1 /*
2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
14
15 #define COOKIE_STATE_FORMAT_VERSION 1
16
17 /*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
23 */
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27 /*
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
33 */
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
37
38 /*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
tls_parse_ctos_renegotiate(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)41 int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
43 X509 *x, size_t chainidx)
44 {
45 unsigned int ilen;
46 const unsigned char *data;
47 int ok;
48
49 /* Parse the length byte */
50 if (!PACKET_get_1(pkt, &ilen)
51 || !PACKET_get_bytes(pkt, &data, ilen)) {
52 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
53 return 0;
54 }
55
56 /* Check that the extension matches */
57 if (ilen != s->s3.previous_client_finished_len) {
58 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
59 return 0;
60 }
61
62 ok = memcmp(data, s->s3.previous_client_finished,
63 s->s3.previous_client_finished_len);
64 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
65 if (ok) {
66 if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
67 ok = 0;
68 }
69 }
70 #endif
71 if (ok) {
72 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
73 return 0;
74 }
75
76 s->s3.send_connection_binding = 1;
77
78 return 1;
79 }
80
81 /*-
82 * The servername extension is treated as follows:
83 *
84 * - Only the hostname type is supported with a maximum length of 255.
85 * - The servername is rejected if too long or if it contains zeros,
86 * in which case an fatal alert is generated.
87 * - The servername field is maintained together with the session cache.
88 * - When a session is resumed, the servername call back invoked in order
89 * to allow the application to position itself to the right context.
90 * - The servername is acknowledged if it is new for a session or when
91 * it is identical to a previously used for the same session.
92 * Applications can control the behaviour. They can at any time
93 * set a 'desirable' servername for a new SSL object. This can be the
94 * case for example with HTTPS when a Host: header field is received and
95 * a renegotiation is requested. In this case, a possible servername
96 * presented in the new client hello is only acknowledged if it matches
97 * the value of the Host: field.
98 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
99 * if they provide for changing an explicit servername context for the
100 * session, i.e. when the session has been established with a servername
101 * extension.
102 * - On session reconnect, the servername extension may be absent.
103 */
tls_parse_ctos_server_name(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)104 int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
105 unsigned int context, X509 *x, size_t chainidx)
106 {
107 unsigned int servname_type;
108 PACKET sni, hostname;
109
110 if (!PACKET_as_length_prefixed_2(pkt, &sni)
111 /* ServerNameList must be at least 1 byte long. */
112 || PACKET_remaining(&sni) == 0) {
113 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
114 return 0;
115 }
116
117 /*
118 * Although the intent was for server_name to be extensible, RFC 4366
119 * was not clear about it; and so OpenSSL among other implementations,
120 * always and only allows a 'host_name' name types.
121 * RFC 6066 corrected the mistake but adding new name types
122 * is nevertheless no longer feasible, so act as if no other
123 * SNI types can exist, to simplify parsing.
124 *
125 * Also note that the RFC permits only one SNI value per type,
126 * i.e., we can only have a single hostname.
127 */
128 if (!PACKET_get_1(&sni, &servname_type)
129 || servname_type != TLSEXT_NAMETYPE_host_name
130 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
131 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
132 return 0;
133 }
134
135 /*
136 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
137 * we always use the SNI value from the handshake.
138 */
139 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
140 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
141 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
142 return 0;
143 }
144
145 if (PACKET_contains_zero_byte(&hostname)) {
146 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
147 return 0;
148 }
149
150 /*
151 * Store the requested SNI in the SSL as temporary storage.
152 * If we accept it, it will get stored in the SSL_SESSION as well.
153 */
154 OPENSSL_free(s->ext.hostname);
155 s->ext.hostname = NULL;
156 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
158 return 0;
159 }
160
161 s->servername_done = 1;
162 } else {
163 /*
164 * In TLSv1.2 and below we should check if the SNI is consistent between
165 * the initial handshake and the resumption. In TLSv1.3 SNI is not
166 * associated with the session.
167 */
168 s->servername_done = (s->session->ext.hostname != NULL)
169 && PACKET_equal(&hostname, s->session->ext.hostname,
170 strlen(s->session->ext.hostname));
171 }
172
173 return 1;
174 }
175
tls_parse_ctos_maxfragmentlen(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)176 int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
177 unsigned int context,
178 X509 *x, size_t chainidx)
179 {
180 unsigned int value;
181
182 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
183 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
184 return 0;
185 }
186
187 /* Received |value| should be a valid max-fragment-length code. */
188 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
189 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
190 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
191 return 0;
192 }
193
194 /*
195 * When doing a full handshake or a renegotiation max_fragment_len_mode will
196 * be TLSEXT_max_fragment_length_UNSPECIFIED
197 *
198 * In case of a resumption max_fragment_len_mode will be one of
199 * TLSEXT_max_fragment_length_DISABLED, TLSEXT_max_fragment_length_512,
200 * TLSEXT_max_fragment_length_1024, TLSEXT_max_fragment_length_2048.
201 * TLSEXT_max_fragment_length_4096
202 *
203 * RFC 6066: The negotiated length applies for the duration of the session
204 * including session resumptions.
205 *
206 * So we only set the value in case it is unspecified.
207 */
208 if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED)
209 /*
210 * Store it in session, so it'll become binding for us
211 * and we'll include it in a next Server Hello.
212 */
213 s->session->ext.max_fragment_len_mode = value;
214
215 return 1;
216 }
217
218 #ifndef OPENSSL_NO_SRP
tls_parse_ctos_srp(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)219 int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
220 X509 *x, size_t chainidx)
221 {
222 PACKET srp_I;
223
224 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
225 || PACKET_contains_zero_byte(&srp_I)) {
226 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
227 return 0;
228 }
229
230 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
231 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
232 return 0;
233 }
234
235 return 1;
236 }
237 #endif
238
tls_parse_ctos_ec_pt_formats(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)239 int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
240 unsigned int context,
241 X509 *x, size_t chainidx)
242 {
243 PACKET ec_point_format_list;
244
245 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
246 || PACKET_remaining(&ec_point_format_list) == 0) {
247 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
248 return 0;
249 }
250
251 if (!s->hit) {
252 if (!PACKET_memdup(&ec_point_format_list,
253 &s->ext.peer_ecpointformats,
254 &s->ext.peer_ecpointformats_len)) {
255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
256 return 0;
257 }
258 }
259
260 return 1;
261 }
262
tls_parse_ctos_session_ticket(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)263 int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
264 unsigned int context,
265 X509 *x, size_t chainidx)
266 {
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s),
269 PACKET_data(pkt), PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
272 return 0;
273 }
274
275 return 1;
276 }
277
tls_parse_ctos_sig_algs_cert(SSL_CONNECTION * s,PACKET * pkt,ossl_unused unsigned int context,ossl_unused X509 * x,ossl_unused size_t chainidx)278 int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
279 ossl_unused unsigned int context,
280 ossl_unused X509 *x,
281 ossl_unused size_t chainidx)
282 {
283 PACKET supported_sig_algs;
284
285 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
286 || PACKET_remaining(&supported_sig_algs) == 0) {
287 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
288 return 0;
289 }
290
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
293 return 0;
294 }
295
296 return 1;
297 }
298
tls_parse_ctos_sig_algs(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)299 int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
300 unsigned int context, X509 *x, size_t chainidx)
301 {
302 PACKET supported_sig_algs;
303
304 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
305 || PACKET_remaining(&supported_sig_algs) == 0) {
306 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
307 return 0;
308 }
309
310 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
311 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
312 return 0;
313 }
314
315 return 1;
316 }
317
318 #ifndef OPENSSL_NO_OCSP
tls_parse_ctos_status_request(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)319 int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
320 unsigned int context,
321 X509 *x, size_t chainidx)
322 {
323 PACKET responder_id_list, exts;
324
325 /* We ignore this in a resumption handshake */
326 if (s->hit)
327 return 1;
328
329 /* Not defined if we get one of these in a client Certificate */
330 if (x != NULL)
331 return 1;
332
333 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
334 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
335 return 0;
336 }
337
338 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
339 /*
340 * We don't know what to do with any other type so ignore it.
