]>
Commit | Line | Data |
---|---|---|
6dd083fd | 1 | /* |
3c95ef22 | 2 | * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. |
6dd083fd | 3 | * |
2c18d164 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6dd083fd MC |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
ab83e314 | 10 | #include <openssl/ocsp.h> |
706457b7 | 11 | #include "../ssl_local.h" |
67dc995e | 12 | #include "internal/cryptlib.h" |
706457b7 | 13 | #include "statem_local.h" |
6dd083fd | 14 | |
38b051a1 | 15 | EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 16 | unsigned int context, X509 *x, |
f63a17d6 | 17 | size_t chainidx) |
ab83e314 MC |
18 | { |
19 | /* Add RI if renegotiating */ | |
20 | if (!s->renegotiate) | |
b186a592 | 21 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
22 | |
23 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate) | |
24 | || !WPACKET_start_sub_packet_u16(pkt) | |
555cbb32 TS |
25 | || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, |
26 | s->s3.previous_client_finished_len) | |
ab83e314 | 27 | || !WPACKET_close(pkt)) { |
c48ffbcc | 28 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 29 | return EXT_RETURN_FAIL; |
ab83e314 MC |
30 | } |
31 | ||
b186a592 | 32 | return EXT_RETURN_SENT; |
ab83e314 MC |
33 | } |
34 | ||
38b051a1 | 35 | EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 36 | unsigned int context, X509 *x, |
f63a17d6 | 37 | size_t chainidx) |
ab83e314 | 38 | { |
aff8c126 | 39 | if (s->ext.hostname == NULL) |
b186a592 | 40 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
41 | |
42 | /* Add TLS extension servername to the Client Hello message */ | |
43 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) | |
44 | /* Sub-packet for server_name extension */ | |
45 | || !WPACKET_start_sub_packet_u16(pkt) | |
46 | /* Sub-packet for servername list (always 1 hostname)*/ | |
47 | || !WPACKET_start_sub_packet_u16(pkt) | |
48 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name) | |
aff8c126 RS |
49 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, |
50 | strlen(s->ext.hostname)) | |
ab83e314 MC |
51 | || !WPACKET_close(pkt) |
52 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 53 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 54 | return EXT_RETURN_FAIL; |
ab83e314 MC |
55 | } |
56 | ||
b186a592 | 57 | return EXT_RETURN_SENT; |
ab83e314 MC |
58 | } |
59 | ||
cf72c757 | 60 | /* Push a Max Fragment Len extension into ClientHello */ |
38b051a1 | 61 | EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt, |
cf72c757 | 62 | unsigned int context, X509 *x, |
f63a17d6 | 63 | size_t chainidx) |
cf72c757 F |
64 | { |
65 | if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) | |
66 | return EXT_RETURN_NOT_SENT; | |
67 | ||
68 | /* Add Max Fragment Length extension if client enabled it. */ | |
69 | /*- | |
70 | * 4 bytes for this extension type and extension length | |
71 | * 1 byte for the Max Fragment Length code value. | |
72 | */ | |
73 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length) | |
74 | /* Sub-packet for Max Fragment Length extension (1 byte) */ | |
75 | || !WPACKET_start_sub_packet_u16(pkt) | |
76 | || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) | |
77 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 78 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
cf72c757 F |
79 | return EXT_RETURN_FAIL; |
80 | } | |
81 | ||
82 | return EXT_RETURN_SENT; | |
83 | } | |
84 | ||
ab83e314 | 85 | #ifndef OPENSSL_NO_SRP |
38b051a1 TM |
86 | EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt, |
87 | unsigned int context, | |
f63a17d6 | 88 | X509 *x, size_t chainidx) |
ab83e314 MC |
89 | { |
90 | /* Add SRP username if there is one */ | |
91 | if (s->srp_ctx.login == NULL) | |
b186a592 | 92 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
93 | |
94 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp) | |
95 | /* Sub-packet for SRP extension */ | |
96 | || !WPACKET_start_sub_packet_u16(pkt) | |
97 | || !WPACKET_start_sub_packet_u8(pkt) | |
98 | /* login must not be zero...internal error if so */ | |
99 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) | |
100 | || !WPACKET_memcpy(pkt, s->srp_ctx.login, | |
101 | strlen(s->srp_ctx.login)) | |
102 | || !WPACKET_close(pkt) | |
103 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 104 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 105 | return EXT_RETURN_FAIL; |
ab83e314 MC |
106 | } |
107 | ||
b186a592 | 108 | return EXT_RETURN_SENT; |
ab83e314 MC |
109 | } |
110 | #endif | |
111 | ||
38b051a1 | 112 | static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version) |
ab83e314 | 113 | { |
589b6227 | 114 | int i, end, ret = 0; |
ab83e314 MC |
115 | unsigned long alg_k, alg_a; |
116 | STACK_OF(SSL_CIPHER) *cipher_stack = NULL; | |
dbc6268f MC |
117 | const uint16_t *pgroups = NULL; |
118 | size_t num_groups, j; | |
38b051a1 | 119 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); |
ab83e314 MC |
120 | |
121 | /* See if we support any ECC ciphersuites */ | |
122 | if (s->version == SSL3_VERSION) | |
123 | return 0; | |
124 | ||
38b051a1 | 125 | cipher_stack = SSL_get1_supported_ciphers(ssl); |
1266eefd MC |
126 | end = sk_SSL_CIPHER_num(cipher_stack); |
127 | for (i = 0; i < end; i++) { | |
ab83e314 MC |
128 | const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); |
129 | ||
130 | alg_k = c->algorithm_mkey; | |
131 | alg_a = c->algorithm_auth; | |
132 | if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) | |
1266eefd | 133 | || (alg_a & SSL_aECDSA) |
589b6227 MC |
134 | || c->min_tls >= TLS1_3_VERSION) { |
135 | ret = 1; | |
136 | break; | |
137 | } | |
ab83e314 | 138 | } |
589b6227 | 139 | sk_SSL_CIPHER_free(cipher_stack); |
dbc6268f MC |
140 | if (!ret) |
141 | return 0; | |
142 | ||
143 | /* Check we have at least one EC supported group */ | |
144 | tls1_get_supported_groups(s, &pgroups, &num_groups); | |
145 | for (j = 0; j < num_groups; j++) { | |
146 | uint16_t ctmp = pgroups[j]; | |
147 | ||
8b1db5d3 | 148 | if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) |
dbc6268f MC |
149 | && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) |
150 | return 1; | |
151 | } | |
152 | ||
153 | return 0; | |
ab83e314 MC |
154 | } |
155 | ||
38b051a1 | 156 | EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 157 | unsigned int context, X509 *x, |
f63a17d6 | 158 | size_t chainidx) |
ab83e314 MC |
159 | { |
160 | const unsigned char *pformats; | |
161 | size_t num_formats; | |
dbc6268f | 162 | int reason, min_version, max_version; |
ab83e314 | 163 | |
dbc6268f MC |
164 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); |
165 | if (reason != 0) { | |
c48ffbcc | 166 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); |
dbc6268f MC |
167 | return EXT_RETURN_FAIL; |
168 | } | |
9d2d857f | 169 | if (!use_ecc(s, min_version, max_version)) |
b186a592 | 170 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
171 | |
172 | /* Add TLS extension ECPointFormats to the ClientHello message */ | |
ab83e314 MC |
173 | tls1_get_formatlist(s, &pformats, &num_formats); |
174 | ||
175 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats) | |
176 | /* Sub-packet for formats extension */ | |
177 | || !WPACKET_start_sub_packet_u16(pkt) | |
178 | || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats) | |
179 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 180 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 181 | return EXT_RETURN_FAIL; |
ab83e314 MC |
182 | } |
183 | ||
b186a592 | 184 | return EXT_RETURN_SENT; |
ab83e314 MC |
185 | } |
186 | ||
38b051a1 | 187 | EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 188 | unsigned int context, X509 *x, |
f63a17d6 | 189 | size_t chainidx) |
ab83e314 | 190 | { |
f48d826e | 191 | const uint16_t *pgroups = NULL; |
8b1db5d3 | 192 | size_t num_groups = 0, i, tls13added = 0, added = 0; |
9aaecbfc | 193 | int min_version, max_version, reason; |
ab83e314 | 194 | |
9aaecbfc | 195 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); |
196 | if (reason != 0) { | |
c48ffbcc | 197 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); |
9aaecbfc | 198 | return EXT_RETURN_FAIL; |
199 | } | |
200 | ||
8b1db5d3 MC |
201 | /* |
202 | * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore | |
203 | * if we don't have EC support then we don't send this extension. | |
204 | */ | |
205 | if (!use_ecc(s, min_version, max_version) | |
38b051a1 | 206 | && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)) |
dbc6268f | 207 | return EXT_RETURN_NOT_SENT; |
dbc6268f | 208 | |
ab83e314 MC |
209 | /* |
210 | * Add TLS extension supported_groups to the ClientHello message | |
211 | */ | |
f48d826e | 212 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
ab83e314 MC |
213 | |
214 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups) | |
215 | /* Sub-packet for supported_groups extension */ | |
216 | || !WPACKET_start_sub_packet_u16(pkt) | |
9aaecbfc | 217 | || !WPACKET_start_sub_packet_u16(pkt) |
218 | || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) { | |
c48ffbcc | 219 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 220 | return EXT_RETURN_FAIL; |
ab83e314 | 221 | } |
9aaecbfc | 222 | /* Copy group ID if supported */ |
f48d826e DSH |
223 | for (i = 0; i < num_groups; i++) { |
224 | uint16_t ctmp = pgroups[i]; | |
8b1db5d3 | 225 | int okfortls13; |
9e84a42d | 226 | |
8b1db5d3 | 227 | if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) |
dbc6268f | 228 | && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { |
9e84a42d | 229 | if (!WPACKET_put_bytes_u16(pkt, ctmp)) { |
c48ffbcc | 230 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
9aaecbfc | 231 | return EXT_RETURN_FAIL; |
232 | } | |
8b1db5d3 MC |
233 | if (okfortls13 && max_version == TLS1_3_VERSION) |
234 | tls13added++; | |
235 | added++; | |
ab83e314 MC |
236 | } |
237 | } | |
238 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
9afc6c54 | 239 | if (added == 0) |
8b1db5d3 MC |
240 | SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, |
241 | "No groups enabled for max supported SSL/TLS version"); | |
242 | else | |
243 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
b186a592 | 244 | return EXT_RETURN_FAIL; |
9afc6c54 MC |
245 | } |
246 | ||
247 | if (tls13added == 0 && max_version == TLS1_3_VERSION) { | |
248 | SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, | |
249 | "No groups enabled for max supported SSL/TLS version"); | |
250 | return EXT_RETURN_FAIL; | |
ab83e314 MC |
251 | } |
252 | ||
b186a592 | 253 | return EXT_RETURN_SENT; |
ab83e314 | 254 | } |
ab83e314 | 255 | |
38b051a1 | 256 | EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 257 | unsigned int context, X509 *x, |
