1 /* 2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "../ssl_local.h" 12 #include "internal/cryptlib.h" 13 #include "internal/ssl_unwrap.h" 14 #include "statem_local.h" 15 16 EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt, 17 unsigned int context, X509 *x, 18 size_t chainidx) 19 { 20 if (!s->renegotiate) { 21 /* If not renegotiating, send an empty RI extension to indicate support */ 22 23 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION 24 # error Internal DTLS version error 25 #endif 26 27 if (!SSL_CONNECTION_IS_DTLS(s) 28 && (s->min_proto_version >= TLS1_3_VERSION 29 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) 30 && s->min_proto_version <= TLS1_VERSION))) { 31 /* 32 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this 33 * extension isn't used at all. 34 */ 35 return EXT_RETURN_NOT_SENT; 36 } 37 38 39 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 40 || !WPACKET_start_sub_packet_u16(pkt) 41 || !WPACKET_put_bytes_u8(pkt, 0) 42 || !WPACKET_close(pkt)) { 43 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 44 return EXT_RETURN_FAIL; 45 } 46 47 return EXT_RETURN_SENT; 48 } 49 50 /* Add a complete RI extension if renegotiating */ 51 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) 52 || !WPACKET_start_sub_packet_u16(pkt) 53 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, 54 s->s3.previous_client_finished_len) 55 || !WPACKET_close(pkt)) { 56 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 57 return EXT_RETURN_FAIL; 58 } 59 60 return EXT_RETURN_SENT; 61 } 62 63 EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt, 64 unsigned int context, X509 *x, 65 size_t chainidx) 66 { 67 if (s->ext.hostname == NULL) 68 return EXT_RETURN_NOT_SENT; 69 70 /* Add TLS extension servername to the Client Hello message */ 71 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) 72 /* Sub-packet for server_name extension */ 73 || !WPACKET_start_sub_packet_u16(pkt) 74 /* Sub-packet for servername list (always 1 hostname)*/ 75 || !WPACKET_start_sub_packet_u16(pkt) 76 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) 77 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, 78 strlen(s->ext.hostname)) 79 || !WPACKET_close(pkt) 80 || !WPACKET_close(pkt)) { 81 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 82 return EXT_RETURN_FAIL; 83 } 84 85 return EXT_RETURN_SENT; 86 } 87 88 /* Push a Max Fragment Len extension into ClientHello */ 89 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt, 90 unsigned int context, X509 *x, 91 size_t chainidx) 92 { 93 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) 94 return EXT_RETURN_NOT_SENT; 95 96 /* Add Max Fragment Length extension if client enabled it. */ 97 /*- 98 * 4 bytes for this extension type and extension length 99 * 1 byte for the Max Fragment Length code value. 100 */ 101 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) 102 /* Sub-packet for Max Fragment Length extension (1 byte) */ 103 || !WPACKET_start_sub_packet_u16(pkt) 104 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) 105 || !WPACKET_close(pkt)) { 106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 107 return EXT_RETURN_FAIL; 108 } 109 110 return EXT_RETURN_SENT; 111 } 112 113 #ifndef OPENSSL_NO_SRP 114 EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt, 115 unsigned int context, 116 X509 *x, size_t chainidx) 117 { 118 /* Add SRP username if there is one */ 119 if (s->srp_ctx.login == NULL) 120 return EXT_RETURN_NOT_SENT; 121 122 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) 123 /* Sub-packet for SRP extension */ 124 || !WPACKET_start_sub_packet_u16(pkt) 125 || !WPACKET_start_sub_packet_u8(pkt) 126 /* login must not be zero...internal error if so */ 127 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) 128 || !WPACKET_memcpy(pkt, s->srp_ctx.login, 129 strlen(s->srp_ctx.login)) 130 || !WPACKET_close(pkt) 131 || !WPACKET_close(pkt)) { 132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 133 return EXT_RETURN_FAIL; 134 } 135 136 return EXT_RETURN_SENT; 137 } 138 #endif 139 140 static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version) 141 { 142 int i, end, ret = 0; 143 unsigned long alg_k, alg_a; 144 STACK_OF(SSL_CIPHER) *cipher_stack = NULL; 145 const uint16_t *pgroups = NULL; 146 size_t num_groups, j; 147 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 148 149 /* See if we support any ECC ciphersuites */ 150 if (s->version == SSL3_VERSION) 151 return 0; 152 153 cipher_stack = SSL_get1_supported_ciphers(ssl); 154 end = sk_SSL_CIPHER_num(cipher_stack); 155 for (i = 0; i < end; i++) { 156 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); 157 158 alg_k = c->algorithm_mkey; 159 alg_a = c->algorithm_auth; 160 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) 161 || (alg_a & SSL_aECDSA) 162 || c->min_tls >= TLS1_3_VERSION) { 163 ret = 1; 164 break; 165 } 166 } 167 sk_SSL_CIPHER_free(cipher_stack); 168 if (!ret) 169 return 0; 170 171 /* Check we have at least one EC supported group */ 172 tls1_get_supported_groups(s, &pgroups, &num_groups); 173 for (j = 0; j < num_groups; j++) { 174 uint16_t ctmp = pgroups[j]; 175 176 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) 177 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) 178 return 1; 179 } 180 181 return 0; 182 } 183 184 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt, 185 unsigned int context, X509 *x, 186 size_t chainidx) 187 { 188 const unsigned char *pformats; 189 size_t num_formats; 190 int reason, min_version, max_version; 191 192 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 193 if (reason != 0) { 194 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 195 return EXT_RETURN_FAIL; 196 } 197 if (!use_ecc(s, min_version, max_version)) 198 return EXT_RETURN_NOT_SENT; 199 200 /* Add TLS extension ECPointFormats to the ClientHello message */ 201 tls1_get_formatlist(s, &pformats, &num_formats); 202 203 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) 204 /* Sub-packet for formats extension */ 205 || !WPACKET_start_sub_packet_u16(pkt) 206 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) 207 || !WPACKET_close(pkt)) { 208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 209 return EXT_RETURN_FAIL; 210 } 211 212 return EXT_RETURN_SENT; 213 } 214 215 EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, 216 unsigned int context, X509 *x, 217 size_t chainidx) 218 { 219 const uint16_t *pgroups = NULL; 220 size_t num_groups = 0, i, tls13added = 0, added = 0; 221 int min_version, max_version, reason; 222 223 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 224 if (reason != 0) { 225 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 226 return EXT_RETURN_FAIL; 227 } 228 229 /* 230 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore 231 * if we don't have EC support then we don't send this extension. 232 */ 233 if (!use_ecc(s, min_version, max_version) 234 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)) 235 return EXT_RETURN_NOT_SENT; 236 237 /* 238 * Add TLS extension supported_groups to the ClientHello message 239 */ 240 tls1_get_supported_groups(s, &pgroups, &num_groups); 241 242 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) 243 /* Sub-packet for supported_groups extension */ 244 || !WPACKET_start_sub_packet_u16(pkt) 245 || !WPACKET_start_sub_packet_u16(pkt) 246 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { 247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 248 return EXT_RETURN_FAIL; 249 } 250 /* Copy group ID if supported */ 251 for (i = 0; i < num_groups; i++) { 252 uint16_t ctmp = pgroups[i]; 253 int okfortls13; 254 255 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) 256 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { 257 if (!WPACKET_put_bytes_u16(pkt, ctmp)) { 258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 259 return EXT_RETURN_FAIL; 260 } 261 if (okfortls13 && max_version == TLS1_3_VERSION) 262 tls13added++; 263 added++; 264 } 265 } 266 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 267 if (added == 0) 268 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 269 "No groups enabled for max supported SSL/TLS version"); 270 else 271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 272 return EXT_RETURN_FAIL; 273 } 274 275 if (tls13added == 0 && max_version == TLS1_3_VERSION) { 276 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, 277 "No groups enabled for max supported SSL/TLS version"); 278 return EXT_RETURN_FAIL; 279 } 280 281 return EXT_RETURN_SENT; 282 } 283 284 EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt, 285 unsigned int context, X509 *x, 286 size_t chainidx) 287 { 288 size_t ticklen; 289 290 if (!tls_use_ticket(s)) 291 return EXT_RETURN_NOT_SENT; 292 293 if (!s->new_session && s->session != NULL 294 && s->session->ext.tick != NULL 295 && s->session->ssl_version != TLS1_3_VERSION) { 296 ticklen = s->session->ext.ticklen; 297 } else if (s->session && s->ext.session_ticket != NULL 298 && s->ext.session_ticket->data != NULL) { 299 ticklen = s->ext.session_ticket->length; 300 s->session->ext.tick = OPENSSL_malloc(ticklen); 301 if (s->session->ext.tick == NULL) { 302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 303 return EXT_RETURN_FAIL; 304 } 305 memcpy(s->session->ext.tick, 306 s->ext.session_ticket->data, ticklen); 307 s->session->ext.ticklen = ticklen; 308 } else { 309 ticklen = 0; 310 } 311 312 if (ticklen == 0 && s->ext.session_ticket != NULL && 313 s->ext.session_ticket->data == NULL) 314 return EXT_RETURN_NOT_SENT; 315 316 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) 317 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { 318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 319 return EXT_RETURN_FAIL; 320 } 321 322 return EXT_RETURN_SENT; 323 } 324 325 EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt, 326 unsigned int context, X509 *x, 327 size_t chainidx) 328 { 329 size_t salglen; 330 const uint16_t *salg; 331 332 /* 333 * This used both in the initial hello and as part of renegotiation, 334 * in the latter case, the client version may be already set and may 335 * be lower than that initially offered in `client_version`. 336 */ 337 if (!SSL_CONNECTION_IS_DTLS(s)) { 338 if (s->client_version < TLS1_2_VERSION 339 || (s->ssl.method->version != TLS_ANY_VERSION 340 && s->version < TLS1_2_VERSION)) 341 return EXT_RETURN_NOT_SENT; 342 } else { 343 if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION) 344 || (s->ssl.method->version != DTLS_ANY_VERSION 345 && DTLS_VERSION_LT(s->version, DTLS1_2_VERSION))) 346 return EXT_RETURN_NOT_SENT; 347 } 348 349 salglen = tls12_get_psigalgs(s, 1, &salg); 350 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) 351 /* Sub-packet for sig-algs extension */ 352 || !WPACKET_start_sub_packet_u16(pkt) 353 /* Sub-packet for the actual list */ 354 || !WPACKET_start_sub_packet_u16(pkt) 355 || !tls12_copy_sigalgs(s, pkt, salg, salglen) 356 || !WPACKET_close(pkt) 357 || !WPACKET_close(pkt)) { 358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 359 return EXT_RETURN_FAIL; 360 } 361 362 return EXT_RETURN_SENT; 363 } 364 365 #ifndef OPENSSL_NO_OCSP 366 EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt, 367 unsigned int context, X509 *x, 368 size_t chainidx) 369 { 370 int i; 371 372 /* This extension isn't defined for client Certificates */ 373 if (x != NULL) 374 return EXT_RETURN_NOT_SENT; 375 376 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) 377 return EXT_RETURN_NOT_SENT; 378 379 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 380 /* Sub-packet for status request extension */ 381 || !WPACKET_start_sub_packet_u16(pkt) 382 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) 383 /* Sub-packet for the ids */ 384 || !WPACKET_start_sub_packet_u16(pkt)) { 385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 386 return EXT_RETURN_FAIL; 387 } 388 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { 389 unsigned char *idbytes; 390 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); 391 int idlen = i2d_OCSP_RESPID(id, NULL); 392 393 if (idlen <= 0 394 /* Sub-packet for an individual id */ 395 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) 396 || i2d_OCSP_RESPID(id, &idbytes) != idlen) { 397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 398 return EXT_RETURN_FAIL; 399 } 400 } 401 if (!WPACKET_close(pkt) 402 || !WPACKET_start_sub_packet_u16(pkt)) { 403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 404 return EXT_RETURN_FAIL; 405 } 406 if (s->ext.ocsp.exts) { 407 unsigned char *extbytes; 408 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); 409 410 if (extlen < 0) { 411 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 412 return EXT_RETURN_FAIL; 413 } 414 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) 415 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) 416 != extlen) { 417 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 418 return EXT_RETURN_FAIL; 419 } 420 } 421 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 423 return EXT_RETURN_FAIL; 424 } 425 426 return EXT_RETURN_SENT; 427 } 428 #endif 429 430 #ifndef OPENSSL_NO_NEXTPROTONEG 431 EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt, 432 unsigned int context, 433 X509 *x, size_t chainidx) 434 { 435 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL 436 || !SSL_IS_FIRST_HANDSHAKE(s)) 437 return EXT_RETURN_NOT_SENT; 438 439 /* 440 * The client advertises an empty extension to indicate its support 441 * for Next Protocol Negotiation 442 */ 443 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) 444 || !WPACKET_put_bytes_u16(pkt, 0)) { 445 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 446 return EXT_RETURN_FAIL; 447 } 448 449 return EXT_RETURN_SENT; 450 } 451 #endif 452 453 EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt, 454 unsigned int context, 455 X509 *x, size_t chainidx) 456 { 457 s->s3.alpn_sent = 0; 458 459 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) 460 return EXT_RETURN_NOT_SENT; 461 462 if (!WPACKET_put_bytes_u16(pkt, 463 TLSEXT_TYPE_application_layer_protocol_negotiation) 464 /* Sub-packet ALPN extension */ 465 || !WPACKET_start_sub_packet_u16(pkt) 466 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) 467 || !WPACKET_close(pkt)) { 468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 469 return EXT_RETURN_FAIL; 470 } 471 s->s3.alpn_sent = 1; 472 473 return EXT_RETURN_SENT; 474 } 475 476 477 #ifndef OPENSSL_NO_SRTP 478 EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt, 479 unsigned int context, X509 *x, 480 size_t chainidx) 481 { 482 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 483 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl); 484 int i, end; 485 486 if (clnt == NULL) 487 return EXT_RETURN_NOT_SENT; 488 489 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) 490 /* Sub-packet for SRTP extension */ 491 || !WPACKET_start_sub_packet_u16(pkt) 492 /* Sub-packet for the protection profile list */ 493 || !WPACKET_start_sub_packet_u16(pkt)) { 494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 495 return EXT_RETURN_FAIL; 496 } 497 498 end = sk_SRTP_PROTECTION_PROFILE_num(clnt); 499 for (i = 0; i < end; i++) { 500 const SRTP_PROTECTION_PROFILE *prof = 501 sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 502 503 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { 504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 505 return EXT_RETURN_FAIL; 506 } 507 } 508 if (!WPACKET_close(pkt) 509 /* Add an empty use_mki value */ 510 || !WPACKET_put_bytes_u8(pkt, 0) 511 || !WPACKET_close(pkt)) { 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 513 return EXT_RETURN_FAIL; 514 } 515 516 return EXT_RETURN_SENT; 517 } 518 #endif 519 520 EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt, 521 unsigned int context, 522 X509 *x, size_t chainidx) 523 { 524 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 525 return EXT_RETURN_NOT_SENT; 526 527 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) 528 || !WPACKET_put_bytes_u16(pkt, 0)) { 529 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 530 return EXT_RETURN_FAIL; 531 } 532 533 return EXT_RETURN_SENT; 534 } 535 536 #ifndef OPENSSL_NO_CT 537 EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt, 538 unsigned int context, 539 X509 *x, size_t chainidx) 540 { 541 if (s->ct_validation_callback == NULL) 542 return EXT_RETURN_NOT_SENT; 543 544 /* Not defined for client Certificates */ 545 if (x != NULL) 546 return EXT_RETURN_NOT_SENT; 547 548 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) 549 || !WPACKET_put_bytes_u16(pkt, 0)) { 550 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 551 return EXT_RETURN_FAIL; 552 } 553 554 return EXT_RETURN_SENT; 555 } 556 #endif 557 558 EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt, 559 unsigned int context, 560 X509 *x, size_t chainidx) 561 { 562 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 563 return EXT_RETURN_NOT_SENT; 564 565 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) 566 || !WPACKET_put_bytes_u16(pkt, 0)) { 567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 