341 */
342 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
343 return 1;
344 }
345
346 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
347 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
348 return 0;
349 }
350
351 /*
352 * We remove any OCSP_RESPIDs from a previous handshake
353 * to prevent unbounded memory growth - CVE-2016-6304
354 */
355 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
356 if (PACKET_remaining(&responder_id_list) > 0) {
357 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
358 if (s->ext.ocsp.ids == NULL) {
359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
360 return 0;
361 }
362 } else {
363 s->ext.ocsp.ids = NULL;
364 }
365
366 while (PACKET_remaining(&responder_id_list) > 0) {
367 OCSP_RESPID *id;
368 PACKET responder_id;
369 const unsigned char *id_data;
370
371 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
372 || PACKET_remaining(&responder_id) == 0) {
373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
374 return 0;
375 }
376
377 id_data = PACKET_data(&responder_id);
378 id = d2i_OCSP_RESPID(NULL, &id_data,
379 (int)PACKET_remaining(&responder_id));
380 if (id == NULL) {
381 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
382 return 0;
383 }
384
385 if (id_data != PACKET_end(&responder_id)) {
386 OCSP_RESPID_free(id);
387 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
388
389 return 0;
390 }
391
392 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
393 OCSP_RESPID_free(id);
394 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
395
396 return 0;
397 }
398 }
399
400 /* Read in request_extensions */
401 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
402 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
403 return 0;
404 }
405
406 if (PACKET_remaining(&exts) > 0) {
407 const unsigned char *ext_data = PACKET_data(&exts);
408
409 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
410 X509_EXTENSION_free);
411 s->ext.ocsp.exts =
412 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
413 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
414 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
415 return 0;
416 }
417 }
418
419 return 1;
420 }
421 #endif
422
423 #ifndef OPENSSL_NO_NEXTPROTONEG
tls_parse_ctos_npn(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)424 int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
425 X509 *x, size_t chainidx)
426 {
427 /*
428 * We shouldn't accept this extension on a
429 * renegotiation.
430 */
431 if (SSL_IS_FIRST_HANDSHAKE(s))
432 s->s3.npn_seen = 1;
433
434 return 1;
435 }
436 #endif
437
438 /*
439 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
440 * extension, not including type and length. Returns: 1 on success, 0 on error.
441 */
tls_parse_ctos_alpn(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)442 int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
443 X509 *x, size_t chainidx)
444 {
445 PACKET protocol_list, save_protocol_list, protocol;
446
447 if (!SSL_IS_FIRST_HANDSHAKE(s))
448 return 1;
449
450 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
451 || PACKET_remaining(&protocol_list) < 2) {
452 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
453 return 0;
454 }
455
456 save_protocol_list = protocol_list;
457 do {
458 /* Protocol names can't be empty. */
459 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
460 || PACKET_remaining(&protocol) == 0) {
461 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
462 return 0;
463 }
464 } while (PACKET_remaining(&protocol_list) != 0);
465
466 OPENSSL_free(s->s3.alpn_proposed);
467 s->s3.alpn_proposed = NULL;
468 s->s3.alpn_proposed_len = 0;
469 if (!PACKET_memdup(&save_protocol_list,
470 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
471 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
472 return 0;
473 }
474
475 return 1;
476 }
477
478 #ifndef OPENSSL_NO_SRTP
tls_parse_ctos_use_srtp(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)479 int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
480 unsigned int context, X509 *x, size_t chainidx)
481 {
482 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
483 unsigned int ct, mki_len, id;
484 int i, srtp_pref;
485 PACKET subpkt;
486 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
487
488 /* Ignore this if we have no SRTP profiles */
489 if (SSL_get_srtp_profiles(ssl) == NULL)
490 return 1;
491
492 /* Pull off the length of the cipher suite list and check it is even */
493 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
494 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
495 SSLfatal(s, SSL_AD_DECODE_ERROR,
496 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
497 return 0;
498 }
499
500 srvr = SSL_get_srtp_profiles(ssl);
501 s->srtp_profile = NULL;
502 /* Search all profiles for a match initially */
503 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
504
505 while (PACKET_remaining(&subpkt)) {
506 if (!PACKET_get_net_2(&subpkt, &id)) {
507 SSLfatal(s, SSL_AD_DECODE_ERROR,
508 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
509 return 0;
510 }
511
512 /*
513 * Only look for match in profiles of higher preference than
514 * current match.
515 * If no profiles have been have been configured then this
516 * does nothing.
517 */
518 for (i = 0; i < srtp_pref; i++) {
519 SRTP_PROTECTION_PROFILE *sprof =
520 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
521
522 if (sprof->id == id) {
523 s->srtp_profile = sprof;
524 srtp_pref = i;
525 break;
526 }
527 }
528 }
529
530 /* Now extract the MKI value as a sanity check, but discard it for now */
531 if (!PACKET_get_1(pkt, &mki_len)) {
532 SSLfatal(s, SSL_AD_DECODE_ERROR,
533 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
534 return 0;
535 }
536
537 if (!PACKET_forward(pkt, mki_len)
538 || PACKET_remaining(pkt)) {
539 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
540 return 0;
541 }
542
543 return 1;
544 }
545 #endif
546
tls_parse_ctos_etm(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)547 int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
548 X509 *x, size_t chainidx)
549 {
550 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
551 s->ext.use_etm = 1;
552
553 return 1;
554 }
555
556 /*
557 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
558 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
559 */
tls_parse_ctos_psk_kex_modes(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)560 int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
561 unsigned int context,
562 X509 *x, size_t chainidx)
563 {
564 #ifndef OPENSSL_NO_TLS1_3
565 PACKET psk_kex_modes;
566 unsigned int mode;
567
568 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
569 || PACKET_remaining(&psk_kex_modes) == 0) {
570 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
571 return 0;
572 }
573
574 while (PACKET_get_1(&psk_kex_modes, &mode)) {
575 if (mode == TLSEXT_KEX_MODE_KE_DHE)
576 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
577 else if (mode == TLSEXT_KEX_MODE_KE
578 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
579 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
580 }
581
582 if (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) != 0)
583 && (s->options & SSL_OP_PREFER_NO_DHE_KEX) != 0) {
584
585 /*
586 * If NO_DHE is supported and preferred, then we only remember this
587 * mode. DHE PSK will not be used for sure, because in any case where
588 * it would be supported (i.e. if a key share is present), NO_DHE would
589 * be supported as well. As the latter is preferred it would be
590 * chosen. By removing DHE PSK here, we don't have to deal with the
591 * SSL_OP_PREFER_NO_DHE_KEX option in any other place.
