1 /*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "internal/cryptlib.h"
13 #include "statem_local.h"
14
tls_construct_ctos_renegotiate(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)15 EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
16 unsigned int context, X509 *x,
17 size_t chainidx)
18 {
19 if (!s->renegotiate) {
20 /* If not renegotiating, send an empty RI extension to indicate support */
21
22 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
23 # error Internal DTLS version error
24 #endif
25
26 if (!SSL_CONNECTION_IS_DTLS(s)
27 && (s->min_proto_version >= TLS1_3_VERSION
28 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
29 && s->min_proto_version <= TLS1_VERSION))) {
30 /*
31 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this
32 * extension isn't used at all.
33 */
34 return EXT_RETURN_NOT_SENT;
35 }
36
37
38 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
39 || !WPACKET_start_sub_packet_u16(pkt)
40 || !WPACKET_put_bytes_u8(pkt, 0)
41 || !WPACKET_close(pkt)) {
42 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43 return EXT_RETURN_FAIL;
44 }
45
46 return EXT_RETURN_SENT;
47 }
48
49 /* Add a complete RI extension if renegotiating */
50 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
51 || !WPACKET_start_sub_packet_u16(pkt)
52 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
53 s->s3.previous_client_finished_len)
54 || !WPACKET_close(pkt)) {
55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
56 return EXT_RETURN_FAIL;
57 }
58
59 return EXT_RETURN_SENT;
60 }
61
tls_construct_ctos_server_name(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)62 EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
63 unsigned int context, X509 *x,
64 size_t chainidx)
65 {
66 if (s->ext.hostname == NULL)
67 return EXT_RETURN_NOT_SENT;
68
69 /* Add TLS extension servername to the Client Hello message */
70 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
71 /* Sub-packet for server_name extension */
72 || !WPACKET_start_sub_packet_u16(pkt)
73 /* Sub-packet for servername list (always 1 hostname)*/
74 || !WPACKET_start_sub_packet_u16(pkt)
75 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
76 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
77 strlen(s->ext.hostname))
78 || !WPACKET_close(pkt)
79 || !WPACKET_close(pkt)) {
80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
81 return EXT_RETURN_FAIL;
82 }
83
84 return EXT_RETURN_SENT;
85 }
86
87 /* Push a Max Fragment Len extension into ClientHello */
tls_construct_ctos_maxfragmentlen(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)88 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
89 unsigned int context, X509 *x,
90 size_t chainidx)
91 {
92 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
93 return EXT_RETURN_NOT_SENT;
94
95 /* Add Max Fragment Length extension if client enabled it. */
96 /*-
97 * 4 bytes for this extension type and extension length
98 * 1 byte for the Max Fragment Length code value.
99 */
100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
101 /* Sub-packet for Max Fragment Length extension (1 byte) */
102 || !WPACKET_start_sub_packet_u16(pkt)
103 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
104 || !WPACKET_close(pkt)) {
105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
106 return EXT_RETURN_FAIL;
107 }
108
109 return EXT_RETURN_SENT;
110 }
111
112 #ifndef OPENSSL_NO_SRP
tls_construct_ctos_srp(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)113 EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
114 unsigned int context,
115 X509 *x, size_t chainidx)
116 {
117 /* Add SRP username if there is one */
118 if (s->srp_ctx.login == NULL)
119 return EXT_RETURN_NOT_SENT;
120
121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
122 /* Sub-packet for SRP extension */
123 || !WPACKET_start_sub_packet_u16(pkt)
124 || !WPACKET_start_sub_packet_u8(pkt)
125 /* login must not be zero...internal error if so */
126 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
127 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
128 strlen(s->srp_ctx.login))
129 || !WPACKET_close(pkt)
130 || !WPACKET_close(pkt)) {
131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
132 return EXT_RETURN_FAIL;
133 }
134
135 return EXT_RETURN_SENT;
136 }
137 #endif
138
use_ecc(SSL_CONNECTION * s,int min_version,int max_version)139 static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
140 {
141 int i, end, ret = 0;
142 unsigned long alg_k, alg_a;
143 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
144 const uint16_t *pgroups = NULL;
145 size_t num_groups, j;
146 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
147
148 /* See if we support any ECC ciphersuites */
149 if (s->version == SSL3_VERSION)
150 return 0;
151
152 cipher_stack = SSL_get1_supported_ciphers(ssl);
153 end = sk_SSL_CIPHER_num(cipher_stack);
154 for (i = 0; i < end; i++) {
155 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
156
157 alg_k = c->algorithm_mkey;
158 alg_a = c->algorithm_auth;
159 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
160 || (alg_a & SSL_aECDSA)
161 || c->min_tls >= TLS1_3_VERSION) {
162 ret = 1;
163 break;
164 }
165 }
166 sk_SSL_CIPHER_free(cipher_stack);
167 if (!ret)
168 return 0;
169
170 /* Check we have at least one EC supported group */
171 tls1_get_supported_groups(s, &pgroups, &num_groups);
172 for (j = 0; j < num_groups; j++) {
173 uint16_t ctmp = pgroups[j];
174
175 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
176 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
177 return 1;
178 }
179
180 return 0;
181 }
182
tls_construct_ctos_ec_pt_formats(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)183 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
184 unsigned int context, X509 *x,
185 size_t chainidx)
186 {
187 const unsigned char *pformats;
188 size_t num_formats;
189 int reason, min_version, max_version;
190
191 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
192 if (reason != 0) {
193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
194 return EXT_RETURN_FAIL;
195 }
196 if (!use_ecc(s, min_version, max_version))
197 return EXT_RETURN_NOT_SENT;
198
199 /* Add TLS extension ECPointFormats to the ClientHello message */
200 tls1_get_formatlist(s, &pformats, &num_formats);
201
202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
203 /* Sub-packet for formats extension */
204 || !WPACKET_start_sub_packet_u16(pkt)
205 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
206 || !WPACKET_close(pkt)) {
207 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
208 return EXT_RETURN_FAIL;
209 }
210
211 return EXT_RETURN_SENT;
212 }
213
tls_construct_ctos_supported_groups(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)214 EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
215 unsigned int context, X509 *x,
216 size_t chainidx)
217 {
218 const uint16_t *pgroups = NULL;
219 size_t num_groups = 0, i, tls13added = 0, added = 0;
220 int min_version, max_version, reason;
221
222 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
223 if (reason != 0) {
224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
225 return EXT_RETURN_FAIL;
226 }
227
228 /*
229 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
230 * if we don't have EC support then we don't send this extension.
