_BAD_EXTENSION);
608             goto err;
609         }
610         idx = thisex - raw_extensions;
611         /*-
612          * Check that we requested this extension (if appropriate). Requests can
613          * be sent in the ClientHello and CertificateRequest. Unsolicited
614          * extensions can be sent in the NewSessionTicket. We only do this for
615          * the built-in extensions. Custom extensions have a different but
616          * similar check elsewhere.
617          * Special cases:
618          * - The HRR cookie extension is unsolicited
619          * - The renegotiate extension is unsolicited (the client signals
620          *   support via an SCSV)
621          * - The signed_certificate_timestamp extension can be provided by a
622          * custom extension or by the built-in version. We let the extension
623          * itself handle unsolicited response checks.
624          */
625         if (idx < OSSL_NELEM(ext_defs)
626                 && (context & (SSL_EXT_CLIENT_HELLO
627                                | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
628                                | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
629                 && type != TLSEXT_TYPE_cookie
630                 && type != TLSEXT_TYPE_renegotiate
631                 && type != TLSEXT_TYPE_signed_certificate_timestamp
632                 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
633 #ifndef OPENSSL_NO_GOST
634                 && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
635                      && type == TLSEXT_TYPE_cryptopro_bug)
636 #endif
637 								) {
638             SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
639                      SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
640             goto err;
641         }
642         if (thisex != NULL) {
643             thisex->data = extension;
644             thisex->present = 1;
645             thisex->type = type;
646             thisex->received_order = i++;
647             if (s->ext.debug_cb)
648                 s->ext.debug_cb(s, !s->server, thisex->type,
649                                 PACKET_data(&thisex->data),
650                                 PACKET_remaining(&thisex->data),
651                                 s->ext.debug_arg);
652         }
653     }
654 
655     if (init) {
656         /*
657          * Initialise all known extensions relevant to this context,
658          * whether we have found them or not
659          */
660         for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs);
661              i++, thisexd++) {
662             if (thisexd->init != NULL && (thisexd->context & context) != 0
663                 && extension_is_relevant(s, thisexd->context, context)
664                 && !thisexd->init(s, context)) {
665                 /* SSLfatal() already called */
666                 goto err;
667             }
668         }
669     }
670 
671     *res = raw_extensions;
672     if (len != NULL)
673         *len = num_exts;
674     return 1;
675 
676  err:
677     OPENSSL_free(raw_extensions);
678     return 0;
679 }
680 
681 /*
682  * Runs the parser for a given extension with index |idx|. |exts| contains the
683  * list of all parsed extensions previously collected by
684  * tls_collect_extensions(). The parser is only run if it is applicable for the
685  * given |context| and the parser has not already been run. If this is for a
686  * Certificate message, then we also provide the parser with the relevant
687  * Certificate |x| and its position in the |chainidx| with 0 being the first
688  * Certificate. Returns 1 on success or 0 on failure. If an extension is not
689  * present this counted as success.
690  */
691 int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
692                         RAW_EXTENSION *exts, X509 *x, size_t chainidx)
693 {
694     RAW_EXTENSION *currext = &exts[idx];
695     int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
696                   size_t chainidx) = NULL;
697 
698     /* Skip if the extension is not present */
699     if (!currext->present)
700         return 1;
701 
702     /* Skip if we've already parsed this extension */
703     if (currext->parsed)
704         return 1;
705 
706     currext->parsed = 1;
707 
708     if (idx < OSSL_NELEM(ext_defs)) {
709         /* We are handling a built-in extension */
710         const EXTENSION_DEFINITION *extdef = &ext_defs[idx];
711 
712         /* Check if extension is defined for our protocol. If not, skip */
713         if (!extension_is_relevant(s, extdef->context, context))
714             return 1;
715 
716         parser = s->server ? extdef->parse_ctos : extdef->parse_stoc;
717 
718         if (parser != NULL)
719             return parser(s, &currext->data, context, x, chainidx);
720 
721         /*
722          * If the parser is NULL we fall through to the custom extension
723          * processing
724          */
725     }
726 
727     /* Parse custom extensions */
728     return custom_ext_parse(s, context, currext->type,
729                             PACKET_data(&currext->data),
730                             PACKET_remaining(&currext->data),
731                             x, chainidx);
732 }
733 
734 /*
735  * Parse all remaining extensions that have not yet been parsed. Also calls the
736  * finalisation for all extensions at the end if |fin| is nonzero, whether we
737  * collected them or not. Returns 1 for success or 0 for failure. If we are
738  * working on a Certificate message then we also pass the Certificate |x| and
739  * its position in the |chainidx|, with 0 being the first certificate.