592 */
593 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE;
594 }
595
596 #endif
597
598 return 1;
599 }
600
601 /*
602 * Process a key_share extension received in the ClientHello. |pkt| contains
603 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
604 */
tls_parse_ctos_key_share(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)605 int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
606 unsigned int context, X509 *x, size_t chainidx)
607 {
608 #ifndef OPENSSL_NO_TLS1_3
609 unsigned int group_id;
610 PACKET key_share_list, encoded_pt;
611 const uint16_t *clntgroups, *srvrgroups;
612 size_t clnt_num_groups, srvr_num_groups;
613 int found = 0;
614
615 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
616 return 1;
617
618 /* Sanity check */
619 if (s->s3.peer_tmp != NULL) {
620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
621 return 0;
622 }
623
624 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
625 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
626 return 0;
627 }
628
629 /* Get our list of supported groups */
630 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
631 /* Get the clients list of supported groups. */
632 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
633 if (clnt_num_groups == 0) {
634 /*
635 * This can only happen if the supported_groups extension was not sent,
636 * because we verify that the length is non-zero when we process that
637 * extension.
638 */
639 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
640 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
641 return 0;
642 }
643
644 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
645 /*
646 * If we set a group_id already, then we must have sent an HRR
647 * requesting a new key_share. If we haven't got one then that is an
648 * error
649 */
650 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
651 return 0;
652 }
653
654 while (PACKET_remaining(&key_share_list) > 0) {
655 if (!PACKET_get_net_2(&key_share_list, &group_id)
656 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
657 || PACKET_remaining(&encoded_pt) == 0) {
658 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
659 return 0;
660 }
661
662 /*
663 * If we already found a suitable key_share we loop through the
664 * rest to verify the structure, but don't process them.
665 */
666 if (found)
667 continue;
668
669 /*
670 * If we sent an HRR then the key_share sent back MUST be for the group
671 * we requested, and must be the only key_share sent.
672 */
673 if (s->s3.group_id != 0
674 && (group_id != s->s3.group_id
675 || PACKET_remaining(&key_share_list) != 0)) {
676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
677 return 0;
678 }
679
680 /* Check if this share is in supported_groups sent from client */
681 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
682 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
683 return 0;
684 }
685
686 /* Check if this share is for a group we can use */
687 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
688 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
689 /*
690 * We tolerate but ignore a group id that we don't think is
691 * suitable for TLSv1.3
692 */
693 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
694 0, NULL)) {
695 /* Share not suitable */
696 continue;
697 }
698
699 s->s3.group_id = group_id;
700 /* Cache the selected group ID in the SSL_SESSION */
701 s->session->kex_group = group_id;
702
703 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
704 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
705 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
706 return 0;
707 }
708
709 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
710 PACKET_data(&encoded_pt),
711 PACKET_remaining(&encoded_pt)) <= 0) {
712 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
713 return 0;
714 }
715
716 found = 1;
717 }
718 #endif
719
720 return 1;
721 }
722
tls_parse_ctos_cookie(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)723 int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
724 X509 *x, size_t chainidx)
725 {
726 #ifndef OPENSSL_NO_TLS1_3
727 unsigned int format, version, key_share, group_id;
728 EVP_MD_CTX *hctx;
729 EVP_PKEY *pkey;
730 PACKET cookie, raw, chhash, appcookie;
731 WPACKET hrrpkt;
732 const unsigned char *data, *mdin, *ciphdata;
733 unsigned char hmac[SHA256_DIGEST_LENGTH];
734 unsigned char hrr[MAX_HRR_SIZE];
735 size_t rawlen, hmaclen, hrrlen, ciphlen;
736 uint64_t tm, now;
737 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
738 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
739
740 /* Ignore any cookie if we're not set up to verify it */
741 if (sctx->verify_stateless_cookie_cb == NULL
742 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
743 return 1;
744
745 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
746 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
747 return 0;
748 }
749
750 raw = cookie;
751 data = PACKET_data(&raw);
752 rawlen = PACKET_remaining(&raw);
753 if (rawlen < SHA256_DIGEST_LENGTH
754 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
755 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
756 return 0;
757 }
758 mdin = PACKET_data(&raw);
759
760 /* Verify the HMAC of the cookie */
761 hctx = EVP_MD_CTX_create();
762 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
763 sctx->propq,
764 s->session_ctx->ext.cookie_hmac_key,
765 sizeof(s->session_ctx->ext.cookie_hmac_key));
766 if (hctx == NULL || pkey == NULL) {
767 EVP_MD_CTX_free(hctx);
768 EVP_PKEY_free(pkey);
769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
770 return 0;
771 }
772
773 hmaclen = SHA256_DIGEST_LENGTH;
774 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
775 sctx->propq, pkey, NULL) <= 0
776 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
777 rawlen - SHA256_DIGEST_LENGTH) <= 0
778 || hmaclen != SHA256_DIGEST_LENGTH) {
779 EVP_MD_CTX_free(hctx);
780 EVP_PKEY_free(pkey);
781 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
782 return 0;
783 }
784
785 EVP_MD_CTX_free(hctx);
786 EVP_PKEY_free(pkey);
787
788 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
789 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
790 return 0;
791 }
792
793 if (!PACKET_get_net_2(&cookie, &format)) {
794 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
795 return 0;
796 }
797 /* Check the cookie format is something we recognise. Ignore it if not */
798 if (format != COOKIE_STATE_FORMAT_VERSION)
799 return 1;
800
801 /*
802 * The rest of these checks really shouldn't fail since we have verified the
803 * HMAC above.
804 */
805
806 /* Check the version number is sane */
807 if (!PACKET_get_net_2(&cookie, &version)) {
808 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
809 return 0;
810 }
811 if (version != TLS1_3_VERSION) {
812 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
813 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
814 return 0;
815 }
816
817 if (!PACKET_get_net_2(&cookie, &group_id)) {
818 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
819 return 0;
820 }
821
822 ciphdata = PACKET_data(&cookie);
823 if (!PACKET_forward(&cookie, 2)) {
824 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
825 return 0;
826 }
827 if (group_id != s->s3.group_id
828 || s->s3.tmp.new_cipher
829 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
830 /*
831 * We chose a different cipher or group id this time around to what is
832 * in the cookie. Something must have changed.
833 */
834 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
835 return 0;
836 }
837
838 if (!PACKET_get_1(&cookie, &key_share)
839 || !PACKET_get_net_8(&cookie, &tm)
840 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
841 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
842 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
843 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
844 return 0;
845 }
846
847 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
848 now = time(NULL);
849 if (tm > now || (now - tm) > 600) {
850 /* Cookie is stale. Ignore it */
851 return 1;
852 }
853
854 /* Verify the app cookie */
855 if (sctx->verify_stateless_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s),
856 PACKET_data(&appcookie),
857 PACKET_remaining(&appcookie)) == 0) {
858 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
859 return 0;
860 }
861
862 /*
863 * Reconstruct the HRR that we would have sent in response to the original
864 * ClientHello so we can add it to the transcript hash.