231 */
232 if (!use_ecc(s, min_version, max_version)
233 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
234 return EXT_RETURN_NOT_SENT;
235
236 /*
237 * Add TLS extension supported_groups to the ClientHello message
238 */
239 tls1_get_supported_groups(s, &pgroups, &num_groups);
240
241 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
242 /* Sub-packet for supported_groups extension */
243 || !WPACKET_start_sub_packet_u16(pkt)
244 || !WPACKET_start_sub_packet_u16(pkt)
245 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
247 return EXT_RETURN_FAIL;
248 }
249 /* Copy group ID if supported */
250 for (i = 0; i < num_groups; i++) {
251 uint16_t ctmp = pgroups[i];
252 int okfortls13;
253
254 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
255 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
256 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
258 return EXT_RETURN_FAIL;
259 }
260 if (okfortls13 && max_version == TLS1_3_VERSION)
261 tls13added++;
262 added++;
263 }
264 }
265 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
266 if (added == 0)
267 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
268 "No groups enabled for max supported SSL/TLS version");
269 else
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
271 return EXT_RETURN_FAIL;
272 }
273
274 if (tls13added == 0 && max_version == TLS1_3_VERSION) {
275 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
276 "No groups enabled for max supported SSL/TLS version");
277 return EXT_RETURN_FAIL;
278 }
279
280 return EXT_RETURN_SENT;
281 }
282
tls_construct_ctos_session_ticket(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)283 EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
284 unsigned int context, X509 *x,
285 size_t chainidx)
286 {
287 size_t ticklen;
288
289 if (!tls_use_ticket(s))
290 return EXT_RETURN_NOT_SENT;
291
292 if (!s->new_session && s->session != NULL
293 && s->session->ext.tick != NULL
294 && s->session->ssl_version != TLS1_3_VERSION) {
295 ticklen = s->session->ext.ticklen;
296 } else if (s->session && s->ext.session_ticket != NULL
297 && s->ext.session_ticket->data != NULL) {
298 ticklen = s->ext.session_ticket->length;
299 s->session->ext.tick = OPENSSL_malloc(ticklen);
300 if (s->session->ext.tick == NULL) {
301 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
302 return EXT_RETURN_FAIL;
303 }
304 memcpy(s->session->ext.tick,
305 s->ext.session_ticket->data, ticklen);
306 s->session->ext.ticklen = ticklen;
307 } else {
308 ticklen = 0;
309 }
310
311 if (ticklen == 0 && s->ext.session_ticket != NULL &&
312 s->ext.session_ticket->data == NULL)
313 return EXT_RETURN_NOT_SENT;
314
315 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
316 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
318 return EXT_RETURN_FAIL;
319 }
320
321 return EXT_RETURN_SENT;
322 }
323
tls_construct_ctos_sig_algs(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)324 EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
325 unsigned int context, X509 *x,
326 size_t chainidx)
327 {
328 size_t salglen;
329 const uint16_t *salg;
330
331 if (!SSL_CLIENT_USE_SIGALGS(s))
332 return EXT_RETURN_NOT_SENT;
333
334 salglen = tls12_get_psigalgs(s, 1, &salg);
335 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
336 /* Sub-packet for sig-algs extension */
337 || !WPACKET_start_sub_packet_u16(pkt)
338 /* Sub-packet for the actual list */
339 || !WPACKET_start_sub_packet_u16(pkt)
340 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
341 || !WPACKET_close(pkt)
342 || !WPACKET_close(pkt)) {
343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
344 return EXT_RETURN_FAIL;
345 }
346
347 return EXT_RETURN_SENT;
348 }
349
350 #ifndef OPENSSL_NO_OCSP
tls_construct_ctos_status_request(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)351 EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
352 unsigned int context, X509 *x,
353 size_t chainidx)
354 {
355 int i;
356
357 /* This extension isn't defined for client Certificates */
358 if (x != NULL)
359 return EXT_RETURN_NOT_SENT;
360
361 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
362 return EXT_RETURN_NOT_SENT;
363
364 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
365 /* Sub-packet for status request extension */
366 || !WPACKET_start_sub_packet_u16(pkt)
367 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
368 /* Sub-packet for the ids */
369 || !WPACKET_start_sub_packet_u16(pkt)) {
370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
371 return EXT_RETURN_FAIL;
372 }
373 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
374 unsigned char *idbytes;
375 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
376 int idlen = i2d_OCSP_RESPID(id, NULL);
377
378 if (idlen <= 0
379 /* Sub-packet for an individual id */
380 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
381 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
383 return EXT_RETURN_FAIL;
384 }
385 }
386 if (!WPACKET_close(pkt)
387 || !WPACKET_start_sub_packet_u16(pkt)) {
388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
389 return EXT_RETURN_FAIL;
390 }
391 if (s->ext.ocsp.exts) {
392 unsigned char *extbytes;
393 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
394
395 if (extlen < 0) {
396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
397 return EXT_RETURN_FAIL;
398 }
399 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
400 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
401 != extlen) {
402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
403 return EXT_RETURN_FAIL;
404 }
405 }
406 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
408 return EXT_RETURN_FAIL;
409 }
410
411 return EXT_RETURN_SENT;
412 }
413 #endif
414
415 #ifndef OPENSSL_NO_NEXTPROTONEG
tls_construct_ctos_npn(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)416 EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
417 unsigned int context,
418 X509 *x, size_t chainidx)
419 {
420 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
421 || !SSL_IS_FIRST_HANDSHAKE(s))
422 return EXT_RETURN_NOT_SENT;
423
424 /*
425 * The client advertises an empty extension to indicate its support
426 * for Next Protocol Negotiation
427 */
428 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
429 || !WPACKET_put_bytes_u16(pkt, 0)) {
430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
431 return EXT_RETURN_FAIL;
432 }
433
434 return EXT_RETURN_SENT;
435 }
436 #endif
437
tls_construct_ctos_alpn(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)438 EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
439 unsigned int context,
440 X509 *x, size_t chainidx)
441 {
442 s->s3.alpn_sent = 0;
443
444 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
445 return EXT_RETURN_NOT_SENT;
446
447 if (!WPACKET_put_bytes_u16(pkt,
448 TLSEXT_TYPE_application_layer_protocol_negotiation)
449 /* Sub-packet ALPN extension */
450 || !WPACKET_start_sub_packet_u16(pkt)
451 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
452 || !WPACKET_close(pkt)) {
453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
454 return EXT_RETURN_FAIL;
455 }
456 s->s3.alpn_sent = 1;
457
458 return EXT_RETURN_SENT;
459 }
460
461
462 #ifndef OPENSSL_NO_SRTP
tls_construct_ctos_use_srtp(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)463 EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
464 unsigned int context, X509 *x,
465 size_t chainidx)
466 {
467 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
468 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
469 int i, end;
470
471 if (clnt == NULL)
472 return EXT_RETURN_NOT_SENT;
473
474 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
475 /* Sub-packet for SRTP extension */
476 || !WPACKET_start_sub_packet_u16(pkt)
477 /* Sub-packet for the protection profile list */
478 || !WPACKET_start_sub_packet_u16(pkt)) {
479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
480 return EXT_RETURN_FAIL;
481 }
482
483 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
484 for (i = 0; i < end; i++) {
485 const SRTP_PROTECTION_PROFILE *prof =
486 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
487
488 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
490 return EXT_RETURN_FAIL;
491 }
492 }
493 if (!WPACKET_close(pkt)
494 /* Add an empty use_mki value */
495 || !WPACKET_put_bytes_u8(pkt, 0)
496 || !WPACKET_close(pkt)) {
497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
498 return EXT_RETURN_FAIL;
499 }
500
501 return EXT_RETURN_SENT;
502 }
503 #endif
504
tls_construct_ctos_etm(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)505 EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
506 unsigned int context,
507 X509 *x, size_t chainidx)
508 {
509 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
510 return EXT_RETURN_NOT_SENT;
511
512 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
513 || !WPACKET_put_bytes_u16(pkt, 0)) {
514 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
515 return EXT_RETURN_FAIL;
516 }
517
518 return EXT_RETURN_SENT;
519 }
520
521 #ifndef OPENSSL_NO_CT
tls_construct_ctos_sct(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)522 EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
523 unsigned int context,
524 X509 *x, size_t chainidx)
525 {
526 if (s->ct_validation_callback == NULL)
527 return EXT_RETURN_NOT_SENT;
528
529 /* Not defined for client Certificates */
530 if (x != NULL)
531 return EXT_RETURN_NOT_SENT;
532
533 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
534 || !WPACKET_put_bytes_u16(pkt, 0)) {
535 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
536 return EXT_RETURN_FAIL;
537 }
538
539 return EXT_RETURN_SENT;
540 }
541 #endif
542
tls_construct_ctos_ems(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)543 EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
544 unsigned int context,
545 X509 *x, size_t chainidx)
546 {
547 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
548 return EXT_RETURN_NOT_SENT;
549
550 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
551 || !WPACKET_put_bytes_u16(pkt, 0)) {
552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
553 return EXT_RETURN_FAIL;
554 }
555
556 return EXT_RETURN_SENT;
557 }
558
tls_construct_ctos_supported_versions(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)559 EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
560 unsigned int context, X509 *x,
561 size_t chainidx)
562 {
563 int currv, min_version, max_version, reason;
564
565 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
566 if (reason != 0) {
567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
568 return EXT_RETURN_FAIL;
569 }
570
571 /*
572 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
573 * comparison here because we will never be called in DTLS.
