1 /* 2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "internal/cryptlib.h" 13 #include "internal/ssl_unwrap.h" 14 #include "statem_local.h" 15 16 EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt, 17 unsigned int context, X509 *x, 18 size_t chainidx) 19 { 20 if (!s->renegotiate) { 21 /* If not renegotiating, send an empty RI extension to indicate support */ 22 23 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 24 # error Internal DTLS version error 25 #endif 26 27 if (!SSL_CONNECTION_IS_DTLS(s) 28 && (s->min_proto_version >= TLS1_3_VERSION 29 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) 30 && s->min_proto_version <= TLS1_VERSION))) { 31 /* 32 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this 33 * extension isn't used at all. 34 */ 35 return EXT_RETURN_NOT_SENT; 36 } 37 38 39 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 40 || !WPACKET_start_sub_packet_u16(pkt) 41 || !WPACKET_put_bytes_u8(pkt, 0) 42 || !WPACKET_close(pkt)) { 43 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 44 return EXT_RETURN_FAIL; 45 } 46 47 return EXT_RETURN_SENT; 48 } 49 50 /* Add a complete RI extension if renegotiating */ 51 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 52 || !WPACKET_start_sub_packet_u16(pkt) 53 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, 54 s->s3.previous_client_finished_len) 55 || !WPACKET_close(pkt)) { 56 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 57 return EXT_RETURN_FAIL; 58 } 59 60 return EXT_RETURN_SENT; 61 } 62 63 EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt, 64 unsigned int context, X509 *x, 65 size_t chainidx) 66 { 67 if (s->ext.hostname == NULL) 68 return EXT_RETURN_NOT_SENT; 69 70 /* Add TLS extension servername to the Client Hello message */ 71 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 72 /* Sub-packet for server_name extension */ 73 || !WPACKET_start_sub_packet_u16(pkt) 74 /* Sub-packet for servername list (always 1 hostname)*/ 75 || !WPACKET_start_sub_packet_u16(pkt) 76 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) 77 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, 78 strlen(s->ext.hostname)) 79 || !WPACKET_close(pkt) 80 || !WPACKET_close(pkt)) { 81 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 82 return EXT_RETURN_FAIL; 83 } 84 85 return EXT_RETURN_SENT; 86 } 87 88 /* Push a Max Fragment Len extension into ClientHello */ 89 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt, 90 unsigned int context, X509 *x, 91 size_t chainidx) 92 { 93 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) 94 return EXT_RETURN_NOT_SENT; 95 96 /* Add Max Fragment Length extension if client enabled it. */ 97 /*- 98 * 4 bytes for this extension type and extension length 99 * 1 byte for the Max Fragment Length code value. 100 */ 101 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 102 /* Sub-packet for Max Fragment Length extension (1 byte) */ 103 || !WPACKET_start_sub_packet_u16(pkt) 104 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) 105 || !WPACKET_close(pkt)) { 106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 107 return EXT_RETURN_FAIL; 108 } 109 110 return EXT_RETURN_SENT; 111 } 112 113 #ifndef OPENSSL_NO_SRP 114 EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt, 115 unsigned int context, 116 X509 *x, size_t chainidx) 117 { 118 /* Add SRP username if there is one */ 119 if (s->srp_ctx.login == NULL) 120 return EXT_RETURN_NOT_SENT; 121 122 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) 123 /* Sub-packet for SRP extension */ 124 || !WPACKET_start_sub_packet_u16(pkt) 125 || !WPACKET_start_sub_packet_u8(pkt) 126 /* login must not be zero...internal error if so */ 127 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 128 || !WPACKET_memcpy(pkt, s->srp_ctx.login, 129 strlen(s->srp_ctx.login)) 130 || !WPACKET_close(pkt) 131 || !WPACKET_close(pkt)) { 132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 133 return EXT_RETURN_FAIL; 134 } 135 136 return EXT_RETURN_SENT; 137 } 138 #endif 139 140 static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version) 141 { 142 int i, end, ret = 0; 143 unsigned long alg_k, alg_a; 144 STACK_OF(SSL_CIPHER) *cipher_stack = NULL; 145 const uint16_t *pgroups = NULL; 146 size_t num_groups, j; 147 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 148 149 /* See if we support any ECC ciphersuites */ 150 if (s->version == SSL3_VERSION) 151 return 0; 152 153 cipher_stack = SSL_get1_supported_ciphers(ssl); 154 end = sk_SSL_CIPHER_num(cipher_stack); 155 for (i = 0; i < end; i++) { 156 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 157 158 alg_k = c->algorithm_mkey; 159 alg_a = c->algorithm_auth; 160 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 161 || (alg_a & SSL_aECDSA) 162 || c->min_tls >= TLS1_3_VERSION) { 163 ret = 1; 164 break; 165 } 166 } 167 sk_SSL_CIPHER_free(cipher_stack); 168 if (!ret) 169 return 0; 170 171 /* Check we have at least one EC supported group */ 172 tls1_get_supported_groups(s, &pgroups, &num_groups); 173 for (j = 0; j < num_groups; j++) { 174 uint16_t ctmp = pgroups[j]; 175 176 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) 177 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) 178 return 1; 179 } 180 181 return 0; 182 } 183 184 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt, 185 unsigned int context, X509 *x, 186 size_t chainidx) 187 { 188 const unsigned char *pformats; 189 size_t num_formats; 190 int reason, min_version, max_version; 191 192 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 193 if (reason != 0) { 194 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 195 return EXT_RETURN_FAIL; 196 } 197 if (!use_ecc(s, min_version, max_version)) 198 return EXT_RETURN_NOT_SENT; 199 200 /* Add TLS extension ECPointFormats to the ClientHello message */ 201 tls1_get_formatlist(s, &pformats, &num_formats); 202 203 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 204 /* Sub-packet for formats extension */ 205 || !WPACKET_start_sub_packet_u16(pkt) 206 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) 207 || !WPACKET_close(pkt)) { 208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 209 return EXT_RETURN_FAIL; 210 } 211 212 return EXT_RETURN_SENT; 213 } 214 215 EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, 216 unsigned int context, X509 *x, 217 size_t chainidx) 218 { 219 const uint16_t *pgroups = NULL; 220 size_t num_groups = 0, i, tls13added = 0, added = 0; 221 int min_version, max_version, reason; 222 223 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 224 if (reason != 0) { 225 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 226 return EXT_RETURN_FAIL; 227 } 228 229 /* 230 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore 231 * if we don't have EC support then we don't send this extension. 232 */ 233 if (!use_ecc(s, min_version, max_version) 234 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)) 235 return EXT_RETURN_NOT_SENT; 236 237 /* 238 * Add TLS extension supported_groups to the ClientHello message 239 */ 240 tls1_get_supported_groups(s, &pgroups, &num_groups); 241 242 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 243 /* Sub-packet for supported_groups extension */ 244 || !WPACKET_start_sub_packet_u16(pkt) 245 || !WPACKET_start_sub_packet_u16(pkt) 246 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { 247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 248 return EXT_RETURN_FAIL; 249 } 250 /* Copy group ID if supported */ 251 for (i = 0; i < num_groups; i++) { 252 uint16_t ctmp = pgroups[i]; 253 int okfortls13; 254 255 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) 256 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { 257 if (!WPACKET_put_bytes_u16(pkt, ctmp)) { 258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 259 return EXT_RETURN_FAIL; 260 } 261 if (okfortls13 && max_version == TLS1_3_VERSION) 262 tls13added++; 263 added++; 264 } 265 } 266 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 267 if (added == 0) 268 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 269 "No groups enabled for max supported SSL/TLS version"); 270 else 271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 272 return EXT_RETURN_FAIL; 273 } 274 275 if (tls13added == 0 && max_version == TLS1_3_VERSION) { 276 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 277 "No groups enabled for max supported SSL/TLS version"); 278 return EXT_RETURN_FAIL; 279 } 280 281 return EXT_RETURN_SENT; 282 } 283 284 EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt, 285 