865 * Note: This won't work with custom HRR extensions
866 */
867 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
869 return 0;
870 }
871 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
872 || !WPACKET_start_sub_packet_u24(&hrrpkt)
873 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
874 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
875 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
876 s->tmp_session_id_len)
877 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
878 &ciphlen)
879 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
880 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
881 WPACKET_cleanup(&hrrpkt);
882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
883 return 0;
884 }
885 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
886 || !WPACKET_start_sub_packet_u16(&hrrpkt)
887 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
888 || !WPACKET_close(&hrrpkt)) {
889 WPACKET_cleanup(&hrrpkt);
890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
891 return 0;
892 }
893 if (key_share) {
894 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
895 || !WPACKET_start_sub_packet_u16(&hrrpkt)
896 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
897 || !WPACKET_close(&hrrpkt)) {
898 WPACKET_cleanup(&hrrpkt);
899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
900 return 0;
901 }
902 }
903 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
904 || !WPACKET_start_sub_packet_u16(&hrrpkt)
905 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
906 || !WPACKET_close(&hrrpkt) /* cookie extension */
907 || !WPACKET_close(&hrrpkt) /* extension block */
908 || !WPACKET_close(&hrrpkt) /* message */
909 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
910 || !WPACKET_finish(&hrrpkt)) {
911 WPACKET_cleanup(&hrrpkt);
912 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
913 return 0;
914 }
915
916 /* Reconstruct the transcript hash */
917 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
918 PACKET_remaining(&chhash), hrr,
919 hrrlen)) {
920 /* SSLfatal() already called */
921 return 0;
922 }
923
924 /* Act as if this ClientHello came after a HelloRetryRequest */
925 s->hello_retry_request = SSL_HRR_PENDING;
926
927 s->ext.cookieok = 1;
928 #endif
929
930 return 1;
931 }
932
tls_parse_ctos_supported_groups(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)933 int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
934 unsigned int context,
935 X509 *x, size_t chainidx)
936 {
937 PACKET supported_groups_list;
938
939 /* Each group is 2 bytes and we must have at least 1. */
940 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
941 || PACKET_remaining(&supported_groups_list) == 0
942 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
943 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
944 return 0;
945 }
946
947 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
948 OPENSSL_free(s->ext.peer_supportedgroups);
949 s->ext.peer_supportedgroups = NULL;
950 s->ext.peer_supportedgroups_len = 0;
951 if (!tls1_save_u16(&supported_groups_list,
952 &s->ext.peer_supportedgroups,
953 &s->ext.peer_supportedgroups_len)) {
954 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
955 return 0;
956 }
957 }
958
959 return 1;
960 }
961
tls_parse_ctos_ems(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)962 int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
963 X509 *x, size_t chainidx)
964 {
965 /* The extension must always be empty */
966 if (PACKET_remaining(pkt) != 0) {
967 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
968 return 0;
969 }
970
971 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
972 return 1;
973
974 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
975
976 return 1;
977 }
978
979
tls_parse_ctos_early_data(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)980 int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
981 X509 *x, size_t chainidx)
982 {
983 if (PACKET_remaining(pkt) != 0) {
984 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
985 return 0;
986 }
987
988 if (s->hello_retry_request != SSL_HRR_NONE) {
989 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
990 return 0;
991 }
992
993 return 1;
994 }
995
tls_get_stateful_ticket(SSL_CONNECTION * s,PACKET * tick,SSL_SESSION ** sess)996 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
997 SSL_SESSION **sess)
998 {
999 SSL_SESSION *tmpsess = NULL;
1000
1001 s->ext.ticket_expected = 1;
1002
1003 switch (PACKET_remaining(tick)) {
1004 case 0:
1005 return SSL_TICKET_EMPTY;
1006
1007 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1008 break;
1009
1010 default:
1011 return SSL_TICKET_NO_DECRYPT;
1012 }
1013
1014 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1015 SSL_MAX_SSL_SESSION_ID_LENGTH);
1016
1017 if (tmpsess == NULL)
1018 return SSL_TICKET_NO_DECRYPT;
1019
1020 *sess = tmpsess;
1021 return SSL_TICKET_SUCCESS;
1022 }
1023
tls_parse_ctos_psk(SSL_CONNECTION * s,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1024 int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1025 X509 *x, size_t chainidx)
1026 {
1027 PACKET identities, binders, binder;
1028 size_t binderoffset;
1029 int hashsize;
1030 SSL_SESSION *sess = NULL;
1031 unsigned int id, i, ext = 0;
1032 const EVP_MD *md = NULL;
1033 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1034 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
1035
1036 /*
1037 * If we have no PSK kex mode that we recognise then we can't resume so
1038 * ignore this extension
1039 */
1040 if ((s->ext.psk_kex_mode
1041 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1042 return 1;
1043
1044 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1045 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1046 return 0;
1047 }
1048
1049 s->ext.ticket_expected = 0;
1050 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1051 PACKET identity;
1052 unsigned long ticket_agel;
1053 size_t idlen;
1054
1055 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1056 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1057 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1058 return 0;
1059 }
1060
1061 idlen = PACKET_remaining(&identity);
1062 if (s->psk_find_session_cb != NULL
1063 && !s->psk_find_session_cb(ussl, PACKET_data(&identity), idlen,
1064 &sess)) {
1065 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
1066 return 0;
1067 }
1068
1069 #ifndef OPENSSL_NO_PSK
1070 if (sess == NULL
1071 && s->psk_server_callback != NULL
1072 && idlen <= PSK_MAX_IDENTITY_LEN) {
1073 char *pskid = NULL;
1074 unsigned char pskdata[PSK_MAX_PSK_LEN];
1075 unsigned int pskdatalen;
1076
1077 if (!PACKET_strndup(&identity, &pskid)) {
1078 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1079 return 0;
1080 }
1081 pskdatalen = s->psk_server_callback(ussl, pskid, pskdata,
1082 sizeof(pskdata));
1083 OPENSSL_free(pskid);
1084 if (pskdatalen > PSK_MAX_PSK_LEN) {
1085 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1086 return 0;
1087 } else if (pskdatalen > 0) {
1088 const SSL_CIPHER *cipher;
1089 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1090
1091 /*
1092 * We found a PSK using an old style callback. We don't know
1093 * the digest so we default to SHA256 as per the TLSv1.3 spec
1094 */
1095 cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s),
1096 tls13_aes128gcmsha256_id);
1097 if (cipher == NULL) {
1098 OPENSSL_cleanse(pskdata, pskdatalen);
1099 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1100 return 0;
1101 }
1102
1103 sess = SSL_SESSION_new();
1104 if (sess == NULL
1105 || !SSL_SESSION_set1_master_key(sess, pskdata,
1106 pskdatalen)
1107 || !SSL_SESSION_set_cipher(sess, cipher)
1108 || !SSL_SESSION_set_protocol_version(sess,
1109 TLS1_3_VERSION)) {
1110 OPENSSL_cleanse(pskdata, pskdatalen);
1111 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1112 goto err;
1113 }
1114 OPENSSL_cleanse(pskdata, pskdatalen);
1115 }
1116 }
1117 #endif /* OPENSSL_NO_PSK */
1118
1119 if (sess != NULL) {
1120 /* We found a PSK */
1121 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1122
1123 if (sesstmp == NULL) {
1124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1125 goto err;
1126 }
1127 SSL_SESSION_free(sess);
1128 sess = sesstmp;
1129
1130 /*
1131 * We've just been told to use this session for this context so
1132 * make sure the sid_ctx matches up.