568 return EXT_RETURN_FAIL; 569 } 570 571 return EXT_RETURN_SENT; 572 } 573 574 EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt, 575 unsigned int context, X509 *x, 576 size_t chainidx) 577 { 578 int currv, min_version, max_version, reason; 579 580 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); 581 if (reason != 0) { 582 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); 583 return EXT_RETURN_FAIL; 584 } 585 586 /* 587 * Don't include this if we can't negotiate TLSv1.3. We can do a straight 588 * comparison here because we will never be called in DTLS. 589 */ 590 if (max_version < TLS1_3_VERSION) 591 return EXT_RETURN_NOT_SENT; 592 593 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) 594 || !WPACKET_start_sub_packet_u16(pkt) 595 || !WPACKET_start_sub_packet_u8(pkt)) { 596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 597 return EXT_RETURN_FAIL; 598 } 599 600 for (currv = max_version; currv >= min_version; currv--) { 601 if (!WPACKET_put_bytes_u16(pkt, currv)) { 602 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 603 return EXT_RETURN_FAIL; 604 } 605 } 606 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 608 return EXT_RETURN_FAIL; 609 } 610 611 return EXT_RETURN_SENT; 612 } 613 614 /* 615 * Construct a psk_kex_modes extension. 616 */ 617 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, 618 unsigned int context, X509 *x, 619 size_t chainidx) 620 { 621 #ifndef OPENSSL_NO_TLS1_3 622 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; 623 624 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) 625 || !WPACKET_start_sub_packet_u16(pkt) 626 || !WPACKET_start_sub_packet_u8(pkt) 627 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) 628 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) 629 || !WPACKET_close(pkt) 630 || !WPACKET_close(pkt)) { 631 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 632 return EXT_RETURN_FAIL; 633 } 634 635 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; 636 if (nodhe) 637 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; 638 #endif 639 640 return EXT_RETURN_SENT; 641 } 642 643 #ifndef OPENSSL_NO_TLS1_3 644 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num) 645 { 646 unsigned char *encoded_pubkey = NULL; 647 EVP_PKEY *key_share_key = NULL; 648 size_t encodedlen; 649 650 if (loop_num < s->s3.tmp.num_ks_pkey) { 651 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING) 652 || !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) { 653 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 654 return 0; 655 } 656 /* 657 * Could happen if we got an HRR that wasn't requesting a new key_share 658 */ 659 key_share_key = s->s3.tmp.ks_pkey[loop_num]; 660 } else { 661 key_share_key = ssl_generate_pkey_group(s, group_id); 662 if (key_share_key == NULL) { 663 /* SSLfatal() already called */ 664 return 0; 665 } 666 } 667 668 /* Encode the public key. */ 669 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key, 670 &encoded_pubkey); 671 if (encodedlen == 0) { 672 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); 673 goto err; 674 } 675 676 /* Create KeyShareEntry */ 677 if (!WPACKET_put_bytes_u16(pkt, group_id) 678 || !WPACKET_sub_memcpy_u16(pkt, encoded_pubkey, encodedlen)) { 679 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 680 goto err; 681 } 682 683 /* For backward compatibility, we use the first valid group to add a key share */ 684 if (loop_num == 0) { 685 s->s3.tmp.pkey = key_share_key; 686 s->s3.group_id = group_id; 687 } 688 /* We ensure in t1_lib.c that the loop number does not exceed OPENSSL_CLIENT_MAX_KEY_SHARES */ 689 s->s3.tmp.ks_pkey[loop_num] = key_share_key; 690 s->s3.tmp.ks_group_id[loop_num] = group_id; 691 if (loop_num >= s->s3.tmp.num_ks_pkey) 692 s->s3.tmp.num_ks_pkey++; 693 694 OPENSSL_free(encoded_pubkey); 695 696 return 1; 697 err: 698 if (key_share_key != s->s3.tmp.ks_pkey[loop_num]) 699 EVP_PKEY_free(key_share_key); 700 OPENSSL_free(encoded_pubkey); 701 return 0; 702 } 703 #endif 704 705 EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, 706 unsigned int context, X509 *x, 707 size_t chainidx) 708 { 709 #ifndef OPENSSL_NO_TLS1_3 710 size_t i, num_groups = 0; 711 const uint16_t *pgroups = NULL; 712 uint16_t group_id = 0; 713 int add_only_one = 0; 714 size_t valid_keyshare = 0; 715 716 /* key_share extension */ 717 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) 718 /* Extension data sub-packet */ 719 || !WPACKET_start_sub_packet_u16(pkt) 720 /* KeyShare list sub-packet */ 721 || !WPACKET_start_sub_packet_u16(pkt)) { 722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 723 return EXT_RETURN_FAIL; 724 } 725 726 tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups); 727 if (num_groups == 1 && pgroups[0] == 0) { /* Indication that no * prefix was used */ 728 tls1_get_supported_groups(s, &pgroups, &num_groups); 729 add_only_one = 1; 730 } 731 732 /* If neither the default nor the keyshares have any entry --> fatal */ 733 if (num_groups == 0) { 734 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 735 return EXT_RETURN_FAIL; 736 } 737 738 /* Add key shares */ 739 740 if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) { 741 /* new, single key share */ 742 group_id = s->s3.group_id; 743 s->s3.tmp.num_ks_pkey = 0; 744 if (!add_key_share(s, pkt, group_id, 0)) { 745 /* SSLfatal() already called */ 746 return EXT_RETURN_FAIL; 747 } 748 } else { 749 if (s->ext.supportedgroups == NULL) /* use default */ 750 add_only_one = 1; 751 752 for (i = 0; i < num_groups; i++) { 753 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) 754 continue; 755 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, 756 0, NULL)) 757 continue; 758 759 group_id = pgroups[i]; 760 761 if (group_id == 0) { 762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); 763 return EXT_RETURN_FAIL; 764 } 765 if (!add_key_share(s, pkt, group_id, valid_keyshare)) { 766 /* SSLfatal() already called */ 767 return EXT_RETURN_FAIL; 768 } 769 if (add_only_one) 770 break; 771 772 valid_keyshare++; 773 } 774 } 775 776 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { 777 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 778 return EXT_RETURN_FAIL; 779 } 780 return EXT_RETURN_SENT; 781 #else 782 return EXT_RETURN_NOT_SENT; 783 #endif 784 } 785 786 EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt, 787 unsigned int context, 788 X509 *x, size_t chainidx) 789 { 790 EXT_RETURN ret = EXT_RETURN_FAIL; 791 792 /* Should only be set if we've had an HRR */ 793 if (s->ext.tls13_cookie_len == 0) 794 return EXT_RETURN_NOT_SENT; 795 796 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) 797 /* Extension data sub-packet */ 798 || !WPACKET_start_sub_packet_u16(pkt) 799 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, 800 s->ext.tls13_cookie_len) 801 || !WPACKET_close(pkt)) { 802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 803 goto end; 804 } 805 806 ret = EXT_RETURN_SENT; 807 end: 808 OPENSSL_free(s->ext.tls13_cookie); 809 s->ext.tls13_cookie = NULL; 810 s->ext.tls13_cookie_len = 0; 811 812 return ret; 813 } 814 815 EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, 816 unsigned int context, X509 *x, 817 size_t chainidx) 818 { 819 #ifndef OPENSSL_NO_PSK 820 char identity[PSK_MAX_IDENTITY_LEN + 1]; 821 #endif /* OPENSSL_NO_PSK */ 822 const unsigned char *id = NULL; 823 size_t idlen = 0; 824 SSL_SESSION *psksess = NULL; 825 SSL_SESSION *edsess = NULL; 826 const EVP_MD *handmd = NULL; 827 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 828 829 if (s->hello_retry_request == SSL_HRR_PENDING) 830 handmd = ssl_handshake_md(s); 831 832 if (s->psk_use_session_cb != NULL 833 && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess) 834 || (psksess != NULL 835 && psksess->ssl_version != TLS1_3_VERSION))) { 836 SSL_SESSION_free(psksess); 837 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 838 return EXT_RETURN_FAIL; 839 } 840 841 #ifndef OPENSSL_NO_PSK 842 if (psksess == NULL && s->psk_client_callback != NULL) { 843 unsigned char psk[PSK_MAX_PSK_LEN]; 844 size_t psklen = 0; 845 846 memset(identity, 0, sizeof(identity)); 847 psklen = s->psk_client_callback(ussl, NULL, 848 identity, sizeof(identity) - 1, 849 psk, sizeof(psk)); 850 851 if (psklen > PSK_MAX_PSK_LEN) { 852 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); 853 return EXT_RETURN_FAIL; 854 } else if (psklen > 0) { 855 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; 856 const SSL_CIPHER *cipher; 857 858 idlen = strlen(identity); 859 if (idlen > PSK_MAX_IDENTITY_LEN) { 