740  */
741 int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x,
742                              size_t chainidx, int fin)
743 {
744     size_t i, numexts = OSSL_NELEM(ext_defs);
745     const EXTENSION_DEFINITION *thisexd;
746 
747     /* Calculate the number of extensions in the extensions list */
748     numexts += s->cert->custext.meths_count;
749 
750     /* Parse each extension in turn */
751     for (i = 0; i < numexts; i++) {
752         if (!tls_parse_extension(s, i, context, exts, x, chainidx)) {
753             /* SSLfatal() already called */
754             return 0;
755         }
756     }
757 
758     if (fin) {
759         /*
760          * Finalise all known extensions relevant to this context,
761          * whether we have found them or not
762          */
763         for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs);
764              i++, thisexd++) {
765             if (thisexd->final != NULL && (thisexd->context & context) != 0
766                 && !thisexd->final(s, context, exts[i].present)) {
767                 /* SSLfatal() already called */
768                 return 0;
769             }
770         }
771     }
772 
773     return 1;
774 }
775 
776 int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx,
777                          int max_version)
778 {
779     /* Skip if not relevant for our context */
780     if ((extctx & thisctx) == 0)
781         return 0;
782 
783     /* Check if this extension is defined for our protocol. If not, skip */
784     if (!extension_is_relevant(s, extctx, thisctx)
785             || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0
786                 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0
787                 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)))
788         return 0;
789 
790     return 1;
791 }
792 
793 /*
794  * Construct all the extensions relevant to the current |context| and write
795  * them to |pkt|. If this is an extension for a Certificate in a Certificate
796  * message, then |x| will be set to the Certificate we are handling, and
797  * |chainidx| will indicate the position in the chainidx we are processing (with
798  * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a
799  * failure construction stops at the first extension to fail to construct.
800  */
801 int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
802                              X509 *x, size_t chainidx)
803 {
804     size_t i;
805     int min_version, max_version = 0, reason;
806     const EXTENSION_DEFINITION *thisexd;
807 
808     if (!WPACKET_start_sub_packet_u16(pkt)
809                /*
810                 * If extensions are of zero length then we don't even add the
811                 * extensions length bytes to a ClientHello/ServerHello
812                 * (for non-TLSv1.3).
813                 */
814             || ((context &
815                  (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0
816                 && !WPACKET_set_flags(pkt,
817                                      WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {
818         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
819                  ERR_R_INTERNAL_ERROR);
820         return 0;
821     }
822 
823     if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
824         reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
825         if (reason != 0) {
826             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
827                      reason);
828             return 0;
829         }
830     }
831 
832     /* Add custom extensions first */
833     if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
834         /* On the server side with initialise during ClientHello parsing */
835         custom_ext_init(&s->cert->custext);
836     }
837     if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) {
838         /* SSLfatal() already called */
839         return 0;
840     }
841 
842     for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
843         EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
844                                 X509 *x, size_t chainidx);
845         EXT_RETURN ret;
846 
847         /* Skip if not relevant for our context */
848         if (!should_add_extension(s, thisexd->context, context, max_version))
849             continue;
850 
851         construct = s->server ? thisexd->construct_stoc
852                               : thisexd->construct_ctos;
853 
854         if (construct == NULL)
855             continue;
856 
857         ret = construct(s, pkt, context, x, chainidx);
858         if (ret == EXT_RETURN_FAIL) {
859             /* SSLfatal() already called */
860             return 0;
861         }
862         if (ret == EXT_RETURN_SENT
863                 && (context & (SSL_EXT_CLIENT_HELLO
864                                | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
865                                | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
866             s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
867     }
868 
869     if (!WPACKET_close(pkt)) {
870         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS,
871                  ERR_R_INTERNAL_ERROR);
872         return 0;
873     }
874 
875     return 1;
876 }
877 
878 /*
879  * Built in extension finalisation and initialisation functions. All initialise
880  * or finalise the associated extension type for the given |context|. For
881  * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0
882  * otherwise. These functions return 1 on success or 0 on failure.