unsigned int context, X509 *x, 286 size_t chainidx) 287 { 288 size_t ticklen; 289 290 if (!tls_use_ticket(s)) 291 return EXT_RETURN_NOT_SENT; 292 293 if (!s->new_session && s->session != NULL 294 && s->session->ext.tick != NULL 295 && s->session->ssl_version != TLS1_3_VERSION) { 296 ticklen = s->session->ext.ticklen; 297 } else if (s->session && s->ext.session_ticket != NULL 298 && s->ext.session_ticket->data != NULL) { 299 ticklen = s->ext.session_ticket->length; 300 s->session->ext.tick = OPENSSL_malloc(ticklen); 301 if (s->session->ext.tick == NULL) { 302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 303 return EXT_RETURN_FAIL; 304 } 305 memcpy(s->session->ext.tick, 306 s->ext.session_ticket->data, ticklen); 307 s->session->ext.ticklen = ticklen; 308 } else { 309 ticklen = 0; 310 } 311 312 if (ticklen == 0 && s->ext.session_ticket != NULL && 313 s->ext.session_ticket->data == NULL) 314 return EXT_RETURN_NOT_SENT; 315 316 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 317 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { 318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 319 return EXT_RETURN_FAIL; 320 } 321 322 return EXT_RETURN_SENT; 323 } 324 325 EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt, 326 unsigned int context, X509 *x, 327 size_t chainidx) 328 { 329 size_t salglen; 330 const uint16_t *salg; 331 332 /* 333 * This used both in the initial hello and as part of renegotiation, 334 * in the latter case, the client version may be already set and may 335 * be lower than that initially offered in `client_version`. 336 */ 337 if (!SSL_CONNECTION_IS_DTLS(s)) { 338 if (s->client_version < TLS1_2_VERSION 339 || (s->ssl.method->version != TLS_ANY_VERSION 340 && s->version < TLS1_2_VERSION)) 341 return EXT_RETURN_NOT_SENT; 342 } else { 343 if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION) 344 || (s->ssl.method->version != DTLS_ANY_VERSION 345 && DTLS_VERSION_LT(s->version, DTLS1_2_VERSION))) 346 return EXT_RETURN_NOT_SENT; 347 } 348 349 salglen = tls12_get_psigalgs(s, 1, &salg); 350 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) 351 /* Sub-packet for sig-algs extension */ 352 || !WPACKET_start_sub_packet_u16(pkt) 353 /* Sub-packet for the actual list */ 354 || !WPACKET_start_sub_packet_u16(pkt) 355 || !tls12_copy_sigalgs(s, pkt, salg, salglen) 356 || !WPACKET_close(pkt) 357 || !WPACKET_close(pkt)) { 358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 359 return EXT_RETURN_FAIL; 360 } 361 362 return EXT_RETURN_SENT; 363 } 364 365 #ifndef OPENSSL_NO_OCSP 366 EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt, 367 unsigned int context, X509 *x, 368 size_t chainidx) 369 { 370 int i; 371 372 /* This extension isn't defined for client Certificates */ 373 if (x != NULL) 374 return EXT_RETURN_NOT_SENT; 375 376 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) 377 return EXT_RETURN_NOT_SENT; 378 379 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 380 /* Sub-packet for status request extension */ 381 || !WPACKET_start_sub_packet_u16(pkt) 382 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) 383 /* Sub-packet for the ids */ 384 || !WPACKET_start_sub_packet_u16(pkt)) { 385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 386 return EXT_RETURN_FAIL; 387 } 388 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { 389 unsigned char *idbytes; 390 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); 391 int idlen = i2d_OCSP_RESPID(id, NULL); 392 393 if (idlen <= 0 394 /* Sub-packet for an individual id */ 395 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) 396 || i2d_OCSP_RESPID(id, &idbytes) != idlen) { 397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 398 return EXT_RETURN_FAIL; 399 } 400 } 401 if (!WPACKET_close(pkt) 402 || !WPACKET_start_sub_packet_u16(pkt)) { 403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 404 return EXT_RETURN_FAIL; 405 } 406 if (s->ext.ocsp.exts) { 407 unsigned char *extbytes; 408 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); 409 410 if (extlen < 0) { 411 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 412 return EXT_RETURN_FAIL; 413 } 414 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) 415 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) 416 != extlen) { 417 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 418 return EXT_RETURN_FAIL; 419 } 420 } 421 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 423 return EXT_RETURN_FAIL; 424 } 425 426 return EXT_RETURN_SENT; 427 } 428 #endif 429 430 #ifndef OPENSSL_NO_NEXTPROTONEG 431 EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt, 432 unsigned int context, 433 X509 *x, size_t chainidx) 434 { 435 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL 436 || !SSL_IS_FIRST_HANDSHAKE(s)) 437 return EXT_RETURN_NOT_SENT; 438 439 /* 440 * The client advertises an empty extension to indicate its support 441 * for Next Protocol Negotiation 442 */ 443 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 444 || !WPACKET_put_bytes_u16(pkt, 0)) { 445 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 446 return EXT_RETURN_FAIL; 447 } 448 449 return EXT_RETURN_SENT; 450 } 451 #endif 452 453 EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt, 454 unsigned int context, 455 X509 *x, size_t chainidx) 456 { 457 s->s3.alpn_sent = 0; 458 459 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 460 return EXT_RETURN_NOT_SENT; 461 462 if (!WPACKET_put_bytes_u16(pkt, 463 TLSEXT_TYPE_application_layer_protocol_negotiation) 464 /* Sub-packet ALPN extension */ 465 || !WPACKET_start_sub_packet_u16(pkt) 466 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) 467 || !WPACKET_close(pkt)) { 468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 469 return EXT_RETURN_FAIL; 470 } 471 s->s3.alpn_sent = 1; 472 473 return EXT_RETURN_SENT; 474 } 475 476 477 #ifndef OPENSSL_NO_SRTP 478 EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt, 479 unsigned int context, X509 *x, 480 size_t chainidx) 481 { 482 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 483 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl); 484 int i, end; 485 486 if (clnt == NULL) 487 return EXT_RETURN_NOT_SENT; 488 489 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 490 /* Sub-packet for SRTP extension */ 491 || !WPACKET_start_sub_packet_u16(pkt) 492 /* Sub-packet for the protection profile list */ 493 || !WPACKET_start_sub_packet_u16(pkt)) { 494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 495 return EXT_RETURN_FAIL; 496 } 497 498 end = sk_SRTP_PROTECTION_PROFILE_num(clnt); 499 for (i = 0; i < end; i++) { 500 const SRTP_PROTECTION_PROFILE *prof = 501 sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 502 503 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { 504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 505 return EXT_RETURN_FAIL; 506 } 507 } 508 if (!WPACKET_close(pkt) 509 /* Add an empty use_mki value */ 510 || !WPACKET_put_bytes_u8(pkt, 0) 511 || !WPACKET_close(pkt)) { 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 513 return EXT_RETURN_FAIL; 514 } 515 516 return EXT_RETURN_SENT; 517 } 518 #endif 519 520 EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt, 521 unsigned int context, 522 X509 *x, size_t chainidx) 523 { 524 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 525 return EXT_RETURN_NOT_SENT; 526 527 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 528 || !WPACKET_put_bytes_u16(pkt, 0)) { 529 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 530 return EXT_RETURN_FAIL; 531 } 532 533 return EXT_RETURN_SENT; 534 } 535 536 #ifndef OPENSSL_NO_CT 537 EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt, 538 unsigned int context, 539 X509 *x, size_t chainidx) 540 { 541 if (s->ct_validation_callback == NULL) 542 return EXT_RETURN_NOT_SENT; 543 544 /* Not defined for client Certificates */ 545 if (x != NULL) 546 return EXT_RETURN_NOT_SENT; 547 548 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) 549 || !WPACKET_put_bytes_u16(pkt, 0)) { 550 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 551 return EXT_RETURN_FAIL; 552 } 553 554 return EXT_RETURN_SENT; 555 } 556 #endif 557 558 EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt, 559 unsigned int context, 560 X509 *x, size_t chainidx) 561 { 562 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 563 return EXT_RETURN_NOT_SENT; 564 565 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 566 || !WPACKET_put_bytes_u16(pkt, 0)) { 567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 568 return EXT_RETURN_FAIL; 569 } 570 571 return EXT_RETURN_SENT; 572 } 573 574 EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt, 575 unsigned int context, X509 *x, 576 size_t chainidx) 577 { 578 int currv, min_version, max_version, reason; 579 580 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 581 if (reason != 0) { 582 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 583 return EXT_RETURN_FAIL; 584 } 585 586 /* 587 * Don't include this if we can't negotiate TLSv1.3. We can do a straight 588 * comparison here because we will never be called in DTLS. 589 */ 590 if (max_version < TLS1_3_VERSION) 591 return EXT_RETURN_NOT_SENT; 592 593 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 594 || !WPACKET_start_sub_packet_u16(pkt) 595 || !WPACKET_start_sub_packet_u8(pkt)) { 596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 597 return EXT_RETURN_FAIL; 598 } 599 600 for (currv = max_version; currv >= min_version; currv--) { 601 if (!WPACKET_put_bytes_u16(pkt, currv)) { 602 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 603 return EXT_RETURN_FAIL; 604 } 605 } 606 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 608 return EXT_RETURN_FAIL; 609 } 610 611 return EXT_RETURN_SENT; 612 } 613 614 /* 615 * Construct a psk_kex_modes extension. 