f63a17d6 | 258 | size_t chainidx) |
ab83e314 MC |
259 | { |
260 | size_t ticklen; | |
261 | ||
262 | if (!tls_use_ticket(s)) | |
b186a592 | 263 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
264 | |
265 | if (!s->new_session && s->session != NULL | |
08191294 MC |
266 | && s->session->ext.tick != NULL |
267 | && s->session->ssl_version != TLS1_3_VERSION) { | |
aff8c126 RS |
268 | ticklen = s->session->ext.ticklen; |
269 | } else if (s->session && s->ext.session_ticket != NULL | |
270 | && s->ext.session_ticket->data != NULL) { | |
271 | ticklen = s->ext.session_ticket->length; | |
272 | s->session->ext.tick = OPENSSL_malloc(ticklen); | |
273 | if (s->session->ext.tick == NULL) { | |
c48ffbcc | 274 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 275 | return EXT_RETURN_FAIL; |
ab83e314 | 276 | } |
aff8c126 RS |
277 | memcpy(s->session->ext.tick, |
278 | s->ext.session_ticket->data, ticklen); | |
279 | s->session->ext.ticklen = ticklen; | |
ab83e314 MC |
280 | } else { |
281 | ticklen = 0; | |
282 | } | |
283 | ||
aff8c126 RS |
284 | if (ticklen == 0 && s->ext.session_ticket != NULL && |
285 | s->ext.session_ticket->data == NULL) | |
b186a592 | 286 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
287 | |
288 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket) | |
aff8c126 | 289 | || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { |
c48ffbcc | 290 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 291 | return EXT_RETURN_FAIL; |
ab83e314 MC |
292 | } |
293 | ||
b186a592 | 294 | return EXT_RETURN_SENT; |
ab83e314 MC |
295 | } |
296 | ||
38b051a1 | 297 | EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 298 | unsigned int context, X509 *x, |
f63a17d6 | 299 | size_t chainidx) |
ab83e314 MC |
300 | { |
301 | size_t salglen; | |
98c792d1 | 302 | const uint16_t *salg; |
ab83e314 MC |
303 | |
304 | if (!SSL_CLIENT_USE_SIGALGS(s)) | |
b186a592 | 305 | return EXT_RETURN_NOT_SENT; |
ab83e314 | 306 | |
a9669ddc | 307 | salglen = tls12_get_psigalgs(s, 1, &salg); |
ab83e314 MC |
308 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms) |
309 | /* Sub-packet for sig-algs extension */ | |
310 | || !WPACKET_start_sub_packet_u16(pkt) | |
311 | /* Sub-packet for the actual list */ | |
312 | || !WPACKET_start_sub_packet_u16(pkt) | |
313 | || !tls12_copy_sigalgs(s, pkt, salg, salglen) | |
314 | || !WPACKET_close(pkt) | |
315 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 316 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 317 | return EXT_RETURN_FAIL; |
ab83e314 MC |
318 | } |
319 | ||
b186a592 | 320 | return EXT_RETURN_SENT; |
ab83e314 MC |
321 | } |
322 | ||
323 | #ifndef OPENSSL_NO_OCSP | |
38b051a1 | 324 | EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 325 | unsigned int context, X509 *x, |
f63a17d6 | 326 | size_t chainidx) |
ab83e314 MC |
327 | { |
328 | int i; | |
329 | ||
e96e0f8e MC |
330 | /* This extension isn't defined for client Certificates */ |
331 | if (x != NULL) | |
b186a592 | 332 | return EXT_RETURN_NOT_SENT; |
e96e0f8e | 333 | |
aff8c126 | 334 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) |
b186a592 | 335 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
336 | |
337 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) | |
338 | /* Sub-packet for status request extension */ | |
339 | || !WPACKET_start_sub_packet_u16(pkt) | |
340 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp) | |
341 | /* Sub-packet for the ids */ | |
342 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
c48ffbcc | 343 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 344 | return EXT_RETURN_FAIL; |
ab83e314 | 345 | } |
aff8c126 | 346 | for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { |
ab83e314 | 347 | unsigned char *idbytes; |
aff8c126 | 348 | OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); |
1266eefd | 349 | int idlen = i2d_OCSP_RESPID(id, NULL); |
ab83e314 | 350 | |
ab83e314 MC |
351 | if (idlen <= 0 |
352 | /* Sub-packet for an individual id */ | |
353 | || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes) | |
354 | || i2d_OCSP_RESPID(id, &idbytes) != idlen) { | |
c48ffbcc | 355 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 356 | return EXT_RETURN_FAIL; |
ab83e314 MC |
357 | } |
358 | } | |
359 | if (!WPACKET_close(pkt) | |
360 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
c48ffbcc | 361 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 362 | return EXT_RETURN_FAIL; |
ab83e314 | 363 | } |
aff8c126 | 364 | if (s->ext.ocsp.exts) { |
ab83e314 | 365 | unsigned char *extbytes; |
aff8c126 | 366 | int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); |
ab83e314 MC |
367 | |
368 | if (extlen < 0) { | |
c48ffbcc | 369 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 370 | return EXT_RETURN_FAIL; |
ab83e314 MC |
371 | } |
372 | if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes) | |
aff8c126 | 373 | || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) |
ab83e314 | 374 | != extlen) { |
c48ffbcc | 375 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 376 | return EXT_RETURN_FAIL; |
ab83e314 MC |
377 | } |
378 | } | |
379 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
c48ffbcc | 380 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 381 | return EXT_RETURN_FAIL; |
ab83e314 MC |
382 | } |
383 | ||
b186a592 | 384 | return EXT_RETURN_SENT; |
ab83e314 MC |
385 | } |
386 | #endif | |
387 | ||
388 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
38b051a1 TM |
389 | EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt, |
390 | unsigned int context, | |
f63a17d6 | 391 | X509 *x, size_t chainidx) |
ab83e314 | 392 | { |
38b051a1 TM |
393 | if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL |
394 | || !SSL_IS_FIRST_HANDSHAKE(s)) | |
b186a592 | 395 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
396 | |
397 | /* | |
398 | * The client advertises an empty extension to indicate its support | |
399 | * for Next Protocol Negotiation | |
400 | */ | |
401 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg) | |
402 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
c48ffbcc | 403 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 404 | return EXT_RETURN_FAIL; |
ab83e314 MC |
405 | } |
406 | ||
b186a592 | 407 | return EXT_RETURN_SENT; |
ab83e314 MC |
408 | } |
409 | #endif | |
410 | ||
38b051a1 TM |
411 | EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt, |
412 | unsigned int context, | |
f63a17d6 | 413 | X509 *x, size_t chainidx) |
ab83e314 | 414 | { |
555cbb32 | 415 | s->s3.alpn_sent = 0; |
ab83e314 | 416 | |
c7f47786 | 417 | if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) |
b186a592 | 418 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
419 | |
420 | if (!WPACKET_put_bytes_u16(pkt, | |
421 | TLSEXT_TYPE_application_layer_protocol_negotiation) | |
422 | /* Sub-packet ALPN extension */ | |
423 | || !WPACKET_start_sub_packet_u16(pkt) | |
aff8c126 | 424 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) |
ab83e314 | 425 | || !WPACKET_close(pkt)) { |
c48ffbcc | 426 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 427 | return EXT_RETURN_FAIL; |
ab83e314 | 428 | } |
555cbb32 | 429 | s->s3.alpn_sent = 1; |
ab83e314 | 430 | |
b186a592 | 431 | return EXT_RETURN_SENT; |
ab83e314 MC |
432 | } |
433 | ||
434 | ||
435 | #ifndef OPENSSL_NO_SRTP | |
38b051a1 | 436 | EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 437 | unsigned int context, X509 *x, |
f63a17d6 | 438 | size_t chainidx) |
ab83e314 | 439 | { |
38b051a1 TM |
440 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); |
441 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl); | |
1266eefd | 442 | int i, end; |
ab83e314 MC |
443 | |
444 | if (clnt == NULL) | |
b186a592 | 445 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
446 | |
447 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp) | |
448 | /* Sub-packet for SRTP extension */ | |
449 | || !WPACKET_start_sub_packet_u16(pkt) | |
450 | /* Sub-packet for the protection profile list */ | |
451 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
c48ffbcc | 452 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 453 | return EXT_RETURN_FAIL; |
ab83e314 | 454 | } |
1266eefd MC |
455 | |
456 | end = sk_SRTP_PROTECTION_PROFILE_num(clnt); | |
457 | for (i = 0; i < end; i++) { | |
458 | const SRTP_PROTECTION_PROFILE *prof = | |
459 | sk_SRTP_PROTECTION_PROFILE_value(clnt, i); | |
460 | ||
ab83e314 | 461 | if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { |
c48ffbcc | 462 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 463 | return EXT_RETURN_FAIL; |
ab83e314 MC |
464 | } |
465 | } | |
466 | if (!WPACKET_close(pkt) | |
467 | /* Add an empty use_mki value */ | |
468 | || !WPACKET_put_bytes_u8(pkt, 0) | |
469 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 470 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 471 | return EXT_RETURN_FAIL; |
ab83e314 MC |
472 | } |
473 | ||
b186a592 | 474 | return EXT_RETURN_SENT; |
ab83e314 MC |
475 | } |
476 | #endif | |
477 | ||
38b051a1 TM |
478 | EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt, |
479 | unsigned int context, | |
f63a17d6 | 480 | X509 *x, size_t chainidx) |
ab83e314 MC |
481 | { |
482 | if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) | |
b186a592 | 483 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
484 | |
485 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac) | |
486 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
c48ffbcc | 487 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 488 | return EXT_RETURN_FAIL; |
ab83e314 MC |
489 | } |
490 | ||
b186a592 | 491 | return EXT_RETURN_SENT; |
ab83e314 MC |
492 | } |
493 | ||
494 | #ifndef OPENSSL_NO_CT | |
38b051a1 TM |
495 | EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt, |
496 | unsigned int context, | |
f63a17d6 | 497 | X509 *x, size_t chainidx) |
ab83e314 MC |
498 | { |
499 | if (s->ct_validation_callback == NULL) | |
b186a592 | 500 | return EXT_RETURN_NOT_SENT; |
ab83e314 | 501 | |
e96e0f8e MC |
502 | /* Not defined for client Certificates */ |
503 | if (x != NULL) | |
b186a592 | 504 | return EXT_RETURN_NOT_SENT; |
e96e0f8e | 505 | |
ab83e314 MC |
506 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp) |
507 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
c48ffbcc | 508 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 509 | return EXT_RETURN_FAIL; |
ab83e314 MC |
510 | } |
511 | ||
b186a592 | 512 | return EXT_RETURN_SENT; |
ab83e314 MC |
513 | } |
514 | #endif | |
515 | ||
38b051a1 TM |
516 | EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt, |
517 | unsigned int context, | |
f63a17d6 | 518 | X509 *x, size_t chainidx) |
ab83e314 | 519 | { |
