extensions_srvr.c 73 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111
  1. /*
  2. * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "../ssl_local.h"
  11. #include "statem_local.h"
  12. #include "internal/cryptlib.h"
  13. #define COOKIE_STATE_FORMAT_VERSION 1
  14. /*
  15. * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
  16. * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
  17. * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
  18. * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
  19. * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
  20. */
  21. #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
  22. + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
  23. /*
  24. * Message header + 2 bytes for protocol version + number of random bytes +
  25. * + 1 byte for legacy session id length + number of bytes in legacy session id
  26. * + 2 bytes for ciphersuite + 1 byte for legacy compression
  27. * + 2 bytes for extension block length + 6 bytes for key_share extension
  28. * + 4 bytes for cookie extension header + the number of bytes in the cookie
  29. */
  30. #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
  31. + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
  32. + MAX_COOKIE_SIZE)
  33. /*
  34. * Parse the client's renegotiation binding and abort if it's not right
  35. */
  36. int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
  37. unsigned int context,
  38. X509 *x, size_t chainidx)
  39. {
  40. unsigned int ilen;
  41. const unsigned char *data;
  42. int ok;
  43. /* Parse the length byte */
  44. if (!PACKET_get_1(pkt, &ilen)
  45. || !PACKET_get_bytes(pkt, &data, ilen)) {
  46. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
  47. return 0;
  48. }
  49. /* Check that the extension matches */
  50. if (ilen != s->s3.previous_client_finished_len) {
  51. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
  52. return 0;
  53. }
  54. ok = memcmp(data, s->s3.previous_client_finished,
  55. s->s3.previous_client_finished_len);
  56. #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  57. if (ok) {
  58. if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
  59. ok = 0;
  60. }
  61. }
  62. #endif
  63. if (ok) {
  64. SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
  65. return 0;
  66. }
  67. s->s3.send_connection_binding = 1;
  68. return 1;
  69. }
  70. /*-
  71. * The servername extension is treated as follows:
  72. *
  73. * - Only the hostname type is supported with a maximum length of 255.
  74. * - The servername is rejected if too long or if it contains zeros,
  75. * in which case an fatal alert is generated.
  76. * - The servername field is maintained together with the session cache.
  77. * - When a session is resumed, the servername call back invoked in order
  78. * to allow the application to position itself to the right context.
  79. * - The servername is acknowledged if it is new for a session or when
  80. * it is identical to a previously used for the same session.
  81. * Applications can control the behaviour. They can at any time
  82. * set a 'desirable' servername for a new SSL object. This can be the
  83. * case for example with HTTPS when a Host: header field is received and
  84. * a renegotiation is requested. In this case, a possible servername
  85. * presented in the new client hello is only acknowledged if it matches
  86. * the value of the Host: field.
  87. * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  88. * if they provide for changing an explicit servername context for the
  89. * session, i.e. when the session has been established with a servername
  90. * extension.
  91. * - On session reconnect, the servername extension may be absent.
  92. */
  93. int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
  94. unsigned int context, X509 *x, size_t chainidx)
  95. {
  96. unsigned int servname_type;
  97. PACKET sni, hostname;
  98. if (!PACKET_as_length_prefixed_2(pkt, &sni)
  99. /* ServerNameList must be at least 1 byte long. */
  100. || PACKET_remaining(&sni) == 0) {
  101. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  102. return 0;
  103. }
  104. /*
  105. * Although the intent was for server_name to be extensible, RFC 4366
  106. * was not clear about it; and so OpenSSL among other implementations,
  107. * always and only allows a 'host_name' name types.
  108. * RFC 6066 corrected the mistake but adding new name types
  109. * is nevertheless no longer feasible, so act as if no other
  110. * SNI types can exist, to simplify parsing.
  111. *
  112. * Also note that the RFC permits only one SNI value per type,
  113. * i.e., we can only have a single hostname.
  114. */
  115. if (!PACKET_get_1(&sni, &servname_type)
  116. || servname_type != TLSEXT_NAMETYPE_host_name
  117. || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
  118. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  119. return 0;
  120. }
  121. /*
  122. * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
  123. * we always use the SNI value from the handshake.
  124. */
  125. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  126. if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
  127. SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
  128. return 0;
  129. }
  130. if (PACKET_contains_zero_byte(&hostname)) {
  131. SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
  132. return 0;
  133. }
  134. /*
  135. * Store the requested SNI in the SSL as temporary storage.
  136. * If we accept it, it will get stored in the SSL_SESSION as well.
  137. */
  138. OPENSSL_free(s->ext.hostname);
  139. s->ext.hostname = NULL;
  140. if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
  141. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  142. return 0;
  143. }
  144. s->servername_done = 1;
  145. } else {
  146. /*
  147. * In TLSv1.2 and below we should check if the SNI is consistent between
  148. * the initial handshake and the resumption. In TLSv1.3 SNI is not
  149. * associated with the session.
  150. */
  151. s->servername_done = (s->session->ext.hostname != NULL)
  152. && PACKET_equal(&hostname, s->session->ext.hostname,
  153. strlen(s->session->ext.hostname));
  154. }
  155. return 1;
  156. }
  157. int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
  158. unsigned int context,
  159. X509 *x, size_t chainidx)
  160. {
  161. unsigned int value;
  162. if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
  163. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  164. return 0;
  165. }
  166. /* Received |value| should be a valid max-fragment-length code. */
  167. if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
  168. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  169. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  170. return 0;
  171. }
  172. /*
  173. * RFC 6066: The negotiated length applies for the duration of the session
  174. * including session resumptions.
  175. * We should receive the same code as in resumed session !
  176. */
  177. if (s->hit && s->session->ext.max_fragment_len_mode != value) {
  178. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  179. SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
  180. return 0;
  181. }
  182. /*
  183. * Store it in session, so it'll become binding for us
  184. * and we'll include it in a next Server Hello.
  185. */
  186. s->session->ext.max_fragment_len_mode = value;
  187. return 1;
  188. }
  189. #ifndef OPENSSL_NO_SRP
  190. int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  191. X509 *x, size_t chainidx)
  192. {
  193. PACKET srp_I;
  194. if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
  195. || PACKET_contains_zero_byte(&srp_I)) {
  196. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  197. return 0;
  198. }
  199. if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
  200. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  201. return 0;
  202. }
  203. return 1;
  204. }
  205. #endif
  206. int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
  207. unsigned int context,
  208. X509 *x, size_t chainidx)
  209. {
  210. PACKET ec_point_format_list;
  211. if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
  212. || PACKET_remaining(&ec_point_format_list) == 0) {
  213. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  214. return 0;
  215. }
  216. if (!s->hit) {
  217. if (!PACKET_memdup(&ec_point_format_list,
  218. &s->ext.peer_ecpointformats,
  219. &s->ext.peer_ecpointformats_len)) {
  220. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  221. return 0;
  222. }
  223. }
  224. return 1;
  225. }
  226. int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
  227. unsigned int context,
  228. X509 *x, size_t chainidx)
  229. {
  230. if (s->ext.session_ticket_cb &&
  231. !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
  232. PACKET_data(pkt), PACKET_remaining(pkt),
  233. s->ext.session_ticket_cb_arg)) {
  234. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  235. return 0;
  236. }
  237. return 1;
  238. }
  239. int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
  240. ossl_unused unsigned int context,
  241. ossl_unused X509 *x,
  242. ossl_unused size_t chainidx)
  243. {
  244. PACKET supported_sig_algs;
  245. if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
  246. || PACKET_remaining(&supported_sig_algs) == 0) {
  247. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  248. return 0;
  249. }
  250. if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
  251. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  252. return 0;
  253. }
  254. return 1;
  255. }
  256. int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
  257. unsigned int context, X509 *x, size_t chainidx)
  258. {
  259. PACKET supported_sig_algs;
  260. if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
  261. || PACKET_remaining(&supported_sig_algs) == 0) {
  262. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  263. return 0;
  264. }
  265. if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
  266. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  267. return 0;
  268. }
  269. return 1;
  270. }
  271. #ifndef OPENSSL_NO_OCSP
  272. int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
  273. unsigned int context,
  274. X509 *x, size_t chainidx)
  275. {
  276. PACKET responder_id_list, exts;
  277. /* We ignore this in a resumption handshake */
  278. if (s->hit)
  279. return 1;
  280. /* Not defined if we get one of these in a client Certificate */
  281. if (x != NULL)
  282. return 1;
  283. if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
  284. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  285. return 0;
  286. }
  287. if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
  288. /*
  289. * We don't know what to do with any other type so ignore it.