616 */ 617 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, 618 unsigned int context, X509 *x, 619 size_t chainidx) 620 { 621 #ifndef OPENSSL_NO_TLS1_3 622 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; 623 624 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) 625 || !WPACKET_start_sub_packet_u16(pkt) 626 || !WPACKET_start_sub_packet_u8(pkt) 627 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) 628 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) 629 || !WPACKET_close(pkt) 630 || !WPACKET_close(pkt)) { 631 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 632 return EXT_RETURN_FAIL; 633 } 634 635 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; 636 if (nodhe) 637 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 638 #endif 639 640 return EXT_RETURN_SENT; 641 } 642 643 #ifndef OPENSSL_NO_TLS1_3 644 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num) 645 { 646 unsigned char *encoded_pubkey = NULL; 647 EVP_PKEY *key_share_key = NULL; 648 size_t encodedlen; 649 650 if (loop_num < s->s3.tmp.num_ks_pkey) { 651 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING) 652 || !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) { 653 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 654 return 0; 655 } 656 /* 657 * Could happen if we got an HRR that wasn't requesting a new key_share 658 */ 659 key_share_key = s->s3.tmp.ks_pkey[loop_num]; 660 } else { 661 key_share_key = ssl_generate_pkey_group(s, group_id); 662 if (key_share_key == NULL) { 663 /* SSLfatal() already called */ 664 return 0; 665 } 666 } 667 668 /* Encode the public key. */ 669 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key, 670 &encoded_pubkey); 671 if (encodedlen == 0) { 672 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 673 goto err; 674 } 675 676 /* Create KeyShareEntry */ 677 if (!WPACKET_put_bytes_u16(pkt, group_id) 678 || !WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encodedlen)) { 679 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 680 goto err; 681 } 682 683 /* For backward compatibility, we use the first valid group to add a key share */ 684 if (loop_num == 0) { 685 s->s3.tmp.pkey = key_share_key; 686 s->s3.group_id = group_id; 687 } 688 /* We ensure in t1_lib.c that the loop number does not exceed OPENSSL_CLIENT_MAX_KEY_SHARES */ 689 s->s3.tmp.ks_pkey[loop_num] = key_share_key; 690 s->s3.tmp.ks_group_id[loop_num] = group_id; 691 if (loop_num >= s->s3.tmp.num_ks_pkey) 692 s->s3.tmp.num_ks_pkey++; 693 694 OPENSSL_free(encoded_pubkey); 695 696 return 1; 697 err: 698 if (key_share_key != s->s3.tmp.ks_pkey[loop_num]) 699 EVP_PKEY_free(key_share_key); 700 OPENSSL_free(encoded_pubkey); 701 return 0; 702 } 703 #endif 704 705 EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, 706 unsigned int context, X509 *x, 707 size_t chainidx) 708 { 709 #ifndef OPENSSL_NO_TLS1_3 710 size_t i, num_groups = 0; 711 const uint16_t *pgroups = NULL; 712 uint16_t group_id = 0; 713 int add_only_one = 0; 714 size_t valid_keyshare = 0; 715 716 /* key_share extension */ 717 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 718 /* Extension data sub-packet */ 719 || !WPACKET_start_sub_packet_u16(pkt) 720 /* KeyShare list sub-packet */ 721 || !WPACKET_start_sub_packet_u16(pkt)) { 722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 723 return EXT_RETURN_FAIL; 724 } 725 726 tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups); 727 if (num_groups == 1 && pgroups[0] == 0) { /* Indication that no * prefix was used */ 728 tls1_get_supported_groups(s, &pgroups, &num_groups); 729 add_only_one = 1; 730 } 731 732 /* If neither the default nor the keyshares have any entry --> fatal */ 733 if (num_groups == 0) { 734 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 735 return EXT_RETURN_FAIL; 736 } 737 738 /* Add key shares */ 739 740 if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) { 741 /* new, single key share */ 742 group_id = s->s3.group_id; 743 s->s3.tmp.num_ks_pkey = 0; 744 if (!add_key_share(s, pkt, group_id, 0)) { 745 /* SSLfatal() already called */ 746 return EXT_RETURN_FAIL; 747 } 748 valid_keyshare++; 749 } else { 750 if (s->ext.supportedgroups == NULL) /* use default */ 751 add_only_one = 1; 752 753 for (i = 0; i < num_groups; i++) { 754 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) 755 continue; 756 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, 757 0, NULL)) 758 continue; 759 760 group_id = pgroups[i]; 761 762 if (group_id == 0) { 763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 764 return EXT_RETURN_FAIL; 765 } 766 if (!add_key_share(s, pkt, group_id, valid_keyshare)) { 767 /* SSLfatal() already called */ 768 return EXT_RETURN_FAIL; 769 } 770 valid_keyshare++; 771 if (add_only_one) 772 break; 773 } 774 } 775 776 if (valid_keyshare == 0) { 777 /* No key shares were allowed */ 778 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 779 return EXT_RETURN_FAIL; 780 } 781 782 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 783 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 784 return EXT_RETURN_FAIL; 785 } 786 return EXT_RETURN_SENT; 787 #else 788 return EXT_RETURN_NOT_SENT; 789 #endif 790 } 791 792 EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt, 793 unsigned int context, 794 X509 *x, size_t chainidx) 795 { 796 EXT_RETURN ret = EXT_RETURN_FAIL; 797 798 /* Should only be set if we've had an HRR */ 799 if (s->ext.tls13_cookie_len == 0) 800 return EXT_RETURN_NOT_SENT; 801 802 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 803 /* Extension data sub-packet */ 804 || !WPACKET_start_sub_packet_u16(pkt) 805 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 806 s->ext.tls13_cookie_len) 807 || !WPACKET_close(pkt)) { 808 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 809 goto end; 810 } 811 812 ret = EXT_RETURN_SENT; 813 end: 814 OPENSSL_free(s->ext.tls13_cookie); 815 s->ext.tls13_cookie = NULL; 816 s->ext.tls13_cookie_len = 0; 817 818 return ret; 819 } 820 821 EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, 822 unsigned int context, X509 *x, 823 size_t chainidx) 824 { 825 #ifndef OPENSSL_NO_PSK 826 char identity[PSK_MAX_IDENTITY_LEN + 1]; 827 #endif /* OPENSSL_NO_PSK */ 828 const unsigned char *id = NULL; 829 size_t idlen = 0; 830 SSL_SESSION *psksess = NULL; 831 SSL_SESSION *edsess = NULL; 832 const EVP_MD *handmd = NULL; 833 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 834 835 if (s->hello_retry_request == SSL_HRR_PENDING) 836 handmd = ssl_handshake_md(s); 837 838 if (s->psk_use_session_cb != NULL 839 && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess) 840 || (psksess != NULL 841 && psksess->ssl_version != TLS1_3_VERSION))) { 842 SSL_SESSION_free(psksess); 843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 844 return EXT_RETURN_FAIL; 845 } 846 847 #ifndef OPENSSL_NO_PSK 848 if (psksess == NULL && s->psk_client_callback != NULL) { 849 unsigned char psk[PSK_MAX_PSK_LEN]; 850 size_t psklen = 0; 851 852 memset(identity, 0, sizeof(identity)); 853 psklen = s->psk_client_callback(ussl, NULL, 854 identity, sizeof(identity) - 1, 855 psk, sizeof(psk)); 856 857 if (psklen > PSK_MAX_PSK_LEN) { 858 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 859 return EXT_RETURN_FAIL; 860 } else if (psklen > 0) { 861 