1 /* 2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "internal/cryptlib.h" 13 #include "internal/ssl_unwrap.h" 14 #include "statem_local.h" 15 16 EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt, 17 unsigned int context, X509 *x, 18 size_t chainidx) 19 { 20 if (!s->renegotiate) { 21 /* If not renegotiating, send an empty RI extension to indicate support */ 22 23 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 24 #error Internal DTLS version error 25 #endif 26 27 if (!SSL_CONNECTION_IS_DTLS(s) 28 && (s->min_proto_version >= TLS1_3_VERSION 29 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) 30 && s->min_proto_version <= TLS1_VERSION))) { 31 /* 32 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this 33 * extension isn't used at all. 34 */ 35 return EXT_RETURN_NOT_SENT; 36 } 37 38 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 39 || !WPACKET_start_sub_packet_u16(pkt) 40 || !WPACKET_put_bytes_u8(pkt, 0) 41 || !WPACKET_close(pkt)) { 42 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 43 return EXT_RETURN_FAIL; 44 } 45 46 return EXT_RETURN_SENT; 47 } 48 49 /* Add a complete RI extension if renegotiating */ 50 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 51 || !WPACKET_start_sub_packet_u16(pkt) 52 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, 53 s->s3.previous_client_finished_len) 54 || !WPACKET_close(pkt)) { 55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 56 return EXT_RETURN_FAIL; 57 } 58 59 return EXT_RETURN_SENT; 60 } 61 62 EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt, 63 unsigned int context, X509 *x, 64 size_t chainidx) 65 { 66 if (s->ext.hostname == NULL) 67 return EXT_RETURN_NOT_SENT; 68 69 /* Add TLS extension servername to the Client Hello message */ 70 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 71 /* Sub-packet for server_name extension */ 72 || !WPACKET_start_sub_packet_u16(pkt) 73 /* Sub-packet for servername list (always 1 hostname)*/ 74 || !WPACKET_start_sub_packet_u16(pkt) 75 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) 76 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, 77 strlen(s->ext.hostname)) 78 || !WPACKET_close(pkt) 79 || !WPACKET_close(pkt)) { 80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 81 return EXT_RETURN_FAIL; 82 } 83 84 return EXT_RETURN_SENT; 85 } 86 87 /* Push a Max Fragment Len extension into ClientHello */ 88 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt, 89 unsigned int context, X509 *x, 90 size_t chainidx) 91 { 92 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) 93 return EXT_RETURN_NOT_SENT; 94 95 /* Add Max Fragment Length extension if client enabled it. */ 96 /*- 97 * 4 bytes for this extension type and extension length 98 * 1 byte for the Max Fragment Length code value. 99 */ 100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 101 /* Sub-packet for Max Fragment Length extension (1 byte) */ 102 || !WPACKET_start_sub_packet_u16(pkt) 103 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) 104 || !WPACKET_close(pkt)) { 105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 106 return EXT_RETURN_FAIL; 107 } 108 109 return EXT_RETURN_SENT; 110 } 111 112 #ifndef OPENSSL_NO_SRP 113 EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt, 114 unsigned int context, 115 X509 *x, size_t chainidx) 116 { 117 /* Add SRP username if there is one */ 118 if (s->srp_ctx.login == NULL) 119 return EXT_RETURN_NOT_SENT; 120 121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) 122 /* Sub-packet for SRP extension */ 123 || !WPACKET_start_sub_packet_u16(pkt) 124 || !WPACKET_start_sub_packet_u8(pkt) 125 /* login must not be zero...internal error if so */ 126 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 127 || !WPACKET_memcpy(pkt, s->srp_ctx.login, 128 strlen(s->srp_ctx.login)) 129 || !WPACKET_close(pkt) 130 || !WPACKET_close(pkt)) { 131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 132 return EXT_RETURN_FAIL; 133 } 134 135 return EXT_RETURN_SENT; 136 } 137 #endif 138 139 static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version) 140 { 141 int i, end, ret = 0; 142 unsigned long alg_k, alg_a; 143 STACK_OF(SSL_CIPHER) *cipher_stack = NULL; 144 const uint16_t *pgroups = NULL; 145 size_t num_groups, j; 146 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 147 148 /* See if we support any ECC ciphersuites */ 149 if (s->version == SSL3_VERSION) 150 return 0; 151 152 cipher_stack = SSL_get1_supported_ciphers(ssl); 153 end = sk_SSL_CIPHER_num(cipher_stack); 154 for (i = 0; i < end; i++) { 155 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 156 157 alg_k = c->algorithm_mkey; 158 alg_a = c->algorithm_auth; 159 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 160 || (alg_a & SSL_aECDSA) 161 || c->min_tls >= TLS1_3_VERSION) { 162 ret = 1; 163 break; 164 } 165 } 166 sk_SSL_CIPHER_free(cipher_stack); 167 if (!ret) 168 return 0; 169 170 /* Check we have at least one EC supported group */ 171 tls1_get_supported_groups(s, &pgroups, &num_groups); 172 for (j = 0; j < num_groups; j++) { 173 uint16_t ctmp = pgroups[j]; 174 175 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) 176 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) 177 return 1; 178 } 179 180 return 0; 181 } 182 183 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt, 184 unsigned int context, X509 *x, 185 size_t chainidx) 186 { 187 const unsigned char *pformats; 188 size_t num_formats; 189 int reason, min_version, max_version; 190 191 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 192 if (reason != 0) { 193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 194 return EXT_RETURN_FAIL; 195 } 196 if (!use_ecc(s, min_version, max_version)) 197 return EXT_RETURN_NOT_SENT; 198 199 /* Add TLS extension ECPointFormats to the ClientHello message */ 200 tls1_get_formatlist(s, &pformats, &num_formats); 201 202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 203 /* Sub-packet for formats extension */ 204 || !WPACKET_start_sub_packet_u16(pkt) 205 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) 206 || !WPACKET_close(pkt)) { 207 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 208 return EXT_RETURN_FAIL; 209 } 210 211 return EXT_RETURN_SENT; 212 } 213 214 EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, 215 unsigned int context, X509 *x, 216 size_t chainidx) 217 { 218 const uint16_t *pgroups = NULL; 219 size_t num_groups = 0, i, tls13added = 0, added = 0; 220 int min_version, max_version, reason; 221 222 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 223 if (reason != 0) { 224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 225 return EXT_RETURN_FAIL; 226 } 227 228 /* 229 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore 230 * if we don't have EC support then we don't send this extension. 231 */ 232 if (!use_ecc(s, min_version, max_version) 233 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)) 234 return EXT_RETURN_NOT_SENT; 235 236 /* 237 * Add TLS extension supported_groups to the ClientHello message 238 */ 239 tls1_get_supported_groups(s, &pgroups, &num_groups); 240 241 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 242 /* Sub-packet for supported_groups extension */ 243 || !WPACKET_start_sub_packet_u16(pkt) 244 || !WPACKET_start_sub_packet_u16(pkt) 245 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { 246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 247 return EXT_RETURN_FAIL; 248 } 249 /* Copy group ID if supported */ 250 for (i = 0; i < num_groups; i++) { 251 uint16_t ctmp = pgroups[i]; 252 int okfortls13; 253 254 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) 255 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { 256 if (!WPACKET_put_bytes_u16(pkt, ctmp)) { 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 258 return EXT_RETURN_FAIL; 259 } 260 if (okfortls13 && max_version == TLS1_3_VERSION) 261 tls13added++; 262 added++; 263 } 264 } 265 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 266 if (added == 0) 267 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 268 "No groups enabled for max supported SSL/TLS version"); 269 else 270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 271 return EXT_RETURN_FAIL; 272 } 273 274 if (tls13added == 0 && max_version == TLS1_3_VERSION) { 275 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 276 "No groups enabled for max supported SSL/TLS version"); 277 return EXT_RETURN_FAIL; 278 } 279 280 return EXT_RETURN_SENT; 281 } 282 283 EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt, 284 unsigned int