  290. */
  291. s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
  292. return 1;
  293. }
  294. if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
  295. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  296. return 0;
  297. }
  298. /*
  299. * We remove any OCSP_RESPIDs from a previous handshake
  300. * to prevent unbounded memory growth - CVE-2016-6304
  301. */
  302. sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
  303. if (PACKET_remaining(&responder_id_list) > 0) {
  304. s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
  305. if (s->ext.ocsp.ids == NULL) {
  306. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
  307. return 0;
  308. }
  309. } else {
  310. s->ext.ocsp.ids = NULL;
  311. }
  312. while (PACKET_remaining(&responder_id_list) > 0) {
  313. OCSP_RESPID *id;
  314. PACKET responder_id;
  315. const unsigned char *id_data;
  316. if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
  317. || PACKET_remaining(&responder_id) == 0) {
  318. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  319. return 0;
  320. }
  321. id_data = PACKET_data(&responder_id);
  322. id = d2i_OCSP_RESPID(NULL, &id_data,
  323. (int)PACKET_remaining(&responder_id));
  324. if (id == NULL) {
  325. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  326. return 0;
  327. }
  328. if (id_data != PACKET_end(&responder_id)) {
  329. OCSP_RESPID_free(id);
  330. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  331. return 0;
  332. }
  333. if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
  334. OCSP_RESPID_free(id);
  335. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  336. return 0;
  337. }
  338. }
  339. /* Read in request_extensions */
  340. if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
  341. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  342. return 0;
  343. }
  344. if (PACKET_remaining(&exts) > 0) {
  345. const unsigned char *ext_data = PACKET_data(&exts);
  346. sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
  347. X509_EXTENSION_free);
  348. s->ext.ocsp.exts =
  349. d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
  350. if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
  351. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  352. return 0;
  353. }
  354. }
  355. return 1;
  356. }
  357. #endif
  358. #ifndef OPENSSL_NO_NEXTPROTONEG
  359. int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  360. X509 *x, size_t chainidx)
  361. {
  362. /*
  363. * We shouldn't accept this extension on a
  364. * renegotiation.
  365. */
  366. if (SSL_IS_FIRST_HANDSHAKE(s))
  367. s->s3.npn_seen = 1;
  368. return 1;
  369. }
  370. #endif
  371. /*
  372. * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
  373. * extension, not including type and length. Returns: 1 on success, 0 on error.
  374. */
  375. int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  376. X509 *x, size_t chainidx)
  377. {
  378. PACKET protocol_list, save_protocol_list, protocol;
  379. if (!SSL_IS_FIRST_HANDSHAKE(s))
  380. return 1;
  381. if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
  382. || PACKET_remaining(&protocol_list) < 2) {
  383. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  384. return 0;
  385. }
  386. save_protocol_list = protocol_list;
  387. do {
  388. /* Protocol names can't be empty. */
  389. if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
  390. || PACKET_remaining(&protocol) == 0) {
  391. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  392. return 0;
  393. }
  394. } while (PACKET_remaining(&protocol_list) != 0);
  395. OPENSSL_free(s->s3.alpn_proposed);
  396. s->s3.alpn_proposed = NULL;
  397. s->s3.alpn_proposed_len = 0;
  398. if (!PACKET_memdup(&save_protocol_list,
  399. &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
  400. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  401. return 0;
  402. }
  403. return 1;
  404. }
  405. #ifndef OPENSSL_NO_SRTP
  406. int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
  407. unsigned int context, X509 *x, size_t chainidx)
  408. {
  409. STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
  410. unsigned int ct, mki_len, id;
  411. int i, srtp_pref;
  412. PACKET subpkt;
  413. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  414. /* Ignore this if we have no SRTP profiles */
  415. if (SSL_get_srtp_profiles(ssl) == NULL)
  416. return 1;
  417. /* Pull off the length of the cipher suite list and check it is even */
  418. if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
  419. || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
  420. SSLfatal(s, SSL_AD_DECODE_ERROR,
  421. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  422. return 0;
  423. }
  424. srvr = SSL_get_srtp_profiles(ssl);
  425. s->srtp_profile = NULL;
  426. /* Search all profiles for a match initially */
  427. srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
  428. while (PACKET_remaining(&subpkt)) {
  429. if (!PACKET_get_net_2(&subpkt, &id)) {
  430. SSLfatal(s, SSL_AD_DECODE_ERROR,
  431. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  432. return 0;
  433. }
  434. /*
  435. * Only look for match in profiles of higher preference than
  436. * current match.
  437. * If no profiles have been have been configured then this
  438. * does nothing.
  439. */
  440. for (i = 0; i < srtp_pref; i++) {
  441. SRTP_PROTECTION_PROFILE *sprof =
  442. sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
  443. if (sprof->id == id) {
  444. s->srtp_profile = sprof;
  445. srtp_pref = i;
  446. break;
  447. }
  448. }
  449. }
  450. /* Now extract the MKI value as a sanity check, but discard it for now */
  451. if (!PACKET_get_1(pkt, &mki_len)) {
  452. SSLfatal(s, SSL_AD_DECODE_ERROR,
  453. SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
  454. return 0;
  455. }
  456. if (!PACKET_forward(pkt, mki_len)
  457. || PACKET_remaining(pkt)) {
  458. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
  459. return 0;
  460. }
  461. return 1;
  462. }
  463. #endif
  464. int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  465. X509 *x, size_t chainidx)
  466. {
  467. if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
  468. s->ext.use_etm = 1;
  469. return 1;
  470. }
  471. /*
  472. * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
  473. * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
  474. */
  475. int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
  476. unsigned int context,
  477. X509 *x, size_t chainidx)
  478. {
  479. #ifndef OPENSSL_NO_TLS1_3
  480. PACKET psk_kex_modes;
  481. unsigned int mode;
  482. if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
  483. || PACKET_remaining(&psk_kex_modes) == 0) {
  484. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  485. return 0;
  486. }
  487. while (PACKET_get_1(&psk_kex_modes, &mode)) {
  488. if (mode == TLSEXT_KEX_MODE_KE_DHE)
  489. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
  490. else if (mode == TLSEXT_KEX_MODE_KE
  491. && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
  492. s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
  493. }
  494. #endif
  495. return 1;
  496. }
  497. /*
  498. * Process a key_share extension received in the ClientHello. |pkt| contains
  499. * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
  500. */
  501. int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
  502. unsigned int context, X509 *x, size_t chainidx)
  503. {
  504. #ifndef OPENSSL_NO_TLS1_3
  505. unsigned int group_id;
  506. PACKET key_share_list, encoded_pt;
  507. const uint16_t *clntgroups, *srvrgroups;
  508. size_t clnt_num_groups, srvr_num_groups;
  509. int found = 0;
  510. if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
  511. return 1;
  512. /* Sanity check */
  513. if (s->s3.peer_tmp != NULL) {
  514. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  515. return 0;
  516. }
  517. if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
  518. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  519. return 0;
  520. }
  521. /* Get our list of supported groups */
  522. tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
  523. /* Get the clients list of supported groups. */
  524. tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
  525. if (clnt_num_groups == 0) {
  526. /*
  527. * This can only happen if the supported_groups extension was not sent,
  528. * because we verify that the length is non-zero when we process that
  529. * extension.