574 */
575 if (max_version < TLS1_3_VERSION)
576 return EXT_RETURN_NOT_SENT;
577
578 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
579 || !WPACKET_start_sub_packet_u16(pkt)
580 || !WPACKET_start_sub_packet_u8(pkt)) {
581 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
582 return EXT_RETURN_FAIL;
583 }
584
585 for (currv = max_version; currv >= min_version; currv--) {
586 if (!WPACKET_put_bytes_u16(pkt, currv)) {
587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
588 return EXT_RETURN_FAIL;
589 }
590 }
591 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
593 return EXT_RETURN_FAIL;
594 }
595
596 return EXT_RETURN_SENT;
597 }
598
599 /*
600 * Construct a psk_kex_modes extension.
601 */
tls_construct_ctos_psk_kex_modes(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)602 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
603 unsigned int context, X509 *x,
604 size_t chainidx)
605 {
606 #ifndef OPENSSL_NO_TLS1_3
607 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
608
609 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
610 || !WPACKET_start_sub_packet_u16(pkt)
611 || !WPACKET_start_sub_packet_u8(pkt)
612 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
613 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
614 || !WPACKET_close(pkt)
615 || !WPACKET_close(pkt)) {
616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
617 return EXT_RETURN_FAIL;
618 }
619
620 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
621 if (nodhe)
622 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
623 #endif
624
625 return EXT_RETURN_SENT;
626 }
627
628 #ifndef OPENSSL_NO_TLS1_3
add_key_share(SSL_CONNECTION * s,WPACKET * pkt,unsigned int curve_id)629 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
630 {
631 unsigned char *encoded_point = NULL;
632 EVP_PKEY *key_share_key = NULL;
633 size_t encodedlen;
634
635 if (s->s3.tmp.pkey != NULL) {
636 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
638 return 0;
639 }
640 /*
641 * Could happen if we got an HRR that wasn't requesting a new key_share
642 */
643 key_share_key = s->s3.tmp.pkey;
644 } else {
645 key_share_key = ssl_generate_pkey_group(s, curve_id);
646 if (key_share_key == NULL) {
647 /* SSLfatal() already called */
648 return 0;
649 }
650 }
651
652 /* Encode the public key. */
653 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
654 &encoded_point);
655 if (encodedlen == 0) {
656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
657 goto err;
658 }
659
660 /* Create KeyShareEntry */
661 if (!WPACKET_put_bytes_u16(pkt, curve_id)
662 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
663 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
664 goto err;
665 }
666
667 /*
668 * When changing to send more than one key_share we're
669 * going to need to be able to save more than one EVP_PKEY. For now
670 * we reuse the existing tmp.pkey
671 */
672 s->s3.tmp.pkey = key_share_key;
673 s->s3.group_id = curve_id;
674 OPENSSL_free(encoded_point);
675
676 return 1;
677 err:
678 if (s->s3.tmp.pkey == NULL)
679 EVP_PKEY_free(key_share_key);
680 OPENSSL_free(encoded_point);
681 return 0;
682 }
683 #endif
684
tls_construct_ctos_key_share(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)685 EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
686 unsigned int context, X509 *x,
687 size_t chainidx)
688 {
689 #ifndef OPENSSL_NO_TLS1_3
690 size_t i, num_groups = 0;
691 const uint16_t *pgroups = NULL;
692 uint16_t curve_id = 0;
693
694 /* key_share extension */
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
696 /* Extension data sub-packet */
697 || !WPACKET_start_sub_packet_u16(pkt)
698 /* KeyShare list sub-packet */
699 || !WPACKET_start_sub_packet_u16(pkt)) {
700 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
701 return EXT_RETURN_FAIL;
702 }
703
704 tls1_get_supported_groups(s, &pgroups, &num_groups);
705
706 /*
707 * Make the number of key_shares sent configurable. For
708 * now, we just send one
709 */
710 if (s->s3.group_id != 0) {
711 curve_id = s->s3.group_id;
712 } else {
713 for (i = 0; i < num_groups; i++) {
714 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
715 continue;
716
717 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
718 0, NULL))
719 continue;
720
721 curve_id = pgroups[i];
722 break;
723 }
724 }
725
726 if (curve_id == 0) {
727 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
728 return EXT_RETURN_FAIL;
729 }
730
731 if (!add_key_share(s, pkt, curve_id)) {
732 /* SSLfatal() already called */
733 return EXT_RETURN_FAIL;
734 }
735
736 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
737 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
738 return EXT_RETURN_FAIL;
739 }
740 return EXT_RETURN_SENT;
741 #else
742 return EXT_RETURN_NOT_SENT;
743 #endif
744 }
745
tls_construct_ctos_cookie(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)746 EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
747 unsigned int context,
748 X509 *x, size_t chainidx)
749 {
750 EXT_RETURN ret = EXT_RETURN_FAIL;
751
752 /* Should only be set if we've had an HRR */
753 if (s->ext.tls13_cookie_len == 0)
754 return EXT_RETURN_NOT_SENT;
755
756 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
757 /* Extension data sub-packet */
758 || !WPACKET_start_sub_packet_u16(pkt)
759 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
760 s->ext.tls13_cookie_len)
761 || !WPACKET_close(pkt)) {
762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
763 goto end;
764 }
765
766 ret = EXT_RETURN_SENT;
767 end:
768 OPENSSL_free(s->ext.tls13_cookie);
769 s->ext.tls13_cookie = NULL;
770 s->ext.tls13_cookie_len = 0;
771
772 return ret;
773 }
774
tls_construct_ctos_early_data(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)775 EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
776 unsigned int context, X509 *x,
777 size_t chainidx)
778 {
779 #ifndef OPENSSL_NO_PSK
780 char identity[PSK_MAX_IDENTITY_LEN + 1];
781 #endif /* OPENSSL_NO_PSK */
782 const unsigned char *id = NULL;
783 size_t idlen = 0;
784 SSL_SESSION *psksess = NULL;
785 SSL_SESSION *edsess = NULL;
786 const EVP_MD *handmd = NULL;
787 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
788
789 if (s->hello_retry_request == SSL_HRR_PENDING)
790 handmd = ssl_handshake_md(s);
791
792 if (s->psk_use_session_cb != NULL
793 && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
794 || (psksess != NULL
795 && psksess->ssl_version != TLS1_3_VERSION))) {
796 SSL_SESSION_free(psksess);
797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
798 return EXT_RETURN_FAIL;
799 }
800
801 #ifndef OPENSSL_NO_PSK
802 if (psksess == NULL && s->psk_client_callback != NULL) {
803 unsigned char psk[PSK_MAX_PSK_LEN];
804 size_t psklen = 0;
805
806 memset(identity, 0, sizeof(identity));
807 psklen = s->psk_client_callback(ssl, NULL,
808 identity, sizeof(identity) - 1,
809 psk, sizeof(psk));
810
811 if (psklen > PSK_MAX_PSK_LEN) {
812 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
813 return EXT_RETURN_FAIL;
814 } else if (psklen > 0) {
815 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
816 const SSL_CIPHER *cipher;
817
818 idlen = strlen(identity);
819 if (idlen > PSK_MAX_IDENTITY_LEN) {
820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
821 return EXT_RETURN_FAIL;
822 }
823 id = (unsigned char *)identity;
824
825 /*
826 * We found a PSK using an old style callback. We don't know
827 * the digest so we default to SHA256 as per the TLSv1.3 spec
828 */
829 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
830 if (cipher == NULL) {
831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
832 return EXT_RETURN_FAIL;
833 }
834
835 psksess = SSL_SESSION_new();
836 if (psksess == NULL
837 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
838 || !SSL_SESSION_set_cipher(psksess, cipher)
839 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
841 OPENSSL_cleanse(psk, psklen);
842 return EXT_RETURN_FAIL;
843 }
844 OPENSSL_cleanse(psk, psklen);
845 }
846 }
847 #endif /* OPENSSL_NO_PSK */
848
849 SSL_SESSION_free(s->psksession);
850 s->psksession = psksess;
851 if (psksess != NULL) {
852 OPENSSL_free(s->psksession_id);
853 s->psksession_id = OPENSSL_memdup(id, idlen);
854 if (s->psksession_id == NULL) {
855 s->psksession_id_len = 0;
856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
857 return EXT_RETURN_FAIL;
858 }
859 s->psksession_id_len = idlen;
860 }
861
862 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
863 || (s->session->ext.max_early_data == 0
864 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
865 s->max_early_data = 0;
866 return EXT_RETURN_NOT_SENT;
867 }
868 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
869 s->max_early_data = edsess->ext.max_early_data;
870
871 if (edsess->ext.hostname != NULL) {
872 if (s->ext.hostname == NULL
873 || (s->ext.hostname != NULL
874 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
875 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
876 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
877 return EXT_RETURN_FAIL;
878 }
879 }
880
881 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
883 return EXT_RETURN_FAIL;
884 }
885
886 /*
887 * Verify that we are offering an ALPN protocol consistent with the early
888 * data.