1133 */
1134 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1135 sess->sid_ctx_length = s->sid_ctx_length;
1136 ext = 1;
1137 if (id == 0)
1138 s->ext.early_data_ok = 1;
1139 s->ext.ticket_expected = 1;
1140 } else {
1141 OSSL_TIME t, age, expire;
1142 int ret;
1143
1144 /*
1145 * If we are using anti-replay protection then we behave as if
1146 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1147 * is no point in using full stateless tickets.
1148 */
1149 if ((s->options & SSL_OP_NO_TICKET) != 0
1150 || (s->max_early_data > 0
1151 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1152 ret = tls_get_stateful_ticket(s, &identity, &sess);
1153 else
1154 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1155 PACKET_remaining(&identity), NULL, 0,
1156 &sess);
1157
1158 if (ret == SSL_TICKET_EMPTY) {
1159 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1160 return 0;
1161 }
1162
1163 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1164 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1166 return 0;
1167 }
1168 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1169 continue;
1170
1171 /* Check for replay */
1172 if (s->max_early_data > 0
1173 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1174 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1175 SSL_SESSION_free(sess);
1176 sess = NULL;
1177 continue;
1178 }
1179
1180 age = ossl_time_subtract(ossl_ms2time(ticket_agel),
1181 ossl_ms2time(sess->ext.tick_age_add));
1182 t = ossl_time_subtract(ossl_time_now(), sess->time);
1183
1184 /*
1185 * Although internally we use OSS_TIME which has ns granularity,
1186 * when SSL_SESSION structures are serialised/deserialised we use
1187 * second granularity for the sess->time field. Therefore it could
1188 * appear that the client's ticket age is longer than ours (our
1189 * ticket age calculation should always be slightly longer than the
1190 * client's due to the network latency). Therefore we add 1000ms to
1191 * our age calculation to adjust for rounding errors.
1192 */
1193 expire = ossl_time_add(t, ossl_ms2time(1000));
1194
1195 if (id == 0
1196 && ossl_time_compare(sess->timeout, t) >= 0
1197 && ossl_time_compare(age, expire) <= 0
1198 && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1199 expire) >= 0) {
1200 /*
1201 * Ticket age is within tolerance and not expired. We allow it
1202 * for early data
1203 */
1204 s->ext.early_data_ok = 1;
1205 }
1206 }
1207
1208 md = ssl_md(sctx, sess->cipher->algorithm2);
1209 if (md == NULL) {
1210 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1211 goto err;
1212 }
1213 if (!EVP_MD_is_a(md,
1214 EVP_MD_get0_name(ssl_md(sctx,
1215 s->s3.tmp.new_cipher->algorithm2)))) {
1216 /* The ciphersuite is not compatible with this session. */
1217 SSL_SESSION_free(sess);
1218 sess = NULL;
1219 s->ext.early_data_ok = 0;
1220 s->ext.ticket_expected = 0;
1221 continue;
1222 }
1223 break;
1224 }
1225
1226 if (sess == NULL)
1227 return 1;
1228
1229 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1230 hashsize = EVP_MD_get_size(md);
1231 if (hashsize <= 0)
1232 goto err;
1233
1234 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1235 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1236 goto err;
1237 }
1238
1239 for (i = 0; i <= id; i++) {
1240 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1241 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1242 goto err;
1243 }
1244 }
1245
1246 if (PACKET_remaining(&binder) != (size_t)hashsize) {
1247 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1248 goto err;
1249 }
1250 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1251 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1252 ext) != 1) {
1253 /* SSLfatal() already called */
1254 goto err;
1255 }
1256
1257 s->ext.tick_identity = id;
1258
1259 SSL_SESSION_free(s->session);
1260 s->session = sess;
1261 return 1;
1262 err:
1263 SSL_SESSION_free(sess);
1264 return 0;
1265 }
1266
tls_parse_ctos_post_handshake_auth(SSL_CONNECTION * s,PACKET * pkt,ossl_unused unsigned int context,ossl_unused X509 * x,ossl_unused size_t chainidx)1267 int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
1268 ossl_unused unsigned int context,
1269 ossl_unused X509 *x,
1270 ossl_unused size_t chainidx)
1271 {
1272 if (PACKET_remaining(pkt) != 0) {
1273 SSLfatal(s, SSL_AD_DECODE_ERROR,
1274 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1275 return 0;
1276 }
1277
1278 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1279
1280 return 1;
1281 }
1282
1283 /*
1284 * Add the server's renegotiation binding
1285 */
tls_construct_stoc_renegotiate(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1286 EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
1287 unsigned int context, X509 *x,
1288 size_t chainidx)
1289 {
1290 if (!s->s3.send_connection_binding)
1291 return EXT_RETURN_NOT_SENT;
1292
1293 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1294 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1295 || !WPACKET_start_sub_packet_u16(pkt)
1296 || !WPACKET_start_sub_packet_u8(pkt)
1297 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1298 s->s3.previous_client_finished_len)
1299 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1300 s->s3.previous_server_finished_len)
1301 || !WPACKET_close(pkt)
1302 || !WPACKET_close(pkt)) {
1303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1304 return EXT_RETURN_FAIL;
1305 }
1306
1307 return EXT_RETURN_SENT;
1308 }
1309
tls_construct_stoc_server_name(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1310 EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
1311 unsigned int context, X509 *x,
1312 size_t chainidx)
1313 {
1314 if (s->servername_done != 1)
1315 return EXT_RETURN_NOT_SENT;
1316
1317 /*
1318 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1319 * We just use the servername from the initial handshake.
1320 */
1321 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
1322 return EXT_RETURN_NOT_SENT;
1323
1324 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1325 || !WPACKET_put_bytes_u16(pkt, 0)) {
1326 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1327 return EXT_RETURN_FAIL;
1328 }
1329
1330 return EXT_RETURN_SENT;
1331 }
1332
1333 /* Add/include the server's max fragment len extension into ServerHello */
tls_construct_stoc_maxfragmentlen(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1334 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
1335 unsigned int context, X509 *x,
1336 size_t chainidx)
1337 {
1338 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1339 return EXT_RETURN_NOT_SENT;
1340
1341 /*-
1342 * 4 bytes for this extension type and extension length
1343 * 1 byte for the Max Fragment Length code value.
