/*
- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent);
static int init_sig_algs_cert(SSL_CONNECTION *s, unsigned int context);
static int init_sig_algs(SSL_CONNECTION *s, unsigned int context);
+static int init_server_cert_type(SSL_CONNECTION *sc, unsigned int context);
+static int init_client_cert_type(SSL_CONNECTION *sc, unsigned int context);
static int init_certificate_authorities(SSL_CONNECTION *s,
unsigned int context);
static EXT_RETURN tls_construct_certificate_authorities(SSL_CONNECTION *s,
NULL, tls_construct_ctos_post_handshake_auth,
NULL,
},
+ {
+ TLSEXT_TYPE_client_cert_type,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | SSL_EXT_TLS1_2_SERVER_HELLO,
+ init_client_cert_type,
+ tls_parse_ctos_client_cert_type, tls_parse_stoc_client_cert_type,
+ tls_construct_stoc_client_cert_type, tls_construct_ctos_client_cert_type,
+ NULL
+ },
+ {
+ TLSEXT_TYPE_server_cert_type,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
+ | SSL_EXT_TLS1_2_SERVER_HELLO,
+ init_server_cert_type,
+ tls_parse_ctos_server_cert_type, tls_parse_stoc_server_cert_type,
+ tls_construct_stoc_server_cert_type, tls_construct_ctos_server_cert_type,
+ NULL
+ },
{
TLSEXT_TYPE_signature_algorithms,
SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
if (!ossl_comp_has_alg(0))
return EXT_RETURN_NOT_SENT;
+ /* Server: Don't attempt to compress a non-X509 (i.e. an RPK) */
+ if (sc->server && sc->ext.server_cert_type != TLSEXT_cert_type_x509) {
+ sc->cert_comp_prefs[0] = TLSEXT_comp_cert_none;
+ return EXT_RETURN_NOT_SENT;
+ }
+
+ /* Client: If we sent a client cert-type extension, don't indicate compression */
+ if (!sc->server && sc->ext.client_cert_type_ctos) {
+ sc->cert_comp_prefs[0] = TLSEXT_comp_cert_none;
+ return EXT_RETURN_NOT_SENT;
+ }
+
/* Do not indicate we support receiving compressed certificates */
if ((sc->options & SSL_OP_NO_RX_CERTIFICATE_COMPRESSION) != 0)
return EXT_RETURN_NOT_SENT;
if (!ossl_comp_has_alg(0))
return 1;
+ /* Don't attempt to compress a non-X509 (i.e. an RPK) */
+ if (sc->server && sc->ext.server_cert_type != TLSEXT_cert_type_x509)
+ return 1;
+ if (!sc->server && sc->ext.client_cert_type != TLSEXT_cert_type_x509)
+ return 1;
+
/* Ignore the extension and don't send compressed certificates */
if ((sc->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0)
return 1;
#endif
return 1;
}
+
+static int init_server_cert_type(SSL_CONNECTION *sc, unsigned int context)
+{
+ /* Only reset when parsing client hello */
+ if (sc->server) {
+ sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
+ sc->ext.server_cert_type = TLSEXT_cert_type_x509;
+ }
+ return 1;
+}
+
+static int init_client_cert_type(SSL_CONNECTION *sc, unsigned int context)
+{
+ /* Only reset when parsing client hello */
+ if (sc->server) {
+ sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
+ sc->ext.client_cert_type = TLSEXT_cert_type_x509;
+ }
+ return 1;
+}