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 862 const SSL_CIPHER *cipher; 863 864 idlen = strlen(identity); 865 if (idlen > PSK_MAX_IDENTITY_LEN) { 866 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 867 return EXT_RETURN_FAIL; 868 } 869 id = (unsigned char *)identity; 870 871 /* 872 * We found a PSK using an old style callback. We don't know 873 * the digest so we default to SHA256 as per the TLSv1.3 spec 874 */ 875 cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), 876 tls13_aes128gcmsha256_id); 877 if (cipher == NULL) { 878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 879 return EXT_RETURN_FAIL; 880 } 881 882 psksess = SSL_SESSION_new(); 883 if (psksess == NULL 884 || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 885 || !SSL_SESSION_set_cipher(psksess, cipher) 886 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 888 OPENSSL_cleanse(psk, psklen); 889 return EXT_RETURN_FAIL; 890 } 891 OPENSSL_cleanse(psk, psklen); 892 } 893 } 894 #endif /* OPENSSL_NO_PSK */ 895 896 SSL_SESSION_free(s->psksession); 897 s->psksession = psksess; 898 if (psksess != NULL) { 899 OPENSSL_free(s->psksession_id); 900 s->psksession_id = OPENSSL_memdup(id, idlen); 901 if (s->psksession_id == NULL) { 902 s->psksession_id_len = 0; 903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 904 return EXT_RETURN_FAIL; 905 } 906 s->psksession_id_len = idlen; 907 } 908 909 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 910 || (s->session->ext.max_early_data == 0 911 && (psksess == NULL || psksess->ext.max_early_data == 0))) { 912 s->max_early_data = 0; 913 return EXT_RETURN_NOT_SENT; 914 } 915 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; 916 s->max_early_data = edsess->ext.max_early_data; 917 918 if (edsess->ext.hostname != NULL) { 919 if (s->ext.hostname == NULL 920 || (s->ext.hostname != NULL 921 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 922 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 923 SSL_R_INCONSISTENT_EARLY_DATA_SNI); 924 return EXT_RETURN_FAIL; 925 } 926 } 927 928 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 929 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 930 return EXT_RETURN_FAIL; 931 } 932 933 /* 934 * Verify that we are offering an ALPN protocol consistent with the early 935 * data. 936 */ 937 if (edsess->ext.alpn_selected != NULL) { 938 PACKET prots, alpnpkt; 939 int found = 0; 940 941 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 942 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 943 return EXT_RETURN_FAIL; 944 } 945 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 946 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 947 edsess->ext.alpn_selected_len)) { 948 found = 1; 949 break; 950 } 951 } 952 if (!found) { 953 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 954 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 955 return EXT_RETURN_FAIL; 956 } 957 } 958 959 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 960 || !WPACKET_start_sub_packet_u16(pkt) 961 || !WPACKET_close(pkt)) { 962 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 963 return EXT_RETURN_FAIL; 964 } 965 966 /* 967 * We set this to rejected here. Later, if the server acknowledges the 968 * extension, we set it to accepted. 969 */ 970 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 971 s->ext.early_data_ok = 1; 972 973 return EXT_RETURN_SENT; 974 } 975 976 #define F5_WORKAROUND_MIN_MSG_LEN 0xff 977 #define F5_WORKAROUND_MAX_MSG_LEN 0x200 978 979 /* 980 * PSK pre binder overhead = 981 * 2 bytes for TLSEXT_TYPE_psk 982 * 2 bytes for extension length 983 * 2 bytes for identities list length 984 * 2 bytes for identity length 985 * 4 bytes for obfuscated_ticket_age 986 * 2 bytes for binder list length 987 * 1 byte for binder length 988 * The above excludes the number of bytes for the identity itself and the 989 * subsequent binder bytes 990 */ 991 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 992 993 EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, 994 unsigned int context, X509 *x, 995 size_t chainidx) 996 { 997 unsigned char *padbytes; 998 size_t hlen; 999 1000 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 1001 return EXT_RETURN_NOT_SENT; 1002 1003 /* 1004 * Add padding to workaround bugs in F5 terminators. See RFC7685. 1005 * This code calculates the length of all extensions added so far but 1006 * excludes the PSK extension (because that MUST be written last). Therefore 1007 * this extension MUST always appear second to last. 1008 */ 1009 if (!WPACKET_get_total_written(pkt, &hlen)) { 1010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1011 return EXT_RETURN_FAIL; 1012 } 1013 1014 /* 1015 * If we're going to send a PSK then that will be written out after this 1016 * extension, so we need to calculate how long it is going to be. 1017 */ 1018 if (s->session->ssl_version == TLS1_3_VERSION 1019 && s->session->ext.ticklen != 0 1020 && s->session->cipher != NULL) { 1021 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), 1022 s->session->cipher->algorithm2); 1023 1024 if (md != NULL) { 1025 /* 1026 * Add the fixed PSK overhead, the identity length and the binder 1027 * length. 1028 */ 1029 int md_size = EVP_MD_get_size(md); 1030 1031 if (md_size <= 0) 1032 return EXT_RETURN_FAIL; 1033 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 1034 + md_size; 1035 } 1036 } 1037 1038 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 1039 /* Calculate the amount of padding we need to add */ 1040 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 1041 1042 /* 1043 * Take off the size of extension header itself (2 bytes for type and 1044 * 2 bytes for length bytes), but ensure that the extension is at least 1045 * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 1046 * 8.x are intolerant of that condition) 1047 */ 1048 if (hlen > 4) 1049 hlen -= 4; 1050 else 1051 hlen = 1; 1052 1053 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 1054 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 1055 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1056 return EXT_RETURN_FAIL; 1057 } 1058 memset(padbytes, 0, hlen); 1059 } 1060 1061 return EXT_RETURN_SENT; 1062 } 1063 1064 /* 1065 * Construct the pre_shared_key extension 1066 */ 1067 EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, 1068 unsigned int context, 1069 X509 *x, size_t chainidx) 1070 { 1071 #ifndef OPENSSL_NO_TLS1_3 1072 uint32_t agesec, agems = 0; 1073 size_t binderoffset, msglen; 1074 int reshashsize = 0, pskhashsize = 0; 1075 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 1076 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 1077 int dores = 0; 1078 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1079 OSSL_TIME t; 1080 1081 s->ext.tick_identity = 0; 1082 1083 /* 1084 * Note: At this stage of the code we only support adding a single 1085 * resumption PSK. If we add support for multiple PSKs then the length 1086 * calculations in the padding extension will need to be adjusted. 1087 */ 1088 1089 /* 1090 * If this is an incompatible or new session then we have nothing to resume 1091 * so don't add this extension. 1092 */ 1093 if (s->session->ssl_version != TLS1_3_VERSION 1094 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1095 return EXT_RETURN_NOT_SENT; 1096 1097 if (s->hello_retry_request == SSL_HRR_PENDING) 1098 handmd = ssl_handshake_md(s); 1099 1100 if (s->session->ext.ticklen != 0) { 1101 /* Get the digest associated with the ciphersuite in the session */ 1102 if (s->session->cipher == NULL) { 1103 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1104 return EXT_RETURN_FAIL; 1105 } 1106 mdres = ssl_md(sctx, s->session->cipher->algorithm2); 1107 if (mdres == NULL) { 1108 /* 1109 * Don't recognize this cipher so we can't use the session. 1110 * Ignore it 1111 */ 1112 goto dopsksess; 1113 } 1114 1115 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1116 /* 1117 * Selected ciphersuite hash does not match the hash for the session 1118 * so we can't use it. 1119 */ 1120 goto dopsksess; 1121 } 1122 1123 /* 1124 * Technically the C standard just says time() returns a time_t and says 1125 * nothing about the encoding of that type. In practice most 1126 * implementations follow POSIX which holds it as an integral type in 1127 * seconds since epoch. We've already made the assumption that we can do 1128 * this in multiple places in the code, so portability shouldn't be an 1129 * issue. 