context, X509 *x, 285 size_t chainidx) 286 { 287 size_t ticklen; 288 289 if (!tls_use_ticket(s)) 290 return EXT_RETURN_NOT_SENT; 291 292 if (!s->new_session && s->session != NULL 293 && s->session->ext.tick != NULL 294 && s->session->ssl_version != TLS1_3_VERSION) { 295 ticklen = s->session->ext.ticklen; 296 } else if (s->session && s->ext.session_ticket != NULL 297 && s->ext.session_ticket->data != NULL) { 298 ticklen = s->ext.session_ticket->length; 299 s->session->ext.tick = OPENSSL_malloc(ticklen); 300 if (s->session->ext.tick == NULL) { 301 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 302 return EXT_RETURN_FAIL; 303 } 304 memcpy(s->session->ext.tick, 305 s->ext.session_ticket->data, ticklen); 306 s->session->ext.ticklen = ticklen; 307 } else { 308 ticklen = 0; 309 } 310 311 if (ticklen == 0 && s->ext.session_ticket != NULL && s->ext.session_ticket->data == NULL) 312 return EXT_RETURN_NOT_SENT; 313 314 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 315 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { 316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 317 return EXT_RETURN_FAIL; 318 } 319 320 return EXT_RETURN_SENT; 321 } 322 323 EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt, 324 unsigned int context, X509 *x, 325 size_t chainidx) 326 { 327 size_t salglen; 328 const uint16_t *salg; 329 330 /* 331 * This used both in the initial hello and as part of renegotiation, 332 * in the latter case, the client version may be already set and may 333 * be lower than that initially offered in `client_version`. 334 */ 335 if (!SSL_CONNECTION_IS_DTLS(s)) { 336 if (s->client_version < TLS1_2_VERSION 337 || (s->ssl.method->version != TLS_ANY_VERSION 338 && s->version < TLS1_2_VERSION)) 339 return EXT_RETURN_NOT_SENT; 340 } else { 341 if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION) 342 || (s->ssl.method->version != DTLS_ANY_VERSION 343 && DTLS_VERSION_LT(s->version, DTLS1_2_VERSION))) 344 return EXT_RETURN_NOT_SENT; 345 } 346 347 salglen = tls12_get_psigalgs(s, 1, &salg); 348 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) 349 /* Sub-packet for sig-algs extension */ 350 || !WPACKET_start_sub_packet_u16(pkt) 351 /* Sub-packet for the actual list */ 352 || !WPACKET_start_sub_packet_u16(pkt) 353 || !tls12_copy_sigalgs(s, pkt, salg, salglen) 354 || !WPACKET_close(pkt) 355 || !WPACKET_close(pkt)) { 356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 357 return EXT_RETURN_FAIL; 358 } 359 360 return EXT_RETURN_SENT; 361 } 362 363 #ifndef OPENSSL_NO_OCSP 364 EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt, 365 unsigned int context, X509 *x, 366 size_t chainidx) 367 { 368 int i; 369 370 /* This extension isn't defined for client Certificates */ 371 if (x != NULL) 372 return EXT_RETURN_NOT_SENT; 373 374 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) 375 return EXT_RETURN_NOT_SENT; 376 377 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 378 /* Sub-packet for status request extension */ 379 || !WPACKET_start_sub_packet_u16(pkt) 380 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) 381 /* Sub-packet for the ids */ 382 || !WPACKET_start_sub_packet_u16(pkt)) { 383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 384 return EXT_RETURN_FAIL; 385 } 386 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { 387 unsigned char *idbytes; 388 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); 389 int idlen = i2d_OCSP_RESPID(id, NULL); 390 391 if (idlen <= 0 392 /* Sub-packet for an individual id */ 393 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) 394 || i2d_OCSP_RESPID(id, &idbytes) != idlen) { 395 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 396 return EXT_RETURN_FAIL; 397 } 398 } 399 if (!WPACKET_close(pkt) 400 || !WPACKET_start_sub_packet_u16(pkt)) { 401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 402 return EXT_RETURN_FAIL; 403 } 404 if (s->ext.ocsp.exts) { 405 unsigned char *extbytes; 406 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); 407 408 if (extlen < 0) { 409 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 410 return EXT_RETURN_FAIL; 411 } 412 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) 413 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) 414 != extlen) { 415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 416 return EXT_RETURN_FAIL; 417 } 418 } 419 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 420 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 421 return EXT_RETURN_FAIL; 422 } 423 424 return EXT_RETURN_SENT; 425 } 426 #endif 427 428 #ifndef OPENSSL_NO_NEXTPROTONEG 429 EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt, 430 unsigned int context, 431 X509 *x, size_t chainidx) 432 { 433 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL 434 || !SSL_IS_FIRST_HANDSHAKE(s)) 435 return EXT_RETURN_NOT_SENT; 436 437 /* 438 * The client advertises an empty extension to indicate its support 439 * for Next Protocol Negotiation 440 */ 441 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 442 || !WPACKET_put_bytes_u16(pkt, 0)) { 443 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 444 return EXT_RETURN_FAIL; 445 } 446 447 return EXT_RETURN_SENT; 448 } 449 #endif 450 451 EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt, 452 unsigned int context, 453 X509 *x, size_t chainidx) 454 { 455 s->s3.alpn_sent = 0; 456 457 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 458 return EXT_RETURN_NOT_SENT; 459 460 if (!WPACKET_put_bytes_u16(pkt, 461 TLSEXT_TYPE_application_layer_protocol_negotiation) 462 /* Sub-packet ALPN extension */ 463 || !WPACKET_start_sub_packet_u16(pkt) 464 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) 465 || !WPACKET_close(pkt)) { 466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 467 return EXT_RETURN_FAIL; 468 } 469 s->s3.alpn_sent = 1; 470 471 return EXT_RETURN_SENT; 472 } 473 474 #ifndef OPENSSL_NO_SRTP 475 EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt, 476 unsigned int context, X509 *x, 477 size_t chainidx) 478 { 479 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 480 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl); 481 int i, end; 482 483 if (clnt == NULL) 484 return EXT_RETURN_NOT_SENT; 485 486 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 487 /* Sub-packet for SRTP extension */ 488 || !WPACKET_start_sub_packet_u16(pkt) 489 /* Sub-packet for the protection profile list */ 490 || !WPACKET_start_sub_packet_u16(pkt)) { 491 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 492 return EXT_RETURN_FAIL; 493 } 494 495 end = sk_SRTP_PROTECTION_PROFILE_num(clnt); 496 for (i = 0; i < end; i++) { 497 const SRTP_PROTECTION_PROFILE *prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 498 499 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { 500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 501 return EXT_RETURN_FAIL; 502 } 503 } 504 if (!WPACKET_close(pkt) 505 /* Add an empty use_mki value */ 506 || !WPACKET_put_bytes_u8(pkt, 0) 507 || !WPACKET_close(pkt)) { 508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 509 return EXT_RETURN_FAIL; 510 } 511 512 return EXT_RETURN_SENT; 513 } 514 #endif 515 516 EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt, 517 unsigned int context, 518 X509 *x, size_t chainidx) 519 { 520 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 521 return EXT_RETURN_NOT_SENT; 522 523 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 524 || !WPACKET_put_bytes_u16(pkt, 0)) { 525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 526 return EXT_RETURN_FAIL; 527 } 528 529 return EXT_RETURN_SENT; 530 } 531 532 #ifndef OPENSSL_NO_CT 533 EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt, 534 unsigned int context, 535 X509 *x, size_t chainidx) 536 { 537 if (s->ct_validation_callback == NULL) 538 return EXT_RETURN_NOT_SENT; 539 540 /* Not defined for client Certificates */ 541 if (x != NULL) 542 return EXT_RETURN_NOT_SENT; 543 544 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) 545 || !WPACKET_put_bytes_u16(pkt, 0)) { 546 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 547 return EXT_RETURN_FAIL; 548 } 549 550 return EXT_RETURN_SENT; 551 } 552 #endif 553 554 EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt, 555 unsigned int context, 556 X509 *x, size_t chainidx) 557 { 558 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 559 return EXT_RETURN_NOT_SENT; 560 561 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 562 || !WPACKET_put_bytes_u16(pkt, 0)) { 563 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 