883  */
884 
885 static int final_renegotiate(SSL *s, unsigned int context, int sent)
886 {
887     if (!s->server) {
888         /*
889          * Check if we can connect to a server that doesn't support safe
890          * renegotiation
891          */
892         if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
893                 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
894                 && !sent) {
895             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
896                      SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
897             return 0;
898         }
899 
900         return 1;
901     }
902 
903     /* Need RI if renegotiating */
904     if (s->renegotiate
905             && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
906             && !sent) {
907         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE,
908                  SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
909         return 0;
910     }
911 
912 
913     return 1;
914 }
915 
916 static int init_server_name(SSL *s, unsigned int context)
917 {
918     if (s->server) {
919         s->servername_done = 0;
920 
921         OPENSSL_free(s->ext.hostname);
922         s->ext.hostname = NULL;
923     }
924 
925     return 1;
926 }
927 
928 static int final_server_name(SSL *s, unsigned int context, int sent)
929 {
930     int ret = SSL_TLSEXT_ERR_NOACK;
931     int altmp = SSL_AD_UNRECOGNIZED_NAME;
932     int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;
933 
934     if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) {
935         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
936                  ERR_R_INTERNAL_ERROR);
937         return 0;
938     }
939 
940     if (s->ctx->ext.servername_cb != NULL)
941         ret = s->ctx->ext.servername_cb(s, &altmp,
942                                         s->ctx->ext.servername_arg);
943     else if (s->session_ctx->ext.servername_cb != NULL)
944         ret = s->session_ctx->ext.servername_cb(s, &altmp,
945                                        s->session_ctx->ext.servername_arg);
946 
947     /*
948      * For servers, propagate the SNI hostname from the temporary
949      * storage in the SSL to the persistent SSL_SESSION, now that we
950      * know we accepted it.
951      * Clients make this copy when parsing the server's response to
952      * the extension, which is when they find out that the negotiation
953      * was successful.
954      */
955     if (s->server) {
956         if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) {
957             /* Only store the hostname in the session if we accepted it. */
958             OPENSSL_free(s->session->ext.hostname);
959             s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
960             if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) {
961                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
962                          ERR_R_INTERNAL_ERROR);
963             }
964         }
965     }
966 
967     /*
968      * If we switched contexts (whether here or in the client_hello callback),
969      * move the sess_accept increment from the session_ctx to the new
970      * context, to avoid the confusing situation of having sess_accept_good
971      * exceed sess_accept (zero) for the new context.
972      */
973     if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
974 		    && s->hello_retry_request == SSL_HRR_NONE) {
975         tsan_counter(&s->ctx->stats.sess_accept);
976         tsan_decr(&s->session_ctx->stats.sess_accept);
977     }
978 
979     /*
980      * If we're expecting to send a ticket, and tickets were previously enabled,
981      * and now tickets are disabled, then turn off expected ticket.
982      * Also, if this is not a resumption, create a new session ID
983      */
984     if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected
985             && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) {
986         s->ext.ticket_expected = 0;
987         if (!s->hit) {
988             SSL_SESSION* ss = SSL_get_session(s);
989 
990             if (ss != NULL) {
991                 OPENSSL_free(ss->ext.tick);
992                 ss->ext.tick = NULL;
993                 ss->ext.ticklen = 0;
994                 ss->ext.tick_lifetime_hint = 0;
995                 ss->ext.tick_age_add = 0;
996                 if (!ssl_generate_session_id(s, ss)) {
997                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
998                              ERR_R_INTERNAL_ERROR);
999                     return 0;
1000                 }
1001             } else {
1002                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME,
1003                          ERR_R_INTERNAL_ERROR);
1004                 return 0;
1005             }
1006         }
1007     }
1008 
1009     switch (ret) {
1010     case SSL_TLSEXT_ERR_ALERT_FATAL:
1011         SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
1012         return 0;
1013 
1014     case SSL_TLSEXT_ERR_ALERT_WARNING:
1015         /* TLSv1.3 doesn't have warning alerts so we suppress this */
1016         if (!SSL_IS_TLS13(s))
1017             ssl3_send_alert(s, SSL3_AL_WARNING, altmp);
1018         s->servername_done = 0;
1019         return 1;
1020 
1021     case SSL_TLSEXT_ERR_NOACK:
1022         s->servername_done = 0;
1023         return 1;
1024 
1025     default:
1026         return 1;
1027     }
1028 }
1029 
1030 #ifndef OPENSSL_NO_EC
1031 static int init_ec_point_formats(SSL *s, unsigned int context)
1032 {
1033     OPENSSL_free(s->ext.peer_ecpointformats);
1034     s->ext.peer_ecpointformats = NULL;
1035     s->ext.peer_ecpointformats_len = 0;
1036 
1037     return 1;
1038 }
1039 
1040 static int final_ec_pt_formats(SSL *s, unsigned int context, int sent)
1041 {
1042     unsigned long alg_k, alg_a;
1043 
1044     if (s->server)
1045         return 1;
1046 
1047     alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1048     alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1049 
1050     /*
1051      * If we are client and using an elliptic curve cryptography cipher
1052      * suite, then if server returns an EC point formats lists extension it
1053      * must contain uncompressed.
