1 /* 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <string.h> 11 #include "internal/nelem.h" 12 #include "internal/cryptlib.h" 13 #include "../ssl_local.h" 14 #include "statem_local.h" 15 #include "internal/cryptlib.h" 16 17 static int final_renegotiate(SSL *s, unsigned int context, int sent); 18 static int init_server_name(SSL *s, unsigned int context); 19 static int final_server_name(SSL *s, unsigned int context, int sent); 20 #ifndef OPENSSL_NO_EC 21 static int init_ec_point_formats(SSL *s, unsigned int context); 22 static int final_ec_pt_formats(SSL *s, unsigned int context, int sent); 23 #endif 24 static int init_session_ticket(SSL *s, unsigned int context); 25 #ifndef OPENSSL_NO_OCSP 26 static int init_status_request(SSL *s, unsigned int context); 27 #endif 28 #ifndef OPENSSL_NO_NEXTPROTONEG 29 static int init_npn(SSL *s, unsigned int context); 30 #endif 31 static int init_alpn(SSL *s, unsigned int context); 32 static int final_alpn(SSL *s, unsigned int context, int sent); 33 static int init_sig_algs_cert(SSL *s, unsigned int context); 34 static int init_sig_algs(SSL *s, unsigned int context); 35 static int init_certificate_authorities(SSL *s, unsigned int context); 36 static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, 37 unsigned int context, 38 X509 *x, 39 size_t chainidx); 40 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, 41 unsigned int context, X509 *x, 42 size_t chainidx); 43 #ifndef OPENSSL_NO_SRP 44 static int init_srp(SSL *s, unsigned int context); 45 #endif 46 static int init_etm(SSL *s, unsigned int context); 47 static int init_ems(SSL *s, unsigned int context); 48 static int final_ems(SSL *s, unsigned int context, int sent); 49 static int init_psk_kex_modes(SSL *s, unsigned int context); 50 #ifndef OPENSSL_NO_EC 51 static int final_key_share(SSL *s, unsigned int context, int sent); 52 #endif 53 #ifndef OPENSSL_NO_SRTP 54 static int init_srtp(SSL *s, unsigned int context); 55 #endif 56 static int final_sig_algs(SSL *s, unsigned int context, int sent); 57 static int final_early_data(SSL *s, unsigned int context, int sent); 58 static int final_maxfragmentlen(SSL *s, unsigned int context, int sent); 59 static int init_post_handshake_auth(SSL *s, unsigned int context); 60 static int final_psk(SSL *s, unsigned int context, int sent); 61 62 /* Structure to define a built-in extension */ 63 typedef struct extensions_definition_st { 64 /* The defined type for the extension */ 65 unsigned int type; 66 /* 67 * The context that this extension applies to, e.g. what messages and 68 * protocol versions 69 */ 70 unsigned int context; 71 /* 72 * Initialise extension before parsing. Always called for relevant contexts 73 * even if extension not present 74 */ 75 int (*init)(SSL *s, unsigned int context); 76 /* Parse extension sent from client to server */ 77 int (*parse_ctos)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 78 size_t chainidx); 79 /* Parse extension send from server to client */ 80 int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 81 size_t chainidx); 82 /* Construct extension sent from server to client */ 83 EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, 84 X509 *x, size_t chainidx); 85 /* Construct extension sent from client to server */ 86 EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, 87 X509 *x, size_t chainidx); 88 /* 89 * Finalise extension after parsing. Always called where an extensions was 90 * initialised even if the extension was not present. |sent| is set to 1 if 91 * the extension was seen, or 0 otherwise. 92 */ 93 int (*final)(SSL *s, unsigned int context, int sent); 94 } EXTENSION_DEFINITION; 95 96 /* 97 * Definitions of all built-in extensions. NOTE: Changes in the number or order 98 * of these extensions should be mirrored with equivalent changes to the 99 * indexes ( TLSEXT_IDX_* ) defined in ssl_local.h. 100 * Each extension has an initialiser, a client and 101 * server side parser and a finaliser. The initialiser is called (if the 102 * extension is relevant to the given context) even if we did not see the 103 * extension in the message that we received. The parser functions are only 104 * called if we see the extension in the message. The finalisers are always 105 * called if the initialiser was called. 106 * There are also server and client side constructor functions which are always 107 * called during message construction if the extension is relevant for the 108 * given context. 109 * The initialisation, parsing, finalisation and construction functions are 110 * always called in the order defined in this list. Some extensions may depend 111 * on others having been processed first, so the order of this list is 112 * significant. 113 * The extension context is defined by a series of flags which specify which 114 * messages the extension is relevant to. These flags also specify whether the 115 * extension is relevant to a particular protocol or protocol version. 116 * 117 * TODO(TLS1.3): Make sure we have a test to check the consistency of these 118 * 119 * NOTE: WebSphere Application Server 7+ cannot handle empty extensions at 120 * the end, keep these extensions before signature_algorithm. 121 */ 122 #define INVALID_EXTENSION { 0x10000, 0, NULL, NULL, NULL, NULL, NULL, NULL } 123 static const EXTENSION_DEFINITION ext_defs[] = { 124 { 125 TLSEXT_TYPE_renegotiate, 126 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 127 | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 128 NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate, 129 tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate, 130 final_renegotiate 131 }, 132 { 133 TLSEXT_TYPE_server_name, 134 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 135 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 136 init_server_name, 137 tls_parse_ctos_server_name, tls_parse_stoc_server_name, 138 tls_construct_stoc_server_name, tls_construct_ctos_server_name, 139 final_server_name 140 }, 141 { 142 TLSEXT_TYPE_max_fragment_length, 143 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 144 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 145 NULL, tls_parse_ctos_maxfragmentlen, tls_parse_stoc_maxfragmentlen, 146 tls_construct_stoc_maxfragmentlen, tls_construct_ctos_maxfragmentlen, 147 final_maxfragmentlen 148 }, 149 #ifndef OPENSSL_NO_SRP 150 { 151 TLSEXT_TYPE_srp, 152 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 153 init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL 154 }, 155 #else 156 INVALID_EXTENSION, 157 #endif 158 #ifndef OPENSSL_NO_EC 159 { 160 TLSEXT_TYPE_ec_point_formats, 161 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 162 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 163 init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats, 164 tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, 165 final_ec_pt_formats 166 }, 167 { 168 /* 169 * "supported_groups" is spread across several specifications. 170 * It was originally specified as "elliptic_curves" in RFC 4492, 171 * and broadened to include named FFDH groups by RFC 7919. 