1130 */ 1131 t = ossl_time_subtract(ossl_time_now(), s->session->time); 1132 agesec = (uint32_t)ossl_time2seconds(t); 1133 /* 1134 * We calculate the age in seconds but the server may work in ms. Due to 1135 * rounding errors we could overestimate the age by up to 1s. It is 1136 * better to underestimate it. Otherwise, if the RTT is very short, when 1137 * the server calculates the age reported by the client it could be 1138 * bigger than the age calculated on the server - which should never 1139 * happen. 1140 */ 1141 if (agesec > 0) 1142 agesec--; 1143 1144 if (s->session->ext.tick_lifetime_hint < agesec) { 1145 /* Ticket is too old. Ignore it. */ 1146 goto dopsksess; 1147 } 1148 1149 /* 1150 * Calculate age in ms. We're just doing it to nearest second. Should be 1151 * good enough. 1152 */ 1153 agems = agesec * (uint32_t)1000; 1154 1155 if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1156 /* 1157 * Overflow. Shouldn't happen unless this is a *really* old session. 1158 * If so we just ignore it. 1159 */ 1160 goto dopsksess; 1161 } 1162 1163 /* 1164 * Obfuscate the age. Overflow here is fine, this addition is supposed 1165 * to be mod 2^32. 1166 */ 1167 agems += s->session->ext.tick_age_add; 1168 1169 reshashsize = EVP_MD_get_size(mdres); 1170 if (reshashsize <= 0) 1171 goto dopsksess; 1172 s->ext.tick_identity++; 1173 dores = 1; 1174 } 1175 1176 dopsksess: 1177 if (!dores && s->psksession == NULL) 1178 return EXT_RETURN_NOT_SENT; 1179 1180 if (s->psksession != NULL) { 1181 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2); 1182 if (mdpsk == NULL) { 1183 /* 1184 * Don't recognize this cipher so we can't use the session. 1185 * If this happens it's an application bug. 1186 */ 1187 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1188 return EXT_RETURN_FAIL; 1189 } 1190 1191 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1192 /* 1193 * Selected ciphersuite hash does not match the hash for the PSK 1194 * session. This is an application bug. 1195 */ 1196 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1197 return EXT_RETURN_FAIL; 1198 } 1199 1200 pskhashsize = EVP_MD_get_size(mdpsk); 1201 if (pskhashsize <= 0) { 1202 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1203 return EXT_RETURN_FAIL; 1204 } 1205 } 1206 1207 /* Create the extension, but skip over the binder for now */ 1208 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1209 || !WPACKET_start_sub_packet_u16(pkt) 1210 || !WPACKET_start_sub_packet_u16(pkt)) { 1211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1212 return EXT_RETURN_FAIL; 1213 } 1214 1215 if (dores) { 1216 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1217 s->session->ext.ticklen) 1218 || !WPACKET_put_bytes_u32(pkt, agems)) { 1219 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1220 return EXT_RETURN_FAIL; 1221 } 1222 } 1223 1224 if (s->psksession != NULL) { 1225 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1226 s->psksession_id_len) 1227 || !WPACKET_put_bytes_u32(pkt, 0)) { 1228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1229 return EXT_RETURN_FAIL; 1230 } 1231 s->ext.tick_identity++; 1232 } 1233 1234 if (!WPACKET_close(pkt) 1235 || !WPACKET_get_total_written(pkt, &binderoffset) 1236 || !WPACKET_start_sub_packet_u16(pkt) 1237 || (dores 1238 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1239 || (s->psksession != NULL 1240 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1241 || !WPACKET_close(pkt) 1242 || !WPACKET_close(pkt) 1243 || !WPACKET_get_total_written(pkt, &msglen) 1244 /* 1245 * We need to fill in all the sub-packet lengths now so we can 1246 * calculate the HMAC of the message up to the binders 1247 */ 1248 || !WPACKET_fill_lengths(pkt)) { 1249 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1250 return EXT_RETURN_FAIL; 1251 } 1252 1253 msgstart = WPACKET_get_curr(pkt) - msglen; 1254 1255 if (dores 1256 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1257 resbinder, s->session, 1, 0) != 1) { 1258 /* SSLfatal() already called */ 1259 return EXT_RETURN_FAIL; 1260 } 1261 1262 if (s->psksession != NULL 1263 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1264 pskbinder, s->psksession, 1, 1) != 1) { 1265 /* SSLfatal() already called */ 1266 return EXT_RETURN_FAIL; 1267 } 1268 1269 return EXT_RETURN_SENT; 1270 #else 1271 return EXT_RETURN_NOT_SENT; 1272 #endif 1273 } 1274 1275 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt, 1276 ossl_unused unsigned int context, 1277 ossl_unused X509 *x, 1278 ossl_unused size_t chainidx) 1279 { 1280 #ifndef OPENSSL_NO_TLS1_3 1281 if (!s->pha_enabled) 1282 return EXT_RETURN_NOT_SENT; 1283 1284 /* construct extension - 0 length, no contents */ 1285 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1286 || !WPACKET_start_sub_packet_u16(pkt) 1287 || !WPACKET_close(pkt)) { 1288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1289 return EXT_RETURN_FAIL; 1290 } 1291 1292 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1293 1294 return EXT_RETURN_SENT; 1295 #else 1296 return EXT_RETURN_NOT_SENT; 1297 #endif 1298 } 1299 1300 1301 /* 1302 * Parse the server's renegotiation binding and abort if it's not right 1303 */ 1304 int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt, 1305 unsigned int context, 1306 X509 *x, size_t chainidx) 1307 { 1308 size_t expected_len = s->s3.previous_client_finished_len 1309 + s->s3.previous_server_finished_len; 1310 size_t ilen; 1311 const unsigned char *data; 1312 1313 /* Check for logic errors */ 1314 if (!ossl_assert(expected_len == 0 1315 || s->s3.previous_client_finished_len != 0) 1316 || !ossl_assert(expected_len == 0 1317 || s->s3.previous_server_finished_len != 0)) { 1318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1319 return 0; 1320 } 1321 1322 /* Parse the length byte */ 1323 if (!PACKET_get_1_len(pkt, &ilen)) { 1324 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1325 return 0; 1326 } 1327 1328 /* Consistency check */ 1329 if (PACKET_remaining(pkt) != ilen) { 1330 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1331 return 0; 1332 } 1333 1334 /* Check that the extension matches */ 1335 if (ilen != expected_len) { 1336 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1337 return 0; 1338 } 1339 1340 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) 1341 || memcmp(data, s->s3.previous_client_finished, 1342 s->s3.previous_client_finished_len) != 0) { 1343 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1344 return 0; 1345 } 1346 1347 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) 1348 || memcmp(data, s->s3.previous_server_finished, 1349 s->s3.previous_server_finished_len) != 0) { 1350 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1351 return 0; 1352 } 1353 s->s3.send_connection_binding = 1; 1354 1355 return 1; 1356 } 1357 1358 /* Parse the server's max fragment len extension packet */ 1359 int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt, 1360 unsigned int context, 1361 X509 *x, size_t chainidx) 1362 { 1363 unsigned int value; 1364 1365 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1366 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1367 return 0; 1368 } 1369 1370 /* |value| should contains a valid max-fragment-length code. */ 1371 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1372 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1373 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1374 return 0; 1375 } 1376 1377 /* Must be the same value as client-configured one who was sent to server */ 1378 /*- 1379 * RFC 6066: if a client receives a maximum fragment length negotiation 1380 * response that differs from the length it requested, ... 1381 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1382 */ 1383 if (value != s->ext.max_fragment_len_mode) { 1384 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1385 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1386 return 0; 1387 } 1388 1389 /* 1390 * Maximum Fragment Length Negotiation succeeded. 