1054      */
1055     if (s->ext.ecpointformats != NULL
1056             && s->ext.ecpointformats_len > 0
1057             && s->ext.peer_ecpointformats != NULL
1058             && s->ext.peer_ecpointformats_len > 0
1059             && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
1060         /* we are using an ECC cipher */
1061         size_t i;
1062         unsigned char *list = s->ext.peer_ecpointformats;
1063 
1064         for (i = 0; i < s->ext.peer_ecpointformats_len; i++) {
1065             if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
1066                 break;
1067         }
1068         if (i == s->ext.peer_ecpointformats_len) {
1069             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS,
1070                      SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
1071             return 0;
1072         }
1073     }
1074 
1075     return 1;
1076 }
1077 #endif
1078 
1079 static int init_session_ticket(SSL *s, unsigned int context)
1080 {
1081     if (!s->server)
1082         s->ext.ticket_expected = 0;
1083 
1084     return 1;
1085 }
1086 
1087 #ifndef OPENSSL_NO_OCSP
1088 static int init_status_request(SSL *s, unsigned int context)
1089 {
1090     if (s->server) {
1091         s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1092     } else {
1093         /*
1094          * Ensure we get sensible values passed to tlsext_status_cb in the event
1095          * that we don't receive a status message
1096          */
1097         OPENSSL_free(s->ext.ocsp.resp);
1098         s->ext.ocsp.resp = NULL;
1099         s->ext.ocsp.resp_len = 0;
1100     }
1101 
1102     return 1;
1103 }
1104 #endif
1105 
1106 #ifndef OPENSSL_NO_NEXTPROTONEG
1107 static int init_npn(SSL *s, unsigned int context)
1108 {
1109     s->s3->npn_seen = 0;
1110 
1111     return 1;
1112 }
1113 #endif
1114 
1115 static int init_alpn(SSL *s, unsigned int context)
1116 {
1117     OPENSSL_free(s->s3->alpn_selected);
1118     s->s3->alpn_selected = NULL;
1119     s->s3->alpn_selected_len = 0;
1120     if (s->server) {
1121         OPENSSL_free(s->s3->alpn_proposed);
1122         s->s3->alpn_proposed = NULL;
1123         s->s3->alpn_proposed_len = 0;
1124     }
1125     return 1;
1126 }
1127 
1128 static int final_alpn(SSL *s, unsigned int context, int sent)
1129 {
1130     if (!s->server && !sent && s->session->ext.alpn_selected != NULL)
1131             s->ext.early_data_ok = 0;
1132 
1133     if (!s->server || !SSL_IS_TLS13(s))
1134         return 1;
1135 
1136     /*
1137      * Call alpn_select callback if needed.  Has to be done after SNI and
1138      * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
1139      * we also have to do this before we decide whether to accept early_data.
1140      * In TLSv1.3 we've already negotiated our cipher so we do this call now.
1141      * For < TLSv1.3 we defer it until after cipher negotiation.
1142      *
1143      * On failure SSLfatal() already called.