889 */
890 if (edsess->ext.alpn_selected != NULL) {
891 PACKET prots, alpnpkt;
892 int found = 0;
893
894 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
896 return EXT_RETURN_FAIL;
897 }
898 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
899 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
900 edsess->ext.alpn_selected_len)) {
901 found = 1;
902 break;
903 }
904 }
905 if (!found) {
906 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
907 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
908 return EXT_RETURN_FAIL;
909 }
910 }
911
912 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
913 || !WPACKET_start_sub_packet_u16(pkt)
914 || !WPACKET_close(pkt)) {
915 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
916 return EXT_RETURN_FAIL;
917 }
918
919 /*
920 * We set this to rejected here. Later, if the server acknowledges the
921 * extension, we set it to accepted.
922 */
923 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
924 s->ext.early_data_ok = 1;
925
926 return EXT_RETURN_SENT;
927 }
928
929 #define F5_WORKAROUND_MIN_MSG_LEN 0xff
930 #define F5_WORKAROUND_MAX_MSG_LEN 0x200
931
932 /*
933 * PSK pre binder overhead =
934 * 2 bytes for TLSEXT_TYPE_psk
935 * 2 bytes for extension length
936 * 2 bytes for identities list length
937 * 2 bytes for identity length
938 * 4 bytes for obfuscated_ticket_age
939 * 2 bytes for binder list length
940 * 1 byte for binder length
941 * The above excludes the number of bytes for the identity itself and the
942 * subsequent binder bytes
943 */
944 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
945
tls_construct_ctos_padding(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)946 EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
947 unsigned int context, X509 *x,
948 size_t chainidx)
949 {
950 unsigned char *padbytes;
951 size_t hlen;
952
953 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
954 return EXT_RETURN_NOT_SENT;
955
956 /*
957 * Add padding to workaround bugs in F5 terminators. See RFC7685.
958 * This code calculates the length of all extensions added so far but
959 * excludes the PSK extension (because that MUST be written last). Therefore
960 * this extension MUST always appear second to last.
961 */
962 if (!WPACKET_get_total_written(pkt, &hlen)) {
963 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
964 return EXT_RETURN_FAIL;
965 }
966
967 /*
968 * If we're going to send a PSK then that will be written out after this
969 * extension, so we need to calculate how long it is going to be.
970 */
971 if (s->session->ssl_version == TLS1_3_VERSION
972 && s->session->ext.ticklen != 0
973 && s->session->cipher != NULL) {
974 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
975 s->session->cipher->algorithm2);
976
977 if (md != NULL) {
978 /*
979 * Add the fixed PSK overhead, the identity length and the binder
980 * length.
981 */
982 int md_size = EVP_MD_get_size(md);
983
984 if (md_size <= 0)
985 return EXT_RETURN_FAIL;
986 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
987 + md_size;
988 }
989 }
990
991 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
992 /* Calculate the amount of padding we need to add */
993 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
994
995 /*
996 * Take off the size of extension header itself (2 bytes for type and
997 * 2 bytes for length bytes), but ensure that the extension is at least
998 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
999 * 8.x are intolerant of that condition)
1000 */
1001 if (hlen > 4)
1002 hlen -= 4;
1003 else
1004 hlen = 1;
1005
1006 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
1007 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
1008 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1009 return EXT_RETURN_FAIL;
1010 }
1011 memset(padbytes, 0, hlen);
1012 }
1013
1014 return EXT_RETURN_SENT;
1015 }
1016
1017 /*
1018 * Construct the pre_shared_key extension
1019 */
tls_construct_ctos_psk(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1020 EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
1021 unsigned int context,
1022 X509 *x, size_t chainidx)
1023 {
1024 #ifndef OPENSSL_NO_TLS1_3
1025 uint32_t agesec, agems = 0;
1026 size_t binderoffset, msglen;
1027 int reshashsize = 0, pskhashsize = 0;
1028 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
1029 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
1030 int dores = 0;
1031 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1032 OSSL_TIME t;
1033
1034 s->ext.tick_identity = 0;
1035
1036 /*
1037 * Note: At this stage of the code we only support adding a single
1038 * resumption PSK. If we add support for multiple PSKs then the length
1039 * calculations in the padding extension will need to be adjusted.
1040 */
1041
1042 /*
1043 * If this is an incompatible or new session then we have nothing to resume
1044 * so don't add this extension.
1045 */
1046 if (s->session->ssl_version != TLS1_3_VERSION
1047 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
1048 return EXT_RETURN_NOT_SENT;
1049
1050 if (s->hello_retry_request == SSL_HRR_PENDING)
1051 handmd = ssl_handshake_md(s);
1052
1053 if (s->session->ext.ticklen != 0) {
1054 /* Get the digest associated with the ciphersuite in the session */
1055 if (s->session->cipher == NULL) {
1056 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1057 return EXT_RETURN_FAIL;
1058 }
1059 mdres = ssl_md(sctx, s->session->cipher->algorithm2);
1060 if (mdres == NULL) {
1061 /*
1062 * Don't recognize this cipher so we can't use the session.
1063 * Ignore it
1064 */
1065 goto dopsksess;
1066 }
1067
1068 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
1069 /*
1070 * Selected ciphersuite hash does not match the hash for the session
1071 * so we can't use it.
1072 */
1073 goto dopsksess;
1074 }
1075
1076 /*
1077 * Technically the C standard just says time() returns a time_t and says
1078 * nothing about the encoding of that type. In practice most
1079 * implementations follow POSIX which holds it as an integral type in
1080 * seconds since epoch. We've already made the assumption that we can do
1081 * this in multiple places in the code, so portability shouldn't be an
1082 * issue.