172 * Both RFCs 4492 and 7919 do not include a provision for the server 173 * to indicate to the client the complete list of groups supported 174 * by the server, with the server instead just indicating the 175 * selected group for this connection in the ServerKeyExchange 176 * message. TLS 1.3 adds a scheme for the server to indicate 177 * to the client its list of supported groups in the 178 * EncryptedExtensions message, but none of the relevant 179 * specifications permit sending supported_groups in the ServerHello. 180 * Nonetheless (possibly due to the close proximity to the 181 * "ec_point_formats" extension, which is allowed in the ServerHello), 182 * there are several servers that send this extension in the 183 * ServerHello anyway. Up to and including the 1.1.0 release, 184 * we did not check for the presence of nonpermitted extensions, 185 * so to avoid a regression, we must permit this extension in the 186 * TLS 1.2 ServerHello as well. 187 * 188 * Note that there is no tls_parse_stoc_supported_groups function, 189 * so we do not perform any additional parsing, validation, or 190 * processing on the server's group list -- this is just a minimal 191 * change to preserve compatibility with these misbehaving servers. 192 */ 193 TLSEXT_TYPE_supported_groups, 194 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 195 | SSL_EXT_TLS1_2_SERVER_HELLO, 196 NULL, tls_parse_ctos_supported_groups, NULL, 197 tls_construct_stoc_supported_groups, 198 tls_construct_ctos_supported_groups, NULL 199 }, 200 #else 201 INVALID_EXTENSION, 202 INVALID_EXTENSION, 203 #endif 204 { 205 TLSEXT_TYPE_session_ticket, 206 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 207 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 208 init_session_ticket, tls_parse_ctos_session_ticket, 209 tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket, 210 tls_construct_ctos_session_ticket, NULL 211 }, 212 #ifndef OPENSSL_NO_OCSP 213 { 214 TLSEXT_TYPE_status_request, 215 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 216 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 217 init_status_request, tls_parse_ctos_status_request, 218 tls_parse_stoc_status_request, tls_construct_stoc_status_request, 219 tls_construct_ctos_status_request, NULL 220 }, 221 #else 222 INVALID_EXTENSION, 223 #endif 224 #ifndef OPENSSL_NO_NEXTPROTONEG 225 { 226 TLSEXT_TYPE_next_proto_neg, 227 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 228 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 229 init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn, 230 tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL 231 }, 232 #else 233 INVALID_EXTENSION, 234 #endif 235 { 236 /* 237 * Must appear in this list after server_name so that finalisation 238 * happens after server_name callbacks 239 */ 240 TLSEXT_TYPE_application_layer_protocol_negotiation, 241 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 242 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, 243 init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn, 244 tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn 245 }, 246 #ifndef OPENSSL_NO_SRTP 247 { 248 TLSEXT_TYPE_use_srtp, 249 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 250 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY, 251 init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp, 252 tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL 253 }, 254 #else 255 INVALID_EXTENSION, 256 #endif 257 { 258 TLSEXT_TYPE_encrypt_then_mac, 259 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 260 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 261 init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm, 262 tls_construct_stoc_etm, tls_construct_ctos_etm, NULL 263 }, 264 #ifndef OPENSSL_NO_CT 265 { 266 TLSEXT_TYPE_signed_certificate_timestamp, 267 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 268 | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 269 NULL, 270 /* 271 * No server side support for this, but can be provided by a custom 272 * extension. This is an exception to the rule that custom extensions 273 * cannot override built in ones. 274 */ 275 NULL, tls_parse_stoc_sct, NULL, tls_construct_ctos_sct, NULL 276 }, 277 #else 278 INVALID_EXTENSION, 279 #endif 280 { 281 TLSEXT_TYPE_extended_master_secret, 282 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 283 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 284 init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems, 285 tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems 286 }, 287 { 288 TLSEXT_TYPE_signature_algorithms_cert, 289 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 290 init_sig_algs_cert, tls_parse_ctos_sig_algs_cert, 291 tls_parse_ctos_sig_algs_cert, 292 /* We do not generate signature_algorithms_cert at present. */ 293 NULL, NULL, NULL 294 }, 295 { 296 TLSEXT_TYPE_post_handshake_auth, 297 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY, 298 init_post_handshake_auth, 299 tls_parse_ctos_post_handshake_auth, NULL, 300 NULL, tls_construct_ctos_post_handshake_auth, 301 NULL, 302 }, 303 { 304 TLSEXT_TYPE_signature_algorithms, 305 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, 306 init_sig_algs, tls_parse_ctos_sig_algs, 307 tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs, 308 tls_construct_ctos_sig_algs, final_sig_algs 309 }, 310 { 311 TLSEXT_TYPE_supported_versions, 312 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 313 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY, 314 NULL, 315 /* Processed inline as part of version selection */ 316 NULL, tls_parse_stoc_supported_versions, 317 tls_construct_stoc_supported_versions, 318 tls_construct_ctos_supported_versions, NULL 319 }, 320 { 321 TLSEXT_TYPE_psk_kex_modes, 322 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY 323 | SSL_EXT_TLS1_3_ONLY, 324 init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, 325 tls_construct_ctos_psk_kex_modes, NULL 326 }, 327 #ifndef OPENSSL_NO_EC 328 { 329 /* 330 * Must be in this list after supported_groups. We need that to have 331 * been parsed before we do this one. 332 */ 333 TLSEXT_TYPE_key_share, 334 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 335 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY 336 | SSL_EXT_TLS1_3_ONLY, 337 NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, 338 tls_construct_stoc_key_share, tls_construct_ctos_key_share, 339 final_key_share 340 }, 341 #else 342 INVALID_EXTENSION, 343 #endif 344 { 345 /* Must be after key_share */ 346 TLSEXT_TYPE_cookie, 347 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 348 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, 349 NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie, 350 tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL 351 }, 352 { 353 /* 354 * Special unsolicited ServerHello extension only used when 355 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but 356 * ignore it. 357 */ 358 TLSEXT_TYPE_cryptopro_bug, 359 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO 360 | SSL_EXT_TLS1_2_AND_BELOW_ONLY, 361 NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL 362 }, 363 { 364 TLSEXT_TYPE_early_data, 365 