  530. */
  531. SSLfatal(s, SSL_AD_MISSING_EXTENSION,
  532. SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
  533. return 0;
  534. }
  535. if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
  536. /*
  537. * If we set a group_id already, then we must have sent an HRR
  538. * requesting a new key_share. If we haven't got one then that is an
  539. * error
  540. */
  541. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  542. return 0;
  543. }
  544. while (PACKET_remaining(&key_share_list) > 0) {
  545. if (!PACKET_get_net_2(&key_share_list, &group_id)
  546. || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
  547. || PACKET_remaining(&encoded_pt) == 0) {
  548. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  549. return 0;
  550. }
  551. /*
  552. * If we already found a suitable key_share we loop through the
  553. * rest to verify the structure, but don't process them.
  554. */
  555. if (found)
  556. continue;
  557. /*
  558. * If we sent an HRR then the key_share sent back MUST be for the group
  559. * we requested, and must be the only key_share sent.
  560. */
  561. if (s->s3.group_id != 0
  562. && (group_id != s->s3.group_id
  563. || PACKET_remaining(&key_share_list) != 0)) {
  564. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  565. return 0;
  566. }
  567. /* Check if this share is in supported_groups sent from client */
  568. if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
  569. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
  570. return 0;
  571. }
  572. /* Check if this share is for a group we can use */
  573. if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
  574. || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
  575. /*
  576. * We tolerate but ignore a group id that we don't think is
  577. * suitable for TLSv1.3
  578. */
  579. || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
  580. 0, NULL)) {
  581. /* Share not suitable */
  582. continue;
  583. }
  584. s->s3.group_id = group_id;
  585. /* Cache the selected group ID in the SSL_SESSION */
  586. s->session->kex_group = group_id;
  587. if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
  588. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  589. SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
  590. return 0;
  591. }
  592. if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
  593. PACKET_data(&encoded_pt),
  594. PACKET_remaining(&encoded_pt)) <= 0) {
  595. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
  596. return 0;
  597. }
  598. found = 1;
  599. }
  600. #endif
  601. return 1;
  602. }
  603. int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  604. X509 *x, size_t chainidx)
  605. {
  606. #ifndef OPENSSL_NO_TLS1_3
  607. unsigned int format, version, key_share, group_id;
  608. EVP_MD_CTX *hctx;
  609. EVP_PKEY *pkey;
  610. PACKET cookie, raw, chhash, appcookie;
  611. WPACKET hrrpkt;
  612. const unsigned char *data, *mdin, *ciphdata;
  613. unsigned char hmac[SHA256_DIGEST_LENGTH];
  614. unsigned char hrr[MAX_HRR_SIZE];
  615. size_t rawlen, hmaclen, hrrlen, ciphlen;
  616. uint64_t tm, now;
  617. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  618. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  619. /* Ignore any cookie if we're not set up to verify it */
  620. if (sctx->verify_stateless_cookie_cb == NULL
  621. || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  622. return 1;
  623. if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
  624. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  625. return 0;
  626. }
  627. raw = cookie;
  628. data = PACKET_data(&raw);
  629. rawlen = PACKET_remaining(&raw);
  630. if (rawlen < SHA256_DIGEST_LENGTH
  631. || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
  632. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  633. return 0;
  634. }
  635. mdin = PACKET_data(&raw);
  636. /* Verify the HMAC of the cookie */
  637. hctx = EVP_MD_CTX_create();
  638. pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
  639. sctx->propq,
  640. s->session_ctx->ext.cookie_hmac_key,
  641. sizeof(s->session_ctx->ext.cookie_hmac_key));
  642. if (hctx == NULL || pkey == NULL) {
  643. EVP_MD_CTX_free(hctx);
  644. EVP_PKEY_free(pkey);
  645. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  646. return 0;
  647. }
  648. hmaclen = SHA256_DIGEST_LENGTH;
  649. if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
  650. sctx->propq, pkey, NULL) <= 0
  651. || EVP_DigestSign(hctx, hmac, &hmaclen, data,
  652. rawlen - SHA256_DIGEST_LENGTH) <= 0
  653. || hmaclen != SHA256_DIGEST_LENGTH) {
  654. EVP_MD_CTX_free(hctx);
  655. EVP_PKEY_free(pkey);
  656. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  657. return 0;
  658. }
  659. EVP_MD_CTX_free(hctx);
  660. EVP_PKEY_free(pkey);
  661. if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
  662. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
  663. return 0;
  664. }
  665. if (!PACKET_get_net_2(&cookie, &format)) {
  666. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  667. return 0;
  668. }
  669. /* Check the cookie format is something we recognise. Ignore it if not */
  670. if (format != COOKIE_STATE_FORMAT_VERSION)
  671. return 1;
  672. /*
  673. * The rest of these checks really shouldn't fail since we have verified the
  674. * HMAC above.
  675. */
  676. /* Check the version number is sane */
  677. if (!PACKET_get_net_2(&cookie, &version)) {
  678. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  679. return 0;
  680. }
  681. if (version != TLS1_3_VERSION) {
  682. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
  683. SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
  684. return 0;
  685. }
  686. if (!PACKET_get_net_2(&cookie, &group_id)) {
  687. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  688. return 0;
  689. }
  690. ciphdata = PACKET_data(&cookie);
  691. if (!PACKET_forward(&cookie, 2)) {
  692. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  693. return 0;
  694. }
  695. if (group_id != s->s3.group_id
  696. || s->s3.tmp.new_cipher
  697. != ssl_get_cipher_by_char(s, ciphdata, 0)) {
  698. /*
  699. * We chose a different cipher or group id this time around to what is
  700. * in the cookie. Something must have changed.
  701. */
  702. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
  703. return 0;
  704. }
  705. if (!PACKET_get_1(&cookie, &key_share)
  706. || !PACKET_get_net_8(&cookie, &tm)
  707. || !PACKET_get_length_prefixed_2(&cookie, &chhash)
  708. || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
  709. || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
  710. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
  711. return 0;
  712. }
  713. /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
  714. now = time(NULL);
  715. if (tm > now || (now - tm) > 600) {
  716. /* Cookie is stale. Ignore it */
  717. return 1;
  718. }
  719. /* Verify the app cookie */
  720. if (sctx->verify_stateless_cookie_cb(ssl,
  721. PACKET_data(&appcookie),
  722. PACKET_remaining(&appcookie)) == 0) {
  723. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
  724. return 0;
  725. }
  726. /*
  727. * Reconstruct the HRR that we would have sent in response to the original
  728. * ClientHello so we can add it to the transcript hash.