088dfa13 TS |
520 | if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) |
521 | return EXT_RETURN_NOT_SENT; | |
522 | ||
ab83e314 MC |
523 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) |
524 | || !WPACKET_put_bytes_u16(pkt, 0)) { | |
c48ffbcc | 525 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 526 | return EXT_RETURN_FAIL; |
ab83e314 MC |
527 | } |
528 | ||
b186a592 | 529 | return EXT_RETURN_SENT; |
ab83e314 MC |
530 | } |
531 | ||
38b051a1 | 532 | EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 533 | unsigned int context, X509 *x, |
f63a17d6 | 534 | size_t chainidx) |
ab83e314 MC |
535 | { |
536 | int currv, min_version, max_version, reason; | |
537 | ||
b5b993b2 | 538 | reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); |
88050dd1 | 539 | if (reason != 0) { |
c48ffbcc | 540 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); |
88050dd1 MC |
541 | return EXT_RETURN_FAIL; |
542 | } | |
543 | ||
544 | /* | |
545 | * Don't include this if we can't negotiate TLSv1.3. We can do a straight | |
546 | * comparison here because we will never be called in DTLS. | |
547 | */ | |
548 | if (max_version < TLS1_3_VERSION) | |
549 | return EXT_RETURN_NOT_SENT; | |
550 | ||
ab83e314 MC |
551 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) |
552 | || !WPACKET_start_sub_packet_u16(pkt) | |
553 | || !WPACKET_start_sub_packet_u8(pkt)) { | |
c48ffbcc | 554 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 555 | return EXT_RETURN_FAIL; |
ab83e314 MC |
556 | } |
557 | ||
ab83e314 | 558 | for (currv = max_version; currv >= min_version; currv--) { |
35e742ec | 559 | if (!WPACKET_put_bytes_u16(pkt, currv)) { |
c48ffbcc | 560 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 561 | return EXT_RETURN_FAIL; |
ab83e314 MC |
562 | } |
563 | } | |
564 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { | |
c48ffbcc | 565 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 566 | return EXT_RETURN_FAIL; |
ab83e314 MC |
567 | } |
568 | ||
b186a592 | 569 | return EXT_RETURN_SENT; |
ab83e314 MC |
570 | } |
571 | ||
b2f7e8c0 | 572 | /* |
e3c0d76b | 573 | * Construct a psk_kex_modes extension. |
b2f7e8c0 | 574 | */ |
38b051a1 | 575 | EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 576 | unsigned int context, X509 *x, |
f63a17d6 | 577 | size_t chainidx) |
b2f7e8c0 MC |
578 | { |
579 | #ifndef OPENSSL_NO_TLS1_3 | |
e3c0d76b MC |
580 | int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; |
581 | ||
b2f7e8c0 MC |
582 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) |
583 | || !WPACKET_start_sub_packet_u16(pkt) | |
584 | || !WPACKET_start_sub_packet_u8(pkt) | |
585 | || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE) | |
e3c0d76b | 586 | || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE)) |
b2f7e8c0 MC |
587 | || !WPACKET_close(pkt) |
588 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 589 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 590 | return EXT_RETURN_FAIL; |
b2f7e8c0 | 591 | } |
b3ad72ce | 592 | |
e3c0d76b MC |
593 | s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; |
594 | if (nodhe) | |
595 | s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; | |
b2f7e8c0 MC |
596 | #endif |
597 | ||
b186a592 | 598 | return EXT_RETURN_SENT; |
b2f7e8c0 MC |
599 | } |
600 | ||
3847d426 | 601 | #ifndef OPENSSL_NO_TLS1_3 |
38b051a1 | 602 | static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id) |
3847d426 | 603 | { |
7b1ec1cf MC |
604 | unsigned char *encoded_point = NULL; |
605 | EVP_PKEY *key_share_key = NULL; | |
3847d426 MC |
606 | size_t encodedlen; |
607 | ||
555cbb32 | 608 | if (s->s3.tmp.pkey != NULL) { |
fc7129dc | 609 | if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) { |
c48ffbcc | 610 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
d8028b20 | 611 | return 0; |
7b1ec1cf MC |
612 | } |
613 | /* | |
614 | * Could happen if we got an HRR that wasn't requesting a new key_share | |
615 | */ | |
555cbb32 | 616 | key_share_key = s->s3.tmp.pkey; |
7b1ec1cf | 617 | } else { |
f63a17d6 | 618 | key_share_key = ssl_generate_pkey_group(s, curve_id); |
7b1ec1cf | 619 | if (key_share_key == NULL) { |
f63a17d6 | 620 | /* SSLfatal() already called */ |
d8028b20 | 621 | return 0; |
7b1ec1cf | 622 | } |
3847d426 MC |
623 | } |
624 | ||
625 | /* Encode the public key. */ | |
5ac8fb58 MC |
626 | encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key, |
627 | &encoded_point); | |
3847d426 | 628 | if (encodedlen == 0) { |
c48ffbcc | 629 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); |
7b1ec1cf | 630 | goto err; |
3847d426 MC |
631 | } |
632 | ||
633 | /* Create KeyShareEntry */ | |
16f0e91c | 634 | if (!WPACKET_put_bytes_u16(pkt, curve_id) |
2248dbeb | 635 | || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) { |
c48ffbcc | 636 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
7b1ec1cf | 637 | goto err; |
3847d426 MC |
638 | } |
639 | ||
640 | /* | |
407820c0 | 641 | * When changing to send more than one key_share we're |
3847d426 MC |
642 | * going to need to be able to save more than one EVP_PKEY. For now |
643 | * we reuse the existing tmp.pkey | |
644 | */ | |
555cbb32 TS |
645 | s->s3.tmp.pkey = key_share_key; |
646 | s->s3.group_id = curve_id; | |
2248dbeb | 647 | OPENSSL_free(encoded_point); |
3847d426 | 648 | |
d8028b20 | 649 | return 1; |
7b1ec1cf | 650 | err: |
555cbb32 | 651 | if (s->s3.tmp.pkey == NULL) |
7b1ec1cf MC |
652 | EVP_PKEY_free(key_share_key); |
653 | OPENSSL_free(encoded_point); | |
d8028b20 | 654 | return 0; |
3847d426 MC |
655 | } |
656 | #endif | |
657 | ||
38b051a1 | 658 | EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 659 | unsigned int context, X509 *x, |
f63a17d6 | 660 | size_t chainidx) |
ab83e314 | 661 | { |
3cf96e88 | 662 | #ifndef OPENSSL_NO_TLS1_3 |
f48d826e DSH |
663 | size_t i, num_groups = 0; |
664 | const uint16_t *pgroups = NULL; | |
9e84a42d | 665 | uint16_t curve_id = 0; |
ab83e314 MC |
666 | |
667 | /* key_share extension */ | |
668 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) | |
669 | /* Extension data sub-packet */ | |
670 | || !WPACKET_start_sub_packet_u16(pkt) | |
671 | /* KeyShare list sub-packet */ | |
672 | || !WPACKET_start_sub_packet_u16(pkt)) { | |
c48ffbcc | 673 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 674 | return EXT_RETURN_FAIL; |
ab83e314 MC |
675 | } |
676 | ||
f48d826e | 677 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
ab83e314 MC |
678 | |
679 | /* | |
407820c0 P |
680 | * Make the number of key_shares sent configurable. For |
681 | * now, we just send one | |
ab83e314 | 682 | */ |
555cbb32 TS |
683 | if (s->s3.group_id != 0) { |
684 | curve_id = s->s3.group_id; | |
3847d426 | 685 | } else { |
f48d826e | 686 | for (i = 0; i < num_groups; i++) { |
dbc6268f | 687 | if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) |
3847d426 | 688 | continue; |
ab83e314 | 689 | |
247b8e52 MC |
690 | if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, |
691 | 0, NULL)) | |
692 | continue; | |
693 | ||
f48d826e | 694 | curve_id = pgroups[i]; |
3847d426 | 695 | break; |
ab83e314 | 696 | } |
3847d426 | 697 | } |
ab83e314 | 698 | |
3847d426 | 699 | if (curve_id == 0) { |
c48ffbcc | 700 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); |
b186a592 | 701 | return EXT_RETURN_FAIL; |
ab83e314 MC |
702 | } |
703 | ||
f63a17d6 MC |
704 | if (!add_key_share(s, pkt, curve_id)) { |
705 | /* SSLfatal() already called */ | |
b186a592 | 706 | return EXT_RETURN_FAIL; |
f63a17d6 | 707 | } |
3847d426 | 708 | |
ab83e314 | 709 | if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { |
c48ffbcc | 710 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 711 | return EXT_RETURN_FAIL; |
ab83e314 | 712 | } |
b186a592 | 713 | return EXT_RETURN_SENT; |
aa2ed504 TS |
714 | #else |
715 | return EXT_RETURN_NOT_SENT; | |
716 | #endif | |
ab83e314 MC |
717 | } |
718 | ||
38b051a1 TM |
719 | EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt, |
720 | unsigned int context, | |
f63a17d6 | 721 | X509 *x, size_t chainidx) |
cfef5027 | 722 | { |
b186a592 | 723 | EXT_RETURN ret = EXT_RETURN_FAIL; |
cfef5027 MC |
724 | |
725 | /* Should only be set if we've had an HRR */ | |
726 | if (s->ext.tls13_cookie_len == 0) | |
b186a592 | 727 | return EXT_RETURN_NOT_SENT; |
cfef5027 MC |
728 | |
729 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie) | |
730 | /* Extension data sub-packet */ | |
731 | || !WPACKET_start_sub_packet_u16(pkt) | |
732 | || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, | |
733 | s->ext.tls13_cookie_len) | |
734 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 735 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
cfef5027 MC |
736 | goto end; |
737 | } | |
738 | ||
b186a592 | 739 | ret = EXT_RETURN_SENT; |
cfef5027 MC |
740 | end: |
741 | OPENSSL_free(s->ext.tls13_cookie); | |
febb0afa | 742 | s->ext.tls13_cookie = NULL; |
cfef5027 MC |
743 | s->ext.tls13_cookie_len = 0; |
744 | ||
745 | return ret; | |
746 | } | |
747 | ||
38b051a1 | 748 | EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 749 | unsigned int context, X509 *x, |
f63a17d6 | 750 | size_t chainidx) |
38df5a45 | 751 | { |
696de86f PW |
752 | #ifndef OPENSSL_NO_PSK |
753 | char identity[PSK_MAX_IDENTITY_LEN + 1]; | |
754 | #endif /* OPENSSL_NO_PSK */ | |
ccb76685 | 755 | const unsigned char *id = NULL; |
fff202e5 | 756 | size_t idlen = 0; |
add8d0e9 | 757 | SSL_SESSION *psksess = NULL; |
ffc5bbaa | 758 | SSL_SESSION *edsess = NULL; |
add8d0e9 | 759 | const EVP_MD *handmd = NULL; |
38b051a1 | 760 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); |
add8d0e9 | 761 | |
fc7129dc | 762 | if (s->hello_retry_request == SSL_HRR_PENDING) |
add8d0e9 MC |
763 | handmd = ssl_handshake_md(s); |
764 | ||
765 | if (s->psk_use_session_cb != NULL | |
38b051a1 | 766 | && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess) |
ffc5bbaa MC |
767 | || (psksess != NULL |
768 | && psksess->ssl_version != TLS1_3_VERSION))) { | |
769 | SSL_SESSION_free(psksess); | |
c48ffbcc | 770 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); |
add8d0e9 MC |
771 | return EXT_RETURN_FAIL; |
772 | } | |
773 | ||
c2b290c3 | 774 | #ifndef OPENSSL_NO_PSK |
f3d40db1 MC |
775 | if (psksess == NULL && s->psk_client_callback != NULL) { |
776 | unsigned char psk[PSK_MAX_PSK_LEN]; | |
777 | size_t psklen = 0; | |
778 | ||
779 | memset(identity, 0, sizeof(identity)); | |
38b051a1 TM |
780 | psklen = s->psk_client_callback(ssl, NULL, |
781 | identity, sizeof(identity) - 1, | |
f3d40db1 MC |
782 | psk, sizeof(psk)); |
783 | ||
784 | if (psklen > PSK_MAX_PSK_LEN) { | |
c48ffbcc | 785 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); |
f3d40db1 MC |
786 | return EXT_RETURN_FAIL; |