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 366 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY, 367 NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data, 368 tls_construct_stoc_early_data, tls_construct_ctos_early_data, 369 final_early_data 370 }, 371 { 372 TLSEXT_TYPE_certificate_authorities, 373 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 374 | SSL_EXT_TLS1_3_ONLY, 375 init_certificate_authorities, 376 tls_parse_certificate_authorities, tls_parse_certificate_authorities, 377 tls_construct_certificate_authorities, 378 tls_construct_certificate_authorities, NULL, 379 }, 380 { 381 /* Must be immediately before pre_shared_key */ 382 TLSEXT_TYPE_padding, 383 SSL_EXT_CLIENT_HELLO, 384 NULL, 385 /* We send this, but don't read it */ 386 NULL, NULL, NULL, tls_construct_ctos_padding, NULL 387 }, 388 { 389 /* Required by the TLSv1.3 spec to always be the last extension */ 390 TLSEXT_TYPE_psk, 391 SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO 392 | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, 393 NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, 394 tls_construct_ctos_psk, final_psk 395 } 396 }; 397 398 /* Check whether an extension's context matches the current context */ 399 static int validate_context(SSL *s, unsigned int extctx, unsigned int thisctx) 400 { 401 /* Check we're allowed to use this extension in this context */ 402 if ((thisctx & extctx) == 0) 403 return 0; 404 405 if (SSL_IS_DTLS(s)) { 406 if ((extctx & SSL_EXT_TLS_ONLY) != 0) 407 return 0; 408 } else if ((extctx & SSL_EXT_DTLS_ONLY) != 0) { 409 return 0; 410 } 411 412 return 1; 413 } 414 415 int tls_validate_all_contexts(SSL *s, unsigned int thisctx, RAW_EXTENSION *exts) 416 { 417 size_t i, num_exts, builtin_num = OSSL_NELEM(ext_defs), offset; 418 RAW_EXTENSION *thisext; 419 unsigned int context; 420 ENDPOINT role = ENDPOINT_BOTH; 421 422 if ((thisctx & SSL_EXT_CLIENT_HELLO) != 0) 423 role = ENDPOINT_SERVER; 424 else if ((thisctx & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) 425 role = ENDPOINT_CLIENT; 426 427 /* Calculate the number of extensions in the extensions list */ 428 num_exts = builtin_num + s->cert->custext.meths_count; 429 430 for (thisext = exts, i = 0; i < num_exts; i++, thisext++) { 431 if (!thisext->present) 432 continue; 433 434 if (i < builtin_num) { 435 context = ext_defs[i].context; 436 } else { 437 custom_ext_method *meth = NULL; 438 439 meth = custom_ext_find(&s->cert->custext, role, thisext->type, 440 &offset); 441 if (!ossl_assert(meth != NULL)) 442 return 0; 443 context = meth->context; 444 } 445 446 if (!validate_context(s, context, thisctx)) 447 return 0; 448 } 449 450 return 1; 451 } 452 453 /* 454 * Verify whether we are allowed to use the extension |type| in the current 455 * |context|. Returns 1 to indicate the extension is allowed or unknown or 0 to 456 * indicate the extension is not allowed. If returning 1 then |*found| is set to 457 * the definition for the extension we found. 458 */ 459 static int verify_extension(SSL *s, unsigned int context, unsigned int type, 460 custom_ext_methods *meths, RAW_EXTENSION *rawexlist, 461 RAW_EXTENSION **found) 462 { 463 size_t i; 464 size_t builtin_num = OSSL_NELEM(ext_defs); 465 const EXTENSION_DEFINITION *thisext; 466 467 for (i = 0, thisext = ext_defs; i < builtin_num; i++, thisext++) { 468 if (type == thisext->type) { 469 if (!validate_context(s, thisext->context, context)) 470 return 0; 471 472 *found = &rawexlist[i]; 473 return 1; 474 } 475 } 476 477 /* Check the custom extensions */ 478 if (meths != NULL) { 479 size_t offset = 0; 480 ENDPOINT role = ENDPOINT_BOTH; 481 custom_ext_method *meth = NULL; 482 483 if ((context & SSL_EXT_CLIENT_HELLO) != 0) 484 role = ENDPOINT_SERVER; 485 else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) 486 role = ENDPOINT_CLIENT; 487 488 meth = custom_ext_find(meths, role, type, &offset); 489 if (meth != NULL) { 490 if (!validate_context(s, meth->context, context)) 491 return 0; 492 *found = &rawexlist[offset + builtin_num]; 493 return 1; 494 } 495 } 496 497 /* Unknown extension. We allow it */ 498 *found = NULL; 499 return 1; 500 } 501 502 /* 503 * Check whether the context defined for an extension |extctx| means whether 504 * the extension is relevant for the current context |thisctx| or not. Returns 505 * 1 if the extension is relevant for this context, and 0 otherwise 506 */ 507 int extension_is_relevant(SSL *s, unsigned int extctx, unsigned int thisctx) 508 { 509 int is_tls13; 510 511 /* 512 * For HRR we haven't selected the version yet but we know it will be 513 * TLSv1.3 514 */ 515 if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) 516 is_tls13 = 1; 517 else 518 is_tls13 = SSL_IS_TLS13(s); 519 520 if ((SSL_IS_DTLS(s) 521 && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) 522 || (s->version == SSL3_VERSION 523 && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) 524 /* 525 * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated", 526 * which is never true when generating the ClientHello. 527 * However, version negotiation *has* occurred by the time the 528 * ClientHello extensions are being parsed. 529 * Be careful to allow TLS 1.3-only extensions when generating 530 * the ClientHello. 531 */ 532 || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) 533 || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0 534 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0) 535 || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0) 536 || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0)) 537 return 0; 538 return 1; 539 } 540 541 /* 542 * Gather a list of all the extensions from the data in |packet]. |context| 543 * tells us which message this extension is for. The raw extension data is 544 * stored in |*res| on success. We don't actually process the content of the 545 * extensions yet, except to check their types. This function also runs the 546 * initialiser functions for all known extensions if |init| is nonzero (whether 547 * we have collected them or not). If successful the caller is responsible for 548 * freeing the contents of |*res|. 549 * 550 * Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be 551 * more than one extension of the same type in a ClientHello or ServerHello. 552 * This function returns 1 if all extensions are unique and we have parsed their 553 * types, and 0 if the extensions contain duplicates, could not be successfully 554 * found, or an internal error occurred. We only check duplicates for 555 * extensions that we know about. We ignore others. 556 */ 557 int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, 558 RAW_EXTENSION **res, size_t *len, int init) 559 { 560 PACKET extensions = *packet; 561 size_t i = 0; 562 size_t num_exts; 563 custom_ext_methods *exts = &s->cert->custext; 564 RAW_EXTENSION *raw_extensions = NULL; 565 const EXTENSION_DEFINITION *thisexd; 566 567 *res = NULL; 568 569 /* 570 * Initialise server side custom extensions. Client side is done during 571 * construction of extensions for the ClientHello. 