1083 */
1084 t = ossl_time_subtract(ossl_time_now(), s->session->time);
1085 agesec = (uint32_t)ossl_time2seconds(t);
1086 /*
1087 * We calculate the age in seconds but the server may work in ms. Due to
1088 * rounding errors we could overestimate the age by up to 1s. It is
1089 * better to underestimate it. Otherwise, if the RTT is very short, when
1090 * the server calculates the age reported by the client it could be
1091 * bigger than the age calculated on the server - which should never
1092 * happen.
1093 */
1094 if (agesec > 0)
1095 agesec--;
1096
1097 if (s->session->ext.tick_lifetime_hint < agesec) {
1098 /* Ticket is too old. Ignore it. */
1099 goto dopsksess;
1100 }
1101
1102 /*
1103 * Calculate age in ms. We're just doing it to nearest second. Should be
1104 * good enough.
1105 */
1106 agems = agesec * (uint32_t)1000;
1107
1108 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1109 /*
1110 * Overflow. Shouldn't happen unless this is a *really* old session.
1111 * If so we just ignore it.
1112 */
1113 goto dopsksess;
1114 }
1115
1116 /*
1117 * Obfuscate the age. Overflow here is fine, this addition is supposed
1118 * to be mod 2^32.
1119 */
1120 agems += s->session->ext.tick_age_add;
1121
1122 reshashsize = EVP_MD_get_size(mdres);
1123 if (reshashsize <= 0)
1124 goto dopsksess;
1125 s->ext.tick_identity++;
1126 dores = 1;
1127 }
1128
1129 dopsksess:
1130 if (!dores && s->psksession == NULL)
1131 return EXT_RETURN_NOT_SENT;
1132
1133 if (s->psksession != NULL) {
1134 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
1135 if (mdpsk == NULL) {
1136 /*
1137 * Don't recognize this cipher so we can't use the session.
1138 * If this happens it's an application bug.
1139 */
1140 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1141 return EXT_RETURN_FAIL;
1142 }
1143
1144 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
1145 /*
1146 * Selected ciphersuite hash does not match the hash for the PSK
1147 * session. This is an application bug.
1148 */
1149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1150 return EXT_RETURN_FAIL;
1151 }
1152
1153 pskhashsize = EVP_MD_get_size(mdpsk);
1154 if (pskhashsize <= 0) {
1155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1156 return EXT_RETURN_FAIL;
1157 }
1158 }
1159
1160 /* Create the extension, but skip over the binder for now */
1161 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1162 || !WPACKET_start_sub_packet_u16(pkt)
1163 || !WPACKET_start_sub_packet_u16(pkt)) {
1164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1165 return EXT_RETURN_FAIL;
1166 }
1167
1168 if (dores) {
1169 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1170 s->session->ext.ticklen)
1171 || !WPACKET_put_bytes_u32(pkt, agems)) {
1172 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1173 return EXT_RETURN_FAIL;
1174 }
1175 }
1176
1177 if (s->psksession != NULL) {
1178 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1179 s->psksession_id_len)
1180 || !WPACKET_put_bytes_u32(pkt, 0)) {
1181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1182 return EXT_RETURN_FAIL;
1183 }
1184 s->ext.tick_identity++;
1185 }
1186
1187 if (!WPACKET_close(pkt)
1188 || !WPACKET_get_total_written(pkt, &binderoffset)
1189 || !WPACKET_start_sub_packet_u16(pkt)
1190 || (dores
1191 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
1192 || (s->psksession != NULL
1193 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
1194 || !WPACKET_close(pkt)
1195 || !WPACKET_close(pkt)
1196 || !WPACKET_get_total_written(pkt, &msglen)
1197 /*
1198 * We need to fill in all the sub-packet lengths now so we can
1199 * calculate the HMAC of the message up to the binders
1200 */
1201 || !WPACKET_fill_lengths(pkt)) {
1202 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1203 return EXT_RETURN_FAIL;
1204 }
1205
1206 msgstart = WPACKET_get_curr(pkt) - msglen;
1207
1208 if (dores
1209 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1210 resbinder, s->session, 1, 0) != 1) {
1211 /* SSLfatal() already called */
1212 return EXT_RETURN_FAIL;
1213 }
1214
1215 if (s->psksession != NULL
1216 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1217 pskbinder, s->psksession, 1, 1) != 1) {
1218 /* SSLfatal() already called */
1219 return EXT_RETURN_FAIL;
1220 }
1221
1222 return EXT_RETURN_SENT;
1223 #else
1224 return EXT_RETURN_NOT_SENT;
1225 #endif
1226 }
1227
tls_construct_ctos_post_handshake_auth(SSL_CONNECTION * s,WPACKET * pkt,ossl_unused unsigned int context,ossl_unused X509 * x,ossl_unused size_t chainidx)1228 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
1229 ossl_unused unsigned int context,
1230 ossl_unused X509 *x,
1231 ossl_unused size_t chainidx)
1232 {
1233 #ifndef OPENSSL_NO_TLS1_3
1234 if (!s->pha_enabled)
1235 return EXT_RETURN_NOT_SENT;
1236
1237 /* construct extension - 0 length, no contents */
1238 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1239 || !WPACKET_start_sub_packet_u16(pkt)
1240 || !WPACKET_close(pkt)) {
1241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1242 return EXT_RETURN_FAIL;
1243 }
1244
1245 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1246
1247 return EXT_RETURN_SENT;
1248 #else
1249 return EXT_RETURN_NOT_SENT;
1250 #endif
1251 }
1252
1253
1254 /*
1255 * Parse the server's renegotiation binding and abort if it's not right
1256 */
tls_parse_stoc_renegotiate(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1257 int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
1258 unsigned int context,
1259 X509 *x, size_t chainidx)
1260 {
1261 size_t expected_len = s->s3.previous_client_finished_len
1262 + s->s3.previous_server_finished_len;
1263 size_t ilen;
1264 const unsigned char *data;
1265
1266 /* Check for logic errors */
1267 if (!ossl_assert(expected_len == 0
1268 || s->s3.previous_client_finished_len != 0)
1269 || !ossl_assert(expected_len == 0
1270 || s->s3.previous_server_finished_len != 0)) {
1271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1272 return 0;
1273 }
1274
1275 /* Parse the length byte */
1276 if (!PACKET_get_1_len(pkt, &ilen)) {
1277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1278 return 0;
1279 }
1280
1281 /* Consistency check */
1282 if (PACKET_remaining(pkt) != ilen) {
1283 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1284 return 0;
1285 }
1286
1287 /* Check that the extension matches */
1288 if (ilen != expected_len) {
1289 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1290 return 0;
1291 }
1292
1293 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1294 || memcmp(data, s->s3.previous_client_finished,
1295 s->s3.previous_client_finished_len) != 0) {
1296 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1297 return 0;
1298 }
1299
1300 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1301 || memcmp(data, s->s3.previous_server_finished,
1302 s->s3.previous_server_finished_len) != 0) {
1303 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1304 return 0;
1305 }
1306 s->s3.send_connection_binding = 1;
1307
1308 return 1;
1309 }
1310
1311 /* Parse the server's max fragment len extension packet */
tls_parse_stoc_maxfragmentlen(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1312 int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
1313 unsigned int context,
1314 X509 *x, size_t chainidx)
1315 {
1316 unsigned int value;
1317
1318 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
1319 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1320 return 0;
1321 }
1322
1323 /* |value| should contains a valid max-fragment-length code. */
1324 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
1325 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1326 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1327 return 0;
1328 }
1329
1330 /* Must be the same value as client-configured one who was sent to server */
1331 /*-
1332 * RFC 6066: if a client receives a maximum fragment length negotiation
1333 * response that differs from the length it requested, ...
1334 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1335 */
1336 if (value != s->ext.max_fragment_len_mode) {
1337 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1338 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
1339 return 0;
1340 }
1341
1342 /*
1343 * Maximum Fragment Length Negotiation succeeded.