564 return EXT_RETURN_FAIL; 565 } 566 567 return EXT_RETURN_SENT; 568 } 569 570 EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt, 571 unsigned int context, X509 *x, 572 size_t chainidx) 573 { 574 int currv, min_version, max_version, reason; 575 576 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 577 if (reason != 0) { 578 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 579 return EXT_RETURN_FAIL; 580 } 581 582 /* 583 * Don't include this if we can't negotiate TLSv1.3. We can do a straight 584 * comparison here because we will never be called in DTLS. 585 */ 586 if (max_version < TLS1_3_VERSION) 587 return EXT_RETURN_NOT_SENT; 588 589 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 590 || !WPACKET_start_sub_packet_u16(pkt) 591 || !WPACKET_start_sub_packet_u8(pkt)) { 592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 593 return EXT_RETURN_FAIL; 594 } 595 596 for (currv = max_version; currv >= min_version; currv--) { 597 if (!WPACKET_put_bytes_u16(pkt, currv)) { 598 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 599 return EXT_RETURN_FAIL; 600 } 601 } 602 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 603 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 604 return EXT_RETURN_FAIL; 605 } 606 607 return EXT_RETURN_SENT; 608 } 609 610 /* 611 * Construct a psk_kex_modes extension. 612 */ 613 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, 614 unsigned int context, X509 *x, 615 size_t chainidx) 616 { 617 #ifndef OPENSSL_NO_TLS1_3 618 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; 619 620 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) 621 || !WPACKET_start_sub_packet_u16(pkt) 622 || !WPACKET_start_sub_packet_u8(pkt) 623 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) 624 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) 625 || !WPACKET_close(pkt) 626 || !WPACKET_close(pkt)) { 627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 628 return EXT_RETURN_FAIL; 629 } 630 631 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; 632 if (nodhe) 633 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 634 #endif 635 636 return EXT_RETURN_SENT; 637 } 638 639 #ifndef OPENSSL_NO_TLS1_3 640 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num) 641 { 642 unsigned char *encoded_pubkey = NULL; 643 EVP_PKEY *key_share_key = NULL; 644 size_t encodedlen; 645 646 if (loop_num < s->s3.tmp.num_ks_pkey) { 647 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING) 648 || !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) { 649 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 650 return 0; 651 } 652 /* 653 * Could happen if we got an HRR that wasn't requesting a new key_share 654 */ 655 key_share_key = s->s3.tmp.ks_pkey[loop_num]; 656 } else { 657 key_share_key = ssl_generate_pkey_group(s, group_id); 658 if (key_share_key == NULL) { 659 /* SSLfatal() already called */ 660 return 0; 661 } 662 } 663 664 /* Encode the public key. */ 665 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key, 666 &encoded_pubkey); 667 if (encodedlen == 0) { 668 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 669 goto err; 670 } 671 672 /* Create KeyShareEntry */ 673 if (!WPACKET_put_bytes_u16(pkt, group_id) 674 || !WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encodedlen)) { 675 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 676 goto err; 677 } 678 679 /* For backward compatibility, we use the first valid group to add a key share */ 680 if (loop_num == 0) { 681 s->s3.tmp.pkey = key_share_key; 682 s->s3.group_id = group_id; 683 } 684 /* We ensure in t1_lib.c that the loop number does not exceed OPENSSL_CLIENT_MAX_KEY_SHARES */ 685 s->s3.tmp.ks_pkey[loop_num] = key_share_key; 686 s->s3.tmp.ks_group_id[loop_num] = group_id; 687 if (loop_num >= s->s3.tmp.num_ks_pkey) 688 s->s3.tmp.num_ks_pkey++; 689 690 OPENSSL_free(encoded_pubkey); 691 692 return 1; 693 err: 694 if (key_share_key != s->s3.tmp.ks_pkey[loop_num]) 695 EVP_PKEY_free(key_share_key); 696 OPENSSL_free(encoded_pubkey); 697 return 0; 698 } 699 #endif 700 701 EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, 702 unsigned int context, X509 *x, 703 size_t chainidx) 704 { 705 #ifndef OPENSSL_NO_TLS1_3 706 size_t i, num_groups = 0; 707 const uint16_t *pgroups = NULL; 708 uint16_t group_id = 0; 709 int add_only_one = 0; 710 size_t valid_keyshare = 0; 711 712 /* key_share extension */ 713 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 714 /* Extension data sub-packet */ 715 || !WPACKET_start_sub_packet_u16(pkt) 716 /* KeyShare list sub-packet */ 717 || !WPACKET_start_sub_packet_u16(pkt)) { 718 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 719 return EXT_RETURN_FAIL; 720 } 721 722 tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups); 723 if (num_groups == 1 && pgroups[0] == 0) { /* Indication that no * prefix was used */ 724 tls1_get_supported_groups(s, &pgroups, &num_groups); 725 add_only_one = 1; 726 } 727 728 /* If neither the default nor the keyshares have any entry --> fatal */ 729 if (num_groups == 0) { 730 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 731 return EXT_RETURN_FAIL; 732 } 733 734 /* Add key shares */ 735 736 if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) { 737 /* new, single key share */ 738 group_id = s->s3.group_id; 739 s->s3.tmp.num_ks_pkey = 0; 740 if (!add_key_share(s, pkt, group_id, 0)) { 741 /* SSLfatal() already called */ 742 return EXT_RETURN_FAIL; 743 } 744 valid_keyshare++; 745 } else { 746 if (s->ext.supportedgroups == NULL) /* use default */ 747 add_only_one = 1; 748 749 for (i = 0; i < num_groups; i++) { 750 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) 751 continue; 752 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, 753 0, NULL)) 754 continue; 755 756 group_id = pgroups[i]; 757 758 if (group_id == 0) { 759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 760 return EXT_RETURN_FAIL; 761 } 762 if (!add_key_share(s, pkt, group_id, valid_keyshare)) { 763 /* SSLfatal() already called */ 764 return EXT_RETURN_FAIL; 765 } 766 valid_keyshare++; 767 if (add_only_one) 768 break; 769 } 770 } 771 772 if (valid_keyshare == 0) { 773 /* No key shares were allowed */ 774 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 775 return EXT_RETURN_FAIL; 776 } 777 778 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 780 return EXT_RETURN_FAIL; 781 } 782 return EXT_RETURN_SENT; 783 #else 784 return EXT_RETURN_NOT_SENT; 785 #endif 786 } 787 788 EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt, 789 unsigned int context, 790 X509 *x, size_t chainidx) 791 { 792 EXT_RETURN ret = EXT_RETURN_FAIL; 793 794 /* Should only be set if we've had an HRR */ 795 if (s->ext.tls13_cookie_len == 0) 796 return EXT_RETURN_NOT_SENT; 797 798 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 799 /* Extension data sub-packet */ 800 || !WPACKET_start_sub_packet_u16(pkt) 801 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 802 s->ext.tls13_cookie_len) 803 || !WPACKET_close(pkt)) { 804 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 805 goto end; 806 } 807 808 ret = EXT_RETURN_SENT; 809 end: 810 OPENSSL_free(s->ext.tls13_cookie); 811 s->ext.tls13_cookie = NULL; 812 s->ext.tls13_cookie_len = 0; 813 814 return ret; 815 } 816 817 EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, 818 unsigned int context, X509 *x, 819 size_t chainidx) 820 { 821 #ifndef OPENSSL_NO_PSK 822 char identity[PSK_MAX_IDENTITY_LEN + 1]; 823 #endif /* OPENSSL_NO_PSK */ 824 const unsigned char *id = NULL; 825 size_t idlen = 0; 826 SSL_SESSION *psksess = NULL; 827 SSL_SESSION *edsess = NULL; 828 const EVP_MD *handmd = NULL; 829 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 830 831 if (s->hello_retry_request == SSL_HRR_PENDING) 832 handmd = ssl_handshake_md(s); 833 834 if (s->psk_use_session_cb != NULL 835 && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess) 836 || (psksess != NULL 837 && psksess->ssl_version != TLS1_3_VERSION))) { 838 SSL_SESSION_free(psksess); 839 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 840 return EXT_RETURN_FAIL; 841 } 842 843 #ifndef OPENSSL_NO_PSK 844 if (psksess == NULL && s->psk_client_callback != NULL) { 845 unsigned char psk[PSK_MAX_PSK_LEN]; 846 size_t psklen = 0; 847 848 memset(identity, 0, sizeof(identity)); 849 psklen = s->psk_client_callback(ussl, NULL, 850 identity, sizeof(identity) - 1, 851 psk, sizeof(psk)); 852 853 if (psklen > PSK_MAX_PSK_LEN) { 854 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 855 return EXT_RETURN_FAIL; 