  729. * Note: This won't work with custom HRR extensions
  730. */
  731. if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
  732. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  733. return 0;
  734. }
  735. if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
  736. || !WPACKET_start_sub_packet_u24(&hrrpkt)
  737. || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
  738. || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
  739. || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
  740. s->tmp_session_id_len)
  741. || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
  742. &ciphlen)
  743. || !WPACKET_put_bytes_u8(&hrrpkt, 0)
  744. || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
  745. WPACKET_cleanup(&hrrpkt);
  746. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  747. return 0;
  748. }
  749. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
  750. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  751. || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
  752. || !WPACKET_close(&hrrpkt)) {
  753. WPACKET_cleanup(&hrrpkt);
  754. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  755. return 0;
  756. }
  757. if (key_share) {
  758. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
  759. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  760. || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
  761. || !WPACKET_close(&hrrpkt)) {
  762. WPACKET_cleanup(&hrrpkt);
  763. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  764. return 0;
  765. }
  766. }
  767. if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
  768. || !WPACKET_start_sub_packet_u16(&hrrpkt)
  769. || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
  770. || !WPACKET_close(&hrrpkt) /* cookie extension */
  771. || !WPACKET_close(&hrrpkt) /* extension block */
  772. || !WPACKET_close(&hrrpkt) /* message */
  773. || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
  774. || !WPACKET_finish(&hrrpkt)) {
  775. WPACKET_cleanup(&hrrpkt);
  776. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  777. return 0;
  778. }
  779. /* Reconstruct the transcript hash */
  780. if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
  781. PACKET_remaining(&chhash), hrr,
  782. hrrlen)) {
  783. /* SSLfatal() already called */
  784. return 0;
  785. }
  786. /* Act as if this ClientHello came after a HelloRetryRequest */
  787. s->hello_retry_request = SSL_HRR_PENDING;
  788. s->ext.cookieok = 1;
  789. #endif
  790. return 1;
  791. }
  792. int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
  793. unsigned int context,
  794. X509 *x, size_t chainidx)
  795. {
  796. PACKET supported_groups_list;
  797. /* Each group is 2 bytes and we must have at least 1. */
  798. if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
  799. || PACKET_remaining(&supported_groups_list) == 0
  800. || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
  801. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  802. return 0;
  803. }
  804. if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
  805. OPENSSL_free(s->ext.peer_supportedgroups);
  806. s->ext.peer_supportedgroups = NULL;
  807. s->ext.peer_supportedgroups_len = 0;
  808. if (!tls1_save_u16(&supported_groups_list,
  809. &s->ext.peer_supportedgroups,
  810. &s->ext.peer_supportedgroups_len)) {
  811. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  812. return 0;
  813. }
  814. }
  815. return 1;
  816. }
  817. int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  818. X509 *x, size_t chainidx)
  819. {
  820. /* The extension must always be empty */
  821. if (PACKET_remaining(pkt) != 0) {
  822. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  823. return 0;
  824. }
  825. if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
  826. return 1;
  827. s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
  828. return 1;
  829. }
  830. int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  831. X509 *x, size_t chainidx)
  832. {
  833. if (PACKET_remaining(pkt) != 0) {
  834. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  835. return 0;
  836. }
  837. if (s->hello_retry_request != SSL_HRR_NONE) {
  838. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
  839. return 0;
  840. }
  841. return 1;
  842. }
  843. static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
  844. SSL_SESSION **sess)
  845. {
  846. SSL_SESSION *tmpsess = NULL;
  847. s->ext.ticket_expected = 1;
  848. switch (PACKET_remaining(tick)) {
  849. case 0:
  850. return SSL_TICKET_EMPTY;
  851. case SSL_MAX_SSL_SESSION_ID_LENGTH:
  852. break;
  853. default:
  854. return SSL_TICKET_NO_DECRYPT;
  855. }
  856. tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
  857. SSL_MAX_SSL_SESSION_ID_LENGTH);
  858. if (tmpsess == NULL)
  859. return SSL_TICKET_NO_DECRYPT;
  860. *sess = tmpsess;
  861. return SSL_TICKET_SUCCESS;
  862. }
  863. int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
  864. X509 *x, size_t chainidx)
  865. {
  866. PACKET identities, binders, binder;
  867. size_t binderoffset, hashsize;
  868. SSL_SESSION *sess = NULL;
  869. unsigned int id, i, ext = 0;
  870. const EVP_MD *md = NULL;
  871. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  872. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  873. /*
  874. * If we have no PSK kex mode that we recognise then we can't resume so
  875. * ignore this extension
  876. */
  877. if ((s->ext.psk_kex_mode
  878. & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
  879. return 1;
  880. if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
  881. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  882. return 0;
  883. }
  884. s->ext.ticket_expected = 0;
  885. for (id = 0; PACKET_remaining(&identities) != 0; id++) {
  886. PACKET identity;
  887. unsigned long ticket_agel;
  888. size_t idlen;
  889. if (!PACKET_get_length_prefixed_2(&identities, &identity)
  890. || !PACKET_get_net_4(&identities, &ticket_agel)) {
  891. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  892. return 0;
  893. }
  894. idlen = PACKET_remaining(&identity);
  895. if (s->psk_find_session_cb != NULL
  896. && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
  897. &sess)) {
  898. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
  899. return 0;
  900. }
  901. #ifndef OPENSSL_NO_PSK
  902. if (sess == NULL
  903. && s->psk_server_callback != NULL
  904. && idlen <= PSK_MAX_IDENTITY_LEN) {
  905. char *pskid = NULL;
  906. unsigned char pskdata[PSK_MAX_PSK_LEN];
  907. unsigned int pskdatalen;
  908. if (!PACKET_strndup(&identity, &pskid)) {
  909. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  910. return 0;
  911. }
  912. pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
  913. sizeof(pskdata));
  914. OPENSSL_free(pskid);
  915. if (pskdatalen > PSK_MAX_PSK_LEN) {
  916. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  917. return 0;
  918. } else if (pskdatalen > 0) {
  919. const SSL_CIPHER *cipher;
  920. const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
  921. /*
  922. * We found a PSK using an old style callback. We don't know
  923. * the digest so we default to SHA256 as per the TLSv1.3 spec
  924. */
  925. cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
  926. if (cipher == NULL) {
  927. OPENSSL_cleanse(pskdata, pskdatalen);
  928. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  929. return 0;
  930. }
  931. sess = SSL_SESSION_new();
  932. if (sess == NULL
  933. || !SSL_SESSION_set1_master_key(sess, pskdata,
  934. pskdatalen)
  935. || !SSL_SESSION_set_cipher(sess, cipher)
  936. || !SSL_SESSION_set_protocol_version(sess,
  937. TLS1_3_VERSION)) {
  938. OPENSSL_cleanse(pskdata, pskdatalen);
  939. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  940. goto err;
  941. }
  942. OPENSSL_cleanse(pskdata, pskdatalen);
  943. }
  944. }
  945. #endif /* OPENSSL_NO_PSK */
  946. if (sess != NULL) {
  947. /* We found a PSK */
  948. SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
  949. if (sesstmp == NULL) {
  950. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  951. return 0;
  952. }
  953. SSL_SESSION_free(sess);
  954. sess = sesstmp;
  955. /*
  956. * We've just been told to use this session for this context so
  957. * make sure the sid_ctx matches up.