860 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 861 return EXT_RETURN_FAIL; 862 } 863 id = (unsigned char *)identity; 864 865 /* 866 * We found a PSK using an old style callback. We don't know 867 * the digest so we default to SHA256 as per the TLSv1.3 spec 868 */ 869 cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), 870 tls13_aes128gcmsha256_id); 871 if (cipher == NULL) { 872 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 873 return EXT_RETURN_FAIL; 874 } 875 876 psksess = SSL_SESSION_new(); 877 if (psksess == NULL 878 || !SSL_SESSION_set1_master_key(psksess, psk, psklen) 879 || !SSL_SESSION_set_cipher(psksess, cipher) 880 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { 881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 882 OPENSSL_cleanse(psk, psklen); 883 return EXT_RETURN_FAIL; 884 } 885 OPENSSL_cleanse(psk, psklen); 886 } 887 } 888 #endif /* OPENSSL_NO_PSK */ 889 890 SSL_SESSION_free(s->psksession); 891 s->psksession = psksess; 892 if (psksess != NULL) { 893 OPENSSL_free(s->psksession_id); 894 s->psksession_id = OPENSSL_memdup(id, idlen); 895 if (s->psksession_id == NULL) { 896 s->psksession_id_len = 0; 897 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 898 return EXT_RETURN_FAIL; 899 } 900 s->psksession_id_len = idlen; 901 } 902 903 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING 904 || (s->session->ext.max_early_data == 0 905 && (psksess == NULL || psksess->ext.max_early_data == 0))) { 906 s->max_early_data = 0; 907 return EXT_RETURN_NOT_SENT; 908 } 909 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; 910 s->max_early_data = edsess->ext.max_early_data; 911 912 if (edsess->ext.hostname != NULL) { 913 if (s->ext.hostname == NULL 914 || (s->ext.hostname != NULL 915 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { 916 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 917 SSL_R_INCONSISTENT_EARLY_DATA_SNI); 918 return EXT_RETURN_FAIL; 919 } 920 } 921 922 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { 923 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 924 return EXT_RETURN_FAIL; 925 } 926 927 /* 928 * Verify that we are offering an ALPN protocol consistent with the early 929 * data. 930 */ 931 if (edsess->ext.alpn_selected != NULL) { 932 PACKET prots, alpnpkt; 933 int found = 0; 934 935 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { 936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 937 return EXT_RETURN_FAIL; 938 } 939 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { 940 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, 941 edsess->ext.alpn_selected_len)) { 942 found = 1; 943 break; 944 } 945 } 946 if (!found) { 947 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 948 SSL_R_INCONSISTENT_EARLY_DATA_ALPN); 949 return EXT_RETURN_FAIL; 950 } 951 } 952 953 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) 954 || !WPACKET_start_sub_packet_u16(pkt) 955 || !WPACKET_close(pkt)) { 956 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 957 return EXT_RETURN_FAIL; 958 } 959 960 /* 961 * We set this to rejected here. Later, if the server acknowledges the 962 * extension, we set it to accepted. 963 */ 964 s->ext.early_data = SSL_EARLY_DATA_REJECTED; 965 s->ext.early_data_ok = 1; 966 967 return EXT_RETURN_SENT; 968 } 969 970 #define F5_WORKAROUND_MIN_MSG_LEN 0xff 971 #define F5_WORKAROUND_MAX_MSG_LEN 0x200 972 973 /* 974 * PSK pre binder overhead = 975 * 2 bytes for TLSEXT_TYPE_psk 976 * 2 bytes for extension length 977 * 2 bytes for identities list length 978 * 2 bytes for identity length 979 * 4 bytes for obfuscated_ticket_age 980 * 2 bytes for binder list length 981 * 1 byte for binder length 982 * The above excludes the number of bytes for the identity itself and the 983 * subsequent binder bytes 984 */ 985 #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) 986 987 EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, 988 unsigned int context, X509 *x, 989 size_t chainidx) 990 { 991 unsigned char *padbytes; 992 size_t hlen; 993 994 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) 995 return EXT_RETURN_NOT_SENT; 996 997 /* 998 * Add padding to workaround bugs in F5 terminators. See RFC7685. 999 * This code calculates the length of all extensions added so far but 1000 * excludes the PSK extension (because that MUST be written last). Therefore 1001 * this extension MUST always appear second to last. 1002 */ 1003 if (!WPACKET_get_total_written(pkt, &hlen)) { 1004 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1005 return EXT_RETURN_FAIL; 1006 } 1007 1008 /* 1009 * If we're going to send a PSK then that will be written out after this 1010 * extension, so we need to calculate how long it is going to be. 1011 */ 1012 if (s->session->ssl_version == TLS1_3_VERSION 1013 && s->session->ext.ticklen != 0 1014 && s->session->cipher != NULL) { 1015 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), 1016 s->session->cipher->algorithm2); 1017 1018 if (md != NULL) { 1019 /* 1020 * Add the fixed PSK overhead, the identity length and the binder 1021 * length. 1022 */ 1023 int md_size = EVP_MD_get_size(md); 1024 1025 if (md_size <= 0) 1026 return EXT_RETURN_FAIL; 1027 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen 1028 + md_size; 1029 } 1030 } 1031 1032 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { 1033 /* Calculate the amount of padding we need to add */ 1034 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; 1035 1036 /* 1037 * Take off the size of extension header itself (2 bytes for type and 1038 * 2 bytes for length bytes), but ensure that the extension is at least 1039 * 1 byte long so as not to have an empty extension last (WebSphere 7.x, 1040 * 8.x are intolerant of that condition) 1041 */ 1042 if (hlen > 4) 1043 hlen -= 4; 1044 else 1045 hlen = 1; 1046 1047 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) 1048 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { 1049 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1050 return EXT_RETURN_FAIL; 1051 } 1052 memset(padbytes, 0, hlen); 1053 } 1054 1055 return EXT_RETURN_SENT; 1056 } 1057 1058 /* 1059 * Construct the pre_shared_key extension 1060 */ 1061 EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, 1062 unsigned int context, 1063 X509 *x, size_t chainidx) 1064 { 1065 #ifndef OPENSSL_NO_TLS1_3 1066 uint32_t agesec, agems = 0; 1067 size_t binderoffset, msglen; 1068 int reshashsize = 0, pskhashsize = 0; 1069 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; 1070 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; 1071 int dores = 0; 1072 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1073 OSSL_TIME t; 1074 1075 s->ext.tick_identity = 0; 1076 1077 /* 1078 * Note: At this stage of the code we only support adding a single 1079 * resumption PSK. If we add support for multiple PSKs then the length 1080 * calculations in the padding extension will need to be adjusted. 1081 */ 1082 1083 /* 1084 * If this is an incompatible or new session then we have nothing to resume 1085 * so don't add this extension. 1086 */ 1087 if (s->session->ssl_version != TLS1_3_VERSION 1088 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) 1089 return EXT_RETURN_NOT_SENT; 1090 1091 if (s->hello_retry_request == SSL_HRR_PENDING) 1092 handmd = ssl_handshake_md(s); 1093 1094 if (s->session->ext.ticklen != 0) { 1095 /* Get the digest associated with the ciphersuite in the session */ 1096 if (s->session->cipher == NULL) { 1097 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1098 return EXT_RETURN_FAIL; 1099 } 1100 mdres = ssl_md(sctx, s->session->cipher->algorithm2); 1101 if (mdres == NULL) { 1102 /* 1103 * Don't recognize this cipher so we can't use the session. 1104 * Ignore it 1105 */ 1106 goto dopsksess; 1107 } 1108 1109 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { 1110 /* 1111 * Selected ciphersuite hash does not match the hash for the session 1112 * so we can't use it. 1113 */ 1114 goto dopsksess; 1115 } 1116 1117 /* 1118 * Technically the C standard just says time() returns a time_t and says 1119 * nothing about the encoding of that type. In practice most 1120 * implementations follow POSIX which holds it as an integral type in 1121 * seconds since epoch. We've already made the assumption that we can do 1122 * this in multiple places in the code, so portability shouldn't be an 1123 * issue. 