1344 * The negotiated Maximum Fragment Length is binding now.
1345 */
1346 s->session->ext.max_fragment_len_mode = value;
1347
1348 return 1;
1349 }
1350
tls_parse_stoc_server_name(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1351 int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
1352 unsigned int context,
1353 X509 *x, size_t chainidx)
1354 {
1355 if (s->ext.hostname == NULL) {
1356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1357 return 0;
1358 }
1359
1360 if (PACKET_remaining(pkt) > 0) {
1361 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1362 return 0;
1363 }
1364
1365 if (!s->hit) {
1366 if (s->session->ext.hostname != NULL) {
1367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1368 return 0;
1369 }
1370 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1371 if (s->session->ext.hostname == NULL) {
1372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1373 return 0;
1374 }
1375 }
1376
1377 return 1;
1378 }
1379
tls_parse_stoc_ec_pt_formats(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1380 int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
1381 unsigned int context,
1382 X509 *x, size_t chainidx)
1383 {
1384 size_t ecpointformats_len;
1385 PACKET ecptformatlist;
1386
1387 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
1388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1389 return 0;
1390 }
1391 if (!s->hit) {
1392 ecpointformats_len = PACKET_remaining(&ecptformatlist);
1393 if (ecpointformats_len == 0) {
1394 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1395 return 0;
1396 }
1397
1398 s->ext.peer_ecpointformats_len = 0;
1399 OPENSSL_free(s->ext.peer_ecpointformats);
1400 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1401 if (s->ext.peer_ecpointformats == NULL) {
1402 s->ext.peer_ecpointformats_len = 0;
1403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1404 return 0;
1405 }
1406
1407 s->ext.peer_ecpointformats_len = ecpointformats_len;
1408
1409 if (!PACKET_copy_bytes(&ecptformatlist,
1410 s->ext.peer_ecpointformats,
1411 ecpointformats_len)) {
1412 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1413 return 0;
1414 }
1415 }
1416
1417 return 1;
1418 }
1419
tls_parse_stoc_session_ticket(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1420 int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
1421 unsigned int context,
1422 X509 *x, size_t chainidx)
1423 {
1424 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1425
1426 if (s->ext.session_ticket_cb != NULL &&
1427 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
1428 PACKET_remaining(pkt),
1429 s->ext.session_ticket_cb_arg)) {
1430 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1431 return 0;
1432 }
1433
1434 if (!tls_use_ticket(s)) {
1435 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1436 return 0;
1437 }
1438 if (PACKET_remaining(pkt) > 0) {
1439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1440 return 0;
1441 }
1442
1443 s->ext.ticket_expected = 1;
1444
1445 return 1;
1446 }
1447
1448 #ifndef OPENSSL_NO_OCSP
tls_parse_stoc_status_request(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1449 int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
1450 unsigned int context,
1451 X509 *x, size_t chainidx)
1452 {
1453 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1454 /* We ignore this if the server sends a CertificateRequest */
1455 return 1;
1456 }
1457
1458 /*
1459 * MUST only be sent if we've requested a status
1460 * request message. In TLS <= 1.2 it must also be empty.
1461 */
1462 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1463 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1464 return 0;
1465 }
1466 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
1467 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1468 return 0;
1469 }
1470
1471 if (SSL_CONNECTION_IS_TLS13(s)) {
1472 /* We only know how to handle this if it's for the first Certificate in
1473 * the chain. We ignore any other responses.
1474 */
1475 if (chainidx != 0)
1476 return 1;
1477
1478 /* SSLfatal() already called */
1479 return tls_process_cert_status_body(s, pkt);
1480 }
1481
1482 /* Set flag to expect CertificateStatus message */
1483 s->ext.status_expected = 1;
1484
1485 return 1;
1486 }
1487 #endif
1488
1489
1490 #ifndef OPENSSL_NO_CT
tls_parse_stoc_sct(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1491 int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1492 X509 *x, size_t chainidx)
1493 {
1494 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1495 /* We ignore this if the server sends it in a CertificateRequest */
1496 return 1;
1497 }
1498
1499 /*
1500 * Only take it if we asked for it - i.e if there is no CT validation
1501 * callback set, then a custom extension MAY be processing it, so we
1502 * need to let control continue to flow to that.
1503 */
1504 if (s->ct_validation_callback != NULL) {
1505 size_t size = PACKET_remaining(pkt);
1506
1507 /* Simply copy it off for later processing */
1508 OPENSSL_free(s->ext.scts);
1509 s->ext.scts = NULL;
1510
1511 s->ext.scts_len = (uint16_t)size;
1512 if (size > 0) {
1513 s->ext.scts = OPENSSL_malloc(size);
1514 if (s->ext.scts == NULL) {
1515 s->ext.scts_len = 0;
1516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1517 return 0;
1518 }
1519 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1520 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1521 return 0;
1522 }
1523 }
1524 } else {
1525 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1526 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1527
1528 /*
1529 * If we didn't ask for it then there must be a custom extension,
1530 * otherwise this is unsolicited.
1531 */
1532 if (custom_ext_find(&s->cert->custext, role,
1533 TLSEXT_TYPE_signed_certificate_timestamp,
1534 NULL) == NULL) {
1535 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1536 return 0;
1537 }
1538
1539 if (!custom_ext_parse(s, context,
1540 TLSEXT_TYPE_signed_certificate_timestamp,
1541 PACKET_data(pkt), PACKET_remaining(pkt),
1542 x, chainidx)) {
1543 /* SSLfatal already called */
1544 return 0;
1545 }
1546 }
1547
1548 return 1;
1549 }
1550 #endif
1551
1552
1553 #ifndef OPENSSL_NO_NEXTPROTONEG
1554 /*
1555 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1556 * elements of zero length are allowed and the set of elements must exactly
1557 * fill the length of the block. Returns 1 on success or 0 on failure.