572 */ 573 if ((context & SSL_EXT_CLIENT_HELLO) != 0) 574 custom_ext_init(&s->cert->custext); 575 576 num_exts = OSSL_NELEM(ext_defs) + (exts != NULL ? exts->meths_count : 0); 577 raw_extensions = OPENSSL_zalloc(num_exts * sizeof(*raw_extensions)); 578 if (raw_extensions == NULL) { 579 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, 580 ERR_R_MALLOC_FAILURE); 581 return 0; 582 } 583 584 i = 0; 585 while (PACKET_remaining(&extensions) > 0) { 586 unsigned int type, idx; 587 PACKET extension; 588 RAW_EXTENSION *thisex; 589 590 if (!PACKET_get_net_2(&extensions, &type) || 591 !PACKET_get_length_prefixed_2(&extensions, &extension)) { 592 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_COLLECT_EXTENSIONS, 593 SSL_R_BAD_EXTENSION); 594 goto err; 595 } 596 /* 597 * Verify this extension is allowed. We only check duplicates for 598 * extensions that we recognise. We also have a special case for the 599 * PSK extension, which must be the last one in the ClientHello. 600 */ 601 if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) 602 || (thisex != NULL && thisex->present == 1) 603 || (type == TLSEXT_TYPE_psk 604 && (context & SSL_EXT_CLIENT_HELLO) != 0 605 && PACKET_remaining(&extensions) != 0)) { 606 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_COLLECT_EXTENSIONS, 607 SSL_R_BAD_EXTENSION); 608 goto err; 609 } 610 idx = thisex - raw_extensions; 611 /*- 612 * Check that we requested this extension (if appropriate). Requests can 613 * be sent in the ClientHello and CertificateRequest. Unsolicited 614 * extensions can be sent in the NewSessionTicket. We only do this for 615 * the built-in extensions. Custom extensions have a different but 616 * similar check elsewhere. 617 * Special cases: 618 * - The HRR cookie extension is unsolicited 619 * - The renegotiate extension is unsolicited (the client signals 620 * support via an SCSV) 621 * - The signed_certificate_timestamp extension can be provided by a 622 * custom extension or by the built-in version. We let the extension 623 * itself handle unsolicited response checks. 624 */ 625 if (idx < OSSL_NELEM(ext_defs) 626 && (context & (SSL_EXT_CLIENT_HELLO 627 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 628 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0 629 && type != TLSEXT_TYPE_cookie 630 && type != TLSEXT_TYPE_renegotiate 631 && type != TLSEXT_TYPE_signed_certificate_timestamp 632 && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0 633 #ifndef OPENSSL_NO_GOST 634 && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 635 && type == TLSEXT_TYPE_cryptopro_bug) 636 #endif 637 ) { 638 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, 639 SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION); 640 goto err; 641 } 642 if (thisex != NULL) { 643 thisex->data = extension; 644 thisex->present = 1; 645 thisex->type = type; 646 thisex->received_order = i++; 647 if (s->ext.debug_cb) 648 s->ext.debug_cb(s, !s->server, thisex->type, 649 PACKET_data(&thisex->data), 650 PACKET_remaining(&thisex->data), 651 s->ext.debug_arg); 652 } 653 } 654 655 if (init) { 656 /* 657 * Initialise all known extensions relevant to this context, 658 * whether we have found them or not 659 */ 660 for (thisexd = ext_defs, i = 0; i < OSSL_NELEM(ext_defs); 661 i++, thisexd++) { 662 if (thisexd->init != NULL && (thisexd->context & context) != 0 663 && extension_is_relevant(s, thisexd->context, context) 664 && !thisexd->init(s, context)) { 665 /* SSLfatal() already called */ 666 goto err; 667 } 668 } 669 } 670 671 *res = raw_extensions; 672 if (len != NULL) 673 *len = num_exts; 674 return 1; 675 676 err: 677 OPENSSL_free(raw_extensions); 678 return 0; 679 } 680 681 /* 682 * Runs the parser for a given extension with index |idx|. |exts| contains the 683 * list of all parsed extensions previously collected by 684 * tls_collect_extensions(). The parser is only run if it is applicable for the 685 * given |context| and the parser has not already been run. If this is for a 686 * Certificate message, then we also provide the parser with the relevant 687 * Certificate |x| and its position in the |chainidx| with 0 being the first 688 * Certificate. Returns 1 on success or 0 on failure. If an extension is not 689 * present this counted as success. 690 */ 691 int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, 692 RAW_EXTENSION *exts, X509 *x, size_t chainidx) 693 { 694 RAW_EXTENSION *currext = &exts[idx]; 695 int (*parser)(SSL *s, PACKET *pkt, unsigned int context, X509 *x, 696 size_t chainidx) = NULL; 697 698 /* Skip if the extension is not present */ 699 if (!currext->present) 700 return 1; 701 702 /* Skip if we've already parsed this extension */ 703 if (currext->parsed) 704 return 1; 705 706 currext->parsed = 1; 707 708 if (idx < OSSL_NELEM(ext_defs)) { 709 /* We are handling a built-in extension */ 710 const EXTENSION_DEFINITION *extdef = &ext_defs[idx]; 711 712 /* Check if extension is defined for our protocol. If not, skip */ 713 if (!extension_is_relevant(s, extdef->context, context)) 714 return 1; 715 716 parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; 717 718 if (parser != NULL) 719 return parser(s, &currext->data, context, x, chainidx); 720 721 /* 722 * If the parser is NULL we fall through to the custom extension 723 * processing 724 */ 725 } 726 727 /* Parse custom extensions */ 728 return custom_ext_parse(s, context, currext->type, 729 PACKET_data(&currext->data), 730 PACKET_remaining(&currext->data), 731 x, chainidx); 732 } 733 734 /* 735 * Parse all remaining extensions that have not yet been parsed. Also calls the 736 * finalisation for all extensions at the end if |fin| is nonzero, whether we 737 * collected them or not. Returns 1 for success or 0 for failure. If we are 738 * working on a Certificate message then we also pass the Certificate |x| and 739 * its position in the |chainidx|, with 0 being the first certificate. 740 */ 741 int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, 742 size_t chainidx, int fin) 743 { 744 size_t i, numexts = OSSL_NELEM(ext_defs); 745 const EXTENSION_DEFINITION *thisexd; 746 747 /* Calculate the number of extensions in the extensions list */ 748 numexts += s->cert->custext.meths_count; 749 750 /* Parse each extension in turn */ 751 for (i = 0; i < numexts; i++) { 752 if (!tls_parse_extension(s, i, context, exts, x, chainidx)) { 753 /* SSLfatal() already called */ 754 return 0; 755 } 756 } 757 758 if (fin) { 759 /* 760 * Finalise all known extensions relevant to this context, 761 * whether we have found them or not 762 */ 763 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); 764 i++, thisexd++) { 765 if (thisexd->final != NULL && (thisexd->context & context) != 0 766 && !thisexd->final(s, context, exts[i].present)) { 767 /* SSLfatal() already called */ 768 return 0; 769 } 770 } 771 } 772 773 return 1; 774 } 775 776 int should_add_extension(SSL *s, unsigned int extctx, unsigned int thisctx, 777 int max_version) 778 { 779 /* Skip if not relevant for our context */ 780 if ((extctx & thisctx) == 0) 781 return 0; 782 783 /* Check if this extension is defined for our protocol. If not, skip */ 784 if (!extension_is_relevant(s, extctx, thisctx) 785 || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 786 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 787 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))) 788 return 0; 789 790 return 1; 791 } 792 793 /* 794 * Construct all the extensions relevant to the current |context| and write 795 * them to |pkt|. If this is an extension for a Certificate in a Certificate 796 * message, then |x| will be set to the Certificate we are handling, and 797 * |chainidx| will indicate the position in the chainidx we are processing (with 798 * 0 being the first in the chain). Returns 1 on success or 0 on failure. On a 799 * failure construction stops at the first extension to fail to construct. 