1391 * The negotiated Maximum Fragment Length is binding now. 1392 */ 1393 s->session->ext.max_fragment_len_mode = value; 1394 1395 return 1; 1396 } 1397 1398 int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt, 1399 unsigned int context, 1400 X509 *x, size_t chainidx) 1401 { 1402 if (s->ext.hostname == NULL) { 1403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1404 return 0; 1405 } 1406 1407 if (PACKET_remaining(pkt) > 0) { 1408 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1409 return 0; 1410 } 1411 1412 if (!s->hit) { 1413 if (s->session->ext.hostname != NULL) { 1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1415 return 0; 1416 } 1417 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1418 if (s->session->ext.hostname == NULL) { 1419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1420 return 0; 1421 } 1422 } 1423 1424 return 1; 1425 } 1426 1427 int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt, 1428 unsigned int context, 1429 X509 *x, size_t chainidx) 1430 { 1431 size_t ecpointformats_len; 1432 PACKET ecptformatlist; 1433 1434 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1435 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1436 return 0; 1437 } 1438 if (!s->hit) { 1439 ecpointformats_len = PACKET_remaining(&ecptformatlist); 1440 if (ecpointformats_len == 0) { 1441 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1442 return 0; 1443 } 1444 1445 s->ext.peer_ecpointformats_len = 0; 1446 OPENSSL_free(s->ext.peer_ecpointformats); 1447 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); 1448 if (s->ext.peer_ecpointformats == NULL) { 1449 s->ext.peer_ecpointformats_len = 0; 1450 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1451 return 0; 1452 } 1453 1454 s->ext.peer_ecpointformats_len = ecpointformats_len; 1455 1456 if (!PACKET_copy_bytes(&ecptformatlist, 1457 s->ext.peer_ecpointformats, 1458 ecpointformats_len)) { 1459 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1460 return 0; 1461 } 1462 } 1463 1464 return 1; 1465 } 1466 1467 int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt, 1468 unsigned int context, 1469 X509 *x, size_t chainidx) 1470 { 1471 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 1472 1473 if (s->ext.session_ticket_cb != NULL && 1474 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), 1475 PACKET_remaining(pkt), 1476 s->ext.session_ticket_cb_arg)) { 1477 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1478 return 0; 1479 } 1480 1481 if (!tls_use_ticket(s)) { 1482 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1483 return 0; 1484 } 1485 if (PACKET_remaining(pkt) > 0) { 1486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1487 return 0; 1488 } 1489 1490 s->ext.ticket_expected = 1; 1491 1492 return 1; 1493 } 1494 1495 #ifndef OPENSSL_NO_OCSP 1496 int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, 1497 unsigned int context, 1498 X509 *x, size_t chainidx) 1499 { 1500 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1501 /* We ignore this if the server sends a CertificateRequest */ 1502 return 1; 1503 } 1504 1505 /* 1506 * MUST only be sent if we've requested a status 1507 * request message. In TLS <= 1.2 it must also be empty. 1508 */ 1509 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 1510 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1511 return 0; 1512 } 1513 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { 1514 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1515 return 0; 1516 } 1517 1518 if (SSL_CONNECTION_IS_TLS13(s)) { 1519 /* We only know how to handle this if it's for the first Certificate in 1520 * the chain. We ignore any other responses. 1521 */ 1522 if (chainidx != 0) 1523 return 1; 1524 1525 /* SSLfatal() already called */ 1526 return tls_process_cert_status_body(s, pkt); 1527 } 1528 1529 /* Set flag to expect CertificateStatus message */ 1530 s->ext.status_expected = 1; 1531 1532 return 1; 1533 } 1534 #endif 1535 1536 1537 #ifndef OPENSSL_NO_CT 1538 int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1539 X509 *x, size_t chainidx) 1540 { 1541 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1542 /* We ignore this if the server sends it in a CertificateRequest */ 1543 return 1; 1544 } 1545 1546 /* 1547 * Only take it if we asked for it - i.e if there is no CT validation 1548 * callback set, then a custom extension MAY be processing it, so we 1549 * need to let control continue to flow to that. 1550 */ 1551 if (s->ct_validation_callback != NULL) { 1552 size_t size = PACKET_remaining(pkt); 1553 1554 /* Simply copy it off for later processing */ 1555 OPENSSL_free(s->ext.scts); 1556 s->ext.scts = NULL; 1557 1558 s->ext.scts_len = (uint16_t)size; 1559 if (size > 0) { 1560 s->ext.scts = OPENSSL_malloc(size); 1561 if (s->ext.scts == NULL) { 1562 s->ext.scts_len = 0; 1563 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 1564 return 0; 1565 } 1566 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { 1567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1568 return 0; 1569 } 1570 } 1571 } else { 1572 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 1573 ? ENDPOINT_CLIENT : ENDPOINT_BOTH; 1574 1575 /* 1576 * If we didn't ask for it then there must be a custom extension, 1577 * otherwise this is unsolicited. 1578 */ 1579 if (custom_ext_find(&s->cert->custext, role, 1580 TLSEXT_TYPE_signed_certificate_timestamp, 1581 NULL) == NULL) { 1582 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1583 return 0; 1584 } 1585 1586 if (!custom_ext_parse(s, context, 1587 TLSEXT_TYPE_signed_certificate_timestamp, 1588 PACKET_data(pkt), PACKET_remaining(pkt), 1589 x, chainidx)) { 1590 /* SSLfatal already called */ 1591 return 0; 1592 } 1593 } 1594 1595 return 1; 1596 } 1597 #endif 1598 1599 1600 #ifndef OPENSSL_NO_NEXTPROTONEG 1601 /* 1602 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1603 * elements of zero length are allowed and the set of elements must exactly 1604 * fill the length of the block. Returns 1 on success or 0 on failure. 1605 */ 1606 static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt) 1607 { 1608 PACKET tmp_protocol; 1609 1610 while (PACKET_remaining(pkt)) { 1611 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 1612 || PACKET_remaining(&tmp_protocol) == 0) { 1613 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1614 return 0; 1615 } 1616 } 1617 1618 return 1; 1619 } 1620 1621 int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1622 X509 *x, size_t chainidx) 1623 { 1624 unsigned char *selected; 1625 unsigned char selected_len; 1626 PACKET tmppkt; 1627 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1628 1629 /* Check if we are in a renegotiation. If so ignore this extension */ 1630 if (!SSL_IS_FIRST_HANDSHAKE(s)) 1631 return 1; 1632 1633 /* We must have requested it. */ 1634 if (sctx->ext.npn_select_cb == NULL) { 1635 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1636 return 0; 1637 } 1638 1639 /* The data must be valid */ 1640 tmppkt = *pkt; 1641 if (!ssl_next_proto_validate(s, &tmppkt)) { 1642 /* SSLfatal() already called */ 1643 return 0; 1644 } 1645 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), 1646 &selected, &selected_len, 1647 PACKET_data(pkt), PACKET_remaining(pkt), 1648 sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK 1649 || selected_len == 0) { 1650 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1651 return 0; 1652 } 1653 1654 /* 1655 * Could be non-NULL if server has sent multiple NPN extensions in 1656 * a single Serverhello 1657 */ 1658 OPENSSL_free(s->ext.npn); 1659 s->ext.npn = OPENSSL_malloc(selected_len); 1660 if (s->ext.npn == NULL) { 1661 s->ext.npn_len = 0; 1662 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1663 return 0; 1664 } 1665 1666 memcpy(s->ext.npn, selected, selected_len); 1667 s->ext.npn_len = selected_len; 1668 s->s3.npn_seen = 1; 1669 1670 return 1; 1671 } 1672 #endif 1673 1674 int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1675 X509 *x, size_t chainidx) 1676 { 1677 size_t len; 1678 PACKET confpkt, protpkt; 1679 int valid = 0; 1680 1681 /* We must have requested it. */ 1682 if (!s->s3.alpn_sent) { 1683 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1684 return 0; 1685 } 1686 /*- 1687 * The extension data consists of: 1688 * uint16 list_length 1689 * uint8 proto_length; 1690 * uint8 proto[proto_length]; 1691 */ 1692 if (!PACKET_get_net_2_len(pkt, &len) 1693 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) 1694 || PACKET_remaining(pkt) != len) { 1695 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1696 return 0; 1697 } 1698 1699 /* It must be a protocol that we sent */ 1700 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { 1701 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1702 return 0; 1703 } 1704 while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { 1705 if (PACKET_remaining(&protpkt) != len) 1706 continue; 1707 if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { 1708 /* Valid protocol found */ 1709 valid = 1; 1710 break; 1711 } 1712 } 1713 1714 if (!valid) { 1715 /* The protocol sent from the server does not match one we advertised */ 1716 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1717 return 0; 1718 } 1719 