787 | } else if (psklen > 0) { | |
788 | const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; | |
789 | const SSL_CIPHER *cipher; | |
790 | ||
791 | idlen = strlen(identity); | |
792 | if (idlen > PSK_MAX_IDENTITY_LEN) { | |
c48ffbcc | 793 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
f3d40db1 MC |
794 | return EXT_RETURN_FAIL; |
795 | } | |
796 | id = (unsigned char *)identity; | |
797 | ||
798 | /* | |
799 | * We found a PSK using an old style callback. We don't know | |
800 | * the digest so we default to SHA256 as per the TLSv1.3 spec | |
801 | */ | |
38b051a1 | 802 | cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id); |
f3d40db1 | 803 | if (cipher == NULL) { |
c48ffbcc | 804 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
f3d40db1 MC |
805 | return EXT_RETURN_FAIL; |
806 | } | |
807 | ||
808 | psksess = SSL_SESSION_new(); | |
809 | if (psksess == NULL | |
810 | || !SSL_SESSION_set1_master_key(psksess, psk, psklen) | |
811 | || !SSL_SESSION_set_cipher(psksess, cipher) | |
812 | || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { | |
c48ffbcc | 813 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
f3d40db1 MC |
814 | OPENSSL_cleanse(psk, psklen); |
815 | return EXT_RETURN_FAIL; | |
816 | } | |
817 | OPENSSL_cleanse(psk, psklen); | |
818 | } | |
819 | } | |
c2b290c3 | 820 | #endif /* OPENSSL_NO_PSK */ |
f3d40db1 | 821 | |
add8d0e9 MC |
822 | SSL_SESSION_free(s->psksession); |
823 | s->psksession = psksess; | |
824 | if (psksess != NULL) { | |
825 | OPENSSL_free(s->psksession_id); | |
826 | s->psksession_id = OPENSSL_memdup(id, idlen); | |
827 | if (s->psksession_id == NULL) { | |
39a14059 | 828 | s->psksession_id_len = 0; |
c48ffbcc | 829 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
add8d0e9 MC |
830 | return EXT_RETURN_FAIL; |
831 | } | |
832 | s->psksession_id_len = idlen; | |
833 | } | |
834 | ||
38df5a45 | 835 | if (s->early_data_state != SSL_EARLY_DATA_CONNECTING |
add8d0e9 MC |
836 | || (s->session->ext.max_early_data == 0 |
837 | && (psksess == NULL || psksess->ext.max_early_data == 0))) { | |
38df5a45 | 838 | s->max_early_data = 0; |
b186a592 | 839 | return EXT_RETURN_NOT_SENT; |
38df5a45 | 840 | } |
ffc5bbaa MC |
841 | edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; |
842 | s->max_early_data = edsess->ext.max_early_data; | |
843 | ||
bfab12bb MC |
844 | if (edsess->ext.hostname != NULL) { |
845 | if (s->ext.hostname == NULL | |
846 | || (s->ext.hostname != NULL | |
847 | && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { | |
f63a17d6 | 848 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
f63a17d6 | 849 | SSL_R_INCONSISTENT_EARLY_DATA_SNI); |
bfab12bb MC |
850 | return EXT_RETURN_FAIL; |
851 | } | |
ffc5bbaa MC |
852 | } |
853 | ||
854 | if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { | |
c48ffbcc | 855 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); |
ffc5bbaa MC |
856 | return EXT_RETURN_FAIL; |
857 | } | |
858 | ||
859 | /* | |
860 | * Verify that we are offering an ALPN protocol consistent with the early | |
861 | * data. | |
862 | */ | |
863 | if (edsess->ext.alpn_selected != NULL) { | |
864 | PACKET prots, alpnpkt; | |
865 | int found = 0; | |
866 | ||
867 | if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { | |
c48ffbcc | 868 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
ffc5bbaa MC |
869 | return EXT_RETURN_FAIL; |
870 | } | |
871 | while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) { | |
872 | if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, | |
873 | edsess->ext.alpn_selected_len)) { | |
874 | found = 1; | |
875 | break; | |
876 | } | |
877 | } | |
878 | if (!found) { | |
f63a17d6 | 879 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
f63a17d6 | 880 | SSL_R_INCONSISTENT_EARLY_DATA_ALPN); |
ffc5bbaa MC |
881 | return EXT_RETURN_FAIL; |
882 | } | |
883 | } | |
38df5a45 MC |
884 | |
885 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data) | |
886 | || !WPACKET_start_sub_packet_u16(pkt) | |
887 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 888 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 889 | return EXT_RETURN_FAIL; |
38df5a45 MC |
890 | } |
891 | ||
892 | /* | |
893 | * We set this to rejected here. Later, if the server acknowledges the | |
894 | * extension, we set it to accepted. | |
895 | */ | |
896 | s->ext.early_data = SSL_EARLY_DATA_REJECTED; | |
4be3a7c7 | 897 | s->ext.early_data_ok = 1; |
38df5a45 | 898 | |
b186a592 | 899 | return EXT_RETURN_SENT; |
38df5a45 MC |
900 | } |
901 | ||
1266eefd MC |
902 | #define F5_WORKAROUND_MIN_MSG_LEN 0xff |
903 | #define F5_WORKAROUND_MAX_MSG_LEN 0x200 | |
904 | ||
d702ad12 MC |
905 | /* |
906 | * PSK pre binder overhead = | |
907 | * 2 bytes for TLSEXT_TYPE_psk | |
908 | * 2 bytes for extension length | |
909 | * 2 bytes for identities list length | |
910 | * 2 bytes for identity length | |
911 | * 4 bytes for obfuscated_ticket_age | |
912 | * 2 bytes for binder list length | |
913 | * 1 byte for binder length | |
914 | * The above excludes the number of bytes for the identity itself and the | |
915 | * subsequent binder bytes | |
916 | */ | |
917 | #define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1) | |
918 | ||
38b051a1 | 919 | EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, |
b186a592 | 920 | unsigned int context, X509 *x, |
f63a17d6 | 921 | size_t chainidx) |
ab83e314 MC |
922 | { |
923 | unsigned char *padbytes; | |
924 | size_t hlen; | |
925 | ||
926 | if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) | |
b186a592 | 927 | return EXT_RETURN_NOT_SENT; |
ab83e314 MC |
928 | |
929 | /* | |
d702ad12 MC |
930 | * Add padding to workaround bugs in F5 terminators. See RFC7685. |
931 | * This code calculates the length of all extensions added so far but | |
932 | * excludes the PSK extension (because that MUST be written last). Therefore | |
933 | * this extension MUST always appear second to last. | |
ab83e314 MC |
934 | */ |
935 | if (!WPACKET_get_total_written(pkt, &hlen)) { | |
c48ffbcc | 936 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b186a592 | 937 | return EXT_RETURN_FAIL; |
ab83e314 MC |
938 | } |
939 | ||
d702ad12 MC |
940 | /* |
941 | * If we're going to send a PSK then that will be written out after this | |
942 | * extension, so we need to calculate how long it is going to be. | |
943 | */ | |
944 | if (s->session->ssl_version == TLS1_3_VERSION | |
945 | && s->session->ext.ticklen != 0 | |
946 | && s->session->cipher != NULL) { | |
38b051a1 TM |
947 | const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), |
948 | s->session->cipher->algorithm2); | |
d702ad12 MC |
949 | |
950 | if (md != NULL) { | |
951 | /* | |
952 | * Add the fixed PSK overhead, the identity length and the binder | |
953 | * length. | |
954 | */ | |
955 | hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen | |
ed576acd | 956 | + EVP_MD_get_size(md); |
d702ad12 MC |
957 | } |
958 | } | |
959 | ||
1266eefd | 960 | if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) { |
1ee4b98e | 961 | /* Calculate the amount of padding we need to add */ |
1266eefd MC |
962 | hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; |
963 | ||
964 | /* | |
965 | * Take off the size of extension header itself (2 bytes for type and | |
10ed1b72 TS |
966 | * 2 bytes for length bytes), but ensure that the extension is at least |
967 | * 1 byte long so as not to have an empty extension last (WebSphere 7.x, | |
968 | * 8.x are intolerant of that condition) | |
1266eefd | 969 | */ |
3d85c7f4 | 970 | if (hlen > 4) |
ab83e314 MC |
971 | hlen -= 4; |
972 | else | |
10ed1b72 | 973 | hlen = 1; |
ab83e314 MC |
974 | |
975 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding) | |
976 | || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) { | |
c48ffbcc | 977 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
eb5fd03b | 978 | return EXT_RETURN_FAIL; |
ab83e314 MC |
979 | } |
980 | memset(padbytes, 0, hlen); | |
981 | } | |
982 | ||
b186a592 | 983 | return EXT_RETURN_SENT; |
ab83e314 MC |
984 | } |
985 | ||
ec15acb6 MC |
986 | /* |
987 | * Construct the pre_shared_key extension | |
988 | */ | |
38b051a1 TM |
989 | EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, |
990 | unsigned int context, | |
f63a17d6 | 991 | X509 *x, size_t chainidx) |
ec15acb6 MC |
992 | { |
993 | #ifndef OPENSSL_NO_TLS1_3 | |
e8a557dc | 994 | uint32_t agesec, agems = 0; |
add8d0e9 | 995 | size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen; |
9368f865 | 996 | unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL; |
15b1688a | 997 | const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; |
9368f865 | 998 | int dores = 0; |
38b051a1 | 999 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
f0131dc0 | 1000 | OSSL_TIME t; |
ec15acb6 | 1001 | |
c96ce52c | 1002 | s->ext.tick_identity = 0; |
ec15acb6 | 1003 | |
d702ad12 MC |
1004 | /* |
1005 | * Note: At this stage of the code we only support adding a single | |
1006 | * resumption PSK. If we add support for multiple PSKs then the length | |
1007 | * calculations in the padding extension will need to be adjusted. | |
1008 | */ | |
1009 | ||
ec15acb6 | 1010 | /* |
08191294 MC |
1011 | * If this is an incompatible or new session then we have nothing to resume |
1012 | * so don't add this extension. | |
ec15acb6 | 1013 | */ |
08191294 | 1014 | if (s->session->ssl_version != TLS1_3_VERSION |
add8d0e9 | 1015 | || (s->session->ext.ticklen == 0 && s->psksession == NULL)) |
b186a592 | 1016 | return EXT_RETURN_NOT_SENT; |
ec15acb6 | 1017 | |
fc7129dc | 1018 | if (s->hello_retry_request == SSL_HRR_PENDING) |
9368f865 MC |
1019 | handmd = ssl_handshake_md(s); |
1020 | ||
9368f865 | 1021 | if (s->session->ext.ticklen != 0) { |
72257204 | 1022 | /* Get the digest associated with the ciphersuite in the session */ |
9368f865 | 1023 | if (s->session->cipher == NULL) { |
c48ffbcc | 1024 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
635c8f77 | 1025 | return EXT_RETURN_FAIL; |
9368f865 | 1026 | } |
38b051a1 | 1027 | mdres = ssl_md(sctx, s->session->cipher->algorithm2); |
9368f865 | 1028 | if (mdres == NULL) { |
72257204 MC |
1029 | /* |
1030 | * Don't recognize this cipher so we can't use the session. | |
1031 | * Ignore it | |
1032 | */ | |
9368f865 MC |
1033 | goto dopsksess; |
1034 | } | |
1035 | ||
fc7129dc | 1036 | if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { |
9368f865 | 1037 | /* |
72257204 MC |
1038 | * Selected ciphersuite hash does not match the hash for the session |
1039 | * so we can't use it. | |
9368f865 MC |
1040 | */ |
1041 | goto dopsksess; | |
1042 | } | |
1f5b44e9 | 1043 | |
cf3e221b | 1044 | /* |