1124 */ 1125 t = ossl_time_subtract(ossl_time_now(), s->session->time); 1126 agesec = (uint32_t)ossl_time2seconds(t); 1127 /* 1128 * We calculate the age in seconds but the server may work in ms. Due to 1129 * rounding errors we could overestimate the age by up to 1s. It is 1130 * better to underestimate it. Otherwise, if the RTT is very short, when 1131 * the server calculates the age reported by the client it could be 1132 * bigger than the age calculated on the server - which should never 1133 * happen. 1134 */ 1135 if (agesec > 0) 1136 agesec--; 1137 1138 if (s->session->ext.tick_lifetime_hint < agesec) { 1139 /* Ticket is too old. Ignore it. */ 1140 goto dopsksess; 1141 } 1142 1143 /* 1144 * Calculate age in ms. We're just doing it to nearest second. Should be 1145 * good enough. 1146 */ 1147 agems = agesec * (uint32_t)1000; 1148 1149 if (agesec != 0 && agems / (uint32_t)1000 != agesec) { 1150 /* 1151 * Overflow. Shouldn't happen unless this is a *really* old session. 1152 * If so we just ignore it. 1153 */ 1154 goto dopsksess; 1155 } 1156 1157 /* 1158 * Obfuscate the age. Overflow here is fine, this addition is supposed 1159 * to be mod 2^32. 1160 */ 1161 agems += s->session->ext.tick_age_add; 1162 1163 reshashsize = EVP_MD_get_size(mdres); 1164 if (reshashsize <= 0) 1165 goto dopsksess; 1166 s->ext.tick_identity++; 1167 dores = 1; 1168 } 1169 1170 dopsksess: 1171 if (!dores && s->psksession == NULL) 1172 return EXT_RETURN_NOT_SENT; 1173 1174 if (s->psksession != NULL) { 1175 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2); 1176 if (mdpsk == NULL) { 1177 /* 1178 * Don't recognize this cipher so we can't use the session. 1179 * If this happens it's an application bug. 1180 */ 1181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1182 return EXT_RETURN_FAIL; 1183 } 1184 1185 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { 1186 /* 1187 * Selected ciphersuite hash does not match the hash for the PSK 1188 * session. This is an application bug. 1189 */ 1190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1191 return EXT_RETURN_FAIL; 1192 } 1193 1194 pskhashsize = EVP_MD_get_size(mdpsk); 1195 if (pskhashsize <= 0) { 1196 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 1197 return EXT_RETURN_FAIL; 1198 } 1199 } 1200 1201 /* Create the extension, but skip over the binder for now */ 1202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) 1203 || !WPACKET_start_sub_packet_u16(pkt) 1204 || !WPACKET_start_sub_packet_u16(pkt)) { 1205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1206 return EXT_RETURN_FAIL; 1207 } 1208 1209 if (dores) { 1210 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, 1211 s->session->ext.ticklen) 1212 || !WPACKET_put_bytes_u32(pkt, agems)) { 1213 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1214 return EXT_RETURN_FAIL; 1215 } 1216 } 1217 1218 if (s->psksession != NULL) { 1219 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, 1220 s->psksession_id_len) 1221 || !WPACKET_put_bytes_u32(pkt, 0)) { 1222 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1223 return EXT_RETURN_FAIL; 1224 } 1225 s->ext.tick_identity++; 1226 } 1227 1228 if (!WPACKET_close(pkt) 1229 || !WPACKET_get_total_written(pkt, &binderoffset) 1230 || !WPACKET_start_sub_packet_u16(pkt) 1231 || (dores 1232 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) 1233 || (s->psksession != NULL 1234 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) 1235 || !WPACKET_close(pkt) 1236 || !WPACKET_close(pkt) 1237 || !WPACKET_get_total_written(pkt, &msglen) 1238 /* 1239 * We need to fill in all the sub-packet lengths now so we can 1240 * calculate the HMAC of the message up to the binders 1241 */ 1242 || !WPACKET_fill_lengths(pkt)) { 1243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1244 return EXT_RETURN_FAIL; 1245 } 1246 1247 msgstart = WPACKET_get_curr(pkt) - msglen; 1248 1249 if (dores 1250 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, 1251 resbinder, s->session, 1, 0) != 1) { 1252 /* SSLfatal() already called */ 1253 return EXT_RETURN_FAIL; 1254 } 1255 1256 if (s->psksession != NULL 1257 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, 1258 pskbinder, s->psksession, 1, 1) != 1) { 1259 /* SSLfatal() already called */ 1260 return EXT_RETURN_FAIL; 1261 } 1262 1263 return EXT_RETURN_SENT; 1264 #else 1265 return EXT_RETURN_NOT_SENT; 1266 #endif 1267 } 1268 1269 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt, 1270 ossl_unused unsigned int context, 1271 ossl_unused X509 *x, 1272 ossl_unused size_t chainidx) 1273 { 1274 #ifndef OPENSSL_NO_TLS1_3 1275 if (!s->pha_enabled) 1276 return EXT_RETURN_NOT_SENT; 1277 1278 /* construct extension - 0 length, no contents */ 1279 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) 1280 || !WPACKET_start_sub_packet_u16(pkt) 1281 || !WPACKET_close(pkt)) { 1282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1283 return EXT_RETURN_FAIL; 1284 } 1285 1286 s->post_handshake_auth = SSL_PHA_EXT_SENT; 1287 1288 return EXT_RETURN_SENT; 1289 #else 1290 return EXT_RETURN_NOT_SENT; 1291 #endif 1292 } 1293 1294 1295 /* 1296 * Parse the server's renegotiation binding and abort if it's not right 1297 */ 1298 int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt, 1299 unsigned int context, 1300 X509 *x, size_t chainidx) 1301 { 1302 size_t expected_len = s->s3.previous_client_finished_len 1303 + s->s3.previous_server_finished_len; 1304 size_t ilen; 1305 const unsigned char *data; 1306 1307 /* Check for logic errors */ 1308 if (!ossl_assert(expected_len == 0 1309 || s->s3.previous_client_finished_len != 0) 1310 || !ossl_assert(expected_len == 0 1311 || s->s3.previous_server_finished_len != 0)) { 1312 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1313 return 0; 1314 } 1315 1316 /* Parse the length byte */ 1317 if (!PACKET_get_1_len(pkt, &ilen)) { 1318 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1319 return 0; 1320 } 1321 1322 /* Consistency check */ 1323 if (PACKET_remaining(pkt) != ilen) { 1324 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); 1325 return 0; 1326 } 1327 1328 /* Check that the extension matches */ 1329 if (ilen != expected_len) { 1330 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1331 return 0; 1332 } 1333 1334 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) 1335 || memcmp(data, s->s3.previous_client_finished, 1336 s->s3.previous_client_finished_len) != 0) { 1337 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1338 return 0; 1339 } 1340 1341 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) 1342 || memcmp(data, s->s3.previous_server_finished, 1343 s->s3.previous_server_finished_len) != 0) { 1344 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); 1345 return 0; 1346 } 1347 s->s3.send_connection_binding = 1; 1348 1349 return 1; 1350 } 1351 1352 /* Parse the server's max fragment len extension packet */ 1353 int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt, 1354 unsigned int context, 1355 X509 *x, size_t chainidx) 1356 { 1357 unsigned int value; 1358 1359 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { 1360 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1361 return 0; 1362 } 1363 1364 /* |value| should contains a valid max-fragment-length code. */ 1365 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { 1366 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1367 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1368 return 0; 1369 } 1370 1371 /* Must be the same value as client-configured one who was sent to server */ 1372 /*- 1373 * RFC 6066: if a client receives a maximum fragment length negotiation 1374 * response that differs from the length it requested, ... 1375 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert 1376 */ 1377 if (value != s->ext.max_fragment_len_mode) { 1378 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1379 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); 1380 return 0; 1381 } 1382 1383 /* 1384 * Maximum Fragment Length Negotiation succeeded. 