856 } else if (psklen > 0) { 857 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 858 const SSL_CIPHER *cipher; 859 860 idlen = strlen(identity); 861 if (idlen > PSK_MAX_IDENTITY_LEN) { 862 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 863 return EXT_RETURN_FAIL; 864 } 865 id = (unsigned char *)identity; 866 867 /* 868 * We found a PSK using an old style callback. We don't know 869 * the digest so we default to SHA256 as per the TLSv1.3 spec 870 */ 871 cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), 872 tls13_aes128gcmsha256_id); 873 if (cipher == NULL) { 874 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 875 return EXT_RETURN_FAIL; 876 } 877 878 psksess = SSL_SESSION_new(); 879 if (psksess == NULL 880 || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 881 || !SSL_SESSION_set_cipher(psksess, cipher) 882 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 884 OPENSSL_cleanse(psk, psklen); 885 return EXT_RETURN_FAIL; 886 } 887 OPENSSL_cleanse(psk, psklen); 888 } 889 } 890 #endif /* OPENSSL_NO_PSK */ 891 892 SSL_SESSION_free(s->psksession); 893 s->psksession = psksess; 894 if (psksess != NULL) { 895 OPENSSL_free(s->psksession_id); 896 s->psksession_id = OPENSSL_memdup(id, idlen); 897 if (s->psksession_id == NULL) { 898 s->psksession_id_len = 0; 899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 900 return EXT_RETURN_FAIL; 901 } 902 s->psksession_id_len = idlen; 903 } 904 905 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 906 || (s->session->ext.max_early_data == 0 907 && (psksess == NULL || psksess->ext.max_early_data == 0))) { 908 s->max_early_data = 0; 909 return EXT_RETURN_NOT_SENT; 910 } 911 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; 912 s->max_early_data = edsess->ext.max_early_data; 913 914 if (edsess->ext.hostname != NULL) { 915 if (s->ext.hostname == NULL 916 || (s->ext.hostname != NULL 917 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 919 SSL_R_INCONSISTENT_EARLY_DATA_SNI); 920 return EXT_RETURN_FAIL; 921 } 922 } 923 924 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 925 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 926 return EXT_RETURN_FAIL; 927 } 928 929 /* 930 * Verify that we are offering an ALPN protocol consistent with the early 931 * data. 932 */ 933 if (edsess->ext.alpn_selected != NULL) { 934 PACKET prots, alpnpkt; 935 int found = 0; 936 937 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 938 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 939 return EXT_RETURN_FAIL; 940 } 941 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 942 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 943 edsess->ext.alpn_selected_len)) { 944 found = 1; 945 break; 946 } 947 } 948 if (!found) { 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 950 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 951 return EXT_RETURN_FAIL; 952 } 953 } 954 955 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 956 || !WPACKET_start_sub_packet_u16(pkt) 957 || !WPACKET_close(pkt)) { 958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 959 return EXT_RETURN_FAIL; 960 } 961 962 /* 963 * We set this to rejected here. Later, if the server acknowledges the 964 * extension, we set it to accepted. 965 */ 966 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 967 s->ext.early_data_ok = 1; 968 969 return EXT_RETURN_SENT; 970 } 971 972 #define F5_WORKAROUND_MIN_MSG_LEN 0xff 973 #define F5_WORKAROUND_MAX_MSG_LEN 0x200 974 975 /* 976 * PSK pre binder overhead = 977 * 2 bytes for TLSEXT_TYPE_psk 978 * 2 bytes for extension length 979 * 2 bytes for identities list length 980 * 2 bytes for identity length 981 * 4 bytes for obfuscated_ticket_age 982 * 2 bytes for binder list length 983 * 1 byte for binder length 984 * The above excludes the number of bytes for the identity itself and the 985 * subsequent binder bytes 986 */ 987 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 988 989 EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, 990 unsigned int context, X509 *x, 991 size_t chainidx) 992 { 993 unsigned char *padbytes; 994 size_t hlen; 995 996 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 997 return EXT_RETURN_NOT_SENT; 998 999 /* 1000 * Add padding to workaround bugs in F5 terminators. See RFC7685. 1001 * This code calculates the length of all extensions added so far but 1002 * excludes the PSK extension (because that MUST be written last). Therefore 1003 * this extension MUST always appear second to last. 1004 */ 1005 if (!WPACKET_get_total_written(pkt, &hlen)) { 1006 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1007 return EXT_RETURN_FAIL; 1008 } 1009 1010 /* 1011 * If we're going to send a PSK then that will be written out after this 1012 * extension, so we need to calculate how long it is going to be. 1013 */ 1014 if (s->session->ssl_version == TLS1_3_VERSION 1015 && s->session->ext.ticklen != 0 1016 && s->session->cipher != NULL) { 1017 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), 1018 s->session->cipher->algorithm2); 1019 1020 if (md != NULL) { 1021 /* 1022 * Add the fixed PSK overhead, the identity length and the binder 1023 * length. 1024 */ 1025 int md_size = EVP_MD_get_size(md); 1026 1027 if (md_size <= 0) 1028 return EXT_RETURN_FAIL; 1029 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 1030 + md_size; 1031 } 1032 } 1033 1034 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 1035 /* Calculate the amount of padding we need to add */ 1036 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 1037 1038 /* 1039 * Take off the size of extension header itself (2 bytes for type and 1040 * 2 bytes for length bytes), but ensure that the extension is at least 1041 * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 1042 * 8.x are intolerant of that condition) 1043 */ 1044 if (hlen > 4) 1045 hlen -= 4; 1046 else 1047 hlen = 1; 1048 1049 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 1050 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1052 return EXT_RETURN_FAIL; 1053 } 1054 memset(padbytes, 0, hlen); 1055 } 1056 1057 return EXT_RETURN_SENT; 1058 } 1059 1060 /* 1061 * Construct the pre_shared_key extension 1062 */ 1063 EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, 1064 unsigned int context, 1065 X509 *x, size_t chainidx) 1066 { 1067 #ifndef OPENSSL_NO_TLS1_3 1068 uint32_t agesec, agems = 0; 1069 size_t binderoffset, msglen; 1070 int reshashsize = 0, pskhashsize = 0; 1071 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 1072 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 1073 int dores = 0; 1074 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1075 OSSL_TIME t; 1076 1077 s->ext.tick_identity = 0; 1078 1079 /* 1080 * Note: At this stage of the code we only support adding a single 1081 * resumption PSK. If we add support for multiple PSKs then the length 1082 * calculations in the padding extension will need to be adjusted. 1083 */ 1084 1085 /* 1086 * If this is an incompatible or new session then we have nothing to resume 1087 * so don't add this extension. 1088 */ 1089 if (s->session->ssl_version != TLS1_3_VERSION 1090 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1091 return EXT_RETURN_NOT_SENT; 1092 1093 if (s->hello_retry_request == SSL_HRR_PENDING) 1094 handmd = ssl_handshake_md(s); 1095 1096 if (s->session->ext.ticklen != 0) { 1097 /* Get the digest associated with the ciphersuite in the session */ 1098 if (s->session->cipher == NULL) { 1099 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1100 return EXT_RETURN_FAIL; 1101 } 1102 mdres = ssl_md(sctx, s->session->cipher->algorithm2); 1103 if (mdres == NULL) { 1104 /* 1105 * Don't recognize this cipher so we can't use the session. 1106 * Ignore it 1107 */ 1108 goto dopsksess; 1109 } 1110 1111 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1112 /* 1113 * Selected ciphersuite hash does not match the hash for the session 1114 * so we can't use it. 1115 */ 1116 goto dopsksess; 1117 } 1118 1119 /* 1120 * Technically the C standard just says time() returns a time_t and says 1121 * nothing about the encoding of that type. In practice most 1122 * implementations follow POSIX which holds it as an integral type in 1123 * seconds since epoch. We've already made the assumption that we can do 1124 * this in multiple places in the code, so portability shouldn't be an 1125 * issue. 