9368f865 | 1045 | * Technically the C standard just says time() returns a time_t and says |
72257204 MC |
1046 | * nothing about the encoding of that type. In practice most |
1047 | * implementations follow POSIX which holds it as an integral type in | |
1048 | * seconds since epoch. We've already made the assumption that we can do | |
1049 | * this in multiple places in the code, so portability shouldn't be an | |
1050 | * issue. | |
cf3e221b | 1051 | */ |
f0131dc0 P |
1052 | t = ossl_time_subtract(ossl_time_now(), s->session->time); |
1053 | agesec = (uint32_t)ossl_time2seconds(t); | |
7e70213f MC |
1054 | /* |
1055 | * We calculate the age in seconds but the server may work in ms. Due to | |
1056 | * rounding errors we could overestimate the age by up to 1s. It is | |
1057 | * better to underestimate it. Otherwise, if the RTT is very short, when | |
1058 | * the server calculates the age reported by the client it could be | |
1059 | * bigger than the age calculated on the server - which should never | |
1060 | * happen. | |
1061 | */ | |
1062 | if (agesec > 0) | |
1063 | agesec--; | |
cf3e221b | 1064 | |
9368f865 MC |
1065 | if (s->session->ext.tick_lifetime_hint < agesec) { |
1066 | /* Ticket is too old. Ignore it. */ | |
1067 | goto dopsksess; | |
1068 | } | |
ec15acb6 | 1069 | |
9368f865 MC |
1070 | /* |
1071 | * Calculate age in ms. We're just doing it to nearest second. Should be | |
1072 | * good enough. | |
1073 | */ | |
1074 | agems = agesec * (uint32_t)1000; | |
fc24f0bf | 1075 | |
9368f865 MC |
1076 | if (agesec != 0 && agems / (uint32_t)1000 != agesec) { |
1077 | /* | |
72257204 MC |
1078 | * Overflow. Shouldn't happen unless this is a *really* old session. |
1079 | * If so we just ignore it. | |
9368f865 MC |
1080 | */ |
1081 | goto dopsksess; | |
1082 | } | |
ec15acb6 | 1083 | |
ec15acb6 | 1084 | /* |
72257204 MC |
1085 | * Obfuscate the age. Overflow here is fine, this addition is supposed |
1086 | * to be mod 2^32. | |
ec15acb6 | 1087 | */ |
9368f865 MC |
1088 | agems += s->session->ext.tick_age_add; |
1089 | ||
ed576acd | 1090 | reshashsize = EVP_MD_get_size(mdres); |
c96ce52c | 1091 | s->ext.tick_identity++; |
9368f865 | 1092 | dores = 1; |
ec15acb6 MC |
1093 | } |
1094 | ||
9368f865 | 1095 | dopsksess: |
add8d0e9 | 1096 | if (!dores && s->psksession == NULL) |
9368f865 | 1097 | return EXT_RETURN_NOT_SENT; |
ec15acb6 | 1098 | |
add8d0e9 | 1099 | if (s->psksession != NULL) { |
38b051a1 | 1100 | mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2); |
9368f865 MC |
1101 | if (mdpsk == NULL) { |
1102 | /* | |
1103 | * Don't recognize this cipher so we can't use the session. | |
1104 | * If this happens it's an application bug. | |
1105 | */ | |
c48ffbcc | 1106 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); |
635c8f77 | 1107 | return EXT_RETURN_FAIL; |
9368f865 MC |
1108 | } |
1109 | ||
fc7129dc | 1110 | if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { |
9368f865 MC |
1111 | /* |
1112 | * Selected ciphersuite hash does not match the hash for the PSK | |
1113 | * session. This is an application bug. | |
1114 | */ | |
c48ffbcc | 1115 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); |
635c8f77 | 1116 | return EXT_RETURN_FAIL; |
9368f865 MC |
1117 | } |
1118 | ||
ed576acd | 1119 | pskhashsize = EVP_MD_get_size(mdpsk); |
9368f865 | 1120 | } |
ec15acb6 MC |
1121 | |
1122 | /* Create the extension, but skip over the binder for now */ | |
1123 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk) | |
1124 | || !WPACKET_start_sub_packet_u16(pkt) | |
9368f865 | 1125 | || !WPACKET_start_sub_packet_u16(pkt)) { |
c48ffbcc | 1126 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
635c8f77 | 1127 | return EXT_RETURN_FAIL; |
9368f865 MC |
1128 | } |
1129 | ||
1130 | if (dores) { | |
1131 | if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, | |
1132 | s->session->ext.ticklen) | |
1133 | || !WPACKET_put_bytes_u32(pkt, agems)) { | |
c48ffbcc | 1134 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
635c8f77 | 1135 | return EXT_RETURN_FAIL; |
9368f865 MC |
1136 | } |
1137 | } | |
1138 | ||
add8d0e9 MC |
1139 | if (s->psksession != NULL) { |
1140 | if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, | |
1141 | s->psksession_id_len) | |
9368f865 | 1142 | || !WPACKET_put_bytes_u32(pkt, 0)) { |
c48ffbcc | 1143 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
635c8f77 | 1144 | return EXT_RETURN_FAIL; |
9368f865 | 1145 | } |
c96ce52c | 1146 | s->ext.tick_identity++; |
9368f865 MC |
1147 | } |
1148 | ||
1149 | if (!WPACKET_close(pkt) | |
ec15acb6 MC |
1150 | || !WPACKET_get_total_written(pkt, &binderoffset) |
1151 | || !WPACKET_start_sub_packet_u16(pkt) | |
9368f865 MC |
1152 | || (dores |
1153 | && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder)) | |
add8d0e9 | 1154 | || (s->psksession != NULL |
9368f865 | 1155 | && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder)) |
ec15acb6 MC |
1156 | || !WPACKET_close(pkt) |
1157 | || !WPACKET_close(pkt) | |
1158 | || !WPACKET_get_total_written(pkt, &msglen) | |
1159 | /* | |
1160 | * We need to fill in all the sub-packet lengths now so we can | |
1161 | * calculate the HMAC of the message up to the binders | |
1162 | */ | |
1163 | || !WPACKET_fill_lengths(pkt)) { | |
c48ffbcc | 1164 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
635c8f77 | 1165 | return EXT_RETURN_FAIL; |
ec15acb6 MC |
1166 | } |
1167 | ||
1168 | msgstart = WPACKET_get_curr(pkt) - msglen; | |
1169 | ||
72257204 MC |
1170 | if (dores |
1171 | && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, | |
1172 | resbinder, s->session, 1, 0) != 1) { | |
635c8f77 MC |
1173 | /* SSLfatal() already called */ |
1174 | return EXT_RETURN_FAIL; | |
ec15acb6 MC |
1175 | } |
1176 | ||
add8d0e9 | 1177 | if (s->psksession != NULL |
72257204 | 1178 | && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, |
add8d0e9 | 1179 | pskbinder, s->psksession, 1, 1) != 1) { |
635c8f77 MC |
1180 | /* SSLfatal() already called */ |
1181 | return EXT_RETURN_FAIL; | |
9368f865 MC |
1182 | } |
1183 | ||
635c8f77 | 1184 | return EXT_RETURN_SENT; |
ec15acb6 | 1185 | #else |
89bc9cf6 | 1186 | return EXT_RETURN_NOT_SENT; |
ec15acb6 MC |
1187 | #endif |
1188 | } | |
1189 | ||
38b051a1 | 1190 | EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt, |
a7e6a3d8 P |
1191 | ossl_unused unsigned int context, |
1192 | ossl_unused X509 *x, | |
1193 | ossl_unused size_t chainidx) | |
9d75dce3 TS |
1194 | { |
1195 | #ifndef OPENSSL_NO_TLS1_3 | |
32097b33 MC |
1196 | if (!s->pha_enabled) |
1197 | return EXT_RETURN_NOT_SENT; | |
9d75dce3 TS |
1198 | |
1199 | /* construct extension - 0 length, no contents */ | |
1200 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) | |
1201 | || !WPACKET_start_sub_packet_u16(pkt) | |
1202 | || !WPACKET_close(pkt)) { | |
c48ffbcc | 1203 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
9d75dce3 TS |
1204 | return EXT_RETURN_FAIL; |
1205 | } | |
1206 | ||
1207 | s->post_handshake_auth = SSL_PHA_EXT_SENT; | |
1208 | ||
1209 | return EXT_RETURN_SENT; | |
1210 | #else | |
1211 | return EXT_RETURN_NOT_SENT; | |
1212 | #endif | |
1213 | } | |
1214 | ||
1215 | ||
6dd083fd MC |
1216 | /* |
1217 | * Parse the server's renegotiation binding and abort if it's not right | |
1218 | */ | |
38b051a1 TM |
1219 | int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt, |
1220 | unsigned int context, | |
f63a17d6 | 1221 | X509 *x, size_t chainidx) |
6dd083fd | 1222 | { |
555cbb32 TS |
1223 | size_t expected_len = s->s3.previous_client_finished_len |
1224 | + s->s3.previous_server_finished_len; | |
6dd083fd MC |
1225 | size_t ilen; |
1226 | const unsigned char *data; | |
1227 | ||
1228 | /* Check for logic errors */ | |
b77f3ed1 | 1229 | if (!ossl_assert(expected_len == 0 |
555cbb32 | 1230 | || s->s3.previous_client_finished_len != 0) |
b77f3ed1 | 1231 | || !ossl_assert(expected_len == 0 |
555cbb32 | 1232 | || s->s3.previous_server_finished_len != 0)) { |
c48ffbcc | 1233 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
b77f3ed1 MC |
1234 | return 0; |
1235 | } | |
6dd083fd MC |
1236 | |
1237 | /* Parse the length byte */ | |
1238 | if (!PACKET_get_1_len(pkt, &ilen)) { | |
c48ffbcc | 1239 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); |
6dd083fd MC |
1240 | return 0; |
1241 | } | |
1242 | ||
1243 | /* Consistency check */ | |
1244 | if (PACKET_remaining(pkt) != ilen) { | |
c48ffbcc | 1245 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); |
6dd083fd MC |
1246 | return 0; |
1247 | } | |
1248 | ||
1249 | /* Check that the extension matches */ | |
1250 | if (ilen != expected_len) { | |
c48ffbcc | 1251 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); |
6dd083fd MC |
1252 | return 0; |
1253 | } | |
1254 | ||
555cbb32 TS |
1255 | if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) |
1256 | || memcmp(data, s->s3.previous_client_finished, | |
1257 | s->s3.previous_client_finished_len) != 0) { | |
c48ffbcc | 1258 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); |
6dd083fd MC |
1259 | return 0; |
1260 | } | |
1261 | ||
555cbb32 TS |
1262 | if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) |
1263 | || memcmp(data, s->s3.previous_server_finished, | |
1264 | s->s3.previous_server_finished_len) != 0) { | |
c48ffbcc | 1265 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); |
6dd083fd MC |
1266 | return 0; |
1267 | } | |
555cbb32 | 1268 | s->s3.send_connection_binding = 1; |
6dd083fd MC |
1269 | |
1270 | return 1; | |
1271 | } | |
1272 | ||
cf72c757 | 1273 | /* Parse the server's max fragment len extension packet */ |
38b051a1 TM |
1274 | int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt, |
1275 | unsigned int context, | |
f63a17d6 | 1276 | X509 *x, size_t chainidx) |
cf72c757 F |
1277 | { |
1278 | unsigned int value; | |
1279 | ||
1280 | if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) { | |
c48ffbcc | 1281 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
cf72c757 F |
1282 | return 0; |
1283 | } | |
1284 | ||
1285 | /* |value| should contains a valid max-fragment-length code. */ | |
1286 | if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) { | |
f63a17d6 | 1287 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
f63a17d6 | 1288 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); |
cf72c757 F |
1289 | return 0; |
1290 | } | |
1291 | ||
1292 | /* Must be the same value as client-configured one who was sent to server */ | |
1293 | /*- | |
1294 | * RFC 6066: if a client receives a maximum fragment length negotiation | |
1295 | * response that differs from the length it requested, ... | |
1296 | * It must abort with SSL_AD_ILLEGAL_PARAMETER alert | |
1297 | */ | |
1298 | if (value != s->ext.max_fragment_len_mode) { | |