  958. */
  959. memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
  960. sess->sid_ctx_length = s->sid_ctx_length;
  961. ext = 1;
  962. if (id == 0)
  963. s->ext.early_data_ok = 1;
  964. s->ext.ticket_expected = 1;
  965. } else {
  966. OSSL_TIME t, age, expire;
  967. int ret;
  968. /*
  969. * If we are using anti-replay protection then we behave as if
  970. * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
  971. * is no point in using full stateless tickets.
  972. */
  973. if ((s->options & SSL_OP_NO_TICKET) != 0
  974. || (s->max_early_data > 0
  975. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
  976. ret = tls_get_stateful_ticket(s, &identity, &sess);
  977. else
  978. ret = tls_decrypt_ticket(s, PACKET_data(&identity),
  979. PACKET_remaining(&identity), NULL, 0,
  980. &sess);
  981. if (ret == SSL_TICKET_EMPTY) {
  982. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  983. return 0;
  984. }
  985. if (ret == SSL_TICKET_FATAL_ERR_MALLOC
  986. || ret == SSL_TICKET_FATAL_ERR_OTHER) {
  987. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  988. return 0;
  989. }
  990. if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
  991. continue;
  992. /* Check for replay */
  993. if (s->max_early_data > 0
  994. && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
  995. && !SSL_CTX_remove_session(s->session_ctx, sess)) {
  996. SSL_SESSION_free(sess);
  997. sess = NULL;
  998. continue;
  999. }
  1000. age = ossl_time_subtract(ossl_ms2time(ticket_agel),
  1001. ossl_ms2time(sess->ext.tick_age_add));
  1002. t = ossl_time_subtract(ossl_time_now(), sess->time);
  1003. /*
  1004. * Although internally we use OSS_TIME which has ns granularity,
  1005. * when SSL_SESSION structures are serialised/deserialised we use
  1006. * second granularity for the sess->time field. Therefore it could
  1007. * appear that the client's ticket age is longer than ours (our
  1008. * ticket age calculation should always be slightly longer than the
  1009. * client's due to the network latency). Therefore we add 1000ms to
  1010. * our age calculation to adjust for rounding errors.
  1011. */
  1012. expire = ossl_time_add(t, ossl_ms2time(1000));
  1013. if (id == 0
  1014. && ossl_time_compare(sess->timeout, t) >= 0
  1015. && ossl_time_compare(age, expire) <= 0
  1016. && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
  1017. expire) >= 0) {
  1018. /*
  1019. * Ticket age is within tolerance and not expired. We allow it
  1020. * for early data
  1021. */
  1022. s->ext.early_data_ok = 1;
  1023. }
  1024. }
  1025. md = ssl_md(sctx, sess->cipher->algorithm2);
  1026. if (md == NULL) {
  1027. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1028. goto err;
  1029. }
  1030. if (!EVP_MD_is_a(md,
  1031. EVP_MD_get0_name(ssl_md(sctx,
  1032. s->s3.tmp.new_cipher->algorithm2)))) {
  1033. /* The ciphersuite is not compatible with this session. */
  1034. SSL_SESSION_free(sess);
  1035. sess = NULL;
  1036. s->ext.early_data_ok = 0;
  1037. s->ext.ticket_expected = 0;
  1038. continue;
  1039. }
  1040. break;
  1041. }
  1042. if (sess == NULL)
  1043. return 1;
  1044. binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
  1045. hashsize = EVP_MD_get_size(md);
  1046. if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
  1047. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1048. goto err;
  1049. }
  1050. for (i = 0; i <= id; i++) {
  1051. if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
  1052. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1053. goto err;
  1054. }
  1055. }
  1056. if (PACKET_remaining(&binder) != hashsize) {
  1057. SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1058. goto err;
  1059. }
  1060. if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
  1061. binderoffset, PACKET_data(&binder), NULL, sess, 0,
  1062. ext) != 1) {
  1063. /* SSLfatal() already called */
  1064. goto err;
  1065. }
  1066. s->ext.tick_identity = id;
  1067. SSL_SESSION_free(s->session);
  1068. s->session = sess;
  1069. return 1;
  1070. err:
  1071. SSL_SESSION_free(sess);
  1072. return 0;
  1073. }
  1074. int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
  1075. ossl_unused unsigned int context,
  1076. ossl_unused X509 *x,
  1077. ossl_unused size_t chainidx)
  1078. {
  1079. if (PACKET_remaining(pkt) != 0) {
  1080. SSLfatal(s, SSL_AD_DECODE_ERROR,
  1081. SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
  1082. return 0;
  1083. }
  1084. s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
  1085. return 1;
  1086. }
  1087. /*
  1088. * Add the server's renegotiation binding
  1089. */
  1090. EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
  1091. unsigned int context, X509 *x,
  1092. size_t chainidx)
  1093. {
  1094. if (!s->s3.send_connection_binding)
  1095. return EXT_RETURN_NOT_SENT;
  1096. /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
  1097. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
  1098. || !WPACKET_start_sub_packet_u16(pkt)
  1099. || !WPACKET_start_sub_packet_u8(pkt)
  1100. || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
  1101. s->s3.previous_client_finished_len)
  1102. || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
  1103. s->s3.previous_server_finished_len)
  1104. || !WPACKET_close(pkt)
  1105. || !WPACKET_close(pkt)) {
  1106. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1107. return EXT_RETURN_FAIL;
  1108. }
  1109. return EXT_RETURN_SENT;
  1110. }
  1111. EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
  1112. unsigned int context, X509 *x,
  1113. size_t chainidx)
  1114. {
  1115. if (s->servername_done != 1)
  1116. return EXT_RETURN_NOT_SENT;
  1117. /*
  1118. * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
  1119. * We just use the servername from the initial handshake.
  1120. */
  1121. if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
  1122. return EXT_RETURN_NOT_SENT;
  1123. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
  1124. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1125. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1126. return EXT_RETURN_FAIL;
  1127. }
  1128. return EXT_RETURN_SENT;
  1129. }
  1130. /* Add/include the server's max fragment len extension into ServerHello */
  1131. EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
  1132. unsigned int context, X509 *x,
  1133. size_t chainidx)
  1134. {
  1135. if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
  1136. return EXT_RETURN_NOT_SENT;
  1137. /*-
  1138. * 4 bytes for this extension type and extension length
  1139. * 1 byte for the Max Fragment Length code value.