1344 */
1345 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1346 || !WPACKET_start_sub_packet_u16(pkt)
1347 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1348 || !WPACKET_close(pkt)) {
1349 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1350 return EXT_RETURN_FAIL;
1351 }
1352
1353 return EXT_RETURN_SENT;
1354 }
1355
tls_construct_stoc_ec_pt_formats(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1356 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
1357 unsigned int context, X509 *x,
1358 size_t chainidx)
1359 {
1360 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1361 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1362 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1363 && (s->ext.peer_ecpointformats != NULL);
1364 const unsigned char *plist;
1365 size_t plistlen;
1366
1367 if (!using_ecc)
1368 return EXT_RETURN_NOT_SENT;
1369
1370 tls1_get_formatlist(s, &plist, &plistlen);
1371 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1372 || !WPACKET_start_sub_packet_u16(pkt)
1373 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1374 || !WPACKET_close(pkt)) {
1375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1376 return EXT_RETURN_FAIL;
1377 }
1378
1379 return EXT_RETURN_SENT;
1380 }
1381
tls_construct_stoc_supported_groups(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1382 EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
1383 unsigned int context, X509 *x,
1384 size_t chainidx)
1385 {
1386 const uint16_t *groups;
1387 size_t numgroups, i, first = 1;
1388 int version;
1389
1390 /* s->s3.group_id is non zero if we accepted a key_share */
1391 if (s->s3.group_id == 0)
1392 return EXT_RETURN_NOT_SENT;
1393
1394 /* Get our list of supported groups */
1395 tls1_get_supported_groups(s, &groups, &numgroups);
1396 if (numgroups == 0) {
1397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1398 return EXT_RETURN_FAIL;
1399 }
1400
1401 /* Copy group ID if supported */
1402 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
1403 for (i = 0; i < numgroups; i++) {
1404 uint16_t group = groups[i];
1405
1406 if (tls_valid_group(s, group, version, version, 0, NULL)
1407 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1408 if (first) {
1409 /*
1410 * Check if the client is already using our preferred group. If
1411 * so we don't need to add this extension
1412 */
1413 if (s->s3.group_id == group)
1414 return EXT_RETURN_NOT_SENT;
1415
1416 /* Add extension header */
1417 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1418 /* Sub-packet for supported_groups extension */
1419 || !WPACKET_start_sub_packet_u16(pkt)
1420 || !WPACKET_start_sub_packet_u16(pkt)) {
1421 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1422 return EXT_RETURN_FAIL;
1423 }
1424
1425 first = 0;
1426 }
1427 if (!WPACKET_put_bytes_u16(pkt, group)) {
1428 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1429 return EXT_RETURN_FAIL;
1430 }
1431 }
1432 }
1433
1434 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1435 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1436 return EXT_RETURN_FAIL;
1437 }
1438
1439 return EXT_RETURN_SENT;
1440 }
1441
tls_construct_stoc_session_ticket(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1442 EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
1443 unsigned int context, X509 *x,
1444 size_t chainidx)
1445 {
1446 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1447 s->ext.ticket_expected = 0;
1448 return EXT_RETURN_NOT_SENT;
1449 }
1450
1451 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1452 || !WPACKET_put_bytes_u16(pkt, 0)) {
1453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1454 return EXT_RETURN_FAIL;
1455 }
1456
1457 return EXT_RETURN_SENT;
1458 }
1459
1460 #ifndef OPENSSL_NO_OCSP
tls_construct_stoc_status_request(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1461 EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
1462 unsigned int context, X509 *x,
1463 size_t chainidx)
1464 {
1465 /* We don't currently support this extension inside a CertificateRequest */
1466 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1467 return EXT_RETURN_NOT_SENT;
1468
1469 if (!s->ext.status_expected)
1470 return EXT_RETURN_NOT_SENT;
1471
1472 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
1473 return EXT_RETURN_NOT_SENT;
1474
1475 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1476 || !WPACKET_start_sub_packet_u16(pkt)) {
1477 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1478 return EXT_RETURN_FAIL;
1479 }
1480
1481 /*
1482 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1483 * send back an empty extension, with the certificate status appearing as a
1484 * separate message
1485 */
1486 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1487 /* SSLfatal() already called */
1488 return EXT_RETURN_FAIL;
1489 }
1490 if (!WPACKET_close(pkt)) {
1491 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1492 return EXT_RETURN_FAIL;
1493 }
1494
1495 return EXT_RETURN_SENT;
1496 }
1497 #endif
1498
1499 #ifndef OPENSSL_NO_NEXTPROTONEG
tls_construct_stoc_next_proto_neg(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1500 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
1501 unsigned int context, X509 *x,
1502 size_t chainidx)
1503 {
1504 const unsigned char *npa;
1505 unsigned int npalen;
1506 int ret;
1507 int npn_seen = s->s3.npn_seen;
1508 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1509
1510 s->s3.npn_seen = 0;
1511 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
1512 return EXT_RETURN_NOT_SENT;
1513
1514 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_USER_SSL(s), &npa,
1515 &npalen, sctx->ext.npn_advertised_cb_arg);
1516 if (ret == SSL_TLSEXT_ERR_OK) {
1517 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1518 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1520 return EXT_RETURN_FAIL;
1521 }
1522 s->s3.npn_seen = 1;
1523 return EXT_RETURN_SENT;
1524 }
1525
1526 return EXT_RETURN_NOT_SENT;
1527 }
1528 #endif
1529
tls_construct_stoc_alpn(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1530 EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
1531 X509 *x, size_t chainidx)
1532 {
1533 if (s->s3.alpn_selected == NULL)
1534 return EXT_RETURN_NOT_SENT;
1535
1536 if (!WPACKET_put_bytes_u16(pkt,
1537 TLSEXT_TYPE_application_layer_protocol_negotiation)
1538 || !WPACKET_start_sub_packet_u16(pkt)
1539 || !WPACKET_start_sub_packet_u16(pkt)
1540 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1541 s->s3.alpn_selected_len)
1542 || !WPACKET_close(pkt)
1543 || !WPACKET_close(pkt)) {
1544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1545 return EXT_RETURN_FAIL;
1546 }
1547
1548 return EXT_RETURN_SENT;
1549 }
1550
1551 #ifndef OPENSSL_NO_SRTP
tls_construct_stoc_use_srtp(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1552 EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
1553 unsigned int context, X509 *x,
1554 size_t chainidx)
1555 {
1556 if (s->srtp_profile == NULL)
1557 return EXT_RETURN_NOT_SENT;
1558
1559 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1560 || !WPACKET_start_sub_packet_u16(pkt)
1561 || !WPACKET_put_bytes_u16(pkt, 2)
1562 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1563 || !WPACKET_put_bytes_u8(pkt, 0)
1564 || !WPACKET_close(pkt)) {
1565 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1566 return EXT_RETURN_FAIL;
1567 }
1568
1569 return EXT_RETURN_SENT;
1570 }
1571 #endif
1572
tls_construct_stoc_etm(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1573 EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1574 unsigned int context,
1575 X509 *x, size_t chainidx)
1576 {
1577 if (!s->ext.use_etm)
1578 return EXT_RETURN_NOT_SENT;
1579
1580 /*
1581 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1582 * for other cases too.