f63a17d6 | 1299 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
f63a17d6 | 1300 | SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH); |
cf72c757 F |
1301 | return 0; |
1302 | } | |
1303 | ||
1304 | /* | |
1305 | * Maximum Fragment Length Negotiation succeeded. | |
1306 | * The negotiated Maximum Fragment Length is binding now. | |
1307 | */ | |
1308 | s->session->ext.max_fragment_len_mode = value; | |
1309 | ||
1310 | return 1; | |
1311 | } | |
1312 | ||
38b051a1 TM |
1313 | int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt, |
1314 | unsigned int context, | |
f63a17d6 | 1315 | X509 *x, size_t chainidx) |
6dd083fd | 1316 | { |
fb34a0f4 | 1317 | if (s->ext.hostname == NULL) { |
c48ffbcc | 1318 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
fb34a0f4 MC |
1319 | return 0; |
1320 | } | |
1321 | ||
1322 | if (PACKET_remaining(pkt) > 0) { | |
c48ffbcc | 1323 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1324 | return 0; |
1325 | } | |
1326 | ||
1327 | if (!s->hit) { | |
aff8c126 | 1328 | if (s->session->ext.hostname != NULL) { |
c48ffbcc | 1329 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1330 | return 0; |
1331 | } | |
aff8c126 RS |
1332 | s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); |
1333 | if (s->session->ext.hostname == NULL) { | |
c48ffbcc | 1334 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1335 | return 0; |
1336 | } | |
1337 | } | |
1338 | ||
1339 | return 1; | |
1340 | } | |
1341 | ||
38b051a1 TM |
1342 | int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt, |
1343 | unsigned int context, | |
f63a17d6 | 1344 | X509 *x, size_t chainidx) |
6dd083fd | 1345 | { |
848a950b | 1346 | size_t ecpointformats_len; |
6dd083fd MC |
1347 | PACKET ecptformatlist; |
1348 | ||
1349 | if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) { | |
c48ffbcc | 1350 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1351 | return 0; |
1352 | } | |
1353 | if (!s->hit) { | |
aff8c126 | 1354 | ecpointformats_len = PACKET_remaining(&ecptformatlist); |
848a950b | 1355 | if (ecpointformats_len == 0) { |
c48ffbcc | 1356 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); |
848a950b MC |
1357 | return 0; |
1358 | } | |
6dd083fd | 1359 | |
cd0fb43c MC |
1360 | s->ext.peer_ecpointformats_len = 0; |
1361 | OPENSSL_free(s->ext.peer_ecpointformats); | |
1362 | s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); | |
1363 | if (s->ext.peer_ecpointformats == NULL) { | |
39a14059 | 1364 | s->ext.peer_ecpointformats_len = 0; |
c48ffbcc | 1365 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1366 | return 0; |
1367 | } | |
1368 | ||
cd0fb43c | 1369 | s->ext.peer_ecpointformats_len = ecpointformats_len; |
6dd083fd MC |
1370 | |
1371 | if (!PACKET_copy_bytes(&ecptformatlist, | |
cd0fb43c | 1372 | s->ext.peer_ecpointformats, |
aff8c126 | 1373 | ecpointformats_len)) { |
c48ffbcc | 1374 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1375 | return 0; |
1376 | } | |
1377 | } | |
1378 | ||
1379 | return 1; | |
1380 | } | |
6dd083fd | 1381 | |
38b051a1 TM |
1382 | int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt, |
1383 | unsigned int context, | |
f63a17d6 | 1384 | X509 *x, size_t chainidx) |
6dd083fd | 1385 | { |
38b051a1 TM |
1386 | SSL *ssl = SSL_CONNECTION_GET_SSL(s); |
1387 | ||
aff8c126 | 1388 | if (s->ext.session_ticket_cb != NULL && |
38b051a1 TM |
1389 | !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), |
1390 | PACKET_remaining(pkt), | |
1391 | s->ext.session_ticket_cb_arg)) { | |
c48ffbcc | 1392 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1393 | return 0; |
1394 | } | |
1266eefd | 1395 | |
fb34a0f4 | 1396 | if (!tls_use_ticket(s)) { |
c48ffbcc | 1397 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1398 | return 0; |
1399 | } | |
fb34a0f4 | 1400 | if (PACKET_remaining(pkt) > 0) { |
c48ffbcc | 1401 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
fb34a0f4 MC |
1402 | return 0; |
1403 | } | |
1266eefd | 1404 | |
aff8c126 | 1405 | s->ext.ticket_expected = 1; |
6dd083fd MC |
1406 | |
1407 | return 1; | |
1408 | } | |
1409 | ||
ab83e314 | 1410 | #ifndef OPENSSL_NO_OCSP |
38b051a1 TM |
1411 | int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, |
1412 | unsigned int context, | |
f63a17d6 | 1413 | X509 *x, size_t chainidx) |
6dd083fd | 1414 | { |
5de683d2 MC |
1415 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { |
1416 | /* We ignore this if the server sends a CertificateRequest */ | |
5de683d2 MC |
1417 | return 1; |
1418 | } | |
1419 | ||
6dd083fd | 1420 | /* |
f63e4288 MC |
1421 | * MUST only be sent if we've requested a status |
1422 | * request message. In TLS <= 1.2 it must also be empty. | |
6dd083fd | 1423 | */ |
fb34a0f4 | 1424 | if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { |
c48ffbcc | 1425 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1426 | return 0; |
1427 | } | |
38b051a1 | 1428 | if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { |
c48ffbcc | 1429 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
fb34a0f4 MC |
1430 | return 0; |
1431 | } | |
f63e4288 | 1432 | |
38b051a1 | 1433 | if (SSL_CONNECTION_IS_TLS13(s)) { |
f63e4288 | 1434 | /* We only know how to handle this if it's for the first Certificate in |
1ee4b98e | 1435 | * the chain. We ignore any other responses. |
f63e4288 | 1436 | */ |
8521ced6 | 1437 | if (chainidx != 0) |
f63e4288 | 1438 | return 1; |
f63a17d6 MC |
1439 | |
1440 | /* SSLfatal() already called */ | |
1441 | return tls_process_cert_status_body(s, pkt); | |
f63e4288 MC |
1442 | } |
1443 | ||
6dd083fd | 1444 | /* Set flag to expect CertificateStatus message */ |
aff8c126 | 1445 | s->ext.status_expected = 1; |
6dd083fd MC |
1446 | |
1447 | return 1; | |
1448 | } | |
ab83e314 | 1449 | #endif |
6dd083fd MC |
1450 | |
1451 | ||
1452 | #ifndef OPENSSL_NO_CT | |
38b051a1 TM |
1453 | int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, |
1454 | X509 *x, size_t chainidx) | |
6dd083fd | 1455 | { |
5de683d2 MC |
1456 | if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) { |
1457 | /* We ignore this if the server sends it in a CertificateRequest */ | |
5de683d2 MC |
1458 | return 1; |
1459 | } | |
1460 | ||
6dd083fd MC |
1461 | /* |
1462 | * Only take it if we asked for it - i.e if there is no CT validation | |
1463 | * callback set, then a custom extension MAY be processing it, so we | |
1464 | * need to let control continue to flow to that. | |
1465 | */ | |
1466 | if (s->ct_validation_callback != NULL) { | |
1467 | size_t size = PACKET_remaining(pkt); | |
1468 | ||
1469 | /* Simply copy it off for later processing */ | |
aff8c126 RS |
1470 | OPENSSL_free(s->ext.scts); |
1471 | s->ext.scts = NULL; | |
1266eefd | 1472 | |
3a63c0ed | 1473 | s->ext.scts_len = (uint16_t)size; |
6dd083fd | 1474 | if (size > 0) { |
aff8c126 | 1475 | s->ext.scts = OPENSSL_malloc(size); |
39a14059 MC |
1476 | if (s->ext.scts == NULL) { |
1477 | s->ext.scts_len = 0; | |
e077455e | 1478 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); |
39a14059 MC |
1479 | return 0; |
1480 | } | |
1481 | if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { | |
c48ffbcc | 1482 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1483 | return 0; |
1484 | } | |
1485 | } | |
1486 | } else { | |
b186a592 MC |
1487 | ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0 |
1488 | ? ENDPOINT_CLIENT : ENDPOINT_BOTH; | |
1489 | ||
1490 | /* | |
1491 | * If we didn't ask for it then there must be a custom extension, | |
1492 | * otherwise this is unsolicited. | |
1493 | */ | |
1494 | if (custom_ext_find(&s->cert->custext, role, | |
1495 | TLSEXT_TYPE_signed_certificate_timestamp, | |
1496 | NULL) == NULL) { | |
c48ffbcc | 1497 | SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); |
b186a592 MC |
1498 | return 0; |
1499 | } | |
1500 | ||
f63a17d6 | 1501 | if (!custom_ext_parse(s, context, |
43ae5eed MC |
1502 | TLSEXT_TYPE_signed_certificate_timestamp, |
1503 | PACKET_data(pkt), PACKET_remaining(pkt), | |
f63a17d6 MC |
1504 | x, chainidx)) { |
1505 | /* SSLfatal already called */ | |
6dd083fd | 1506 | return 0; |
f63a17d6 | 1507 | } |
6dd083fd MC |
1508 | } |
1509 | ||
1510 | return 1; | |
1511 | } | |
1512 | #endif | |
1513 | ||
1514 | ||
1515 | #ifndef OPENSSL_NO_NEXTPROTONEG | |
1516 | /* | |
1517 | * ssl_next_proto_validate validates a Next Protocol Negotiation block. No | |
1518 | * elements of zero length are allowed and the set of elements must exactly | |
1519 | * fill the length of the block. Returns 1 on success or 0 on failure. | |
1520 | */ | |
38b051a1 | 1521 | static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt) |
6dd083fd MC |
1522 | { |
1523 | PACKET tmp_protocol; | |
1524 | ||
1525 | while (PACKET_remaining(pkt)) { | |
1526 | if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol) | |
f63a17d6 | 1527 | || PACKET_remaining(&tmp_protocol) == 0) { |
c48ffbcc | 1528 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
6dd083fd | 1529 | return 0; |
f63a17d6 | 1530 | } |
6dd083fd MC |
1531 | } |
1532 | ||
1533 | return 1; | |
1534 | } | |
1535 | ||
38b051a1 TM |
1536 | int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, |
1537 | X509 *x, size_t chainidx) | |
6dd083fd MC |
1538 | { |
1539 | unsigned char *selected; | |
1540 | unsigned char selected_len; | |
1541 | PACKET tmppkt; | |
38b051a1 | 1542 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
6dd083fd | 1543 | |
1266eefd | 1544 | /* Check if we are in a renegotiation. If so ignore this extension */ |
c7f47786 | 1545 | if (!SSL_IS_FIRST_HANDSHAKE(s)) |
6dd083fd MC |
1546 | return 1; |
1547 | ||
1548 | /* We must have requested it. */ | |
38b051a1 | 1549 | if (sctx->ext.npn_select_cb == NULL) { |
c48ffbcc | 1550 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1551 | return 0; |
1552 | } | |
1266eefd | 1553 | |
6dd083fd MC |
1554 | /* The data must be valid */ |
1555 | tmppkt = *pkt; | |
f63a17d6 MC |
1556 | if (!ssl_next_proto_validate(s, &tmppkt)) { |
1557 | /* SSLfatal() already called */ | |
6dd083fd MC |
1558 | return 0; |
1559 | } | |
38b051a1 TM |
1560 | if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s), |
1561 | &selected, &selected_len, | |
1562 | PACKET_data(pkt), PACKET_remaining(pkt), | |
1563 | sctx->ext.npn_select_cb_arg) != | |
6dd083fd | 1564 | SSL_TLSEXT_ERR_OK) { |
c48ffbcc | 1565 | SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1566 | return 0; |
1567 | } | |
1266eefd | 1568 | |
6dd083fd MC |
1569 | /* |
1570 | * Could be non-NULL if server has sent multiple NPN extensions in | |
1571 | * a single Serverhello | |
1572 | */ | |
aff8c126 RS |
1573 | OPENSSL_free(s->ext.npn); |
1574 | s->ext.npn = OPENSSL_malloc(selected_len); | |
1575 | if (s->ext.npn == NULL) { | |
39a14059 | 1576 | s->ext.npn_len = 0; |