1126 */ 1127 t = ossl_time_subtract(ossl_time_now(), s->session->time); 1128 agesec = (uint32_t)ossl_time2seconds(t); 1129 /* 1130 * We calculate the age in seconds but the server may work in ms. Due to 1131 * rounding errors we could overestimate the age by up to 1s. It is 1132 * better to underestimate it. Otherwise, if the RTT is very short, when 1133 * the server calculates the age reported by the client it could be 1134 * bigger than the age calculated on the server - which should never 1135 * happen. 1136 */ 1137 if (agesec > 0) 1138 agesec--; 1139 1140 if (s->session->ext.tick_lifetime_hint < agesec) { 1141 /* Ticket is too old. Ignore it. */ 1142 goto dopsksess; 1143 } 1144 1145 /* 1146 * Calculate age in ms. We're just doing it to nearest second. Should be 1147 * good enough. 1148 */ 1149 agems = agesec * (uint32_t)1000; 1150 1151 if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1152 /* 1153 * Overflow. Shouldn't happen unless this is a *really* old session. 1154 * If so we just ignore it. 1155 */ 1156 goto dopsksess; 1157 } 1158 1159 /* 1160 * Obfuscate the age. Overflow here is fine, this addition is supposed 1161 * to be mod 2^32. 1162 */ 1163 agems += s->session->ext.tick_age_add; 1164 1165 reshashsize = EVP_MD_get_size(mdres); 1166 if (reshashsize <= 0) 1167 goto dopsksess; 1168 s->ext.tick_identity++; 1169 dores = 1; 1170 } 1171 1172 dopsksess: 1173 if (!dores && s->psksession == NULL) 1174 return EXT_RETURN_NOT_SENT; 1175 1176 if (s->psksession != NULL) { 1177 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2); 1178 if (mdpsk == NULL) { 1179 /* 1180 * Don't recognize this cipher so we can't use the session. 1181 * If this happens it's an application bug. 1182 */ 1183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1184 return EXT_RETURN_FAIL; 1185 } 1186 1187 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1188 /* 1189 * Selected ciphersuite hash does not match the hash for the PSK 1190 * session. This is an application bug. 1191 */ 1192 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1193 return EXT_RETURN_FAIL; 1194 } 1195 1196 pskhashsize = EVP_MD_get_size(mdpsk); 1197 if (pskhashsize <= 0) { 1198 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1199 return EXT_RETURN_FAIL; 1200 } 1201 } 1202 1203 /* Create the extension, but skip over the binder for now */ 1204 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1205 || !WPACKET_start_sub_packet_u16(pkt) 1206 || !WPACKET_start_sub_packet_u16(pkt)) { 1207 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1208 return EXT_RETURN_FAIL; 1209 } 1210 1211 if (dores) { 1212 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1213 s->session->ext.ticklen) 1214 || !WPACKET_put_bytes_u32(pkt, agems)) { 1215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1216 return EXT_RETURN_FAIL; 1217 } 1218 } 1219 1220 if (s->psksession != NULL) { 1221 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1222 s->psksession_id_len) 1223 || !WPACKET_put_bytes_u32(pkt, 0)) { 1224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1225 return EXT_RETURN_FAIL; 1226 } 1227 s->ext.tick_identity++; 1228 } 1229 1230 if (!WPACKET_close(pkt) 1231 || !WPACKET_get_total_written(pkt, &binderoffset) 1232 || !WPACKET_start_sub_packet_u16(pkt) 1233 || (dores 1234 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1235 || (s->psksession != NULL 1236 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1237 || !WPACKET_close(pkt) 1238 || !WPACKET_close(pkt) 1239 || !WPACKET_get_total_written(pkt, &msglen) 1240 /* 1241 * We need to fill in all the sub-packet lengths now so we can 1242 * calculate the HMAC of the message up to the binders 1243 */ 1244 || !WPACKET_fill_lengths(pkt)) { 1245 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1246 return EXT_RETURN_FAIL; 1247 } 1248 1249 msgstart = WPACKET_get_curr(pkt) - msglen; 1250 1251 if (dores 1252 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1253 resbinder, s->session, 1, 0) 1254 != 1) { 1255 /* SSLfatal() already called */ 1256 return EXT_RETURN_FAIL; 1257 } 1258 1259 if (s->psksession != NULL 1260 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1261 pskbinder, s->psksession, 1, 1) 1262 != 1) { 1263 /* SSLfatal() already called */ 1264 return EXT_RETURN_FAIL; 1265 } 1266 1267 return EXT_RETURN_SENT; 1268 #else 1269 return EXT_RETURN_NOT_SENT; 1270 #endif 1271 } 1272 1273 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt, 1274 ossl_unused unsigned int context, 1275 ossl_unused X509 *x, 1276 ossl_unused size_t chainidx) 1277 { 1278 #ifndef OPENSSL_NO_TLS1_3 1279 if (!s->pha_enabled) 1280 return EXT_RETURN_NOT_SENT; 1281 1282 /* construct extension - 0 length, no contents */ 1283 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1284 || !WPACKET_start_sub_packet_u16(pkt) 1285 || !WPACKET_close(pkt)) { 1286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1287 return EXT_RETURN_FAIL; 1288 } 1289 1290 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1291 1292 return EXT_RETURN_SENT; 1293 #else 1294 return EXT_RETURN_NOT_SENT; 1295 #endif 1296 } 1297 1298 /* 1299 * Parse the server's renegotiation binding and abort if it's not right 1300 */ 1301 int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt, 1302 unsigned int context, 1303 X509 *x, size_t chainidx) 1304 { 1305 size_t expected_len = s->s3.previous_client_finished_len 1306 + s->s3.previous_server_finished_len; 1307 size_t ilen; 1308 const unsigned char *data; 1309 1310 /* Check for logic errors */ 1311 if (!ossl_assert(expected_len == 0 1312 || s->s3.previous_client_finished_len != 0) 1313 || !ossl_assert(expected_len == 0 1314 || s->s3.previous_server_finished_len != 0)) { 1315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1316 return 0; 1317 } 1318 1319 /* Parse the length byte */ 1320 if (!PACKET_get_1_len(pkt, &ilen)) { 1321 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1322 return 0; 1323 } 1324 1325 /* Consistency check */ 1326 if (PACKET_remaining(pkt) != ilen) { 1327 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1328 return 0; 1329 } 1330 1331 /* Check that the extension matches */ 1332 if (ilen != expected_len) { 1333 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1334 return 0; 1335 } 1336 1337 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) 1338 || memcmp(data, s->s3.previous_client_finished, 1339 s->s3.previous_client_finished_len) 1340 != 0) { 1341 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1342 return 0; 1343 } 1344 1345 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) 1346 || memcmp(data, s->s3.previous_server_finished, 1347 s->s3.previous_server_finished_len) 1348 != 0) { 1349 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1350 return 0; 1351 } 1352 s->s3.send_connection_binding = 1; 1353 1354 return 1; 1355 } 1356 1357 /* Parse the server's max fragment len extension packet */ 1358 int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt, 1359 unsigned int context, 1360 X509 *x, size_t chainidx) 1361 { 1362 unsigned int value; 1363 1364 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1365 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1366 return 0; 1367 } 1368 1369 /* |value| should contains a valid max-fragment-length code. */ 1370 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1371 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1372 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1373 return 0; 1374 } 1375 1376 /* Must be the same value as client-configured one who was sent to server */ 1377 /*- 1378 * RFC 6066: if a client receives a maximum fragment length negotiation 1379 * response that differs from the length it requested, ... 1380 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1381 */ 1382 if (value != s->ext.max_fragment_len_mode) { 1383 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1384 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1385 return 0; 1386 } 1387 1388 /* 1389 * Maximum Fragment Length Negotiation succeeded. 