800 */ 801 int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, 802 X509 *x, size_t chainidx) 803 { 804 size_t i; 805 int min_version, max_version = 0, reason; 806 const EXTENSION_DEFINITION *thisexd; 807 808 if (!WPACKET_start_sub_packet_u16(pkt) 809 /* 810 * If extensions are of zero length then we don't even add the 811 * extensions length bytes to a ClientHello/ServerHello 812 * (for non-TLSv1.3). 813 */ 814 || ((context & 815 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 816 && !WPACKET_set_flags(pkt, 817 WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) { 818 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 819 ERR_R_INTERNAL_ERROR); 820 return 0; 821 } 822 823 if ((context & SSL_EXT_CLIENT_HELLO) != 0) { 824 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 825 if (reason != 0) { 826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 827 reason); 828 return 0; 829 } 830 } 831 832 /* Add custom extensions first */ 833 if ((context & SSL_EXT_CLIENT_HELLO) != 0) { 834 /* On the server side with initialise during ClientHello parsing */ 835 custom_ext_init(&s->cert->custext); 836 } 837 if (!custom_ext_add(s, context, pkt, x, chainidx, max_version)) { 838 /* SSLfatal() already called */ 839 return 0; 840 } 841 842 for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) { 843 EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context, 844 X509 *x, size_t chainidx); 845 EXT_RETURN ret; 846 847 /* Skip if not relevant for our context */ 848 if (!should_add_extension(s, thisexd->context, context, max_version)) 849 continue; 850 851 construct = s->server ? thisexd->construct_stoc 852 : thisexd->construct_ctos; 853 854 if (construct == NULL) 855 continue; 856 857 ret = construct(s, pkt, context, x, chainidx); 858 if (ret == EXT_RETURN_FAIL) { 859 /* SSLfatal() already called */ 860 return 0; 861 } 862 if (ret == EXT_RETURN_SENT 863 && (context & (SSL_EXT_CLIENT_HELLO 864 | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 865 | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0) 866 s->ext.extflags[i] |= SSL_EXT_FLAG_SENT; 867 } 868 869 if (!WPACKET_close(pkt)) { 870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_EXTENSIONS, 871 ERR_R_INTERNAL_ERROR); 872 return 0; 873 } 874 875 return 1; 876 } 877 878 /* 879 * Built in extension finalisation and initialisation functions. All initialise 880 * or finalise the associated extension type for the given |context|. For 881 * finalisers |sent| is set to 1 if we saw the extension during parsing, and 0 882 * otherwise. These functions return 1 on success or 0 on failure. 883 */ 884 885 static int final_renegotiate(SSL *s, unsigned int context, int sent) 886 { 887 if (!s->server) { 888 /* 889 * Check if we can connect to a server that doesn't support safe 890 * renegotiation 891 */ 892 if (!(s->options & SSL_OP_LEGACY_SERVER_CONNECT) 893 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) 894 && !sent) { 895 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, 896 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 897 return 0; 898 } 899 900 return 1; 901 } 902 903 /* Need RI if renegotiating */ 904 if (s->renegotiate 905 && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) 906 && !sent) { 907 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_RENEGOTIATE, 908 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 909 return 0; 910 } 911 912 913 return 1; 914 } 915 916 static int init_server_name(SSL *s, unsigned int context) 917 { 918 if (s->server) { 919 s->servername_done = 0; 920 921 OPENSSL_free(s->ext.hostname); 922 s->ext.hostname = NULL; 923 } 924 925 return 1; 926 } 927 928 static int final_server_name(SSL *s, unsigned int context, int sent) 929 { 930 int ret = SSL_TLSEXT_ERR_NOACK; 931 int altmp = SSL_AD_UNRECOGNIZED_NAME; 932 int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0; 933 934 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) { 935 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 936 ERR_R_INTERNAL_ERROR); 937 return 0; 938 } 939 940 if (s->ctx->ext.servername_cb != NULL) 941 ret = s->ctx->ext.servername_cb(s, &altmp, 942 s->ctx->ext.servername_arg); 943 else if (s->session_ctx->ext.servername_cb != NULL) 944 ret = s->session_ctx->ext.servername_cb(s, &altmp, 945 s->session_ctx->ext.servername_arg); 946 947 /* 948 * For servers, propagate the SNI hostname from the temporary 949 * storage in the SSL to the persistent SSL_SESSION, now that we 950 * know we accepted it. 951 * Clients make this copy when parsing the server's response to 952 * the extension, which is when they find out that the negotiation 953 * was successful. 954 */ 955 if (s->server) { 956 if (sent && ret == SSL_TLSEXT_ERR_OK && !s->hit) { 957 /* Only store the hostname in the session if we accepted it. */ 958 OPENSSL_free(s->session->ext.hostname); 959 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 960 if (s->session->ext.hostname == NULL && s->ext.hostname != NULL) { 961 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 962 ERR_R_INTERNAL_ERROR); 963 } 964 } 965 } 966 967 /* 968 * If we switched contexts (whether here or in the client_hello callback), 969 * move the sess_accept increment from the session_ctx to the new 970 * context, to avoid the confusing situation of having sess_accept_good 971 * exceed sess_accept (zero) for the new context. 972 */ 973 if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx 974 && s->hello_retry_request == SSL_HRR_NONE) { 975 tsan_counter(&s->ctx->stats.sess_accept); 976 tsan_decr(&s->session_ctx->stats.sess_accept); 977 } 978 979 /* 980 * If we're expecting to send a ticket, and tickets were previously enabled, 981 * and now tickets are disabled, then turn off expected ticket. 