  1140. */
  1141. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
  1142. || !WPACKET_start_sub_packet_u16(pkt)
  1143. || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
  1144. || !WPACKET_close(pkt)) {
  1145. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1146. return EXT_RETURN_FAIL;
  1147. }
  1148. return EXT_RETURN_SENT;
  1149. }
  1150. EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
  1151. unsigned int context, X509 *x,
  1152. size_t chainidx)
  1153. {
  1154. unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
  1155. unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
  1156. int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
  1157. && (s->ext.peer_ecpointformats != NULL);
  1158. const unsigned char *plist;
  1159. size_t plistlen;
  1160. if (!using_ecc)
  1161. return EXT_RETURN_NOT_SENT;
  1162. tls1_get_formatlist(s, &plist, &plistlen);
  1163. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
  1164. || !WPACKET_start_sub_packet_u16(pkt)
  1165. || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
  1166. || !WPACKET_close(pkt)) {
  1167. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1168. return EXT_RETURN_FAIL;
  1169. }
  1170. return EXT_RETURN_SENT;
  1171. }
  1172. EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
  1173. unsigned int context, X509 *x,
  1174. size_t chainidx)
  1175. {
  1176. const uint16_t *groups;
  1177. size_t numgroups, i, first = 1;
  1178. int version;
  1179. /* s->s3.group_id is non zero if we accepted a key_share */
  1180. if (s->s3.group_id == 0)
  1181. return EXT_RETURN_NOT_SENT;
  1182. /* Get our list of supported groups */
  1183. tls1_get_supported_groups(s, &groups, &numgroups);
  1184. if (numgroups == 0) {
  1185. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1186. return EXT_RETURN_FAIL;
  1187. }
  1188. /* Copy group ID if supported */
  1189. version = SSL_version(SSL_CONNECTION_GET_SSL(s));
  1190. for (i = 0; i < numgroups; i++) {
  1191. uint16_t group = groups[i];
  1192. if (tls_valid_group(s, group, version, version, 0, NULL)
  1193. && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
  1194. if (first) {
  1195. /*
  1196. * Check if the client is already using our preferred group. If
  1197. * so we don't need to add this extension
  1198. */
  1199. if (s->s3.group_id == group)
  1200. return EXT_RETURN_NOT_SENT;
  1201. /* Add extension header */
  1202. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
  1203. /* Sub-packet for supported_groups extension */
  1204. || !WPACKET_start_sub_packet_u16(pkt)
  1205. || !WPACKET_start_sub_packet_u16(pkt)) {
  1206. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1207. return EXT_RETURN_FAIL;
  1208. }
  1209. first = 0;
  1210. }
  1211. if (!WPACKET_put_bytes_u16(pkt, group)) {
  1212. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1213. return EXT_RETURN_FAIL;
  1214. }
  1215. }
  1216. }
  1217. if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
  1218. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1219. return EXT_RETURN_FAIL;
  1220. }
  1221. return EXT_RETURN_SENT;
  1222. }
  1223. EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
  1224. unsigned int context, X509 *x,
  1225. size_t chainidx)
  1226. {
  1227. if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
  1228. s->ext.ticket_expected = 0;
  1229. return EXT_RETURN_NOT_SENT;
  1230. }
  1231. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
  1232. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1233. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1234. return EXT_RETURN_FAIL;
  1235. }
  1236. return EXT_RETURN_SENT;
  1237. }
  1238. #ifndef OPENSSL_NO_OCSP
  1239. EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
  1240. unsigned int context, X509 *x,
  1241. size_t chainidx)
  1242. {
  1243. /* We don't currently support this extension inside a CertificateRequest */
  1244. if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
  1245. return EXT_RETURN_NOT_SENT;
  1246. if (!s->ext.status_expected)
  1247. return EXT_RETURN_NOT_SENT;
  1248. if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
  1249. return EXT_RETURN_NOT_SENT;
  1250. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
  1251. || !WPACKET_start_sub_packet_u16(pkt)) {
  1252. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1253. return EXT_RETURN_FAIL;
  1254. }
  1255. /*
  1256. * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
  1257. * send back an empty extension, with the certificate status appearing as a
  1258. * separate message
  1259. */
  1260. if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
  1261. /* SSLfatal() already called */
  1262. return EXT_RETURN_FAIL;
  1263. }
  1264. if (!WPACKET_close(pkt)) {
  1265. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1266. return EXT_RETURN_FAIL;
  1267. }
  1268. return EXT_RETURN_SENT;
  1269. }
  1270. #endif
  1271. #ifndef OPENSSL_NO_NEXTPROTONEG
  1272. EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
  1273. unsigned int context, X509 *x,
  1274. size_t chainidx)
  1275. {
  1276. const unsigned char *npa;
  1277. unsigned int npalen;
  1278. int ret;
  1279. int npn_seen = s->s3.npn_seen;
  1280. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1281. s->s3.npn_seen = 0;
  1282. if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
  1283. return EXT_RETURN_NOT_SENT;
  1284. ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
  1285. sctx->ext.npn_advertised_cb_arg);
  1286. if (ret == SSL_TLSEXT_ERR_OK) {
  1287. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
  1288. || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
  1289. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1290. return EXT_RETURN_FAIL;
  1291. }
  1292. s->s3.npn_seen = 1;
  1293. }
  1294. return EXT_RETURN_SENT;
  1295. }
  1296. #endif
  1297. EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
  1298. X509 *x, size_t chainidx)
  1299. {
  1300. if (s->s3.alpn_selected == NULL)
  1301. return EXT_RETURN_NOT_SENT;
  1302. if (!WPACKET_put_bytes_u16(pkt,
  1303. TLSEXT_TYPE_application_layer_protocol_negotiation)
  1304. || !WPACKET_start_sub_packet_u16(pkt)
  1305. || !WPACKET_start_sub_packet_u16(pkt)
  1306. || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
  1307. s->s3.alpn_selected_len)
  1308. || !WPACKET_close(pkt)
  1309. || !WPACKET_close(pkt)) {
  1310. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1311. return EXT_RETURN_FAIL;
  1312. }
  1313. return EXT_RETURN_SENT;
  1314. }
  1315. #ifndef OPENSSL_NO_SRTP
  1316. EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
  1317. unsigned int context, X509 *x,
  1318. size_t chainidx)
  1319. {
  1320. if (s->srtp_profile == NULL)
  1321. return EXT_RETURN_NOT_SENT;
  1322. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
  1323. || !WPACKET_start_sub_packet_u16(pkt)
  1324. || !WPACKET_put_bytes_u16(pkt, 2)
  1325. || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
  1326. || !WPACKET_put_bytes_u8(pkt, 0)
  1327. || !WPACKET_close(pkt)) {
  1328. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1329. return EXT_RETURN_FAIL;
  1330. }
  1331. return EXT_RETURN_SENT;
  1332. }
  1333. #endif
  1334. EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
  1335. unsigned int context,
  1336. X509 *x, size_t chainidx)
  1337. {
  1338. if (!s->ext.use_etm)
  1339. return EXT_RETURN_NOT_SENT;
  1340. /*
  1341. * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
  1342. * for other cases too.