1144      */
1145     return tls_handle_alpn(s);
1146 }
1147 
1148 static int init_sig_algs(SSL *s, unsigned int context)
1149 {
1150     /* Clear any signature algorithms extension received */
1151     OPENSSL_free(s->s3->tmp.peer_sigalgs);
1152     s->s3->tmp.peer_sigalgs = NULL;
1153     s->s3->tmp.peer_sigalgslen = 0;
1154 
1155     return 1;
1156 }
1157 
1158 static int init_sig_algs_cert(SSL *s, unsigned int context)
1159 {
1160     /* Clear any signature algorithms extension received */
1161     OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
1162     s->s3->tmp.peer_cert_sigalgs = NULL;
1163     s->s3->tmp.peer_cert_sigalgslen = 0;
1164 
1165     return 1;
1166 }
1167 
1168 #ifndef OPENSSL_NO_SRP
1169 static int init_srp(SSL *s, unsigned int context)
1170 {
1171     OPENSSL_free(s->srp_ctx.login);
1172     s->srp_ctx.login = NULL;
1173 
1174     return 1;
1175 }
1176 #endif
1177 
1178 static int init_etm(SSL *s, unsigned int context)
1179 {
1180     s->ext.use_etm = 0;
1181 
1182     return 1;
1183 }
1184 
1185 static int init_ems(SSL *s, unsigned int context)
1186 {
1187     if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
1188         s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
1189         s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
1190     }
1191 
1192     return 1;
1193 }
1194 
1195 static int final_ems(SSL *s, unsigned int context, int sent)
1196 {
1197     /*
1198      * Check extended master secret extension is not dropped on
1199      * renegotiation.
1200      */
1201     if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
1202         && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
1203         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1204                  SSL_R_INCONSISTENT_EXTMS);
1205         return 0;
1206     }
1207     if (!s->server && s->hit) {
1208         /*
1209          * Check extended master secret extension is consistent with
1210          * original session.
1211          */
1212         if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) !=
1213             !(s->session->flags & SSL_SESS_FLAG_EXTMS)) {
1214             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
1215                      SSL_R_INCONSISTENT_EXTMS);
1216             return 0;
1217         }
1218     }
1219 
1220     return 1;
1221 }
1222 
1223 static int init_certificate_authorities(SSL *s, unsigned int context)
1224 {
1225     sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
1226     s->s3->tmp.peer_ca_names = NULL;
1227     return 1;
1228 }
1229 
1230 static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
1231                                                         unsigned int context,
1232                                                         X509 *x,
1233                                                         size_t chainidx)
1234 {
1235     const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s);
1236 
1237     if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
1238         return EXT_RETURN_NOT_SENT;
1239 
1240     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
1241         || !WPACKET_start_sub_packet_u16(pkt)) {
1242         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1243                  SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1244                ERR_R_INTERNAL_ERROR);
1245         return EXT_RETURN_FAIL;
1246     }
1247 
1248     if (!construct_ca_names(s, ca_sk, pkt)) {
1249         /* SSLfatal() already called */
1250         return EXT_RETURN_FAIL;
1251     }
1252 
1253     if (!WPACKET_close(pkt)) {
1254         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1255                  SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
1256                  ERR_R_INTERNAL_ERROR);
1257         return EXT_RETURN_FAIL;
1258     }
1259 
1260     return EXT_RETURN_SENT;
1261 }
1262 
1263 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
1264                                              unsigned int context, X509 *x,
1265                                              size_t chainidx)
1266 {
1267     if (!parse_ca_names(s, pkt))
1268         return 0;
1269     if (PACKET_remaining(pkt) != 0) {
1270         SSLfatal(s, SSL_AD_DECODE_ERROR,
1271                  SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION);
1272         return 0;
1273     }
1274     return 1;
1275 }
1276 
1277 #ifndef OPENSSL_NO_SRTP
1278 static int init_srtp(SSL *s, unsigned int context)
1279 {
1280     if (s->server)
1281         s->srtp_profile = NULL;
1282 
1283     return 1;
1284 }
1285 #endif
1286 
1287 static int final_sig_algs(SSL *s, unsigned int context, int sent)
1288 {
1289     if (!sent && SSL_IS_TLS13(s) && !s->hit) {
1290         SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS,
1291                  SSL_R_MISSING_SIGALGS_EXTENSION);
1292         return 0;
1293     }
1294 
1295     return 1;
1296 }
1297 
1298 #ifndef OPENSSL_NO_EC
1299 static int final_key_share(SSL *s, unsigned int context, int sent)
1300 {
1301     if (!SSL_IS_TLS13(s))
1302         return 1;
1303 
1304     /* Nothing to do for key_share in an HRR */
1305     if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0)
1306         return 1;
1307 
1308     /*
1309      * If
1310      *     we are a client
1311      *     AND
1312      *     we have no key_share
1313      *     AND
1314      *     (we are not resuming
1315      *      OR the kex_mode doesn't allow non key_share resumes)
1316      * THEN
1317      *     fail;
1318      */
1319     if (!s->server
1320             && !sent
1321             && (!s->hit