1583 */
1584 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1585 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1586 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1587 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1588 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1589 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1590 s->ext.use_etm = 0;
1591 return EXT_RETURN_NOT_SENT;
1592 }
1593
1594 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1595 || !WPACKET_put_bytes_u16(pkt, 0)) {
1596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1597 return EXT_RETURN_FAIL;
1598 }
1599
1600 return EXT_RETURN_SENT;
1601 }
1602
tls_construct_stoc_ems(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1603 EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1604 unsigned int context,
1605 X509 *x, size_t chainidx)
1606 {
1607 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1608 return EXT_RETURN_NOT_SENT;
1609
1610 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1611 || !WPACKET_put_bytes_u16(pkt, 0)) {
1612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1613 return EXT_RETURN_FAIL;
1614 }
1615
1616 return EXT_RETURN_SENT;
1617 }
1618
tls_construct_stoc_supported_versions(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1619 EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
1620 unsigned int context, X509 *x,
1621 size_t chainidx)
1622 {
1623 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
1624 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1625 return EXT_RETURN_FAIL;
1626 }
1627
1628 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1629 || !WPACKET_start_sub_packet_u16(pkt)
1630 || !WPACKET_put_bytes_u16(pkt, s->version)
1631 || !WPACKET_close(pkt)) {
1632 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1633 return EXT_RETURN_FAIL;
1634 }
1635
1636 return EXT_RETURN_SENT;
1637 }
1638
tls_construct_stoc_key_share(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1639 EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
1640 unsigned int context, X509 *x,
1641 size_t chainidx)
1642 {
1643 #ifndef OPENSSL_NO_TLS1_3
1644 unsigned char *encodedPoint;
1645 size_t encoded_pt_len = 0;
1646 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1647 const TLS_GROUP_INFO *ginf = NULL;
1648
1649 if (s->hello_retry_request == SSL_HRR_PENDING) {
1650 if (ckey != NULL) {
1651 /* Original key_share was acceptable so don't ask for another one */
1652 return EXT_RETURN_NOT_SENT;
1653 }
1654 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1655 || !WPACKET_start_sub_packet_u16(pkt)
1656 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1657 || !WPACKET_close(pkt)) {
1658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1659 return EXT_RETURN_FAIL;
1660 }
1661
1662 return EXT_RETURN_SENT;
1663 }
1664
1665 if (ckey == NULL) {
1666 /* No key_share received from client - must be resuming */
1667 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1668 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1669 return EXT_RETURN_FAIL;
1670 }
1671 return EXT_RETURN_NOT_SENT;
1672 }
1673
1674 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1675 /*
1676 * PSK ('hit') and explicitly not doing DHE. If the client sent the
1677 * DHE option, we take it by default, except if non-DHE would be
1678 * preferred by config, but this case would have been handled in
1679 * tls_parse_ctos_psk_kex_modes().
1680 */
1681 return EXT_RETURN_NOT_SENT;
1682 }
1683
1684 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1685 || !WPACKET_start_sub_packet_u16(pkt)
1686 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1687 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1688 return EXT_RETURN_FAIL;
1689 }
1690
1691 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1692 s->s3.group_id)) == NULL) {
1693 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1694 return EXT_RETURN_FAIL;
1695 }
1696
1697 if (!ginf->is_kem) {
1698 /* Regular KEX */
1699 skey = ssl_generate_pkey(s, ckey);
1700 if (skey == NULL) {
1701 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
1702 return EXT_RETURN_FAIL;
1703 }
1704
1705 /* Generate encoding of server key */
1706 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
1707 if (encoded_pt_len == 0) {
1708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
1709 EVP_PKEY_free(skey);
1710 return EXT_RETURN_FAIL;
1711 }
1712
1713 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1714 || !WPACKET_close(pkt)) {
1715 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1716 EVP_PKEY_free(skey);
1717 OPENSSL_free(encodedPoint);
1718 return EXT_RETURN_FAIL;
1719 }
1720 OPENSSL_free(encodedPoint);
1721
1722 /*
1723 * This causes the crypto state to be updated based on the derived keys
1724 */
1725 s->s3.tmp.pkey = skey;
1726 if (ssl_derive(s, skey, ckey, 1) == 0) {
1727 /* SSLfatal() already called */
1728 return EXT_RETURN_FAIL;
1729 }
1730 } else {
1731 /* KEM mode */
1732 unsigned char *ct = NULL;
1733 size_t ctlen = 0;
1734
1735 /*
1736 * This does not update the crypto state.
1737 *
1738 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1739 * ssl_gensecret().
1740 */
1741 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1742 /* SSLfatal() already called */
1743 return EXT_RETURN_FAIL;
1744 }
1745
1746 if (ctlen == 0) {
1747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1748 OPENSSL_free(ct);
1749 return EXT_RETURN_FAIL;
1750 }
1751
1752 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1753 || !WPACKET_close(pkt)) {
1754 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1755 OPENSSL_free(ct);
1756 return EXT_RETURN_FAIL;
1757 }
1758 OPENSSL_free(ct);
1759
1760 /*
1761 * This causes the crypto state to be updated based on the generated pms
1762 */
1763 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1764 /* SSLfatal() already called */
1765 return EXT_RETURN_FAIL;
1766 }
1767 }
1768 s->s3.did_kex = 1;
1769 return EXT_RETURN_SENT;
1770 #else
1771 return EXT_RETURN_FAIL;
1772 #endif
1773 }
1774
tls_construct_stoc_cookie(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1775 EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1776 unsigned int context,
1777 X509 *x, size_t chainidx)
1778 {
1779 #ifndef OPENSSL_NO_TLS1_3
1780 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1781 unsigned char *hmac, *hmac2;
1782 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1783 EVP_MD_CTX *hctx;
1784 EVP_PKEY *pkey;
1785 int ret = EXT_RETURN_FAIL;
1786 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1787 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1788 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);
1789
1790 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1791 return EXT_RETURN_NOT_SENT;
1792
1793 if (sctx->gen_stateless_cookie_cb == NULL) {
1794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
1795 return EXT_RETURN_FAIL;
1796 }
1797
1798 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1799 || !WPACKET_start_sub_packet_u16(pkt)
1800 || !WPACKET_start_sub_packet_u16(pkt)
1801 || !WPACKET_get_total_written(pkt, &startlen)
1802 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1803 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1804 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1805 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1806 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1807 &ciphlen)
1808 /* Is there a key_share extension present in this HRR? */
1809 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1810 || !WPACKET_put_bytes_u64(pkt, time(NULL))
1811 || !WPACKET_start_sub_packet_u16(pkt)
1812 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1814 return EXT_RETURN_FAIL;
1815 }
1816
1817 /*
1818 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1819 * on raw buffers, so we first reserve sufficient bytes (above) and then
1820 * subsequently allocate them (below)
1821 */
1822 if (!ssl3_digest_cached_records(s, 0)
1823 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1824 /* SSLfatal() already called */
1825 return EXT_RETURN_FAIL;
1826 }
1827
1828 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1829 || !ossl_assert(hashval1 == hashval2)
1830 || !WPACKET_close(pkt)
1831 || !WPACKET_start_sub_packet_u8(pkt)
1832 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1833 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1834 return EXT_RETURN_FAIL;
1835 }
1836
1837 /* Generate the application cookie */
1838 if (sctx->gen_stateless_cookie_cb(ussl, appcookie1,
1839 &appcookielen) == 0) {
1840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1841 return EXT_RETURN_FAIL;
1842 }
1843
1844 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1845 || !ossl_assert(appcookie1 == appcookie2)
1846 || !WPACKET_close(pkt)
1847 || !WPACKET_get_total_written(pkt, &totcookielen)
1848 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1849 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1850 return EXT_RETURN_FAIL;
1851 }
1852 hmaclen = SHA256_DIGEST_LENGTH;
1853
1854 totcookielen -= startlen;
1855 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1857 return EXT_RETURN_FAIL;
1858 }
1859
1860 /* HMAC the cookie */
1861 hctx = EVP_MD_CTX_create();
1862 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1863 sctx->propq,
1864 s->session_ctx->ext.cookie_hmac_key,
1865 sizeof(s->session_ctx->ext.cookie_hmac_key));
1866 if (hctx == NULL || pkey == NULL) {
1867 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
1868 goto err;
1869 }
1870
1871 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1872 sctx->propq, pkey, NULL) <= 0