c48ffbcc | 1577 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1578 | return 0; |
1579 | } | |
1580 | ||
aff8c126 RS |
1581 | memcpy(s->ext.npn, selected, selected_len); |
1582 | s->ext.npn_len = selected_len; | |
555cbb32 | 1583 | s->s3.npn_seen = 1; |
6dd083fd MC |
1584 | |
1585 | return 1; | |
1586 | } | |
1587 | #endif | |
1588 | ||
38b051a1 TM |
1589 | int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, |
1590 | X509 *x, size_t chainidx) | |
6dd083fd MC |
1591 | { |
1592 | size_t len; | |
1593 | ||
1594 | /* We must have requested it. */ | |
555cbb32 | 1595 | if (!s->s3.alpn_sent) { |
c48ffbcc | 1596 | SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1597 | return 0; |
1598 | } | |
1599 | /*- | |
1600 | * The extension data consists of: | |
1601 | * uint16 list_length | |
1602 | * uint8 proto_length; | |
1603 | * uint8 proto[proto_length]; | |
1604 | */ | |
1605 | if (!PACKET_get_net_2_len(pkt, &len) | |
1606 | || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len) | |
1607 | || PACKET_remaining(pkt) != len) { | |
c48ffbcc | 1608 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1609 | return 0; |
1610 | } | |
555cbb32 TS |
1611 | OPENSSL_free(s->s3.alpn_selected); |
1612 | s->s3.alpn_selected = OPENSSL_malloc(len); | |
1613 | if (s->s3.alpn_selected == NULL) { | |
39a14059 | 1614 | s->s3.alpn_selected_len = 0; |
c48ffbcc | 1615 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1616 | return 0; |
1617 | } | |
555cbb32 | 1618 | if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { |
c48ffbcc | 1619 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
6dd083fd MC |
1620 | return 0; |
1621 | } | |
555cbb32 | 1622 | s->s3.alpn_selected_len = len; |
6dd083fd | 1623 | |
0ef28021 MC |
1624 | if (s->session->ext.alpn_selected == NULL |
1625 | || s->session->ext.alpn_selected_len != len | |
555cbb32 | 1626 | || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) |
0ef28021 | 1627 | != 0) { |
4be3a7c7 MC |
1628 | /* ALPN not consistent with the old session so cannot use early_data */ |
1629 | s->ext.early_data_ok = 0; | |
1630 | } | |
1631 | if (!s->hit) { | |
9d5db9c9 MC |
1632 | /* |
1633 | * This is a new session and so alpn_selected should have been | |
1634 | * initialised to NULL. We should update it with the selected ALPN. | |
1635 | */ | |
1636 | if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { | |
c48ffbcc | 1637 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
9d5db9c9 MC |
1638 | return 0; |
1639 | } | |
4be3a7c7 | 1640 | s->session->ext.alpn_selected = |
555cbb32 | 1641 | OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); |
4be3a7c7 | 1642 | if (s->session->ext.alpn_selected == NULL) { |
39a14059 | 1643 | s->session->ext.alpn_selected_len = 0; |
c48ffbcc | 1644 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
4be3a7c7 MC |
1645 | return 0; |
1646 | } | |
555cbb32 | 1647 | s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; |
ae8d7d99 MC |
1648 | } |
1649 | ||
6dd083fd MC |
1650 | return 1; |
1651 | } | |
1652 | ||
1653 | #ifndef OPENSSL_NO_SRTP | |
38b051a1 TM |
1654 | int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt, |
1655 | unsigned int context, X509 *x, size_t chainidx) | |
6dd083fd MC |
1656 | { |
1657 | unsigned int id, ct, mki; | |
1658 | int i; | |
1659 | STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; | |
1660 | SRTP_PROTECTION_PROFILE *prof; | |
1661 | ||
1266eefd MC |
1662 | if (!PACKET_get_net_2(pkt, &ct) || ct != 2 |
1663 | || !PACKET_get_net_2(pkt, &id) | |
1664 | || !PACKET_get_1(pkt, &mki) | |
1665 | || PACKET_remaining(pkt) != 0) { | |
c48ffbcc | 1666 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
f63a17d6 | 1667 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
6dd083fd MC |
1668 | return 0; |
1669 | } | |
1670 | ||
1671 | if (mki != 0) { | |
1672 | /* Must be no MKI, since we never offer one */ | |
c48ffbcc | 1673 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE); |
6dd083fd MC |
1674 | return 0; |
1675 | } | |
1676 | ||
6dd083fd | 1677 | /* Throw an error if the server gave us an unsolicited extension */ |
38b051a1 | 1678 | clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s)); |
6dd083fd | 1679 | if (clnt == NULL) { |
c48ffbcc | 1680 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES); |
6dd083fd MC |
1681 | return 0; |
1682 | } | |
1683 | ||
1684 | /* | |
1685 | * Check to see if the server gave us something we support (and | |
1686 | * presumably offered) | |
1687 | */ | |
1688 | for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { | |
1689 | prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i); | |
1690 | ||
1691 | if (prof->id == id) { | |
1692 | s->srtp_profile = prof; | |
6dd083fd MC |
1693 | return 1; |
1694 | } | |
1695 | } | |
1696 | ||
c48ffbcc | 1697 | SSLfatal(s, SSL_AD_DECODE_ERROR, |
f63a17d6 | 1698 | SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); |
6dd083fd MC |
1699 | return 0; |
1700 | } | |
1701 | #endif | |
1702 | ||
38b051a1 TM |
1703 | int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, |
1704 | X509 *x, size_t chainidx) | |
6dd083fd MC |
1705 | { |
1706 | /* Ignore if inappropriate ciphersuite */ | |
1707 | if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) | |
555cbb32 | 1708 | && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD |
d724da69 DB |
1709 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 |
1710 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT | |
1711 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 | |
1712 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA | |
1713 | && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) | |
28a31a0a | 1714 | s->ext.use_etm = 1; |
6dd083fd MC |
1715 | |
1716 | return 1; | |
1717 | } | |
1718 | ||
38b051a1 TM |
1719 | int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, |
1720 | X509 *x, size_t chainidx) | |
6dd083fd | 1721 | { |
088dfa13 TS |
1722 | if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) |
1723 | return 1; | |
555cbb32 | 1724 | s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; |
6dd083fd MC |
1725 | if (!s->hit) |
1726 | s->session->flags |= SSL_SESS_FLAG_EXTMS; | |
1727 | ||
1728 | return 1; | |
1729 | } | |
1730 | ||
38b051a1 TM |
1731 | int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt, |
1732 | unsigned int context, | |
88050dd1 MC |
1733 | X509 *x, size_t chainidx) |
1734 | { | |
1735 | unsigned int version; | |
1736 | ||
1737 | if (!PACKET_get_net_2(pkt, &version) | |
1738 | || PACKET_remaining(pkt) != 0) { | |
c48ffbcc | 1739 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); |
88050dd1 MC |
1740 | return 0; |
1741 | } | |
1742 | ||
27e462f1 MC |
1743 | /* |
1744 | * The only protocol version we support which is valid in this extension in | |
1745 | * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. | |
1746 | */ | |
1747 | if (version != TLS1_3_VERSION) { | |
1748 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, | |
27e462f1 MC |
1749 | SSL_R_BAD_PROTOCOL_VERSION_NUMBER); |
1750 | return 0; | |
1751 | } | |
1752 | ||
426dfc9f | 1753 | /* We ignore this extension for HRRs except to sanity check it */ |
27e462f1 | 1754 | if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) |
426dfc9f | 1755 | return 1; |
426dfc9f | 1756 | |
88050dd1 MC |
1757 | /* We just set it here. We validate it in ssl_choose_client_version */ |
1758 | s->version = version; | |
1d367677 MC |
1759 | if (!ssl_set_record_protocol_version(s, version)) { |
1760 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
1761 | return 0; | |
1762 | } | |
88050dd1 MC |
1763 | |
1764 | return 1; | |
1765 | } | |
1766 | ||
38b051a1 TM |
1767 | int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, |
1768 | unsigned int context, X509 *x, | |
f63a17d6 | 1769 | size_t chainidx) |
6dd083fd | 1770 | { |
3cf96e88 | 1771 | #ifndef OPENSSL_NO_TLS1_3 |
6dd083fd MC |
1772 | unsigned int group_id; |
1773 | PACKET encoded_pt; | |
555cbb32 | 1774 | EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; |
a011b586 | 1775 | const TLS_GROUP_INFO *ginf = NULL; |
6dd083fd MC |
1776 | |
1777 | /* Sanity check */ | |
555cbb32 | 1778 | if (ckey == NULL || s->s3.peer_tmp != NULL) { |
c48ffbcc | 1779 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
6dd083fd MC |
1780 | return 0; |
1781 | } | |
1782 | ||
1783 | if (!PACKET_get_net_2(pkt, &group_id)) { | |
c48ffbcc | 1784 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); |
6dd083fd MC |
1785 | return 0; |
1786 | } | |
1787 | ||
fe874d27 | 1788 | if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { |
f48d826e DSH |
1789 | const uint16_t *pgroups = NULL; |
1790 | size_t i, num_groups; | |
3847d426 MC |
1791 | |
1792 | if (PACKET_remaining(pkt) != 0) { | |
c48ffbcc | 1793 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); |
3847d426 MC |
1794 | return 0; |
1795 | } | |
1796 | ||
1797 | /* | |
1798 | * It is an error if the HelloRetryRequest wants a key_share that we | |
1799 | * already sent in the first ClientHello | |
1800 | */ | |
555cbb32 | 1801 | if (group_id == s->s3.group_id) { |
c48ffbcc | 1802 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); |
3847d426 MC |
1803 | return 0; |
1804 | } | |
1805 | ||
1806 | /* Validate the selected group is one we support */ | |
f48d826e DSH |
1807 | tls1_get_supported_groups(s, &pgroups, &num_groups); |
1808 | for (i = 0; i < num_groups; i++) { | |
1809 | if (group_id == pgroups[i]) | |
3847d426 MC |
1810 | break; |
1811 | } | |
f48d826e | 1812 | if (i >= num_groups |
247b8e52 MC |
1813 | || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) |
1814 | || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, | |
1815 | 0, NULL)) { | |
c48ffbcc | 1816 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); |
3847d426 MC |
1817 | return 0; |
1818 | } | |
1819 | ||
555cbb32 TS |
1820 | s->s3.group_id = group_id; |
1821 | EVP_PKEY_free(s->s3.tmp.pkey); | |
1822 | s->s3.tmp.pkey = NULL; | |
3847d426 MC |
1823 | return 1; |
1824 | } | |
1825 | ||
555cbb32 | 1826 | if (group_id != s->s3.group_id) { |
6dd083fd MC |
1827 | /* |
1828 | * This isn't for the group that we sent in the original | |
1829 | * key_share! | |
1830 | */ | |
c48ffbcc | 1831 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); |
6dd083fd MC |
1832 | return 0; |
1833 | } | |
aa6bd216 BK |
1834 | /* Retain this group in the SSL_SESSION */ |
1835 | if (!s->hit) { | |
1836 | s->session->kex_group = group_id; | |
1837 | } else if (group_id != s->session->kex_group) { | |
1838 | /* | |
1839 | * If this is a resumption but changed what group was used, we need | |
1840 | * to record the new group in the session, but the session is not | |