1322                 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) {
1323         /* Nothing left we can do - just fail */
1324         SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE,
1325                  SSL_R_NO_SUITABLE_KEY_SHARE);
1326         return 0;
1327     }
1328     /*
1329      * IF
1330      *     we are a server
1331      * THEN
1332      *     IF
1333      *         we have a suitable key_share
1334      *     THEN
1335      *         IF
1336      *             we are stateless AND we have no cookie
1337      *         THEN
1338      *             send a HelloRetryRequest
1339      *     ELSE
1340      *         IF
1341      *             we didn't already send a HelloRetryRequest
1342      *             AND
1343      *             the client sent a key_share extension
1344      *             AND
1345      *             (we are not resuming
1346      *              OR the kex_mode allows key_share resumes)
1347      *             AND
1348      *             a shared group exists
1349      *         THEN
1350      *             send a HelloRetryRequest
1351      *         ELSE IF
1352      *             we are not resuming
1353      *             OR
1354      *             the kex_mode doesn't allow non key_share resumes
1355      *         THEN
1356      *             fail
1357      *         ELSE IF
1358      *             we are stateless AND we have no cookie
1359      *         THEN
1360      *             send a HelloRetryRequest
1361      */
1362     if (s->server) {
1363         if (s->s3->peer_tmp != NULL) {
1364             /* We have a suitable key_share */
1365             if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
1366                     && !s->ext.cookieok) {
1367                 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1368                     /*
1369                      * If we are stateless then we wouldn't know about any
1370                      * previously sent HRR - so how can this be anything other
1371                      * than 0?
1372                      */
1373                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1374                              ERR_R_INTERNAL_ERROR);
1375                     return 0;
1376                 }
1377                 s->hello_retry_request = SSL_HRR_PENDING;
1378                 return 1;
1379             }
1380         } else {
1381             /* No suitable key_share */
1382             if (s->hello_retry_request == SSL_HRR_NONE && sent
1383                     && (!s->hit
1384                         || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE)
1385                            != 0)) {
1386                 const uint16_t *pgroups, *clntgroups;
1387                 size_t num_groups, clnt_num_groups, i;
1388                 unsigned int group_id = 0;
1389 
1390                 /* Check if a shared group exists */
1391 
1392                 /* Get the clients list of supported groups. */
1393                 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
1394                 tls1_get_supported_groups(s, &pgroups, &num_groups);
1395 
1396                 /*
1397                  * Find the first group we allow that is also in client's list
1398                  */
1399                 for (i = 0; i < num_groups; i++) {
1400                     group_id = pgroups[i];
1401 
1402                     if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
1403                                       1))
1404                         break;
1405                 }
1406 
1407                 if (i < num_groups) {
1408                     /* A shared group exists so send a HelloRetryRequest */
1409                     s->s3->group_id = group_id;
1410                     s->hello_retry_request = SSL_HRR_PENDING;
1411                     return 1;
1412                 }
1413             }
1414             if (!s->hit
1415                     || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
1416                 /* Nothing left we can do - just fail */
1417                 SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE
1418                                  : SSL_AD_MISSING_EXTENSION,
1419                          SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
1420                 return 0;
1421             }
1422 
1423             if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0
1424                     && !s->ext.cookieok) {
1425                 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) {
1426                     /*
1427                      * If we are stateless then we wouldn't know about any
1428                      * previously sent HRR - so how can this be anything other
1429                      * than 0?
1430                      */
1431                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1432                              ERR_R_INTERNAL_ERROR);
1433                     return 0;
1434                 }
1435                 s->hello_retry_request = SSL_HRR_PENDING;
1436                 return 1;
1437             }
1438         }
1439 
1440         /*
1441          * We have a key_share so don't send any more HelloRetryRequest
1442          * messages
1443          */
1444         if (s->hello_retry_request == SSL_HRR_PENDING)
1445             s->hello_retry_request = SSL_HRR_COMPLETE;
1446     } else {
1447         /*
1448          * For a client side resumption with no key_share we need to generate
1449          * the handshake secret (otherwise this is done during key_share
1450          * processing).