1390 * The negotiated Maximum Fragment Length is binding now. 1391 */ 1392 s->session->ext.max_fragment_len_mode = value; 1393 1394 return 1; 1395 } 1396 1397 int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt, 1398 unsigned int context, 1399 X509 *x, size_t chainidx) 1400 { 1401 if (s->ext.hostname == NULL) { 1402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1403 return 0; 1404 } 1405 1406 if (PACKET_remaining(pkt) > 0) { 1407 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1408 return 0; 1409 } 1410 1411 if (!s->hit) { 1412 if (s->session->ext.hostname != NULL) { 1413 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1414 return 0; 1415 } 1416 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1417 if (s->session->ext.hostname == NULL) { 1418 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1419 return 0; 1420 } 1421 } 1422 1423 return 1; 1424 } 1425 1426 int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt, 1427 unsigned int context, 1428 X509 *x, size_t chainidx) 1429 { 1430 size_t ecpointformats_len; 1431 PACKET ecptformatlist; 1432 1433 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1434 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1435 return 0; 1436 } 1437 if (!s->hit) { 1438 ecpointformats_len = PACKET_remaining(&ecptformatlist); 1439 if (ecpointformats_len == 0) { 1440 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1441 return 0; 1442 } 1443 1444 s->ext.peer_ecpointformats_len = 0; 1445 OPENSSL_free(s->ext.peer_ecpointformats); 1446 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); 1447 if (s->ext.peer_ecpointformats == NULL) { 1448 s->ext.peer_ecpointformats_len = 0; 1449 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1450 return 0; 1451 } 1452 1453 s->ext.peer_ecpointformats_len = ecpointformats_len; 1454 1455 if (!PACKET_copy_bytes(&ecptformatlist, 1456 s->ext.peer_ecpointformats, 1457 ecpointformats_len)) { 1458 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1459 return 0; 1460 } 1461 } 1462 1463 return 1; 1464 } 1465 1466 int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt, 1467 unsigned int context, 1468 X509 *x, size_t chainidx) 1469 { 1470 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 1471 1472 if (s->ext.session_ticket_cb != NULL && !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), PACKET_remaining(pkt), s->ext.session_ticket_cb_arg)) { 1473 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1474 return 0; 1475 } 1476 1477 if (!tls_use_ticket(s)) { 1478 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1479 return 0; 1480 } 1481 if (PACKET_remaining(pkt) > 0) { 1482 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1483 return 0; 1484 } 1485 1486 s->ext.ticket_expected = 1; 1487 1488 return 1; 1489 } 1490 1491 #ifndef OPENSSL_NO_OCSP 1492 int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, 1493 unsigned int context, 1494 X509 *x, size_t chainidx) 1495 { 1496 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1497 /* We ignore this if the server sends a CertificateRequest */ 1498 return 1; 1499 } 1500 1501 /* 1502 * MUST only be sent if we've requested a status 1503 * request message. In TLS <= 1.2 it must also be empty. 1504 */ 1505 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 1506 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1507 return 0; 1508 } 1509 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { 1510 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1511 return 0; 1512 } 1513 1514 if (SSL_CONNECTION_IS_TLS13(s)) { 1515 /* We only know how to handle this if it's for the first Certificate in 1516 * the chain. We ignore any other responses. 1517 */ 1518 if (chainidx != 0) 1519 return 1; 1520 1521 /* SSLfatal() already called */ 1522 return tls_process_cert_status_body(s, pkt); 1523 } 1524 1525 /* Set flag to expect CertificateStatus message */ 1526 s->ext.status_expected = 1; 1527 1528 return 1; 1529 } 1530 #endif 1531 1532 #ifndef OPENSSL_NO_CT 1533 int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1534 X509 *x, size_t chainidx) 1535 { 1536 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1537 /* We ignore this if the server sends it in a CertificateRequest */ 1538 return 1; 1539 } 1540 1541 /* 1542 * Only take it if we asked for it - i.e if there is no CT validation 1543 * callback set, then a custom extension MAY be processing it, so we 1544 * need to let control continue to flow to that. 1545 */ 1546 if (s->ct_validation_callback != NULL) { 1547 size_t size = PACKET_remaining(pkt); 1548 1549 /* Simply copy it off for later processing */ 1550 OPENSSL_free(s->ext.scts); 1551 s->ext.scts = NULL; 1552 1553 s->ext.scts_len = (uint16_t)size; 1554 if (size > 0) { 1555 s->ext.scts = OPENSSL_malloc(size); 1556 if (s->ext.scts == NULL) { 1557 s->ext.scts_len = 0; 1558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 1559 return 0; 1560 } 1561 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { 1562 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1563 return 0; 1564 } 1565 } 1566 } else { 1567 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 1568 ? ENDPOINT_CLIENT 1569 : ENDPOINT_BOTH; 1570 1571 /* 1572 * If we didn't ask for it then there must be a custom extension, 1573 * otherwise this is unsolicited. 1574 */ 1575 if (custom_ext_find(&s->cert->custext, role, 1576 TLSEXT_TYPE_signed_certificate_timestamp, 1577 NULL) 1578 == NULL) { 1579 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1580 return 0; 1581 } 1582 1583 if (!custom_ext_parse(s, context, 1584 TLSEXT_TYPE_signed_certificate_timestamp, 1585 PACKET_data(pkt), PACKET_remaining(pkt), 1586 x, chainidx)) { 1587 /* SSLfatal already called */ 1588 return 0; 1589 } 1590 } 1591 1592 return 1; 1593 } 1594 #endif 1595 1596 #ifndef OPENSSL_NO_NEXTPROTONEG 1597 /* 1598 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1599 * elements of zero length are allowed and the set of elements must exactly 1600 * fill the length of the block. Returns 1 on success or 0 on failure. 1601 */ 1602 static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt) 1603 { 1604 PACKET tmp_protocol; 1605 1606 while (PACKET_remaining(pkt)) { 1607 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 1608 || PACKET_remaining(&tmp_protocol) == 0) { 1609 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1610 return 0; 1611 } 1612 } 1613 1614 return 1; 1615 } 1616 1617 int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1618 X509 *x, size_t chainidx) 1619 { 1620 unsigned char *selected; 1621 unsigned char selected_len; 1622 PACKET tmppkt; 1623 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1624 1625 /* Check if we are in a renegotiation. If so ignore this extension */ 1626 if (!SSL_IS_FIRST_HANDSHAKE(s)) 1627 return 1; 1628 1629 /* We must have requested it. */ 1630 if (sctx->ext.npn_select_cb == NULL) { 1631 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1632 return 0; 1633 } 1634 1635 /* The data must be valid */ 1636 tmppkt = *pkt; 1637 if (!ssl_next_proto_validate(s, &tmppkt)) { 1638 /* SSLfatal() already called */ 1639 return 0; 1640 } 1641 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), 1642 &selected, &selected_len, 1643 PACKET_data(pkt), PACKET_remaining(pkt), 1644 sctx->ext.npn_select_cb_arg) 1645 != SSL_TLSEXT_ERR_OK 1646 || selected_len == 0) { 1647 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1648 return 0; 1649 } 1650 1651 /* 1652 * Could be non-NULL if server has sent multiple NPN extensions in 1653 * a single Serverhello 1654 */ 1655 OPENSSL_free(s->ext.npn); 1656 s->ext.npn = OPENSSL_malloc(selected_len); 1657 if (s->ext.npn == NULL) { 1658 s->ext.npn_len = 0; 1659 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1660 return 0; 1661 } 1662 1663 memcpy(s->ext.npn, selected, selected_len); 1664 s->ext.npn_len = selected_len; 1665 s->s3.npn_seen = 1; 1666 1667 return 1; 1668 } 1669 #endif 1670 1671 int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1672 X509 *x, size_t chainidx) 1673 { 1674 size_t len; 1675 PACKET confpkt, protpkt; 1676 int valid = 0; 1677 1678 /* We must have requested it. */ 1679 if (!s->s3.alpn_sent) { 1680 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1681 return 0; 1682 } 1683 /*- 1684 * The extension data consists of: 1685 * uint16 list_length 1686 * uint8 proto_length; 1687 * uint8 proto[proto_length]; 1688 */ 1689 if (!PACKET_get_net_2_len(pkt, &len) 1690 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) 1691 || PACKET_remaining(pkt) != len) { 1692 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1693 return 0; 1694 } 1695 1696 /* It must be a protocol that we sent */ 1697 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { 1698 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1699 return 0; 1700 } 1701 while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { 1702 if (PACKET_remaining(&protpkt) != len) 1703 continue; 1704 if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { 1705 /* Valid protocol found */ 1706 valid = 1; 1707 break; 1708 } 1709 } 1710 1711 if (!valid) { 1712 /* The protocol sent from the server does not match one we advertised */ 1713 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1714 return 0; 1715 } 1716 1717 OPENSSL_free(s->s3.alpn_selected); 1718 s->s3.alpn_selected = OPENSSL_malloc(len); 1719 if (s->s3.alpn_selected == NULL) { 1720 s->s3.alpn_selected_len = 0; 1721 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1722 return 0; 1723 } 1724 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { 1725 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1726 return 0; 1727 } 1728 s->s3.alpn_selected_len = len; 1729 1730 if (s->session->ext.alpn_selected == NULL 1731 || s->session->ext.alpn_selected_len != len 1732 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) 1733 != 0) { 1734 /* ALPN not consistent with the old session so cannot use early_data */ 1735 s->ext.early_data_ok = 0; 1736 } 1737 if (!s->hit) { 1738 /* 1739 * This is a new session and so alpn_selected should have been 1740 * initialised to NULL. We should update it with the selected ALPN. 1741 */ 1742 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 1743 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1744 return 0; 1745 } 1746 s->session->ext.alpn_selected = OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); 1747 if (s->session->ext.alpn_selected == NULL) { 1748 s->session->ext.alpn_selected_len = 0; 1749 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1750 return 0; 1751 } 1752 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; 1753 } 1754 1755 return 1; 1756 } 1757 1758 #ifndef OPENSSL_NO_SRTP 1759 int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt, 1760 unsigned int context, X509 *x, size_t chainidx) 1761 { 1762 unsigned int id, ct, mki; 1763 int i; 1764 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1765 SRTP_PROTECTION_PROFILE *prof; 1766 1767 if (!PACKET_get_net_2(pkt, &ct) || ct != 2 1768 || !PACKET_get_net_2(pkt, &id) 1769 || !PACKET_get_1(pkt, &mki) 1770 || PACKET_remaining(pkt) != 0) { 1771 SSLfatal(s, SSL_AD_DECODE_ERROR, 1772 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1773 return 0; 1774 } 1775 1776 if (mki != 0) { 1777 /* Must be no MKI, since we never offer one */ 1778 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE); 1779 return 0; 1780 } 1781 1782 /* Throw an error if the server gave us an unsolicited extension */ 1783 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s)); 1784 if (clnt == NULL) { 1785 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES); 1786 return 0; 1787 } 1788 1789 /* 1790 * Check to see if the server gave us something we support (and 1791 * presumably offered) 1792 */ 1793 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1794 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 1795 1796 if (prof->id == id) { 1797 s->srtp_profile = prof; 1798 return 1; 1799 } 1800 } 1801 1802 SSLfatal(s, SSL_AD_DECODE_ERROR, 1803 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1804 return 0; 1805 } 1806 #endif 1807 1808 int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1809 X509 *x, size_t chainidx) 1810 { 1811 /* Ignore if inappropriate ciphersuite */ 1812 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 1813 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD 1814 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 1815 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT 1816 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 1817 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA 1818 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) 1819 s->ext.use_etm = 1; 1820 1821 return 1; 1822 } 1823 1824 int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1825 X509 *x, size_t chainidx) 1826 { 1827 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 1828 return 1; 1829 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; 1830 if (!s->hit) 1831 s->session->flags |= SSL_SESS_FLAG_EXTMS; 1832 1833 return 1; 1834 } 1835 1836 int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt, 1837 unsigned int context, 1838 X509 *x, size_t chainidx) 1839 { 1840 unsigned int version; 1841 1842 if (!PACKET_get_net_2(pkt, &version) 1843 || PACKET_remaining(pkt) != 0) { 1844 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1845 return 0; 1846 } 1847 1848 /* 1849 * The only protocol version we support which is valid in this extension in 1850 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. 1851 */ 1852 if (version != TLS1_3_VERSION) { 1853 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1854 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1855 return 0; 1856 } 1857 1858 /* We ignore this extension for HRRs except to sanity check it */ 1859 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) 1860 return 1; 1861 1862 /* We just set it here. We validate it in ssl_choose_client_version */ 1863 s->version = version; 1864 if (!ssl_set_record_protocol_version(s, version)) { 1865 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1866 return 0; 1867 } 1868 1869 return 1; 1870 } 1871 1872 int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, 1873 unsigned int context, X509 *x, 1874 size_t chainidx) 1875 { 1876 #ifndef OPENSSL_NO_TLS1_3 1877 unsigned int group_id; 1878 PACKET encoded_pt; 1879 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; 1880 const TLS_GROUP_INFO *ginf = NULL; 1881 uint16_t valid_ks_id = 0; 1882 size_t i; 1883 1884 /* Sanity check */ 1885 if (ckey == NULL || s->s3.peer_tmp != NULL) { 1886 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1887 return 0; 1888 } 1889 1890 /* Which group ID does the server want -> group_id */ 1891 if (!PACKET_get_net_2(pkt, &group_id)) { 1892 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1893 return 0; 1894 } 1895 1896 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { 1897 const uint16_t *pgroups = NULL; 1898 size_t num_groups; 1899 1900 if (PACKET_remaining(pkt) != 0) { 1901 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1902 return 0; 1903 } 1904 1905 /* 1906 * It is an error if the HelloRetryRequest wants a key_share that we 1907 * already sent in the first ClientHello 1908 */ 1909 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1910 if (s->s3.tmp.ks_group_id[i] == group_id) { 1911 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1912 return 0; 1913 } 1914 } 1915 1916 /* Validate the selected group is one we support */ 1917 tls1_get_supported_groups(s, &pgroups, &num_groups); 1918 for (i = 0; i < num_groups; i++) { 1919 if (group_id == pgroups[i]) 1920 break; 1921 } 1922 if (i >= num_groups 1923 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) 1924 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, 1925 0, NULL)) { 1926 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1927 return 0; 1928 } 1929 1930 /* Memorize which groupID the server wants */ 1931 s->s3.group_id = group_id; 1932 1933 /* The initial keyshares are obsolete now, hence free memory */ 1934 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1935 if (s->s3.tmp.ks_pkey[i] != NULL) { 1936 EVP_PKEY_free(s->s3.tmp.ks_pkey[i]); 1937 s->s3.tmp.ks_pkey[i] = NULL; 1938 } 1939 } 1940 s->s3.tmp.num_ks_pkey = 0; 1941 s->s3.tmp.pkey = NULL; 1942 1943 return 1; 1944 } 1945 1946 /* 1947 * check that the group requested by the server is one we've 1948 * sent a key share for, and if so: memorize which one 1949 */ 1950 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1951 if (s->s3.tmp.ks_group_id[i] == group_id) { 1952 valid_ks_id = group_id; 1953 ckey = s->s3.tmp.ks_pkey[i]; 1954 s->s3.group_id = group_id; 1955 s->s3.tmp.pkey = ckey; 1956 break; 1957 } 1958 } 1959 if (valid_ks_id == 0) { 1960 /* 1961 * This isn't for the group that we sent in the original 1962 * key_share! 1963 */ 1964 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1965 return 0; 1966 } 1967 /* Retain this group in the SSL_SESSION */ 1968 if (!s->hit) { 1969 s->session->kex_group = group_id; 1970 } else if (group_id != s->session->kex_group) { 1971 /* 1972 * If this is a resumption but changed what group was used, we need 1973 * to record the new group in the session, but the session is not 1974 * a new session and could be in use by other threads. So, make 1975 * a copy of the session to record the new information so that it's 1976 * useful for any sessions resumed from tickets issued on this 1977 * connection. 