1385 * The negotiated Maximum Fragment Length is binding now. 1386 */ 1387 s->session->ext.max_fragment_len_mode = value; 1388 1389 return 1; 1390 } 1391 1392 int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt, 1393 unsigned int context, 1394 X509 *x, size_t chainidx) 1395 { 1396 if (s->ext.hostname == NULL) { 1397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1398 return 0; 1399 } 1400 1401 if (PACKET_remaining(pkt) > 0) { 1402 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1403 return 0; 1404 } 1405 1406 if (!s->hit) { 1407 if (s->session->ext.hostname != NULL) { 1408 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1409 return 0; 1410 } 1411 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); 1412 if (s->session->ext.hostname == NULL) { 1413 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1414 return 0; 1415 } 1416 } 1417 1418 return 1; 1419 } 1420 1421 int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt, 1422 unsigned int context, 1423 X509 *x, size_t chainidx) 1424 { 1425 size_t ecpointformats_len; 1426 PACKET ecptformatlist; 1427 1428 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { 1429 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1430 return 0; 1431 } 1432 if (!s->hit) { 1433 ecpointformats_len = PACKET_remaining(&ecptformatlist); 1434 if (ecpointformats_len == 0) { 1435 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); 1436 return 0; 1437 } 1438 1439 s->ext.peer_ecpointformats_len = 0; 1440 OPENSSL_free(s->ext.peer_ecpointformats); 1441 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); 1442 if (s->ext.peer_ecpointformats == NULL) { 1443 s->ext.peer_ecpointformats_len = 0; 1444 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1445 return 0; 1446 } 1447 1448 s->ext.peer_ecpointformats_len = ecpointformats_len; 1449 1450 if (!PACKET_copy_bytes(&ecptformatlist, 1451 s->ext.peer_ecpointformats, 1452 ecpointformats_len)) { 1453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1454 return 0; 1455 } 1456 } 1457 1458 return 1; 1459 } 1460 1461 int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt, 1462 unsigned int context, 1463 X509 *x, size_t chainidx) 1464 { 1465 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 1466 1467 if (s->ext.session_ticket_cb != NULL && 1468 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), 1469 PACKET_remaining(pkt), 1470 s->ext.session_ticket_cb_arg)) { 1471 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1472 return 0; 1473 } 1474 1475 if (!tls_use_ticket(s)) { 1476 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1477 return 0; 1478 } 1479 if (PACKET_remaining(pkt) > 0) { 1480 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1481 return 0; 1482 } 1483 1484 s->ext.ticket_expected = 1; 1485 1486 return 1; 1487 } 1488 1489 #ifndef OPENSSL_NO_OCSP 1490 int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, 1491 unsigned int context, 1492 X509 *x, size_t chainidx) 1493 { 1494 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1495 /* We ignore this if the server sends a CertificateRequest */ 1496 return 1; 1497 } 1498 1499 /* 1500 * MUST only be sent if we've requested a status 1501 * request message. In TLS <= 1.2 it must also be empty. 1502 */ 1503 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { 1504 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1505 return 0; 1506 } 1507 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { 1508 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1509 return 0; 1510 } 1511 1512 if (SSL_CONNECTION_IS_TLS13(s)) { 1513 /* We only know how to handle this if it's for the first Certificate in 1514 * the chain. We ignore any other responses. 1515 */ 1516 if (chainidx != 0) 1517 return 1; 1518 1519 /* SSLfatal() already called */ 1520 return tls_process_cert_status_body(s, pkt); 1521 } 1522 1523 /* Set flag to expect CertificateStatus message */ 1524 s->ext.status_expected = 1; 1525 1526 return 1; 1527 } 1528 #endif 1529 1530 1531 #ifndef OPENSSL_NO_CT 1532 int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1533 X509 *x, size_t chainidx) 1534 { 1535 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { 1536 /* We ignore this if the server sends it in a CertificateRequest */ 1537 return 1; 1538 } 1539 1540 /* 1541 * Only take it if we asked for it - i.e if there is no CT validation 1542 * callback set, then a custom extension MAY be processing it, so we 1543 * need to let control continue to flow to that. 1544 */ 1545 if (s->ct_validation_callback != NULL) { 1546 size_t size = PACKET_remaining(pkt); 1547 1548 /* Simply copy it off for later processing */ 1549 OPENSSL_free(s->ext.scts); 1550 s->ext.scts = NULL; 1551 1552 s->ext.scts_len = (uint16_t)size; 1553 if (size > 0) { 1554 s->ext.scts = OPENSSL_malloc(size); 1555 if (s->ext.scts == NULL) { 1556 s->ext.scts_len = 0; 1557 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 1558 return 0; 1559 } 1560 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { 1561 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1562 return 0; 1563 } 1564 } 1565 } else { 1566 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 1567 ? ENDPOINT_CLIENT : ENDPOINT_BOTH; 1568 1569 /* 1570 * If we didn't ask for it then there must be a custom extension, 1571 * otherwise this is unsolicited. 1572 */ 1573 if (custom_ext_find(&s->cert->custext, role, 1574 TLSEXT_TYPE_signed_certificate_timestamp, 1575 NULL) == NULL) { 1576 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1577 return 0; 1578 } 1579 1580 if (!custom_ext_parse(s, context, 1581 TLSEXT_TYPE_signed_certificate_timestamp, 1582 PACKET_data(pkt), PACKET_remaining(pkt), 1583 x, chainidx)) { 1584 /* SSLfatal already called */ 1585 return 0; 1586 } 1587 } 1588 1589 return 1; 1590 } 1591 #endif 1592 1593 1594 #ifndef OPENSSL_NO_NEXTPROTONEG 1595 /* 1596 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No 1597 * elements of zero length are allowed and the set of elements must exactly 1598 * fill the length of the block. Returns 1 on success or 0 on failure. 1599 */ 1600 static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt) 1601 { 1602 PACKET tmp_protocol; 1603 1604 while (PACKET_remaining(pkt)) { 1605 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) 1606 || PACKET_remaining(&tmp_protocol) == 0) { 1607 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1608 return 0; 1609 } 1610 } 1611 1612 return 1; 1613 } 1614 1615 int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1616 X509 *x, size_t chainidx) 1617 { 1618 unsigned char *selected; 1619 unsigned char selected_len; 1620 PACKET tmppkt; 1621 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 1622 1623 /* Check if we are in a renegotiation. If so ignore this extension */ 1624 if (!SSL_IS_FIRST_HANDSHAKE(s)) 1625 return 1; 1626 1627 /* We must have requested it. */ 1628 if (sctx->ext.npn_select_cb == NULL) { 1629 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1630 return 0; 1631 } 1632 1633 /* The data must be valid */ 1634 tmppkt = *pkt; 1635 if (!ssl_next_proto_validate(s, &tmppkt)) { 1636 /* SSLfatal() already called */ 1637 return 0; 1638 } 1639 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), 1640 &selected, &selected_len, 1641 PACKET_data(pkt), PACKET_remaining(pkt), 1642 sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK 1643 || selected_len == 0) { 1644 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); 1645 return 0; 1646 } 1647 1648 /* 1649 * Could be non-NULL if server has sent multiple NPN extensions in 1650 * a single Serverhello 1651 */ 1652 OPENSSL_free(s->ext.npn); 1653 s->ext.npn = OPENSSL_malloc(selected_len); 1654 if (s->ext.npn == NULL) { 1655 s->ext.npn_len = 0; 1656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1657 return 0; 1658 } 1659 1660 memcpy(s->ext.npn, selected, selected_len); 1661 s->ext.npn_len = selected_len; 1662 s->s3.npn_seen = 1; 1663 1664 return 1; 1665 } 1666 #endif 1667 1668 int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1669 X509 *x, size_t chainidx) 1670 { 1671 size_t len; 1672 PACKET confpkt, protpkt; 1673 int valid = 0; 1674 1675 /* We must have requested it. */ 1676 if (!s->s3.alpn_sent) { 1677 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); 1678 return 0; 1679 } 1680 /*- 1681 * The extension data consists of: 1682 * uint16 list_length 1683 * uint8 proto_length; 1684 * uint8 proto[proto_length]; 1685 */ 1686 if (!PACKET_get_net_2_len(pkt, &len) 1687 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) 1688 || PACKET_remaining(pkt) != len) { 1689 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1690 return 0; 1691 } 1692 1693 /* It must be a protocol that we sent */ 1694 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { 1695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1696 return 0; 1697 } 1698 while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { 1699 if (PACKET_remaining(&protpkt) != len) 1700 continue; 1701 if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { 1702 /* Valid protocol found */ 1703 valid = 1; 1704 break; 1705 } 1706 } 1707 1708 if (!valid) { 1709 /* The protocol sent from the server does not match one we advertised */ 1710 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1711 return 0; 1712 } 1713 1714 OPENSSL_free(s->s3.alpn_selected); 