  1343. */
  1344. if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
  1345. || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
  1346. || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
  1347. || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
  1348. || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
  1349. || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
  1350. s->ext.use_etm = 0;
  1351. return EXT_RETURN_NOT_SENT;
  1352. }
  1353. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
  1354. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1355. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1356. return EXT_RETURN_FAIL;
  1357. }
  1358. return EXT_RETURN_SENT;
  1359. }
  1360. EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
  1361. unsigned int context,
  1362. X509 *x, size_t chainidx)
  1363. {
  1364. if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
  1365. return EXT_RETURN_NOT_SENT;
  1366. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
  1367. || !WPACKET_put_bytes_u16(pkt, 0)) {
  1368. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1369. return EXT_RETURN_FAIL;
  1370. }
  1371. return EXT_RETURN_SENT;
  1372. }
  1373. EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
  1374. unsigned int context, X509 *x,
  1375. size_t chainidx)
  1376. {
  1377. if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
  1378. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1379. return EXT_RETURN_FAIL;
  1380. }
  1381. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
  1382. || !WPACKET_start_sub_packet_u16(pkt)
  1383. || !WPACKET_put_bytes_u16(pkt, s->version)
  1384. || !WPACKET_close(pkt)) {
  1385. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1386. return EXT_RETURN_FAIL;
  1387. }
  1388. return EXT_RETURN_SENT;
  1389. }
  1390. EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
  1391. unsigned int context, X509 *x,
  1392. size_t chainidx)
  1393. {
  1394. #ifndef OPENSSL_NO_TLS1_3
  1395. unsigned char *encodedPoint;
  1396. size_t encoded_pt_len = 0;
  1397. EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
  1398. const TLS_GROUP_INFO *ginf = NULL;
  1399. if (s->hello_retry_request == SSL_HRR_PENDING) {
  1400. if (ckey != NULL) {
  1401. /* Original key_share was acceptable so don't ask for another one */
  1402. return EXT_RETURN_NOT_SENT;
  1403. }
  1404. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  1405. || !WPACKET_start_sub_packet_u16(pkt)
  1406. || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
  1407. || !WPACKET_close(pkt)) {
  1408. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1409. return EXT_RETURN_FAIL;
  1410. }
  1411. return EXT_RETURN_SENT;
  1412. }
  1413. if (ckey == NULL) {
  1414. /* No key_share received from client - must be resuming */
  1415. if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
  1416. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1417. return EXT_RETURN_FAIL;
  1418. }
  1419. return EXT_RETURN_NOT_SENT;
  1420. }
  1421. if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
  1422. /*
  1423. * PSK ('hit') and explicitly not doing DHE (if the client sent the
  1424. * DHE option we always take it); don't send key share.
  1425. */
  1426. return EXT_RETURN_NOT_SENT;
  1427. }
  1428. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
  1429. || !WPACKET_start_sub_packet_u16(pkt)
  1430. || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
  1431. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1432. return EXT_RETURN_FAIL;
  1433. }
  1434. if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
  1435. s->s3.group_id)) == NULL) {
  1436. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1437. return EXT_RETURN_FAIL;
  1438. }
  1439. if (!ginf->is_kem) {
  1440. /* Regular KEX */
  1441. skey = ssl_generate_pkey(s, ckey);
  1442. if (skey == NULL) {
  1443. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
  1444. return EXT_RETURN_FAIL;
  1445. }
  1446. /* Generate encoding of server key */
  1447. encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
  1448. if (encoded_pt_len == 0) {
  1449. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
  1450. EVP_PKEY_free(skey);
  1451. return EXT_RETURN_FAIL;
  1452. }
  1453. if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
  1454. || !WPACKET_close(pkt)) {
  1455. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1456. EVP_PKEY_free(skey);
  1457. OPENSSL_free(encodedPoint);
  1458. return EXT_RETURN_FAIL;
  1459. }
  1460. OPENSSL_free(encodedPoint);
  1461. /*
  1462. * This causes the crypto state to be updated based on the derived keys
  1463. */
  1464. s->s3.tmp.pkey = skey;
  1465. if (ssl_derive(s, skey, ckey, 1) == 0) {
  1466. /* SSLfatal() already called */
  1467. return EXT_RETURN_FAIL;
  1468. }
  1469. } else {
  1470. /* KEM mode */
  1471. unsigned char *ct = NULL;
  1472. size_t ctlen = 0;
  1473. /*
  1474. * This does not update the crypto state.
  1475. *
  1476. * The generated pms is stored in `s->s3.tmp.pms` to be later used via
  1477. * ssl_gensecret().
  1478. */
  1479. if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
  1480. /* SSLfatal() already called */
  1481. return EXT_RETURN_FAIL;
  1482. }
  1483. if (ctlen == 0) {
  1484. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1485. OPENSSL_free(ct);
  1486. return EXT_RETURN_FAIL;
  1487. }
  1488. if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
  1489. || !WPACKET_close(pkt)) {
  1490. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1491. OPENSSL_free(ct);
  1492. return EXT_RETURN_FAIL;
  1493. }
  1494. OPENSSL_free(ct);
  1495. /*
  1496. * This causes the crypto state to be updated based on the generated pms
  1497. */
  1498. if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
  1499. /* SSLfatal() already called */
  1500. return EXT_RETURN_FAIL;
  1501. }
  1502. }
  1503. s->s3.did_kex = 1;
  1504. return EXT_RETURN_SENT;
  1505. #else
  1506. return EXT_RETURN_FAIL;
  1507. #endif
  1508. }
  1509. EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
  1510. unsigned int context,
  1511. X509 *x, size_t chainidx)
  1512. {
  1513. #ifndef OPENSSL_NO_TLS1_3
  1514. unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
  1515. unsigned char *hmac, *hmac2;
  1516. size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
  1517. EVP_MD_CTX *hctx;
  1518. EVP_PKEY *pkey;
  1519. int ret = EXT_RETURN_FAIL;
  1520. SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
  1521. SSL *ssl = SSL_CONNECTION_GET_SSL(s);
  1522. if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
  1523. return EXT_RETURN_NOT_SENT;
  1524. if (sctx->gen_stateless_cookie_cb == NULL) {
  1525. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
  1526. return EXT_RETURN_FAIL;
  1527. }
  1528. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
  1529. || !WPACKET_start_sub_packet_u16(pkt)
  1530. || !WPACKET_start_sub_packet_u16(pkt)
  1531. || !WPACKET_get_total_written(pkt, &startlen)
  1532. || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
  1533. || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
  1534. || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
  1535. || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
  1536. || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
  1537. &ciphlen)
  1538. /* Is there a key_share extension present in this HRR? */
  1539. || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
  1540. || !WPACKET_put_bytes_u64(pkt, time(NULL))
  1541. || !WPACKET_start_sub_packet_u16(pkt)
  1542. || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
  1543. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1544. return EXT_RETURN_FAIL;
  1545. }
  1546. /*
  1547. * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
  1548. * on raw buffers, so we first reserve sufficient bytes (above) and then
  1549. * subsequently allocate them (below)
  1550. */
  1551. if (!ssl3_digest_cached_records(s, 0)
  1552. || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
  1553. /* SSLfatal() already called */
  1554. return EXT_RETURN_FAIL;
  1555. }
  1556. if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
  1557. || !ossl_assert(hashval1 == hashval2)
  1558. || !WPACKET_close(pkt)
  1559. || !WPACKET_start_sub_packet_u8(pkt)
  1560. || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
  1561. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1562. return EXT_RETURN_FAIL;
  1563. }
  1564. /* Generate the application cookie */
  1565. if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
  1566. &appcookielen) == 0) {
  1567. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
  1568. return EXT_RETURN_FAIL;
  1569. }
  1570. if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
  1571. || !ossl_assert(appcookie1 == appcookie2)
  1572. || !WPACKET_close(pkt)
  1573. || !WPACKET_get_total_written(pkt, &totcookielen)
  1574. || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
  1575. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1576. return EXT_RETURN_FAIL;
  1577. }
  1578. hmaclen = SHA256_DIGEST_LENGTH;
  1579. totcookielen -= startlen;
  1580. if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
  1581. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1582. return EXT_RETURN_FAIL;
  1583. }
  1584. /* HMAC the cookie */
  1585. hctx = EVP_MD_CTX_create();
  1586. pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
  1587. sctx->propq,