1978 */ 1979 SSL_SESSION *new_sess; 1980 1981 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) { 1982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 1983 return 0; 1984 } 1985 SSL_SESSION_free(s->session); 1986 s->session = new_sess; 1987 s->session->kex_group = group_id; 1988 } 1989 1990 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), 1991 group_id)) 1992 == NULL) { 1993 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1994 return 0; 1995 } 1996 1997 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) 1998 || PACKET_remaining(&encoded_pt) == 0) { 1999 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2000 return 0; 2001 } 2002 2003 if (!ginf->is_kem) { 2004 /* Regular KEX */ 2005 skey = EVP_PKEY_new(); 2006 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { 2007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); 2008 EVP_PKEY_free(skey); 2009 return 0; 2010 } 2011 2012 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt), 2013 PACKET_remaining(&encoded_pt)) 2014 <= 0) { 2015 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 2016 EVP_PKEY_free(skey); 2017 return 0; 2018 } 2019 2020 if (ssl_derive(s, ckey, skey, 1) == 0) { 2021 /* SSLfatal() already called */ 2022 EVP_PKEY_free(skey); 2023 return 0; 2024 } 2025 s->s3.peer_tmp = skey; 2026 } else { 2027 /* KEM Mode */ 2028 const unsigned char *ct = PACKET_data(&encoded_pt); 2029 size_t ctlen = PACKET_remaining(&encoded_pt); 2030 2031 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) { 2032 /* SSLfatal() already called */ 2033 return 0; 2034 } 2035 } 2036 s->s3.did_kex = 1; 2037 #endif 2038 2039 return 1; 2040 } 2041 2042 int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 2043 X509 *x, size_t chainidx) 2044 { 2045 PACKET cookie; 2046 2047 if (!PACKET_as_length_prefixed_2(pkt, &cookie) 2048 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, 2049 &s->ext.tls13_cookie_len)) { 2050 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2051 return 0; 2052 } 2053 2054 return 1; 2055 } 2056 2057 int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt, 2058 unsigned int context, 2059 X509 *x, size_t chainidx) 2060 { 2061 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 2062 unsigned long max_early_data; 2063 2064 if (!PACKET_get_net_4(pkt, &max_early_data) 2065 || PACKET_remaining(pkt) != 0) { 2066 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA); 2067 return 0; 2068 } 2069 2070 s->session->ext.max_early_data = max_early_data; 2071 2072 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) { 2073 /* 2074 * QUIC allows missing max_early_data, or a max_early_data value 2075 * of 0xffffffff. Missing max_early_data is stored in the session 2076 * as 0. This is indistinguishable in OpenSSL from a present 2077 * max_early_data value that was 0. In order that later checks for 2078 * invalid max_early_data correctly treat as an error the case where 2079 * max_early_data is present and it is 0, we store any invalid 2080 * value in the same (non-zero) way. Otherwise we would have to 2081 * introduce a new flag just for this. 2082 */ 2083 s->session->ext.max_early_data = 1; 2084 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA); 2085 return 0; 2086 } 2087 2088 return 1; 2089 } 2090 2091 if (PACKET_remaining(pkt) != 0) { 2092 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2093 return 0; 2094 } 2095 2096 if (!s->ext.early_data_ok 2097 || !s->hit) { 2098 /* 2099 * If we get here then we didn't send early data, or we didn't resume 2100 * using the first identity, or the SNI/ALPN is not consistent so the 2101 * server should not be accepting it. 2102 */ 2103 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 2104 return 0; 2105 } 2106 2107 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 2108 2109 return 1; 2110 } 2111 2112 int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt, 2113 unsigned int context, X509 *x, 2114 size_t chainidx) 2115 { 2116 #ifndef OPENSSL_NO_TLS1_3 2117 unsigned int identity; 2118 2119 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { 2120 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2121 return 0; 2122 } 2123 2124 if (identity >= (unsigned int)s->ext.tick_identity) { 2125 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY); 2126 return 0; 2127 } 2128 2129 /* 2130 * Session resumption tickets are always sent before PSK tickets. If the 2131 * ticket index is 0 then it must be for a session resumption ticket if we 2132 * sent two tickets, or if we didn't send a PSK ticket. 2133 */ 2134 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { 2135 s->hit = 1; 2136 SSL_SESSION_free(s->psksession); 2137 s->psksession = NULL; 2138 return 1; 2139 } 2140 2141 if (s->psksession == NULL) { 2142 /* Should never happen */ 2143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2144 return 0; 2145 } 2146 2147 /* 2148 * If we used the external PSK for sending early_data then s->early_secret 2149 * is already set up, so don't overwrite it. Otherwise we copy the 2150 * early_secret across that we generated earlier. 2151 */ 2152 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 2153 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 2154 || s->session->ext.max_early_data > 0 2155 || s->psksession->ext.max_early_data == 0) 2156 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); 2157 2158 SSL_SESSION_free(s->session); 2159 s->session = s->psksession; 2160 s->psksession = NULL; 2161 s->hit = 1; 2162 /* Early data is only allowed if we used the first ticket */ 2163 if (identity != 0) 2164 s->ext.early_data_ok = 0; 2165 #endif 2166 2167 return 1; 2168 } 2169 2170 EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, 2171 unsigned int context, 2172 X509 *x, size_t chainidx) 2173 { 2174 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; 2175 if (sc->client_cert_type == NULL) 2176 return EXT_RETURN_NOT_SENT; 2177 2178 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type) 2179 || !WPACKET_start_sub_packet_u16(pkt) 2180 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len) 2181 || !WPACKET_close(pkt)) { 2182 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2183 return EXT_RETURN_FAIL; 2184 } 2185 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; 2186 return EXT_RETURN_SENT; 2187 } 2188 2189 int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt, 2190 unsigned int context, 2191 X509 *x, size_t chainidx) 2192 { 2193 unsigned int type; 2194 2195 if (PACKET_remaining(pkt) != 1) { 2196 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2197 return 0; 2198 } 2199 if (!PACKET_get_1(pkt, &type)) { 2200 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2201 return 0; 2202 } 2203 /* We did not send/ask for this */ 2204 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { 2205 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2206 return 0; 2207 } 2208 /* We don't have this enabled */ 2209 if (sc->client_cert_type == NULL) { 2210 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2211 return 0; 2212 } 2213 /* Given back a value we didn't configure */ 2214 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) { 2215 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); 2216 return 0; 2217 } 2218 sc->ext.client_cert_type = type; 2219 return 1; 2220 } 2221 2222 EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, 2223 unsigned int context, 2224 X509 *x, size_t chainidx) 2225 { 2226 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; 2227 if (sc->server_cert_type == NULL) 2228 return EXT_RETURN_NOT_SENT; 2229 2230 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type) 2231 || !WPACKET_start_sub_packet_u16(pkt) 2232 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len) 2233 || !WPACKET_close(pkt)) { 2234 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2235 return EXT_RETURN_FAIL; 2236 } 2237 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; 2238 return EXT_RETURN_SENT; 2239 } 2240 2241 int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt, 2242 unsigned int context, 2243 X509 *x, size_t chainidx) 2244 { 2245 unsigned int type; 2246 2247 if (PACKET_remaining(pkt) != 1) { 2248 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2249 return 0; 2250 } 2251 if (!PACKET_get_1(pkt, &type)) { 2252 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2253 return 0; 2254 } 2255 /* We did not send/ask for this */ 2256 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { 2257 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2258 return 0; 2259 } 2260 /* We don't have this enabled */ 2261 if (sc->server_cert_type == NULL) { 2262 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2263 return 0; 2264 } 2265 /* Given back a value we didn't configure */ 2266 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) { 2267 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); 2268 return 0; 2269 } 2270 sc->ext.server_cert_type = type; 2271 return 1; 2272 } 2273
Indexes created Mon Mar 02 05:31:46 UTC 2026