1715 s->s3.alpn_selected = OPENSSL_malloc(len); 1716 if (s->s3.alpn_selected == NULL) { 1717 s->s3.alpn_selected_len = 0; 1718 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1719 return 0; 1720 } 1721 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { 1722 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 1723 return 0; 1724 } 1725 s->s3.alpn_selected_len = len; 1726 1727 if (s->session->ext.alpn_selected == NULL 1728 || s->session->ext.alpn_selected_len != len 1729 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) 1730 != 0) { 1731 /* ALPN not consistent with the old session so cannot use early_data */ 1732 s->ext.early_data_ok = 0; 1733 } 1734 if (!s->hit) { 1735 /* 1736 * This is a new session and so alpn_selected should have been 1737 * initialised to NULL. We should update it with the selected ALPN. 1738 */ 1739 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { 1740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1741 return 0; 1742 } 1743 s->session->ext.alpn_selected = 1744 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); 1745 if (s->session->ext.alpn_selected == NULL) { 1746 s->session->ext.alpn_selected_len = 0; 1747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1748 return 0; 1749 } 1750 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; 1751 } 1752 1753 return 1; 1754 } 1755 1756 #ifndef OPENSSL_NO_SRTP 1757 int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt, 1758 unsigned int context, X509 *x, size_t chainidx) 1759 { 1760 unsigned int id, ct, mki; 1761 int i; 1762 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 1763 SRTP_PROTECTION_PROFILE *prof; 1764 1765 if (!PACKET_get_net_2(pkt, &ct) || ct != 2 1766 || !PACKET_get_net_2(pkt, &id) 1767 || !PACKET_get_1(pkt, &mki) 1768 || PACKET_remaining(pkt) != 0) { 1769 SSLfatal(s, SSL_AD_DECODE_ERROR, 1770 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1771 return 0; 1772 } 1773 1774 if (mki != 0) { 1775 /* Must be no MKI, since we never offer one */ 1776 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE); 1777 return 0; 1778 } 1779 1780 /* Throw an error if the server gave us an unsolicited extension */ 1781 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s)); 1782 if (clnt == NULL) { 1783 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES); 1784 return 0; 1785 } 1786 1787 /* 1788 * Check to see if the server gave us something we support (and 1789 * presumably offered) 1790 */ 1791 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { 1792 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); 1793 1794 if (prof->id == id) { 1795 s->srtp_profile = prof; 1796 return 1; 1797 } 1798 } 1799 1800 SSLfatal(s, SSL_AD_DECODE_ERROR, 1801 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); 1802 return 0; 1803 } 1804 #endif 1805 1806 int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1807 X509 *x, size_t chainidx) 1808 { 1809 /* Ignore if inappropriate ciphersuite */ 1810 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) 1811 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD 1812 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 1813 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT 1814 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 1815 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA 1816 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) 1817 s->ext.use_etm = 1; 1818 1819 return 1; 1820 } 1821 1822 int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 1823 X509 *x, size_t chainidx) 1824 { 1825 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) 1826 return 1; 1827 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; 1828 if (!s->hit) 1829 s->session->flags |= SSL_SESS_FLAG_EXTMS; 1830 1831 return 1; 1832 } 1833 1834 int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt, 1835 unsigned int context, 1836 X509 *x, size_t chainidx) 1837 { 1838 unsigned int version; 1839 1840 if (!PACKET_get_net_2(pkt, &version) 1841 || PACKET_remaining(pkt) != 0) { 1842 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1843 return 0; 1844 } 1845 1846 /* 1847 * The only protocol version we support which is valid in this extension in 1848 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. 1849 */ 1850 if (version != TLS1_3_VERSION) { 1851 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 1852 SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1853 return 0; 1854 } 1855 1856 /* We ignore this extension for HRRs except to sanity check it */ 1857 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) 1858 return 1; 1859 1860 /* We just set it here. We validate it in ssl_choose_client_version */ 1861 s->version = version; 1862 if (!ssl_set_record_protocol_version(s, version)) { 1863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1864 return 0; 1865 } 1866 1867 return 1; 1868 } 1869 1870 int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, 1871 unsigned int context, X509 *x, 1872 size_t chainidx) 1873 { 1874 #ifndef OPENSSL_NO_TLS1_3 1875 unsigned int group_id; 1876 PACKET encoded_pt; 1877 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; 1878 const TLS_GROUP_INFO *ginf = NULL; 1879 uint16_t valid_ks_id = 0; 1880 size_t i; 1881 1882 /* Sanity check */ 1883 if (ckey == NULL || s->s3.peer_tmp != NULL) { 1884 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1885 return 0; 1886 } 1887 1888 /* Which group ID does the server want -> group_id */ 1889 if (!PACKET_get_net_2(pkt, &group_id)) { 1890 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1891 return 0; 1892 } 1893 1894 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { 1895 const uint16_t *pgroups = NULL; 1896 size_t num_groups; 1897 1898 if (PACKET_remaining(pkt) != 0) { 1899 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1900 return 0; 1901 } 1902 1903 /* 1904 * It is an error if the HelloRetryRequest wants a key_share that we 1905 * already sent in the first ClientHello 1906 */ 1907 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1908 if (s->s3.tmp.ks_group_id[i] == group_id) { 1909 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1910 return 0; 1911 } 1912 } 1913 1914 /* Validate the selected group is one we support */ 1915 tls1_get_supported_groups(s, &pgroups, &num_groups); 1916 for (i = 0; i < num_groups; i++) { 1917 if (group_id == pgroups[i]) 1918 break; 1919 } 1920 if (i >= num_groups 1921 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) 1922 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, 1923 0, NULL)) { 1924 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1925 return 0; 1926 } 1927 1928 /* Memorize which groupID the server wants */ 1929 s->s3.group_id = group_id; 1930 1931 /* The initial keyshares are obsolete now, hence free memory */ 1932 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1933 if (s->s3.tmp.ks_pkey[i] != NULL) { 1934 EVP_PKEY_free(s->s3.tmp.ks_pkey[i]); 1935 s->s3.tmp.ks_pkey[i] = NULL; 1936 } 1937 } 1938 s->s3.tmp.num_ks_pkey = 0; 1939 s->s3.tmp.pkey = NULL; 1940 1941 return 1; 1942 } 1943 1944 /* 1945 * check that the group requested by the server is one we've 1946 * sent a key share for, and if so: memorize which one 1947 */ 1948 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { 1949 if (s->s3.tmp.ks_group_id[i] == group_id) { 1950 valid_ks_id = group_id; 1951 ckey = s->s3.tmp.ks_pkey[i]; 1952 s->s3.group_id = group_id; 1953 s->s3.tmp.pkey = ckey; 1954 break; 1955 } 1956 } 1957 if (valid_ks_id == 0) { 1958 /* 1959 * This isn't for the group that we sent in the original 1960 * key_share! 1961 */ 1962 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1963 return 0; 1964 } 1965 /* Retain this group in the SSL_SESSION */ 1966 if (!s->hit) { 1967 s->session->kex_group = group_id; 1968 } else if (group_id != s->session->kex_group) { 1969 /* 1970 * If this is a resumption but changed what group was used, we need 1971 * to record the new group in the session, but the session is not 1972 * a new session and could be in use by other threads. So, make 1973 * a copy of the session to record the new information so that it's 1974 * useful for any sessions resumed from tickets issued on this 1975 * connection. 