1558 */
ssl_next_proto_validate(SSL_CONNECTION * s,PACKET * pkt)1559 static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
1560 {
1561 PACKET tmp_protocol;
1562
1563 while (PACKET_remaining(pkt)) {
1564 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
1565 || PACKET_remaining(&tmp_protocol) == 0) {
1566 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1567 return 0;
1568 }
1569 }
1570
1571 return 1;
1572 }
1573
tls_parse_stoc_npn(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1574 int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1575 X509 *x, size_t chainidx)
1576 {
1577 unsigned char *selected;
1578 unsigned char selected_len;
1579 PACKET tmppkt;
1580 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1581
1582 /* Check if we are in a renegotiation. If so ignore this extension */
1583 if (!SSL_IS_FIRST_HANDSHAKE(s))
1584 return 1;
1585
1586 /* We must have requested it. */
1587 if (sctx->ext.npn_select_cb == NULL) {
1588 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1589 return 0;
1590 }
1591
1592 /* The data must be valid */
1593 tmppkt = *pkt;
1594 if (!ssl_next_proto_validate(s, &tmppkt)) {
1595 /* SSLfatal() already called */
1596 return 0;
1597 }
1598 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
1599 &selected, &selected_len,
1600 PACKET_data(pkt), PACKET_remaining(pkt),
1601 sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
1602 || selected_len == 0) {
1603 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1604 return 0;
1605 }
1606
1607 /*
1608 * Could be non-NULL if server has sent multiple NPN extensions in
1609 * a single Serverhello
1610 */
1611 OPENSSL_free(s->ext.npn);
1612 s->ext.npn = OPENSSL_malloc(selected_len);
1613 if (s->ext.npn == NULL) {
1614 s->ext.npn_len = 0;
1615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1616 return 0;
1617 }
1618
1619 memcpy(s->ext.npn, selected, selected_len);
1620 s->ext.npn_len = selected_len;
1621 s->s3.npn_seen = 1;
1622
1623 return 1;
1624 }
1625 #endif
1626
tls_parse_stoc_alpn(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1627 int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1628 X509 *x, size_t chainidx)
1629 {
1630 size_t len;
1631 PACKET confpkt, protpkt;
1632 int valid = 0;
1633
1634 /* We must have requested it. */
1635 if (!s->s3.alpn_sent) {
1636 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1637 return 0;
1638 }
1639 /*-
1640 * The extension data consists of:
1641 * uint16 list_length
1642 * uint8 proto_length;
1643 * uint8 proto[proto_length];
1644 */
1645 if (!PACKET_get_net_2_len(pkt, &len)
1646 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1647 || PACKET_remaining(pkt) != len) {
1648 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1649 return 0;
1650 }
1651
1652 /* It must be a protocol that we sent */
1653 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
1654 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1655 return 0;
1656 }
1657 while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
1658 if (PACKET_remaining(&protpkt) != len)
1659 continue;
1660 if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
1661 /* Valid protocol found */
1662 valid = 1;
1663 break;
1664 }
1665 }
1666
1667 if (!valid) {
1668 /* The protocol sent from the server does not match one we advertised */
1669 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1670 return 0;
1671 }
1672
1673 OPENSSL_free(s->s3.alpn_selected);
1674 s->s3.alpn_selected = OPENSSL_malloc(len);
1675 if (s->s3.alpn_selected == NULL) {
1676 s->s3.alpn_selected_len = 0;
1677 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1678 return 0;
1679 }
1680 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
1681 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1682 return 0;
1683 }
1684 s->s3.alpn_selected_len = len;
1685
1686 if (s->session->ext.alpn_selected == NULL
1687 || s->session->ext.alpn_selected_len != len
1688 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
1689 != 0) {
1690 /* ALPN not consistent with the old session so cannot use early_data */
1691 s->ext.early_data_ok = 0;
1692 }
1693 if (!s->hit) {
1694 /*
1695 * This is a new session and so alpn_selected should have been
1696 * initialised to NULL. We should update it with the selected ALPN.
1697 */
1698 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1699 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1700 return 0;
1701 }
1702 s->session->ext.alpn_selected =
1703 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
1704 if (s->session->ext.alpn_selected == NULL) {
1705 s->session->ext.alpn_selected_len = 0;
1706 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1707 return 0;
1708 }
1709 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
1710 }
1711
1712 return 1;
1713 }
1714
1715 #ifndef OPENSSL_NO_SRTP
tls_parse_stoc_use_srtp(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1716 int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
1717 unsigned int context, X509 *x, size_t chainidx)
1718 {
1719 unsigned int id, ct, mki;
1720 int i;
1721 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1722 SRTP_PROTECTION_PROFILE *prof;
1723
1724 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1725 || !PACKET_get_net_2(pkt, &id)
1726 || !PACKET_get_1(pkt, &mki)
1727 || PACKET_remaining(pkt) != 0) {
1728 SSLfatal(s, SSL_AD_DECODE_ERROR,
1729 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1730 return 0;
1731 }
1732
1733 if (mki != 0) {
1734 /* Must be no MKI, since we never offer one */
1735 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
1736 return 0;
1737 }
1738
1739 /* Throw an error if the server gave us an unsolicited extension */
1740 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
1741 if (clnt == NULL) {
1742 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
1743 return 0;
1744 }
1745
1746 /*
1747 * Check to see if the server gave us something we support (and
1748 * presumably offered)
1749 */
1750 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1751 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1752
1753 if (prof->id == id) {
1754 s->srtp_profile = prof;
1755 return 1;
1756 }
1757 }
1758
1759 SSLfatal(s, SSL_AD_DECODE_ERROR,
1760 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
1761 return 0;
1762 }
1763 #endif
1764
tls_parse_stoc_etm(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1765 int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1766 X509 *x, size_t chainidx)
1767 {
1768 /* Ignore if inappropriate ciphersuite */
1769 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1770 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
1771 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1772 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1773 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1774 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1775 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
1776 s->ext.use_etm = 1;
1777
1778 return 1;
1779 }
1780
tls_parse_stoc_ems(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1781 int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1782 X509 *x, size_t chainidx)
1783 {
1784 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1785 return 1;
1786 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1787 if (!s->hit)
1788 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1789
1790 return 1;
1791 }
1792
tls_parse_stoc_supported_versions(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1793 int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
1794 unsigned int context,
1795 X509 *x, size_t chainidx)
1796 {
1797 unsigned int version;
1798
1799 if (!PACKET_get_net_2(pkt, &version)
1800 || PACKET_remaining(pkt) != 0) {
1801 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1802 return 0;
1803 }
1804
1805 /*
1806 * The only protocol version we support which is valid in this extension in
1807 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1808 */
1809 if (version != TLS1_3_VERSION) {
1810 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1811 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1812 return 0;
1813 }
1814
1815 /* We ignore this extension for HRRs except to sanity check it */
1816 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
1817 return 1;
1818
1819 /* We just set it here. We validate it in ssl_choose_client_version */
1820 s->version = version;
1821 if (!ssl_set_record_protocol_version(s, version)) {
1822 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1823 return 0;
1824 }
1825
1826 return 1;
1827 }
1828
tls_parse_stoc_key_share(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1829 int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
1830 unsigned int context, X509 *x,
1831 size_t chainidx)
1832 {
1833 #ifndef OPENSSL_NO_TLS1_3
1834 unsigned int group_id;
1835 PACKET encoded_pt;
1836 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
1837 const TLS_GROUP_INFO *ginf = NULL;
1838
1839 /* Sanity check */
1840 if (ckey == NULL || s->s3.peer_tmp != NULL) {
1841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1842 return 0;
1843 }
1844
1845 if (!PACKET_get_net_2(pkt, &group_id)) {
1846 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1847 return 0;
1848 }
1849
1850 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
1851 const uint16_t *pgroups = NULL;
1852 size_t i, num_groups;
1853
1854 if (PACKET_remaining(pkt) != 0) {
1855 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1856 return 0;
1857 }
1858
1859 /*
1860 * It is an error if the HelloRetryRequest wants a key_share that we
1861 * already sent in the first ClientHello
1862 */
1863 if (group_id == s->s3.group_id) {
1864 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1865 return 0;
1866 }
1867
1868 /* Validate the selected group is one we support */
1869 tls1_get_supported_groups(s, &pgroups, &num_groups);
1870 for (i = 0; i < num_groups; i++) {
1871 if (group_id == pgroups[i])
1872 break;
1873 }
1874 if (i >= num_groups
1875 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
1876 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
1877 0, NULL)) {
1878 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1879 return 0;
1880 }
1881
1882 s->s3.group_id = group_id;
1883 EVP_PKEY_free(s->s3.tmp.pkey);
1884 s->s3.tmp.pkey = NULL;
1885 return 1;
1886 }
1887
1888 if (group_id != s->s3.group_id) {
1889 /*
1890 * This isn't for the group that we sent in the original
1891 * key_share!
1892 */
1893 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1894 return 0;
1895 }
1896 /* Retain this group in the SSL_SESSION */
1897 if (!s->hit) {
1898 s->session->kex_group = group_id;
1899 } else if (group_id != s->session->kex_group) {
1900 /*
1901 * If this is a resumption but changed what group was used, we need
1902 * to record the new group in the session, but the session is not
1903 * a new session and could be in use by other threads. So, make
1904 * a copy of the session to record the new information so that it's
1905 * useful for any sessions resumed from tickets issued on this
1906 * connection.