1841 | * a new session and could be in use by other threads. So, make | |
1842 | * a copy of the session to record the new information so that it's | |
1843 | * useful for any sessions resumed from tickets issued on this | |
1844 | * connection. | |
1845 | */ | |
1846 | SSL_SESSION *new_sess; | |
1847 | ||
1848 | if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) { | |
e077455e | 1849 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); |
aa6bd216 BK |
1850 | return 0; |
1851 | } | |
1852 | SSL_SESSION_free(s->session); | |
1853 | s->session = new_sess; | |
1854 | s->session->kex_group = group_id; | |
1855 | } | |
6dd083fd | 1856 | |
38b051a1 TM |
1857 | if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), |
1858 | group_id)) == NULL) { | |
c48ffbcc | 1859 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); |
a011b586 NT |
1860 | return 0; |
1861 | } | |
1862 | ||
6dd083fd MC |
1863 | if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt) |
1864 | || PACKET_remaining(&encoded_pt) == 0) { | |
c48ffbcc | 1865 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); |
6dd083fd MC |
1866 | return 0; |
1867 | } | |
1868 | ||
a011b586 NT |
1869 | if (!ginf->is_kem) { |
1870 | /* Regular KEX */ | |
1871 | skey = EVP_PKEY_new(); | |
1872 | if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) { | |
c48ffbcc | 1873 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); |
b3c34401 | 1874 | EVP_PKEY_free(skey); |
a011b586 NT |
1875 | return 0; |
1876 | } | |
afce590b | 1877 | |
d5530efa TM |
1878 | if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt), |
1879 | PACKET_remaining(&encoded_pt)) <= 0) { | |
c48ffbcc | 1880 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); |
a011b586 NT |
1881 | EVP_PKEY_free(skey); |
1882 | return 0; | |
1883 | } | |
6dd083fd | 1884 | |
a011b586 NT |
1885 | if (ssl_derive(s, ckey, skey, 1) == 0) { |
1886 | /* SSLfatal() already called */ | |
1887 | EVP_PKEY_free(skey); | |
1888 | return 0; | |
1889 | } | |
1890 | s->s3.peer_tmp = skey; | |
1891 | } else { | |
1892 | /* KEM Mode */ | |
1893 | const unsigned char *ct = PACKET_data(&encoded_pt); | |
1894 | size_t ctlen = PACKET_remaining(&encoded_pt); | |
1895 | ||
1896 | if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) { | |
1897 | /* SSLfatal() already called */ | |
1898 | return 0; | |
1899 | } | |
6dd083fd | 1900 | } |
aa6bd216 | 1901 | s->s3.did_kex = 1; |
3cf96e88 | 1902 | #endif |
6dd083fd MC |
1903 | |
1904 | return 1; | |
1905 | } | |
4ff65f77 | 1906 | |
38b051a1 TM |
1907 | int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, |
1908 | X509 *x, size_t chainidx) | |
cfef5027 MC |
1909 | { |
1910 | PACKET cookie; | |
1911 | ||
1912 | if (!PACKET_as_length_prefixed_2(pkt, &cookie) | |
1913 | || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, | |
1914 | &s->ext.tls13_cookie_len)) { | |
c48ffbcc | 1915 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); |
cfef5027 MC |
1916 | return 0; |
1917 | } | |
1918 | ||
1919 | return 1; | |
1920 | } | |
1921 | ||
38b051a1 TM |
1922 | int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt, |
1923 | unsigned int context, | |
f63a17d6 | 1924 | X509 *x, size_t chainidx) |
38df5a45 | 1925 | { |
fe874d27 | 1926 | if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) { |
6594189f MC |
1927 | unsigned long max_early_data; |
1928 | ||
1929 | if (!PACKET_get_net_4(pkt, &max_early_data) | |
1930 | || PACKET_remaining(pkt) != 0) { | |
c48ffbcc | 1931 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA); |
6594189f MC |
1932 | return 0; |
1933 | } | |
1934 | ||
1935 | s->session->ext.max_early_data = max_early_data; | |
1936 | ||
1937 | return 1; | |
1938 | } | |
1939 | ||
38df5a45 | 1940 | if (PACKET_remaining(pkt) != 0) { |
c48ffbcc | 1941 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); |
38df5a45 MC |
1942 | return 0; |
1943 | } | |
1944 | ||
4be3a7c7 | 1945 | if (!s->ext.early_data_ok |
c96ce52c | 1946 | || !s->hit) { |
38df5a45 MC |
1947 | /* |
1948 | * If we get here then we didn't send early data, or we didn't resume | |
4be3a7c7 MC |
1949 | * using the first identity, or the SNI/ALPN is not consistent so the |
1950 | * server should not be accepting it. | |
38df5a45 | 1951 | */ |
c48ffbcc | 1952 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); |
38df5a45 MC |
1953 | return 0; |
1954 | } | |
1955 | ||
1956 | s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; | |
1957 | ||
1958 | return 1; | |
1959 | } | |
1960 | ||
38b051a1 TM |
1961 | int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt, |
1962 | unsigned int context, X509 *x, | |
f63a17d6 | 1963 | size_t chainidx) |
4ff65f77 MC |
1964 | { |
1965 | #ifndef OPENSSL_NO_TLS1_3 | |
1966 | unsigned int identity; | |
1967 | ||
1968 | if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { | |
c48ffbcc | 1969 | SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); |
4ff65f77 MC |
1970 | return 0; |
1971 | } | |
1972 | ||
c96ce52c | 1973 | if (identity >= (unsigned int)s->ext.tick_identity) { |
c48ffbcc | 1974 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY); |
c96ce52c MC |
1975 | return 0; |
1976 | } | |
1977 | ||
1978 | /* | |
1979 | * Session resumption tickets are always sent before PSK tickets. If the | |
1980 | * ticket index is 0 then it must be for a session resumption ticket if we | |
1981 | * sent two tickets, or if we didn't send a PSK ticket. | |
1982 | */ | |
1983 | if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { | |
9368f865 MC |
1984 | s->hit = 1; |
1985 | SSL_SESSION_free(s->psksession); | |
1986 | s->psksession = NULL; | |
1987 | return 1; | |
1988 | } | |
1989 | ||
c96ce52c MC |
1990 | if (s->psksession == NULL) { |
1991 | /* Should never happen */ | |
c48ffbcc | 1992 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
4ff65f77 MC |
1993 | return 0; |
1994 | } | |
1995 | ||
add8d0e9 MC |
1996 | /* |
1997 | * If we used the external PSK for sending early_data then s->early_secret | |
1998 | * is already set up, so don't overwrite it. Otherwise we copy the | |
1999 | * early_secret across that we generated earlier. | |
2000 | */ | |
2001 | if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY | |
2002 | && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) | |
2003 | || s->session->ext.max_early_data > 0 | |
2004 | || s->psksession->ext.max_early_data == 0) | |
2005 | memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); | |
2006 | ||
9368f865 MC |
2007 | SSL_SESSION_free(s->session); |
2008 | s->session = s->psksession; | |
2009 | s->psksession = NULL; | |
4ff65f77 | 2010 | s->hit = 1; |
c96ce52c MC |
2011 | /* Early data is only allowed if we used the first ticket */ |
2012 | if (identity != 0) | |
2013 | s->ext.early_data_ok = 0; | |
4ff65f77 MC |
2014 | #endif |
2015 | ||
2016 | return 1; | |
2017 | } | |
3c95ef22 TS |
2018 | |
2019 | EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, | |
2020 | unsigned int context, | |
2021 | X509 *x, size_t chainidx) | |
2022 | { | |
2023 | sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; | |
2024 | if (sc->client_cert_type == NULL) | |
2025 | return EXT_RETURN_NOT_SENT; | |
2026 | ||
2027 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type) | |
2028 | || !WPACKET_start_sub_packet_u16(pkt) | |
2029 | || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len) | |
2030 | || !WPACKET_close(pkt)) { | |
2031 | SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
2032 | return EXT_RETURN_FAIL; | |
2033 | } | |
2034 | sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; | |
2035 | return EXT_RETURN_SENT; | |
2036 | } | |
2037 | ||
2038 | int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt, | |
2039 | unsigned int context, | |
2040 | X509 *x, size_t chainidx) | |
2041 | { | |
2042 | unsigned int type; | |
2043 | ||
2044 | if (PACKET_remaining(pkt) != 1) { | |
2045 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2046 | return 0; | |
2047 | } | |
2048 | if (!PACKET_get_1(pkt, &type)) { | |
2049 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2050 | return 0; | |
2051 | } | |
2052 | /* We did not send/ask for this */ | |
2053 | if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { | |
2054 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2055 | return 0; | |
2056 | } | |
2057 | /* We don't have this enabled */ | |
2058 | if (sc->client_cert_type == NULL) { | |
2059 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2060 | return 0; | |
2061 | } | |
2062 | /* Given back a value we didn't configure */ | |
2063 | if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) { | |
2064 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); | |
2065 | return 0; | |
2066 | } | |
2067 | sc->ext.client_cert_type = type; | |
2068 | return 1; | |
2069 | } | |
2070 | ||
2071 | EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, | |
2072 | unsigned int context, | |
2073 | X509 *x, size_t chainidx) | |
2074 | { | |
2075 | sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; | |
2076 | if (sc->server_cert_type == NULL) | |
2077 | return EXT_RETURN_NOT_SENT; | |
2078 | ||
2079 | if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type) | |
2080 | || !WPACKET_start_sub_packet_u16(pkt) | |
2081 | || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len) | |
2082 | || !WPACKET_close(pkt)) { | |
2083 | SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); | |
2084 | return EXT_RETURN_FAIL; | |
2085 | } | |
2086 | sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; | |
2087 | return EXT_RETURN_SENT; | |
2088 | } | |
2089 | ||
2090 | int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt, | |
2091 | unsigned int context, | |
2092 | X509 *x, size_t chainidx) | |
2093 | { | |
2094 | unsigned int type; | |
2095 | ||
2096 | if (PACKET_remaining(pkt) != 1) { | |
2097 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2098 | return 0; | |
2099 | } | |
2100 | if (!PACKET_get_1(pkt, &type)) { | |
2101 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2102 | return 0; | |
2103 | } | |
2104 | /* We did not send/ask for this */ | |
2105 | if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { | |
2106 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2107 | return 0; | |
2108 | } | |
2109 | /* We don't have this enabled */ | |
2110 | if (sc->server_cert_type == NULL) { | |
2111 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); | |
2112 | return 0; | |
2113 | } | |
2114 | /* Given back a value we didn't configure */ | |
2115 | if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) { | |
2116 | SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE); | |
2117 | return 0; | |
2118 | } | |
2119 | sc->ext.server_cert_type = type; | |
2120 | return 1; | |
2121 | } |