1976 */ 1977 SSL_SESSION *new_sess; 1978 1979 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) { 1980 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); 1981 return 0; 1982 } 1983 SSL_SESSION_free(s->session); 1984 s->session = new_sess; 1985 s->session->kex_group = group_id; 1986 } 1987 1988 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), 1989 group_id)) == NULL) { 1990 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); 1991 return 0; 1992 } 1993 1994 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) 1995 || PACKET_remaining(&encoded_pt) == 0) { 1996 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 1997 return 0; 1998 } 1999 2000 if (!ginf->is_kem) { 2001 /* Regular KEX */ 2002 skey = EVP_PKEY_new(); 2003 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { 2004 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); 2005 EVP_PKEY_free(skey); 2006 return 0; 2007 } 2008 2009 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt), 2010 PACKET_remaining(&encoded_pt)) <= 0) { 2011 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); 2012 EVP_PKEY_free(skey); 2013 return 0; 2014 } 2015 2016 if (ssl_derive(s, ckey, skey, 1) == 0) { 2017 /* SSLfatal() already called */ 2018 EVP_PKEY_free(skey); 2019 return 0; 2020 } 2021 s->s3.peer_tmp = skey; 2022 } else { 2023 /* KEM Mode */ 2024 const unsigned char *ct = PACKET_data(&encoded_pt); 2025 size_t ctlen = PACKET_remaining(&encoded_pt); 2026 2027 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) { 2028 /* SSLfatal() already called */ 2029 return 0; 2030 } 2031 } 2032 s->s3.did_kex = 1; 2033 #endif 2034 2035 return 1; 2036 } 2037 2038 int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, 2039 X509 *x, size_t chainidx) 2040 { 2041 PACKET cookie; 2042 2043 if (!PACKET_as_length_prefixed_2(pkt, &cookie) 2044 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, 2045 &s->ext.tls13_cookie_len)) { 2046 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2047 return 0; 2048 } 2049 2050 return 1; 2051 } 2052 2053 int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt, 2054 unsigned int context, 2055 X509 *x, size_t chainidx) 2056 { 2057 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { 2058 unsigned long max_early_data; 2059 2060 if (!PACKET_get_net_4(pkt, &max_early_data) 2061 || PACKET_remaining(pkt) != 0) { 2062 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA); 2063 return 0; 2064 } 2065 2066 s->session->ext.max_early_data = max_early_data; 2067 2068 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) { 2069 /* 2070 * QUIC allows missing max_early_data, or a max_early_data value 2071 * of 0xffffffff. Missing max_early_data is stored in the session 2072 * as 0. This is indistinguishable in OpenSSL from a present 2073 * max_early_data value that was 0. In order that later checks for 2074 * invalid max_early_data correctly treat as an error the case where 2075 * max_early_data is present and it is 0, we store any invalid 2076 * value in the same (non-zero) way. Otherwise we would have to 2077 * introduce a new flag just for this. 2078 */ 2079 s->session->ext.max_early_data = 1; 2080 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA); 2081 return 0; 2082 } 2083 2084 return 1; 2085 } 2086 2087 if (PACKET_remaining(pkt) != 0) { 2088 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2089 return 0; 2090 } 2091 2092 if (!s->ext.early_data_ok 2093 || !s->hit) { 2094 /* 2095 * If we get here then we didn't send early data, or we didn't resume 2096 * using the first identity, or the SNI/ALPN is not consistent so the 2097 * server should not be accepting it. 2098 */ 2099 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 2100 return 0; 2101 } 2102 2103 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; 2104 2105 return 1; 2106 } 2107 2108 int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt, 2109 unsigned int context, X509 *x, 2110 size_t chainidx) 2111 { 2112 #ifndef OPENSSL_NO_TLS1_3 2113 unsigned int identity; 2114 2115 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { 2116 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 2117 return 0; 2118 } 2119 2120 if (identity >= (unsigned int)s->ext.tick_identity) { 2121 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY); 2122 return 0; 2123 } 2124 2125 /* 2126 * Session resumption tickets are always sent before PSK tickets. If the 2127 * ticket index is 0 then it must be for a session resumption ticket if we 2128 * sent two tickets, or if we didn't send a PSK ticket. 2129 */ 2130 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { 2131 s->hit = 1; 2132 SSL_SESSION_free(s->psksession); 2133 s->psksession = NULL; 2134 return 1; 2135 } 2136 2137 if (s->psksession == NULL) { 2138 /* Should never happen */ 2139 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2140 return 0; 2141 } 2142 2143 /* 2144 * If we used the external PSK for sending early_data then s->early_secret 2145 * is already set up, so don't overwrite it. Otherwise we copy the 2146 * early_secret across that we generated earlier. 2147 */ 2148 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY 2149 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) 2150 || s->session->ext.max_early_data > 0 2151 || s->psksession->ext.max_early_data == 0) 2152 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); 2153 2154 SSL_SESSION_free(s->session); 2155 s->session = s->psksession; 2156 s->psksession = NULL; 2157 s->hit = 1; 2158 /* Early data is only allowed if we used the first ticket */ 2159 if (identity != 0) 2160 s->ext.early_data_ok = 0; 2161 #endif 2162 2163 return 1; 2164 } 2165 2166 EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, 2167 unsigned int context, 2168 X509 *x, size_t chainidx) 2169 { 2170 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; 2171 if (sc->client_cert_type == NULL) 2172 return EXT_RETURN_NOT_SENT; 2173 2174 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type) 2175 || !WPACKET_start_sub_packet_u16(pkt) 2176 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len) 2177 || !WPACKET_close(pkt)) { 2178 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2179 return EXT_RETURN_FAIL; 2180 } 2181 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; 2182 return EXT_RETURN_SENT; 2183 } 2184 2185 int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt, 2186 unsigned int context, 2187 X509 *x, size_t chainidx) 2188 { 2189 unsigned int type; 2190 2191 if (PACKET_remaining(pkt) != 1) { 2192 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2193 return 0; 2194 } 2195 if (!PACKET_get_1(pkt, &type)) { 2196 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2197 return 0; 2198 } 2199 /* We did not send/ask for this */ 2200 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { 2201 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2202 return 0; 2203 } 2204 /* We don't have this enabled */ 2205 if (sc->client_cert_type == NULL) { 2206 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2207 return 0; 2208 } 2209 /* Given back a value we didn't configure */ 2210 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) { 2211 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); 2212 return 0; 2213 } 2214 sc->ext.client_cert_type = type; 2215 return 1; 2216 } 2217 2218 EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, 2219 unsigned int context, 2220 X509 *x, size_t chainidx) 2221 { 2222 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; 2223 if (sc->server_cert_type == NULL) 2224 return EXT_RETURN_NOT_SENT; 2225 2226 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type) 2227 || !WPACKET_start_sub_packet_u16(pkt) 2228 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len) 2229 || !WPACKET_close(pkt)) { 2230 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 2231 return EXT_RETURN_FAIL; 2232 } 2233 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; 2234 return EXT_RETURN_SENT; 2235 } 2236 2237 int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt, 2238 unsigned int context, 2239 X509 *x, size_t chainidx) 2240 { 2241 unsigned int type; 2242 2243 if (PACKET_remaining(pkt) != 1) { 2244 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2245 return 0; 2246 } 2247 if (!PACKET_get_1(pkt, &type)) { 2248 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2249 return 0; 2250 } 2251 /* We did not send/ask for this */ 2252 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { 2253 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2254 return 0; 2255 } 2256 /* We don't have this enabled */ 2257 if (sc->server_cert_type == NULL) { 2258 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); 2259 return 0; 2260 } 2261 /* Given back a value we didn't configure */ 2262 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) { 2263 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); 2264 return 0; 2265 } 2266 sc->ext.server_cert_type = type; 2267 return 1; 2268 } 2269