982 * Also, if this is not a resumption, create a new session ID 983 */ 984 if (ret == SSL_TLSEXT_ERR_OK && s->ext.ticket_expected 985 && was_ticket && (SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) { 986 s->ext.ticket_expected = 0; 987 if (!s->hit) { 988 SSL_SESSION* ss = SSL_get_session(s); 989 990 if (ss != NULL) { 991 OPENSSL_free(ss->ext.tick); 992 ss->ext.tick = NULL; 993 ss->ext.ticklen = 0; 994 ss->ext.tick_lifetime_hint = 0; 995 ss->ext.tick_age_add = 0; 996 if (!ssl_generate_session_id(s, ss)) { 997 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 998 ERR_R_INTERNAL_ERROR); 999 return 0; 1000 } 1001 } else { 1002 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_SERVER_NAME, 1003 ERR_R_INTERNAL_ERROR); 1004 return 0; 1005 } 1006 } 1007 } 1008 1009 switch (ret) { 1010 case SSL_TLSEXT_ERR_ALERT_FATAL: 1011 SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED); 1012 return 0; 1013 1014 case SSL_TLSEXT_ERR_ALERT_WARNING: 1015 /* TLSv1.3 doesn't have warning alerts so we suppress this */ 1016 if (!SSL_IS_TLS13(s)) 1017 ssl3_send_alert(s, SSL3_AL_WARNING, altmp); 1018 s->servername_done = 0; 1019 return 1; 1020 1021 case SSL_TLSEXT_ERR_NOACK: 1022 s->servername_done = 0; 1023 return 1; 1024 1025 default: 1026 return 1; 1027 } 1028 } 1029 1030 #ifndef OPENSSL_NO_EC 1031 static int init_ec_point_formats(SSL *s, unsigned int context) 1032 { 1033 OPENSSL_free(s->ext.peer_ecpointformats); 1034 s->ext.peer_ecpointformats = NULL; 1035 s->ext.peer_ecpointformats_len = 0; 1036 1037 return 1; 1038 } 1039 1040 static int final_ec_pt_formats(SSL *s, unsigned int context, int sent) 1041 { 1042 unsigned long alg_k, alg_a; 1043 1044 if (s->server) 1045 return 1; 1046 1047 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1048 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1049 1050 /* 1051 * If we are client and using an elliptic curve cryptography cipher 1052 * suite, then if server returns an EC point formats lists extension it 1053 * must contain uncompressed. 1054 */ 1055 if (s->ext.ecpointformats != NULL 1056 && s->ext.ecpointformats_len > 0 1057 && s->ext.peer_ecpointformats != NULL 1058 && s->ext.peer_ecpointformats_len > 0 1059 && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) { 1060 /* we are using an ECC cipher */ 1061 size_t i; 1062 unsigned char *list = s->ext.peer_ecpointformats; 1063 1064 for (i = 0; i < s->ext.peer_ecpointformats_len; i++) { 1065 if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed) 1066 break; 1067 } 1068 if (i == s->ext.peer_ecpointformats_len) { 1069 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EC_PT_FORMATS, 1070 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); 1071 return 0; 1072 } 1073 } 1074 1075 return 1; 1076 } 1077 #endif 1078 1079 static int init_session_ticket(SSL *s, unsigned int context) 1080 { 1081 if (!s->server) 1082 s->ext.ticket_expected = 0; 1083 1084 return 1; 1085 } 1086 1087 #ifndef OPENSSL_NO_OCSP 1088 static int init_status_request(SSL *s, unsigned int context) 1089 { 1090 if (s->server) { 1091 s->ext.status_type = TLSEXT_STATUSTYPE_nothing; 1092 } else { 1093 /* 1094 * Ensure we get sensible values passed to tlsext_status_cb in the event 1095 * that we don't receive a status message 1096 */ 1097 OPENSSL_free(s->ext.ocsp.resp); 1098 s->ext.ocsp.resp = NULL; 1099 s->ext.ocsp.resp_len = 0; 1100 } 1101 1102 return 1; 1103 } 1104 #endif 1105 1106 #ifndef OPENSSL_NO_NEXTPROTONEG 1107 static int init_npn(SSL *s, unsigned int context) 1108 { 1109 s->s3->npn_seen = 0; 1110 1111 return 1; 1112 } 1113 #endif 1114 1115 static int init_alpn(SSL *s, unsigned int context) 1116 { 1117 OPENSSL_free(s->s3->alpn_selected); 1118 s->s3->alpn_selected = NULL; 1119 s->s3->alpn_selected_len = 0; 1120 if (s->server) { 1121 OPENSSL_free(s->s3->alpn_proposed); 1122 s->s3->alpn_proposed = NULL; 1123 s->s3->alpn_proposed_len = 0; 1124 } 1125 return 1; 1126 } 1127 1128 static int final_alpn(SSL *s, unsigned int context, int sent) 1129 { 1130 if (!s->server && !sent && s->session->ext.alpn_selected != NULL) 1131 s->ext.early_data_ok = 0; 1132 1133 if (!s->server || !SSL_IS_TLS13(s)) 1134 return 1; 1135 1136 /* 1137 * Call alpn_select callback if needed. Has to be done after SNI and 1138 * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 1139 * we also have to do this before we decide whether to accept early_data. 1140 * In TLSv1.3 we've already negotiated our cipher so we do this call now. 1141 * For < TLSv1.3 we defer it until after cipher negotiation. 1142 * 1143 * On failure SSLfatal() already called. 1144 */ 1145 return tls_handle_alpn(s); 1146 } 1147 1148 static int init_sig_algs(SSL *s, unsigned int context) 1149 { 1150 /* Clear any signature algorithms extension received */ 1151 OPENSSL_free(s->s3->tmp.peer_sigalgs); 1152 s->s3->tmp.peer_sigalgs = NULL; 1153 s->s3->tmp.peer_sigalgslen = 0; 1154 1155 return 1; 1156 } 1157 1158 static int init_sig_algs_cert(SSL *s, unsigned int context) 1159 { 1160 /* Clear any signature algorithms extension received */ 1161 OPENSSL_free(s->s3->tmp.peer_cert_sigalgs); 1162 s->s3->tmp.peer_cert_sigalgs = NULL; 1163 s->s3->tmp.peer_cert_sigalgslen = 0; 1164 1165 return 1; 1166 } 1167 1168 #ifndef OPENSSL_NO_SRP 1169 static int init_srp(SSL *s, unsigned int context) 1170 { 1171 OPENSSL_free(s->srp_ctx.login); 1172 s->srp_ctx.login = NULL; 1173 1174 return 1; 1175 } 1176 #endif 1177 1178 static int init_etm(SSL *s, unsigned int context) 1179 { 1180 s->ext.use_etm = 0; 1181 1182 return 1; 1183 } 1184 1185 static int init_ems(SSL *s, unsigned int context) 1186 { 1187 if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { 1188 s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; 1189 s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; 1190 } 1191 1192 return 1; 1193 } 1194 1195 static int final_ems(SSL *s, unsigned int context, int sent) 1196 { 1197 /* 1198 * Check extended master secret extension is not dropped on 1199 * renegotiation. 1200 */ 1201 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) 1202 && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { 1203 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, 1204 SSL_R_INCONSISTENT_EXTMS); 1205 return 0; 1206 } 1207 if (!s->server && s->hit) { 1208 /* 1209 * Check extended master secret extension is consistent with 1210 * original session. 1211 */ 1212 if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) != 1213 !(s->session->flags & SSL_SESS_FLAG_EXTMS)) { 1214 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, 1215 SSL_R_INCONSISTENT_EXTMS); 1216 return 0; 1217 } 1218 } 1219 1220 return 1; 1221 } 1222 1223 static int init_certificate_authorities(SSL *s, unsigned int context) 1224 { 1225 sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); 1226 s->s3->tmp.peer_ca_names = NULL; 1227 return 1; 1228 } 1229 1230 static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt, 1231 unsigned int context, 1232 X509 *x, 1233 size_t chainidx) 1234 { 1235 const STACK_OF(X509_NAME) *ca_sk = get_ca_names(s); 1236 1237 if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0) 1238 return EXT_RETURN_NOT_SENT; 1239 1240 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities) 1241 || !WPACKET_start_sub_packet_u16(pkt)) { 1242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1243 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, 1244 ERR_R_INTERNAL_ERROR); 1245 return EXT_RETURN_FAIL; 1246 } 1247 1248 if (!construct_ca_names(s, ca_sk, pkt)) { 1249 /* SSLfatal() already called */ 1250 return EXT_RETURN_FAIL; 1251 } 1252 1253 if (!WPACKET_close(pkt)) { 1254 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 1255 SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES, 1256 ERR_R_INTERNAL_ERROR); 1257 return EXT_RETURN_FAIL; 1258 } 1259 1260 return EXT_RETURN_SENT; 1261 } 1262 1263 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt, 1264 unsigned int context, X509 *x, 