1451          */
1452         if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) {
1453             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE,
1454                      ERR_R_INTERNAL_ERROR);
1455             return 0;
1456         }
1457     }
1458 
1459     return 1;
1460 }
1461 #endif
1462 
1463 static int init_psk_kex_modes(SSL *s, unsigned int context)
1464 {
1465     s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE;
1466     return 1;
1467 }
1468 
1469 int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
1470                       size_t binderoffset, const unsigned char *binderin,
1471                       unsigned char *binderout, SSL_SESSION *sess, int sign,
1472                       int external)
1473 {
1474     EVP_PKEY *mackey = NULL;
1475     EVP_MD_CTX *mctx = NULL;
1476     unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE];
1477     unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE];
1478     unsigned char *early_secret;
1479 #ifdef CHARSET_EBCDIC
1480     static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1481     static const unsigned char external_label[]   = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 };
1482 #else
1483     static const unsigned char resumption_label[] = "res binder";
1484     static const unsigned char external_label[] = "ext binder";
1485 #endif
1486     const unsigned char *label;
1487     size_t bindersize, labelsize, hashsize;
1488     int hashsizei = EVP_MD_size(md);
1489     int ret = -1;
1490     int usepskfored = 0;
1491 
1492     /* Ensure cast to size_t is safe */
1493     if (!ossl_assert(hashsizei >= 0)) {
1494         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1495                  ERR_R_INTERNAL_ERROR);
1496         goto err;
1497     }
1498     hashsize = (size_t)hashsizei;
1499 
1500     if (external
1501             && s->early_data_state == SSL_EARLY_DATA_CONNECTING
1502             && s->session->ext.max_early_data == 0
1503             && sess->ext.max_early_data > 0)
1504         usepskfored = 1;
1505 
1506     if (external) {
1507         label = external_label;
1508         labelsize = sizeof(external_label) - 1;
1509     } else {
1510         label = resumption_label;
1511         labelsize = sizeof(resumption_label) - 1;
1512     }
1513 
1514     /*
1515      * Generate the early_secret. On the server side we've selected a PSK to
1516      * resume with (internal or external) so we always do this. On the client
1517      * side we do this for a non-external (i.e. resumption) PSK or external PSK
1518      * that will be used for early_data so that it is in place for sending early
1519      * data. For client side external PSK not being used for early_data we
1520      * generate it but store it away for later use.
1521      */
1522     if (s->server || !external || usepskfored)
1523         early_secret = (unsigned char *)s->early_secret;
1524     else
1525         early_secret = (unsigned char *)sess->early_secret;
1526 
1527     if (!tls13_generate_secret(s, md, NULL, sess->master_key,
1528                                sess->master_key_length, early_secret)) {
1529         /* SSLfatal() already called */
1530         goto err;
1531     }
1532 
1533     /*
1534      * Create the handshake hash for the binder key...the messages so far are
1535      * empty!
1536      */
1537     mctx = EVP_MD_CTX_new();
1538     if (mctx == NULL
1539             || EVP_DigestInit_ex(mctx, md, NULL) <= 0
1540             || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1541         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1542                  ERR_R_INTERNAL_ERROR);
1543         goto err;
1544     }
1545 
1546     /* Generate the binder key */
1547     if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
1548                            hashsize, binderkey, hashsize, 1)) {
1549         /* SSLfatal() already called */
1550         goto err;
1551     }
1552 
1553     /* Generate the finished key */
1554     if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) {
1555         /* SSLfatal() already called */
1556         goto err;
1557     }
1558 
1559     if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) {
1560         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1561                  ERR_R_INTERNAL_ERROR);
1562         goto err;
1563     }
1564 
1565     /*
1566      * Get a hash of the ClientHello up to the start of the binders. If we are
1567      * following a HelloRetryRequest then this includes the hash of the first
1568      * ClientHello and the HelloRetryRequest itself.
1569      */
1570     if (s->hello_retry_request == SSL_HRR_PENDING) {
1571         size_t hdatalen;
1572         long hdatalen_l;
1573         void *hdata;
1574 
1575         hdatalen = hdatalen_l =
1576             BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
1577         if (hdatalen_l <= 0) {
1578             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1579                      SSL_R_BAD_HANDSHAKE_LENGTH);
1580             goto err;
1581         }
1582 
1583         /*
1584          * For servers the handshake buffer data will include the second
1585          * ClientHello - which we don't want - so we need to take that bit off.