  1588. s->session_ctx->ext.cookie_hmac_key,
  1589. sizeof(s->session_ctx->ext.cookie_hmac_key));
  1590. if (hctx == NULL || pkey == NULL) {
  1591. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  1592. goto err;
  1593. }
  1594. if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
  1595. sctx->propq, pkey, NULL) <= 0
  1596. || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
  1597. totcookielen) <= 0) {
  1598. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1599. goto err;
  1600. }
  1601. if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
  1602. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1603. goto err;
  1604. }
  1605. if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
  1606. || !ossl_assert(hmac == hmac2)
  1607. || !ossl_assert(cookie == hmac - totcookielen)
  1608. || !WPACKET_close(pkt)
  1609. || !WPACKET_close(pkt)) {
  1610. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1611. goto err;
  1612. }
  1613. ret = EXT_RETURN_SENT;
  1614. err:
  1615. EVP_MD_CTX_free(hctx);
  1616. EVP_PKEY_free(pkey);
  1617. return ret;
  1618. #else
  1619. return EXT_RETURN_FAIL;
  1620. #endif
  1621. }
  1622. EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
  1623. unsigned int context, X509 *x,
  1624. size_t chainidx)
  1625. {
  1626. const unsigned char cryptopro_ext[36] = {
  1627. 0xfd, 0xe8, /* 65000 */
  1628. 0x00, 0x20, /* 32 bytes length */
  1629. 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
  1630. 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
  1631. 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
  1632. 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
  1633. };
  1634. if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
  1635. && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
  1636. || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
  1637. & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
  1638. return EXT_RETURN_NOT_SENT;
  1639. if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
  1640. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1641. return EXT_RETURN_FAIL;
  1642. }
  1643. return EXT_RETURN_SENT;
  1644. }
  1645. EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
  1646. unsigned int context, X509 *x,
  1647. size_t chainidx)
  1648. {
  1649. if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
  1650. if (s->max_early_data == 0)
  1651. return EXT_RETURN_NOT_SENT;
  1652. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  1653. || !WPACKET_start_sub_packet_u16(pkt)
  1654. || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
  1655. || !WPACKET_close(pkt)) {
  1656. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1657. return EXT_RETURN_FAIL;
  1658. }
  1659. return EXT_RETURN_SENT;
  1660. }
  1661. if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
  1662. return EXT_RETURN_NOT_SENT;
  1663. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
  1664. || !WPACKET_start_sub_packet_u16(pkt)
  1665. || !WPACKET_close(pkt)) {
  1666. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1667. return EXT_RETURN_FAIL;
  1668. }
  1669. return EXT_RETURN_SENT;
  1670. }
  1671. EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
  1672. unsigned int context,
  1673. X509 *x, size_t chainidx)
  1674. {
  1675. if (!s->hit)
  1676. return EXT_RETURN_NOT_SENT;
  1677. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
  1678. || !WPACKET_start_sub_packet_u16(pkt)
  1679. || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
  1680. || !WPACKET_close(pkt)) {
  1681. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1682. return EXT_RETURN_FAIL;
  1683. }
  1684. return EXT_RETURN_SENT;
  1685. }
  1686. EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
  1687. unsigned int context,
  1688. X509 *x, size_t chainidx)
  1689. {
  1690. if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
  1691. && (send_certificate_request(sc)
  1692. || sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
  1693. /* Did not receive an acceptable cert type - and doing client auth */
  1694. SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
  1695. return EXT_RETURN_FAIL;
  1696. }
  1697. if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
  1698. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1699. return EXT_RETURN_NOT_SENT;
  1700. }
  1701. /*
  1702. * Note: only supposed to send this if we are going to do a cert request,
  1703. * but TLSv1.3 could do a PHA request if the client supports it
  1704. */
  1705. if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
  1706. || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
  1707. || sc->client_cert_type == NULL) {
  1708. /* if we don't send it, reset to TLSEXT_cert_type_x509 */
  1709. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1710. sc->ext.client_cert_type = TLSEXT_cert_type_x509;
  1711. return EXT_RETURN_NOT_SENT;
  1712. }
  1713. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
  1714. || !WPACKET_start_sub_packet_u16(pkt)
  1715. || !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
  1716. || !WPACKET_close(pkt)) {
  1717. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1718. return EXT_RETURN_FAIL;
  1719. }
  1720. return EXT_RETURN_SENT;
  1721. }
  1722. /* One of |pref|, |other| is configured and the values are sanitized */
  1723. static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
  1724. const unsigned char *other, size_t other_len,
  1725. uint8_t *chosen_cert_type)
  1726. {
  1727. size_t i;
  1728. for (i = 0; i < pref_len; i++) {
  1729. if (memchr(other, pref[i], other_len) != NULL) {
  1730. *chosen_cert_type = pref[i];
  1731. return OSSL_CERT_TYPE_CTOS_GOOD;
  1732. }
  1733. }
  1734. return OSSL_CERT_TYPE_CTOS_ERROR;
  1735. }
  1736. int tls_parse_ctos_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
  1737. unsigned int context,
  1738. X509 *x, size_t chainidx)
  1739. {
  1740. PACKET supported_cert_types;
  1741. const unsigned char *data;
  1742. size_t len;
  1743. /* Ignore the extension */
  1744. if (sc->client_cert_type == NULL) {
  1745. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1746. sc->ext.client_cert_type = TLSEXT_cert_type_x509;
  1747. return 1;
  1748. }
  1749. if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
  1750. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
  1751. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1752. return 0;
  1753. }
  1754. if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
  1755. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
  1756. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1757. return 0;
  1758. }
  1759. if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
  1760. sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
  1761. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1762. return 0;
  1763. }
  1764. /* client_cert_type: client (peer) has priority */
  1765. sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
  1766. sc->client_cert_type, sc->client_cert_type_len,
  1767. &sc->ext.client_cert_type);
  1768. /* Ignore the error until sending - so we can check cert auth*/
  1769. return 1;
  1770. }
  1771. EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
  1772. unsigned int context,
  1773. X509 *x, size_t chainidx)
  1774. {
  1775. if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
  1776. sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1777. return EXT_RETURN_NOT_SENT;
  1778. }
  1779. if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
  1780. || sc->server_cert_type == NULL) {
  1781. /* if we don't send it, reset to TLSEXT_cert_type_x509 */
  1782. sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1783. sc->ext.server_cert_type = TLSEXT_cert_type_x509;
  1784. return EXT_RETURN_NOT_SENT;
  1785. }
  1786. if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
  1787. || !WPACKET_start_sub_packet_u16(pkt)
  1788. || !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
  1789. || !WPACKET_close(pkt)) {
  1790. SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  1791. return EXT_RETURN_FAIL;
  1792. }
  1793. return EXT_RETURN_SENT;
  1794. }
  1795. int tls_parse_ctos_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
  1796. unsigned int context,
  1797. X509 *x, size_t chainidx)
  1798. {
  1799. PACKET supported_cert_types;
  1800. const unsigned char *data;
  1801. size_t len;
  1802. /* Ignore the extension */
  1803. if (sc->server_cert_type == NULL) {
  1804. sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
  1805. sc->ext.server_cert_type = TLSEXT_cert_type_x509;
  1806. return 1;
  1807. }
  1808. if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
  1809. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1810. return 0;
  1811. }
  1812. if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
  1813. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1814. return 0;
  1815. }
  1816. if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
  1817. SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
  1818. return 0;
  1819. }
  1820. /* server_cert_type: server (this) has priority */
  1821. sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
  1822. data, len,
  1823. &sc->ext.server_cert_type);
  1824. if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
  1825. return 1;
  1826. /* Did not receive an acceptable cert type */
  1827. SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
  1828. return 0;
  1829. }