1720 OPENSSL_free(s->s3.alpn_selected); 1721 s->s3.alpn_selected = OPENSSL_malloc(len); 1722 if (s->s3.alpn_selected == NULL) { 1723 s->s3.alpn_selected_len = 0; 1724 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1725 return 0; 1726 } 1727 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { 1728 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1729 return 0; 1730 } 1731 s->s3.alpn_selected_len = len; 1732 1733 if (s->session->ext.alpn_selected == NULL 1734 || s->session->ext.alpn_selected_len != len 1735 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) 1736 != 0) { 1737 /* ALPN not consistent with the old session so cannot use early_data */ 1738 s->ext.early_data_ok = 0; 1739 } 1740 if (!s->hit) { 1741 /* 1742 * This is a new session and so alpn_selected should have been 1743 * initialised to NULL. We should update it with the selected ALPN. 1744 */ 1745 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 1746 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1747 return 0; 1748 } 1749 s->session->ext.alpn_selected = 1750 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); 1751 if (s->session->ext.alpn_selected == NULL) { 1752 s->session->ext.alpn_selected_len = 0; 1753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1754 return 0; 1755 } 1756 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; 1757 } 1758 1759 return 1; 1760 } 1761 1762 #ifndef OPENSSL_NO_SRTP 1763 int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt, 1764 unsigned int context, X509 *x, size_t chainidx) 1765 { 1766 unsigned int id, ct, mki; 1767 int i; 1768 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1769 SRTP_PROTECTION_PROFILE *prof; 1770 1771 if (!PACKET_get_net_2(pkt, &ct) || ct != 2 1772 || !PACKET_get_net_2(pkt, &id) 1773 || !PACKET_get_1(pkt, &mki) 1774 || PACKET_remaining(pkt) != 0) { 1775 SSLfatal(s, SSL_AD_DECODE_ERROR, 1776 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1777 return 0; 1778 } 1779 1780 if (mki != 0) { 1781 /* Must be no MKI, since we never offer one */ 1782 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE); 1783 return 0; 1784 } 1785 1786 /* Throw an error if the server gave us an unsolicited extension */ 1787 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s)); 1788 if (clnt == NULL) { 1789 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES); 1790 return 0; 1791 } 1792 1793 /* 1794 * Check to see if the server gave us something we support (and 1795 * presumably offered) 1796 */ 1797 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1798 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 1799 1800 if (prof->id == id) { 1801 s->srtp_profile = prof; 1802 return 1; 1803 } 1804 } 1805 1806 SSLfatal(s, SSL_AD_DECODE_ERROR, 1807 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1808 return 0; 1809 } 1810 #endif 1811 1812 int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1813 X509 *x, size_t chainidx) 1814 { 1815 /* Ignore if inappropriate ciphersuite */ 1816 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 1817 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD 1818 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 1819 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT 1820 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 1821 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA 1822 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) 1823 s->ext.use_etm = 1; 1824 1825 return 1; 1826 } 1827 1828 int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1829 X509 *x, size_t chainidx) 1830 { 1831 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 1832 return 1; 1833 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; 1834 if (!s->hit) 1835 s->session->flags |= SSL_SESS_FLAG_EXTMS; 1836 1837 return 1; 1838 } 1839 1840 int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt, 1841 unsigned int context, 1842 X509 *x, size_t chainidx) 1843 { 1844 unsigned int version; 1845 1846 if (!PACKET_get_net_2(pkt, &version) 1847 || PACKET_remaining(pkt) != 0) { 1848 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1849 return 0; 1850 } 1851 1852 /* 1853 * The only protocol version we support which is valid in this extension in 1854 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. 1855 */ 1856 if (version != TLS1_3_VERSION) { 1857 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1858 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1859 return 0; 1860 } 1861 1862 /* We ignore this extension for HRRs except to sanity check it */ 1863 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) 1864 return 1; 1865 1866 /* We just set it here. We validate it in ssl_choose_client_version */ 1867 s->version = version; 1868 if (!ssl_set_record_protocol_version(s, version)) { 1869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1870 return 0; 1871 } 1872 1873 return 1; 1874 } 1875 1876 int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, 1877 unsigned int context, X509 *x, 1878 size_t chainidx) 1879 { 1880 #ifndef OPENSSL_NO_TLS1_3 1881 unsigned int group_id; 1882 PACKET encoded_pt; 1883 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; 1884 const TLS_GROUP_INFO *ginf = NULL; 1885 uint16_t valid_ks_id = 0; 1886 size_t i; 1887 1888 /* Sanity check */ 1889 if (ckey == NULL || s->s3.peer_tmp != NULL) { 1890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1891 return 0; 1892 } 1893 1894 /* Which group ID does the server want -> group_id */ 1895 if (!PACKET_get_net_2(pkt, &group_id)) { 1896 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1897 return 0; 1898 } 1899 1900 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { 1901 const uint16_t *pgroups = NULL; 1902 size_t num_groups; 1903 1904 if (PACKET_remaining(pkt) != 0) { 1905 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1906 return 0; 1907 } 1908 1909 /* 1910 * It is an error if the HelloRetryRequest wants a key_share that we 1911 * already sent in the first ClientHello 1912 */ 1913 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1914 if (s->s3.tmp.ks_group_id[i] == group_id) { 1915 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1916 return 0; 1917 } 1918 } 1919 1920 /* Validate the selected group is one we support */ 1921 tls1_get_supported_groups(s, &pgroups, &num_groups); 1922 for (i = 0; i < num_groups; i++) { 1923 if (group_id == pgroups[i]) 1924 break; 1925 } 1926 if (i >= num_groups 1927 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) 1928 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, 1929 0, NULL)) { 1930 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1931 return 0; 1932 } 1933 1934 /* Memorize which groupID the server wants */ 1935 s->s3.group_id = group_id; 1936 1937 /* The initial keyshares are obsolete now, hence free memory */ 1938 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1939 if (s->s3.tmp.ks_pkey[i] != NULL) { 1940 EVP_PKEY_free(s->s3.tmp.ks_pkey[i]); 1941 s->s3.tmp.ks_pkey[i] = NULL; 1942 } 1943 } 1944 s->s3.tmp.num_ks_pkey = 0; 1945 s->s3.tmp.pkey = NULL; 1946 1947 return 1; 1948 } 1949 1950 /* 1951 * check that the group requested by the server is one we've 1952 * sent a key share for, and if so: memorize which one 1953 */ 1954 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1955 if (s->s3.tmp.ks_group_id[i] == group_id) { 1956 valid_ks_id = group_id; 1957 ckey = s->s3.tmp.ks_pkey[i]; 1958 s->s3.group_id = group_id; 1959 s->s3.tmp.pkey = ckey; 1960 break; 1961 } 1962 } 1963 if (valid_ks_id == 0) { 1964 /* 1965 * This isn't for the group that we sent in the original 1966 * key_share! 1967 */ 1968 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1969 return 0; 1970 } 1971 /* Retain this group in the SSL_SESSION */ 1972 if (!s->hit) { 1973 s->session->kex_group = group_id; 1974 } else if (group_id != s->session->kex_group) { 1975 /* 1976 * If this is a resumption but changed what group was used, we need 1977 * to record the new group in the session, but the session is not 1978 * a new session and could be in use by other threads. So, make 1979 * a copy of the session to record the new information so that it's 1980 * useful for any sessions resumed from tickets issued on this 1981 * connection. 