1907 */
1908 SSL_SESSION *new_sess;
1909
1910 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
1911 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1912 return 0;
1913 }
1914 SSL_SESSION_free(s->session);
1915 s->session = new_sess;
1916 s->session->kex_group = group_id;
1917 }
1918
1919 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1920 group_id)) == NULL) {
1921 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1922 return 0;
1923 }
1924
1925 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1926 || PACKET_remaining(&encoded_pt) == 0) {
1927 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1928 return 0;
1929 }
1930
1931 if (!ginf->is_kem) {
1932 /* Regular KEX */
1933 skey = EVP_PKEY_new();
1934 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
1935 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
1936 EVP_PKEY_free(skey);
1937 return 0;
1938 }
1939
1940 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
1941 PACKET_remaining(&encoded_pt)) <= 0) {
1942 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
1943 EVP_PKEY_free(skey);
1944 return 0;
1945 }
1946
1947 if (ssl_derive(s, ckey, skey, 1) == 0) {
1948 /* SSLfatal() already called */
1949 EVP_PKEY_free(skey);
1950 return 0;
1951 }
1952 s->s3.peer_tmp = skey;
1953 } else {
1954 /* KEM Mode */
1955 const unsigned char *ct = PACKET_data(&encoded_pt);
1956 size_t ctlen = PACKET_remaining(&encoded_pt);
1957
1958 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1959 /* SSLfatal() already called */
1960 return 0;
1961 }
1962 }
1963 s->s3.did_kex = 1;
1964 #endif
1965
1966 return 1;
1967 }
1968
tls_parse_stoc_cookie(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1969 int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1970 X509 *x, size_t chainidx)
1971 {
1972 PACKET cookie;
1973
1974 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1975 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1976 &s->ext.tls13_cookie_len)) {
1977 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1978 return 0;
1979 }
1980
1981 return 1;
1982 }
1983
tls_parse_stoc_early_data(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1984 int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
1985 unsigned int context,
1986 X509 *x, size_t chainidx)
1987 {
1988 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1989 unsigned long max_early_data;
1990
1991 if (!PACKET_get_net_4(pkt, &max_early_data)
1992 || PACKET_remaining(pkt) != 0) {
1993 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
1994 return 0;
1995 }
1996
1997 s->session->ext.max_early_data = max_early_data;
1998
1999 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {
2000 /*
2001 * QUIC allows missing max_early_data, or a max_early_data value
2002 * of 0xffffffff. Missing max_early_data is stored in the session
2003 * as 0. This is indistinguishable in OpenSSL from a present
2004 * max_early_data value that was 0. In order that later checks for
2005 * invalid max_early_data correctly treat as an error the case where
2006 * max_early_data is present and it is 0, we store any invalid
2007 * value in the same (non-zero) way. Otherwise we would have to
2008 * introduce a new flag just for this.
2009 */
2010 s->session->ext.max_early_data = 1;
2011 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
2012 return 0;
2013 }
2014
2015 return 1;
2016 }
2017
2018 if (PACKET_remaining(pkt) != 0) {
2019 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2020 return 0;
2021 }
2022
2023 if (!s->ext.early_data_ok
2024 || !s->hit) {
2025 /*
2026 * If we get here then we didn't send early data, or we didn't resume
2027 * using the first identity, or the SNI/ALPN is not consistent so the
2028 * server should not be accepting it.
2029 */
2030 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
2031 return 0;
2032 }
2033
2034 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
2035
2036 return 1;
2037 }
2038
tls_parse_stoc_psk(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2039 int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
2040 unsigned int context, X509 *x,
2041 size_t chainidx)
2042 {
2043 #ifndef OPENSSL_NO_TLS1_3
2044 unsigned int identity;
2045
2046 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
2047 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2048 return 0;
2049 }
2050
2051 if (identity >= (unsigned int)s->ext.tick_identity) {
2052 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
2053 return 0;
2054 }
2055
2056 /*
2057 * Session resumption tickets are always sent before PSK tickets. If the
2058 * ticket index is 0 then it must be for a session resumption ticket if we
2059 * sent two tickets, or if we didn't send a PSK ticket.
2060 */
2061 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
2062 s->hit = 1;
2063 SSL_SESSION_free(s->psksession);
2064 s->psksession = NULL;
2065 return 1;
2066 }
2067
2068 if (s->psksession == NULL) {
2069 /* Should never happen */
2070 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2071 return 0;
2072 }
2073
2074 /*
2075 * If we used the external PSK for sending early_data then s->early_secret
2076 * is already set up, so don't overwrite it. Otherwise we copy the
2077 * early_secret across that we generated earlier.
2078 */
2079 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
2080 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
2081 || s->session->ext.max_early_data > 0
2082 || s->psksession->ext.max_early_data == 0)
2083 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
2084
2085 SSL_SESSION_free(s->session);
2086 s->session = s->psksession;
2087 s->psksession = NULL;
2088 s->hit = 1;
2089 /* Early data is only allowed if we used the first ticket */
2090 if (identity != 0)
2091 s->ext.early_data_ok = 0;
2092 #endif
2093
2094 return 1;
2095 }
2096
tls_construct_ctos_client_cert_type(SSL_CONNECTION * sc,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2097 EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2098 unsigned int context,
2099 X509 *x, size_t chainidx)
2100 {
2101 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2102 if (sc->client_cert_type == NULL)
2103 return EXT_RETURN_NOT_SENT;
2104
2105 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2106 || !WPACKET_start_sub_packet_u16(pkt)
2107 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)
2108 || !WPACKET_close(pkt)) {
2109 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2110 return EXT_RETURN_FAIL;
2111 }
2112 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2113 return EXT_RETURN_SENT;
2114 }
2115
tls_parse_stoc_client_cert_type(SSL_CONNECTION * sc,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2116 int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2117 unsigned int context,
2118 X509 *x, size_t chainidx)
2119 {
2120 unsigned int type;
2121
2122 if (PACKET_remaining(pkt) != 1) {
2123 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2124 return 0;
2125 }
2126 if (!PACKET_get_1(pkt, &type)) {
2127 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2128 return 0;
2129 }
2130 /* We did not send/ask for this */
2131 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2132 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2133 return 0;
2134 }
2135 /* We don't have this enabled */
2136 if (sc->client_cert_type == NULL) {
2137 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2138 return 0;
2139 }
2140 /* Given back a value we didn't configure */
2141 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {
2142 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2143 return 0;
2144 }
2145 sc->ext.client_cert_type = type;
2146 return 1;
2147 }
2148
tls_construct_ctos_server_cert_type(SSL_CONNECTION * sc,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2149 EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2150 unsigned int context,
2151 X509 *x, size_t chainidx)
2152 {
2153 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2154 if (sc->server_cert_type == NULL)
2155 return EXT_RETURN_NOT_SENT;
2156
2157 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2158 || !WPACKET_start_sub_packet_u16(pkt)
2159 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)
2160 || !WPACKET_close(pkt)) {
2161 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2162 return EXT_RETURN_FAIL;
2163 }
2164 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2165 return EXT_RETURN_SENT;
2166 }
2167
tls_parse_stoc_server_cert_type(SSL_CONNECTION * sc,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2168 int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2169 unsigned int context,
2170 X509 *x, size_t chainidx)
2171 {
2172 unsigned int type;
2173
2174 if (PACKET_remaining(pkt) != 1) {
2175 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2176 return 0;
2177 }
2178 if (!PACKET_get_1(pkt, &type)) {
2179 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2180 return 0;
2181 }
2182 /* We did not send/ask for this */
2183 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2184 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2185 return 0;
2186 }
2187 /* We don't have this enabled */
2188 if (sc->server_cert_type == NULL) {
2189 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2190 return 0;
2191 }
2192 /* Given back a value we didn't configure */
2193 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {
2194 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2195 return 0;
2196 }
2197 sc->ext.server_cert_type = type;
2198 return 1;
2199 }
2200