1265 size_t chainidx) 1266 { 1267 if (!parse_ca_names(s, pkt)) 1268 return 0; 1269 if (PACKET_remaining(pkt) != 0) { 1270 SSLfatal(s, SSL_AD_DECODE_ERROR, 1271 SSL_F_TLS_PARSE_CERTIFICATE_AUTHORITIES, SSL_R_BAD_EXTENSION); 1272 return 0; 1273 } 1274 return 1; 1275 } 1276 1277 #ifndef OPENSSL_NO_SRTP 1278 static int init_srtp(SSL *s, unsigned int context) 1279 { 1280 if (s->server) 1281 s->srtp_profile = NULL; 1282 1283 return 1; 1284 } 1285 #endif 1286 1287 static int final_sig_algs(SSL *s, unsigned int context, int sent) 1288 { 1289 if (!sent && SSL_IS_TLS13(s) && !s->hit) { 1290 SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_SIG_ALGS, 1291 SSL_R_MISSING_SIGALGS_EXTENSION); 1292 return 0; 1293 } 1294 1295 return 1; 1296 } 1297 1298 #ifndef OPENSSL_NO_EC 1299 static int final_key_share(SSL *s, unsigned int context, int sent) 1300 { 1301 if (!SSL_IS_TLS13(s)) 1302 return 1; 1303 1304 /* Nothing to do for key_share in an HRR */ 1305 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) 1306 return 1; 1307 1308 /* 1309 * If 1310 * we are a client 1311 * AND 1312 * we have no key_share 1313 * AND 1314 * (we are not resuming 1315 * OR the kex_mode doesn't allow non key_share resumes) 1316 * THEN 1317 * fail; 1318 */ 1319 if (!s->server 1320 && !sent 1321 && (!s->hit 1322 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0)) { 1323 /* Nothing left we can do - just fail */ 1324 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_KEY_SHARE, 1325 SSL_R_NO_SUITABLE_KEY_SHARE); 1326 return 0; 1327 } 1328 /* 1329 * IF 1330 * we are a server 1331 * THEN 1332 * IF 1333 * we have a suitable key_share 1334 * THEN 1335 * IF 1336 * we are stateless AND we have no cookie 1337 * THEN 1338 * send a HelloRetryRequest 1339 * ELSE 1340 * IF 1341 * we didn't already send a HelloRetryRequest 1342 * AND 1343 * the client sent a key_share extension 1344 * AND 1345 * (we are not resuming 1346 * OR the kex_mode allows key_share resumes) 1347 * AND 1348 * a shared group exists 1349 * THEN 1350 * send a HelloRetryRequest 1351 * ELSE IF 1352 * we are not resuming 1353 * OR 1354 * the kex_mode doesn't allow non key_share resumes 1355 * THEN 1356 * fail 1357 * ELSE IF 1358 * we are stateless AND we have no cookie 1359 * THEN 1360 * send a HelloRetryRequest 1361 */ 1362 if (s->server) { 1363 if (s->s3->peer_tmp != NULL) { 1364 /* We have a suitable key_share */ 1365 if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 1366 && !s->ext.cookieok) { 1367 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { 1368 /* 1369 * If we are stateless then we wouldn't know about any 1370 * previously sent HRR - so how can this be anything other 1371 * than 0? 1372 */ 1373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1374 ERR_R_INTERNAL_ERROR); 1375 return 0; 1376 } 1377 s->hello_retry_request = SSL_HRR_PENDING; 1378 return 1; 1379 } 1380 } else { 1381 /* No suitable key_share */ 1382 if (s->hello_retry_request == SSL_HRR_NONE && sent 1383 && (!s->hit 1384 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) 1385 != 0)) { 1386 const uint16_t *pgroups, *clntgroups; 1387 size_t num_groups, clnt_num_groups, i; 1388 unsigned int group_id = 0; 1389 1390 /* Check if a shared group exists */ 1391 1392 /* Get the clients list of supported groups. */ 1393 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups); 1394 tls1_get_supported_groups(s, &pgroups, &num_groups); 1395 1396 /* 1397 * Find the first group we allow that is also in client's list 1398 */ 1399 for (i = 0; i < num_groups; i++) { 1400 group_id = pgroups[i]; 1401 1402 if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1403 1)) 1404 break; 1405 } 1406 1407 if (i < num_groups) { 1408 /* A shared group exists so send a HelloRetryRequest */ 1409 s->s3->group_id = group_id; 1410 s->hello_retry_request = SSL_HRR_PENDING; 1411 return 1; 1412 } 1413 } 1414 if (!s->hit 1415 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) { 1416 /* Nothing left we can do - just fail */ 1417 SSLfatal(s, sent ? SSL_AD_HANDSHAKE_FAILURE 1418 : SSL_AD_MISSING_EXTENSION, 1419 SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE); 1420 return 0; 1421 } 1422 1423 if ((s->s3->flags & TLS1_FLAGS_STATELESS) != 0 1424 && !s->ext.cookieok) { 1425 if (!ossl_assert(s->hello_retry_request == SSL_HRR_NONE)) { 1426 /* 1427 * If we are stateless then we wouldn't know about any 1428 * previously sent HRR - so how can this be anything other 1429 * than 0? 1430 */ 1431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1432 ERR_R_INTERNAL_ERROR); 1433 return 0; 1434 } 1435 s->hello_retry_request = SSL_HRR_PENDING; 1436 return 1; 1437 } 1438 } 1439 1440 /* 1441 * We have a key_share so don't send any more HelloRetryRequest 1442 * messages 1443 */ 1444 if (s->hello_retry_request == SSL_HRR_PENDING) 1445 s->hello_retry_request = SSL_HRR_COMPLETE; 1446 } else { 1447 /* 1448 * For a client side resumption with no key_share we need to generate 1449 * the handshake secret (otherwise this is done during key_share 1450 * processing). 1451 */ 1452 if (!sent && !tls13_generate_handshake_secret(s, NULL, 0)) { 1453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_FINAL_KEY_SHARE, 1454 ERR_R_INTERNAL_ERROR); 1455 return 0; 1456 } 1457 } 1458 1459 return 1; 1460 } 1461 #endif 1462 1463 static int init_psk_kex_modes(SSL *s, unsigned int context) 1464 { 1465 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_NONE; 1466 return 1; 1467 } 1468 1469 int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 1470 size_t binderoffset, const unsigned char *binderin, 1471 unsigned char *binderout, SSL_SESSION *sess, int sign, 1472 int external) 1473 { 1474 EVP_PKEY *mackey = NULL; 1475 EVP_MD_CTX *mctx = NULL; 1476 unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; 1477 unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; 1478 unsigned char *early_secret; 1479 #ifdef CHARSET_EBCDIC 1480 static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; 1481 static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; 1482 #else 1483 static const unsigned char resumption_label[] = "res binder"; 1484 static const unsigned char external_label[] = "ext binder"; 1485 #endif 1486 const unsigned char *label; 1487 size_t bindersize, labelsize, hashsize; 1488 int hashsizei = EVP_MD_size(md); 1489 int ret = -1; 1490 int usepskfored = 0; 1491 1492 /* Ensure cast to size_t is safe */ 1493 if (!ossl_assert(hashsizei >= 0)) { 1494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1495 ERR_R_INTERNAL_ERROR); 1496 goto err; 1497 } 1498 hashsize = (size_t)hashsizei; 1499 1500 if (external 1501 && s->early_data_state == SSL_EARLY_DATA_CONNECTING 1502 && s->session->ext.max_early_data == 0 1503 && sess->ext.max_early_data > 0) 1504 usepskfored = 1; 1505 1506 if (external) { 1507 label = external_label; 1508 labelsize = sizeof(external_label) - 1; 1509 } else { 1510 label = resumption_label; 1511 labelsize = sizeof(resumption_label) - 1; 1512 } 1513 1514 /* 1515 * Generate the early_secret. On the server side we've selected a PSK to 1516 * resume with (internal or external) so we always do this. On the client 1517 * side we do this for a non-external (i.e. resumption) PSK or external PSK 1518 * that will be used for early_data so that it is in place for sending early 1519 * data. For client side external PSK not being used for early_data we 1520 * generate it but store it away for later use. 1521 */ 1522 if (s->server || !external || usepskfored) 1523 early_secret = (unsigned char *)s->early_secret; 1524 else 1525 early_secret = (unsigned char *)sess->early_secret; 1526 1527 if (!tls13_generate_secret(s, md, NULL, sess->master_key, 1528 sess->master_key_length, early_secret)) { 1529 /* SSLfatal() already called */ 1530 goto err; 1531 } 1532 1533 /* 1534 * Create the handshake hash for the binder key...the messages so far are 1535 * empty! 