1982 */ 1983 SSL_SESSION *new_sess; 1984 1985 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) { 1986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 1987 return 0; 1988 } 1989 SSL_SESSION_free(s->session); 1990 s->session = new_sess; 1991 s->session->kex_group = group_id; 1992 } 1993 1994 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), 1995 group_id)) == NULL) { 1996 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1997 return 0; 1998 } 1999 2000 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) 2001 || PACKET_remaining(&encoded_pt) == 0) { 2002 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2003 return 0; 2004 } 2005 2006 if (!ginf->is_kem) { 2007 /* Regular KEX */ 2008 skey = EVP_PKEY_new(); 2009 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { 2010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); 2011 EVP_PKEY_free(skey); 2012 return 0; 2013 } 2014 2015 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt), 2016 PACKET_remaining(&encoded_pt)) <= 0) { 2017 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 2018 EVP_PKEY_free(skey); 2019 return 0; 2020 } 2021 2022 if (ssl_derive(s, ckey, skey, 1) == 0) { 2023 /* SSLfatal() already called */ 2024 EVP_PKEY_free(skey); 2025 return 0; 2026 } 2027 s->s3.peer_tmp = skey; 2028 } else { 2029 /* KEM Mode */ 2030 const unsigned char *ct = PACKET_data(&encoded_pt); 2031 size_t ctlen = PACKET_remaining(&encoded_pt); 2032 2033 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) { 2034 /* SSLfatal() already called */ 2035 return 0; 2036 } 2037 } 2038 s->s3.did_kex = 1; 2039 #endif 2040 2041 return 1; 2042 } 2043 2044 int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 2045 X509 *x, size_t chainidx) 2046 { 2047 PACKET cookie; 2048 2049 if (!PACKET_as_length_prefixed_2(pkt, &cookie) 2050 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, 2051 &s->ext.tls13_cookie_len)) { 2052 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2053 return 0; 2054 } 2055 2056 return 1; 2057 } 2058 2059 int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt, 2060 unsigned int context, 2061 X509 *x, size_t chainidx) 2062 { 2063 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 2064 unsigned long max_early_data; 2065 2066 if (!PACKET_get_net_4(pkt, &max_early_data) 2067 || PACKET_remaining(pkt) != 0) { 2068 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA); 2069 return 0; 2070 } 2071 2072 s->session->ext.max_early_data = max_early_data; 2073 2074 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) { 2075 /* 2076 * QUIC allows missing max_early_data, or a max_early_data value 2077 * of 0xffffffff. Missing max_early_data is stored in the session 2078 * as 0. This is indistinguishable in OpenSSL from a present 2079 * max_early_data value that was 0. In order that later checks for 2080 * invalid max_early_data correctly treat as an error the case where 2081 * max_early_data is present and it is 0, we store any invalid 2082 * value in the same (non-zero) way. Otherwise we would have to 2083 * introduce a new flag just for this. 2084 */ 2085 s->session->ext.max_early_data = 1; 2086 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA); 2087 return 0; 2088 } 2089 2090 return 1; 2091 } 2092 2093 if (PACKET_remaining(pkt) != 0) { 2094 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2095 return 0; 2096 } 2097 2098 if (!s->ext.early_data_ok 2099 || !s->hit) { 2100 /* 2101 * If we get here then we didn't send early data, or we didn't resume 2102 * using the first identity, or the SNI/ALPN is not consistent so the 2103 * server should not be accepting it. 2104 */ 2105 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 2106 return 0; 2107 } 2108 2109 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 2110 2111 return 1; 2112 } 2113 2114 int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt, 2115 unsigned int context, X509 *x, 2116 size_t chainidx) 2117 { 2118 #ifndef OPENSSL_NO_TLS1_3 2119 unsigned int identity; 2120 2121 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { 2122 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2123 return 0; 2124 } 2125 2126 if (identity >= (unsigned int)s->ext.tick_identity) { 2127 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY); 2128 return 0; 2129 } 2130 2131 /* 2132 * Session resumption tickets are always sent before PSK tickets. If the 2133 * ticket index is 0 then it must be for a session resumption ticket if we 2134 * sent two tickets, or if we didn't send a PSK ticket. 2135 */ 2136 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { 2137 s->hit = 1; 2138 SSL_SESSION_free(s->psksession); 2139 s->psksession = NULL; 2140 return 1; 2141 } 2142 2143 if (s->psksession == NULL) { 2144 /* Should never happen */ 2145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2146 return 0; 2147 } 2148 2149 /* 2150 * If we used the external PSK for sending early_data then s->early_secret 2151 * is already set up, so don't overwrite it. Otherwise we copy the 2152 * early_secret across that we generated earlier. 2153 */ 2154 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 2155 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 2156 || s->session->ext.max_early_data > 0 2157 || s->psksession->ext.max_early_data == 0) 2158 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); 2159 2160 SSL_SESSION_free(s->session); 2161 s->session = s->psksession; 2162 s->psksession = NULL; 2163 s->hit = 1; 2164 /* Early data is only allowed if we used the first ticket */ 2165 if (identity != 0) 2166 s->ext.early_data_ok = 0; 2167 #endif 2168 2169 return 1; 2170 } 2171 2172 EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, 2173 unsigned int context, 2174 X509 *x, size_t chainidx) 2175 { 2176 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; 2177 if (sc->client_cert_type == NULL) 2178 return EXT_RETURN_NOT_SENT; 2179 2180 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type) 2181 || !WPACKET_start_sub_packet_u16(pkt) 2182 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len) 2183 || !WPACKET_close(pkt)) { 2184 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2185 return EXT_RETURN_FAIL; 2186 } 2187 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; 2188 return EXT_RETURN_SENT; 2189 } 2190 2191 int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt, 2192 unsigned int context, 2193 X509 *x, size_t chainidx) 2194 { 2195 unsigned int type; 2196 2197 if (PACKET_remaining(pkt) != 1) { 2198 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2199 return 0; 2200 } 2201 if (!PACKET_get_1(pkt, &type)) { 2202 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2203 return 0; 2204 } 2205 /* We did not send/ask for this */ 2206 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { 2207 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2208 return 0; 2209 } 2210 /* We don't have this enabled */ 2211 if (sc->client_cert_type == NULL) { 2212 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2213 return 0; 2214 } 2215 /* Given back a value we didn't configure */ 2216 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) { 2217 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); 2218 return 0; 2219 } 2220 sc->ext.client_cert_type = type; 2221 return 1; 2222 } 2223 2224 EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, 2225 unsigned int context, 2226 X509 *x, size_t chainidx) 2227 { 2228 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; 2229 if (sc->server_cert_type == NULL) 2230 return EXT_RETURN_NOT_SENT; 2231 2232 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type) 2233 || !WPACKET_start_sub_packet_u16(pkt) 2234 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len) 2235 || !WPACKET_close(pkt)) { 2236 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2237 return EXT_RETURN_FAIL; 2238 } 2239 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; 2240 return EXT_RETURN_SENT; 2241 } 2242 2243 int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt, 2244 unsigned int context, 2245 X509 *x, size_t chainidx) 2246 { 2247 unsigned int type; 2248 2249 if (PACKET_remaining(pkt) != 1) { 2250 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2251 return 0; 2252 } 2253 if (!PACKET_get_1(pkt, &type)) { 2254 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2255 return 0; 2256 } 2257 /* We did not send/ask for this */ 2258 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { 2259 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2260 return 0; 2261 } 2262 /* We don't have this enabled */ 2263 if (sc->server_cert_type == NULL) { 2264 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2265 return 0; 2266 } 2267 /* Given back a value we didn't configure */ 2268 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) { 2269 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); 2270 return 0; 2271 } 2272 sc->ext.server_cert_type = type; 2273 return 1; 2274 } 2275