1586          */
1587         if (s->server) {
1588             PACKET hashprefix, msg;
1589 
1590             /* Find how many bytes are left after the first two messages */
1591             if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
1592                     || !PACKET_forward(&hashprefix, 1)
1593                     || !PACKET_get_length_prefixed_3(&hashprefix, &msg)
1594                     || !PACKET_forward(&hashprefix, 1)
1595                     || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
1596                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1597                          ERR_R_INTERNAL_ERROR);
1598                 goto err;
1599             }
1600             hdatalen -= PACKET_remaining(&hashprefix);
1601         }
1602 
1603         if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
1604             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1605                      ERR_R_INTERNAL_ERROR);
1606             goto err;
1607         }
1608     }
1609 
1610     if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0
1611             || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
1612         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1613                  ERR_R_INTERNAL_ERROR);
1614         goto err;
1615     }
1616 
1617     mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
1618                                           hashsize);
1619     if (mackey == NULL) {
1620         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1621                  ERR_R_INTERNAL_ERROR);
1622         goto err;
1623     }
1624 
1625     if (!sign)
1626         binderout = tmpbinder;
1627 
1628     bindersize = hashsize;
1629     if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0
1630             || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0
1631             || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0
1632             || bindersize != hashsize) {
1633         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
1634                  ERR_R_INTERNAL_ERROR);
1635         goto err;
1636     }
1637 
1638     if (sign) {
1639         ret = 1;
1640     } else {
1641         /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */
1642         ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0);
1643         if (!ret)
1644             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER,
1645                      SSL_R_BINDER_DOES_NOT_VERIFY);
1646     }
1647 
1648  err:
1649     OPENSSL_cleanse(binderkey, sizeof(binderkey));
1650     OPENSSL_cleanse(finishedkey, sizeof(finishedkey));
1651     EVP_PKEY_free(mackey);
1652     EVP_MD_CTX_free(mctx);
1653 
1654     return ret;
1655 }
1656 
1657 static int final_early_data(SSL *s, unsigned int context, int sent)
1658 {
1659     if (!sent)
1660         return 1;
1661 
1662     if (!s->server) {
1663         if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
1664                 && sent
1665                 && !s->ext.early_data_ok) {
1666             /*
1667              * If we get here then the server accepted our early_data but we
1668              * later realised that it shouldn't have done (e.g. inconsistent
1669              * ALPN)
1670              */
1671             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA,
1672                      SSL_R_BAD_EARLY_DATA);
1673             return 0;
1674         }
1675 
1676         return 1;
1677     }
1678 
1679     if (s->max_early_data == 0
1680             || !s->hit
1681             || s->early_data_state != SSL_EARLY_DATA_ACCEPTING
1682             || !s->ext.early_data_ok
1683             || s->hello_retry_request != SSL_HRR_NONE
1684             || (s->allow_early_data_cb != NULL
1685                 && !s->allow_early_data_cb(s,
1686                                          s->allow_early_data_cb_data))) {
1687         s->ext.early_data = SSL_EARLY_DATA_REJECTED;
1688     } else {
1689         s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1690 
1691         if (!tls13_change_cipher_state(s,
1692                     SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) {
1693             /* SSLfatal() already called */
1694             return 0;
1695         }
1696     }
1697 
1698     return 1;
1699 }
1700 
1701 static int final_maxfragmentlen(SSL *s, unsigned int context, int sent)
1702 {
1703     /*
1704      * Session resumption on server-side with MFL extension active
1705      *  BUT MFL extension packet was not resent (i.e. sent == 0)
1706      */
1707     if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1708             && !sent ) {
1709         SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN,
1710                  SSL_R_BAD_EXTENSION);
1711         return 0;
1712     }
1713 
1714     /* Current SSL buffer is lower than requested MFL */
1715     if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)
1716             && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session))
1717         /* trigger a larger buffer reallocation */
1718         if (!ssl3_setup_buffers(s)) {
1719             /* SSLfatal() already called */
1720             return 0;
1721         }
1722 
1723     return 1;
1724 }
1725 
1726 static int init_post_handshake_auth(SSL *s, unsigned int context)
1727 {
1728     s->post_handshake_auth = SSL_PHA_NONE;
1729 
1730     return 1;
1731 }
1732 
1733 /*
1734  * If clients offer "pre_shared_key" without a "psk_key_exchange_modes"
1735  * extension, servers MUST abort the handshake.
1736  */
1737 static int final_psk(SSL *s, unsigned int context, int sent)
1738 {
1739     if (s->server && sent && s->clienthello != NULL
1740             && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) {
1741         SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK,
1742                  SSL_R_MISSING_PSK_KEX_MODES_EXTENSION);
1743         return 0;
1744     }
1745 
1746     return 1;
1747 }
1748