1536 */ 1537 mctx = EVP_MD_CTX_new(); 1538 if (mctx == NULL 1539 || EVP_DigestInit_ex(mctx, md, NULL) <= 0 1540 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 1541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1542 ERR_R_INTERNAL_ERROR); 1543 goto err; 1544 } 1545 1546 /* Generate the binder key */ 1547 if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash, 1548 hashsize, binderkey, hashsize, 1)) { 1549 /* SSLfatal() already called */ 1550 goto err; 1551 } 1552 1553 /* Generate the finished key */ 1554 if (!tls13_derive_finishedkey(s, md, binderkey, finishedkey, hashsize)) { 1555 /* SSLfatal() already called */ 1556 goto err; 1557 } 1558 1559 if (EVP_DigestInit_ex(mctx, md, NULL) <= 0) { 1560 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1561 ERR_R_INTERNAL_ERROR); 1562 goto err; 1563 } 1564 1565 /* 1566 * Get a hash of the ClientHello up to the start of the binders. If we are 1567 * following a HelloRetryRequest then this includes the hash of the first 1568 * ClientHello and the HelloRetryRequest itself. 1569 */ 1570 if (s->hello_retry_request == SSL_HRR_PENDING) { 1571 size_t hdatalen; 1572 long hdatalen_l; 1573 void *hdata; 1574 1575 hdatalen = hdatalen_l = 1576 BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 1577 if (hdatalen_l <= 0) { 1578 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1579 SSL_R_BAD_HANDSHAKE_LENGTH); 1580 goto err; 1581 } 1582 1583 /* 1584 * For servers the handshake buffer data will include the second 1585 * ClientHello - which we don't want - so we need to take that bit off. 1586 */ 1587 if (s->server) { 1588 PACKET hashprefix, msg; 1589 1590 /* Find how many bytes are left after the first two messages */ 1591 if (!PACKET_buf_init(&hashprefix, hdata, hdatalen) 1592 || !PACKET_forward(&hashprefix, 1) 1593 || !PACKET_get_length_prefixed_3(&hashprefix, &msg) 1594 || !PACKET_forward(&hashprefix, 1) 1595 || !PACKET_get_length_prefixed_3(&hashprefix, &msg)) { 1596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1597 ERR_R_INTERNAL_ERROR); 1598 goto err; 1599 } 1600 hdatalen -= PACKET_remaining(&hashprefix); 1601 } 1602 1603 if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) { 1604 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1605 ERR_R_INTERNAL_ERROR); 1606 goto err; 1607 } 1608 } 1609 1610 if (EVP_DigestUpdate(mctx, msgstart, binderoffset) <= 0 1611 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 1612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1613 ERR_R_INTERNAL_ERROR); 1614 goto err; 1615 } 1616 1617 mackey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finishedkey, 1618 hashsize); 1619 if (mackey == NULL) { 1620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1621 ERR_R_INTERNAL_ERROR); 1622 goto err; 1623 } 1624 1625 if (!sign) 1626 binderout = tmpbinder; 1627 1628 bindersize = hashsize; 1629 if (EVP_DigestSignInit(mctx, NULL, md, NULL, mackey) <= 0 1630 || EVP_DigestSignUpdate(mctx, hash, hashsize) <= 0 1631 || EVP_DigestSignFinal(mctx, binderout, &bindersize) <= 0 1632 || bindersize != hashsize) { 1633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER, 1634 ERR_R_INTERNAL_ERROR); 1635 goto err; 1636 } 1637 1638 if (sign) { 1639 ret = 1; 1640 } else { 1641 /* HMAC keys can't do EVP_DigestVerify* - use CRYPTO_memcmp instead */ 1642 ret = (CRYPTO_memcmp(binderin, binderout, hashsize) == 0); 1643 if (!ret) 1644 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PSK_DO_BINDER, 1645 SSL_R_BINDER_DOES_NOT_VERIFY); 1646 } 1647 1648 err: 1649 OPENSSL_cleanse(binderkey, sizeof(binderkey)); 1650 OPENSSL_cleanse(finishedkey, sizeof(finishedkey)); 1651 EVP_PKEY_free(mackey); 1652 EVP_MD_CTX_free(mctx); 1653 1654 return ret; 1655 } 1656 1657 static int final_early_data(SSL *s, unsigned int context, int sent) 1658 { 1659 if (!sent) 1660 return 1; 1661 1662 if (!s->server) { 1663 if (context == SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 1664 && sent 1665 && !s->ext.early_data_ok) { 1666 /* 1667 * If we get here then the server accepted our early_data but we 1668 * later realised that it shouldn't have done (e.g. inconsistent 1669 * ALPN) 1670 */ 1671 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_FINAL_EARLY_DATA, 1672 SSL_R_BAD_EARLY_DATA); 1673 return 0; 1674 } 1675 1676 return 1; 1677 } 1678 1679 if (s->max_early_data == 0 1680 || !s->hit 1681 || s->early_data_state != SSL_EARLY_DATA_ACCEPTING 1682 || !s->ext.early_data_ok 1683 || s->hello_retry_request != SSL_HRR_NONE 1684 || (s->allow_early_data_cb != NULL 1685 && !s->allow_early_data_cb(s, 1686 s->allow_early_data_cb_data))) { 1687 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 1688 } else { 1689 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 1690 1691 if (!tls13_change_cipher_state(s, 1692 SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_SERVER_READ)) { 1693 /* SSLfatal() already called */ 1694 return 0; 1695 } 1696 } 1697 1698 return 1; 1699 } 1700 1701 static int final_maxfragmentlen(SSL *s, unsigned int context, int sent) 1702 { 1703 /* 1704 * Session resumption on server-side with MFL extension active 1705 * BUT MFL extension packet was not resent (i.e. sent == 0) 1706 */ 1707 if (s->server && s->hit && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1708 && !sent ) { 1709 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_FINAL_MAXFRAGMENTLEN, 1710 SSL_R_BAD_EXTENSION); 1711 return 0; 1712 } 1713 1714 /* Current SSL buffer is lower than requested MFL */ 1715 if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) 1716 && s->max_send_fragment < GET_MAX_FRAGMENT_LENGTH(s->session)) 1717 /* trigger a larger buffer reallocation */ 1718 if (!ssl3_setup_buffers(s)) { 1719 /* SSLfatal() already called */ 1720 return 0; 1721 } 1722 1723 return 1; 1724 } 1725 1726 static int init_post_handshake_auth(SSL *s, unsigned int context) 1727 { 1728 s->post_handshake_auth = SSL_PHA_NONE; 1729 1730 return 1; 1731 } 1732 1733 /* 1734 * If clients offer "pre_shared_key" without a "psk_key_exchange_modes" 1735 * extension, servers MUST abort the handshake. 1736 */ 1737 static int final_psk(SSL *s, unsigned int context, int sent) 1738 { 1739 if (s->server && sent && s->clienthello != NULL 1740 && !s->clienthello->pre_proc_exts[TLSEXT_IDX_psk_kex_modes].present) { 1741 SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_F_FINAL_PSK, 1742 SSL_R_MISSING_PSK_KEX_MODES_EXTENSION); 1743 return 0; 1744 } 1745 1746 return 1; 1747 } 1748