1873 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1874 totcookielen) <= 0) {
1875 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1876 goto err;
1877 }
1878
1879 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1880 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1881 goto err;
1882 }
1883
1884 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1885 || !ossl_assert(hmac == hmac2)
1886 || !ossl_assert(cookie == hmac - totcookielen)
1887 || !WPACKET_close(pkt)
1888 || !WPACKET_close(pkt)) {
1889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1890 goto err;
1891 }
1892
1893 ret = EXT_RETURN_SENT;
1894
1895 err:
1896 EVP_MD_CTX_free(hctx);
1897 EVP_PKEY_free(pkey);
1898 return ret;
1899 #else
1900 return EXT_RETURN_FAIL;
1901 #endif
1902 }
1903
tls_construct_stoc_cryptopro_bug(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1904 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
1905 unsigned int context, X509 *x,
1906 size_t chainidx)
1907 {
1908 const unsigned char cryptopro_ext[36] = {
1909 0xfd, 0xe8, /* 65000 */
1910 0x00, 0x20, /* 32 bytes length */
1911 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1912 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1913 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1914 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1915 };
1916
1917 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1918 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1919 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1920 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1921 return EXT_RETURN_NOT_SENT;
1922
1923 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1924 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1925 return EXT_RETURN_FAIL;
1926 }
1927
1928 return EXT_RETURN_SENT;
1929 }
1930
tls_construct_stoc_early_data(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1931 EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
1932 unsigned int context, X509 *x,
1933 size_t chainidx)
1934 {
1935 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1936 if (s->max_early_data == 0)
1937 return EXT_RETURN_NOT_SENT;
1938
1939 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1940 || !WPACKET_start_sub_packet_u16(pkt)
1941 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1942 || !WPACKET_close(pkt)) {
1943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1944 return EXT_RETURN_FAIL;
1945 }
1946
1947 return EXT_RETURN_SENT;
1948 }
1949
1950 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1951 return EXT_RETURN_NOT_SENT;
1952
1953 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1954 || !WPACKET_start_sub_packet_u16(pkt)
1955 || !WPACKET_close(pkt)) {
1956 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1957 return EXT_RETURN_FAIL;
1958 }
1959
1960 return EXT_RETURN_SENT;
1961 }
1962
tls_construct_stoc_psk(SSL_CONNECTION * s,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1963 EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1964 unsigned int context,
1965 X509 *x, size_t chainidx)
1966 {
1967 if (!s->hit)
1968 return EXT_RETURN_NOT_SENT;
1969
1970 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1971 || !WPACKET_start_sub_packet_u16(pkt)
1972 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1973 || !WPACKET_close(pkt)) {
1974 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1975 return EXT_RETURN_FAIL;
1976 }
1977
1978 return EXT_RETURN_SENT;
1979 }
1980
tls_construct_stoc_client_cert_type(SSL_CONNECTION * sc,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)1981 EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
1982 unsigned int context,
1983 X509 *x, size_t chainidx)
1984 {
1985 if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
1986 && (send_certificate_request(sc)
1987 || sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
1988 /* Did not receive an acceptable cert type - and doing client auth */
1989 SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
1990 return EXT_RETURN_FAIL;
1991 }
1992
1993 if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
1994 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1995 return EXT_RETURN_NOT_SENT;
1996 }
1997
1998 /*
1999 * Note: only supposed to send this if we are going to do a cert request,
2000 * but TLSv1.3 could do a PHA request if the client supports it
2001 */
2002 if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
2003 || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2004 || sc->client_cert_type == NULL) {
2005 /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2006 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2007 sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2008 return EXT_RETURN_NOT_SENT;
2009 }
2010
2011 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2012 || !WPACKET_start_sub_packet_u16(pkt)
2013 || !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
2014 || !WPACKET_close(pkt)) {
2015 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2016 return EXT_RETURN_FAIL;
2017 }
2018 return EXT_RETURN_SENT;
2019 }
2020
2021 /* One of |pref|, |other| is configured and the values are sanitized */
reconcile_cert_type(const unsigned char * pref,size_t pref_len,const unsigned char * other,size_t other_len,uint8_t * chosen_cert_type)2022 static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
2023 const unsigned char *other, size_t other_len,
2024 uint8_t *chosen_cert_type)
2025 {
2026 size_t i;
2027
2028 for (i = 0; i < pref_len; i++) {
2029 if (memchr(other, pref[i], other_len) != NULL) {
2030 *chosen_cert_type = pref[i];
2031 return OSSL_CERT_TYPE_CTOS_GOOD;
2032 }
2033 }
2034 return OSSL_CERT_TYPE_CTOS_ERROR;
2035 }
2036
tls_parse_ctos_client_cert_type(SSL_CONNECTION * sc,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2037 int tls_parse_ctos_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2038 unsigned int context,
2039 X509 *x, size_t chainidx)
2040 {
2041 PACKET supported_cert_types;
2042 const unsigned char *data;
2043 size_t len;
2044
2045 /* Ignore the extension */
2046 if (sc->client_cert_type == NULL) {
2047 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2048 sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2049 return 1;
2050 }
2051
2052 if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2053 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2054 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2055 return 0;
2056 }
2057 if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2058 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2059 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2060 return 0;
2061 }
2062 if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2063 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2064 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2065 return 0;
2066 }
2067 /* client_cert_type: client (peer) has priority */
2068 sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
2069 sc->client_cert_type, sc->client_cert_type_len,
2070 &sc->ext.client_cert_type);
2071
2072 /* Ignore the error until sending - so we can check cert auth*/
2073 return 1;
2074 }
2075
tls_construct_stoc_server_cert_type(SSL_CONNECTION * sc,WPACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2076 EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2077 unsigned int context,
2078 X509 *x, size_t chainidx)
2079 {
2080 if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
2081 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2082 return EXT_RETURN_NOT_SENT;
2083 }
2084 if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2085 || sc->server_cert_type == NULL) {
2086 /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2087 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2088 sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2089 return EXT_RETURN_NOT_SENT;
2090 }
2091
2092 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2093 || !WPACKET_start_sub_packet_u16(pkt)
2094 || !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
2095 || !WPACKET_close(pkt)) {
2096 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2097 return EXT_RETURN_FAIL;
2098 }
2099 return EXT_RETURN_SENT;
2100 }
2101
tls_parse_ctos_server_cert_type(SSL_CONNECTION * sc,PACKET * pkt,unsigned int context,X509 * x,size_t chainidx)2102 int tls_parse_ctos_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2103 unsigned int context,
2104 X509 *x, size_t chainidx)
2105 {
2106 PACKET supported_cert_types;
2107 const unsigned char *data;
2108 size_t len;
2109
2110 /* Ignore the extension */
2111 if (sc->server_cert_type == NULL) {
2112 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2113 sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2114 return 1;
2115 }
2116
2117 if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2118 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2119 return 0;
2120 }
2121
2122 if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2123 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2124 return 0;
2125 }
2126 if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2127 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2128 return 0;
2129 }
2130 /* server_cert_type: server (this) has priority */
2131 sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
2132 data, len,
2133 &sc->ext.server_cert_type);
2134 if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
2135 return 1;
2136
2137 /* Did not receive an acceptable cert type */
2138 SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2139 return 0;
2140 }
2141
