2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain,
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain,
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
124 s->servername_done = 1;
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
130 s->servername_done = s->session->tlsext_hostname
131 && PACKET_equal(&hostname, s->session->tlsext_hostname,
132 strlen(s->session->tlsext_hostname));
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain,
166 PACKET ec_point_format_list;
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->tlsext_ecpointformatlist,
177 &s->session->tlsext_ecpointformatlist_length)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
185 #endif /* OPENSSL_NO_EC */
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain,
190 if (s->tls_session_ticket_ext_cb &&
191 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->tls_session_ticket_ext_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
203 PACKET supported_sig_algs;
205 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
206 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
212 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
213 PACKET_remaining(&supported_sig_algs))) {
214 *al = TLS1_AD_INTERNAL_ERROR;
221 #ifndef OPENSSL_NO_OCSP
222 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain,
225 PACKET responder_id_list, exts;
227 /* Not defined if we get one of these in a client Certificate */
231 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
232 *al = SSL_AD_DECODE_ERROR;
236 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
238 * We don't know what to do with any other type so ignore it.
240 s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
244 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
245 *al = SSL_AD_DECODE_ERROR;
250 * We remove any OCSP_RESPIDs from a previous handshake
251 * to prevent unbounded memory growth - CVE-2016-6304
253 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
254 if (PACKET_remaining(&responder_id_list) > 0) {
255 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
256 if (s->tlsext_ocsp_ids == NULL) {
257 *al = SSL_AD_INTERNAL_ERROR;
261 s->tlsext_ocsp_ids = NULL;
264 while (PACKET_remaining(&responder_id_list) > 0) {
267 const unsigned char *id_data;
269 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
270 || PACKET_remaining(&responder_id) == 0) {
271 *al = SSL_AD_DECODE_ERROR;
275 id_data = PACKET_data(&responder_id);
276 /* TODO(size_t): Convert d2i_* to size_t */
277 id = d2i_OCSP_RESPID(NULL, &id_data,
278 (int)PACKET_remaining(&responder_id));
280 *al = SSL_AD_DECODE_ERROR;
284 if (id_data != PACKET_end(&responder_id)) {
285 OCSP_RESPID_free(id);
286 *al = SSL_AD_DECODE_ERROR;
290 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
291 OCSP_RESPID_free(id);
292 *al = SSL_AD_INTERNAL_ERROR;
297 /* Read in request_extensions */
298 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
299 *al = SSL_AD_DECODE_ERROR;
303 if (PACKET_remaining(&exts) > 0) {
304 const unsigned char *ext_data = PACKET_data(&exts);
306 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
307 X509_EXTENSION_free);
308 s->tlsext_ocsp_exts =
309 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
310 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
311 *al = SSL_AD_DECODE_ERROR;
320 #ifndef OPENSSL_NO_NEXTPROTONEG
321 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
324 * We shouldn't accept this extension on a
327 * s->new_session will be set on renegotiation, but we
328 * probably shouldn't rely that it couldn't be set on
329 * the initial renegotiation too in certain cases (when
330 * there's some other reason to disallow resuming an
331 * earlier session -- the current code won't be doing
332 * anything like that, but this might change).
334 * A valid sign that there's been a previous handshake
335 * in this connection is if s->s3->tmp.finish_md_len >
336 * 0. (We are talking about a check that will happen
337 * in the Hello protocol round, well before a new
338 * Finished message could have been computed.)
340 if (s->s3->tmp.finish_md_len == 0)
341 s->s3->next_proto_neg_seen = 1;
348 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
349 * extension, not including type and length. |al| is a pointer to the alert
350 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
352 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
354 PACKET protocol_list, save_protocol_list, protocol;
356 if (s->s3->tmp.finish_md_len != 0)
359 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
360 || PACKET_remaining(&protocol_list) < 2) {
361 *al = SSL_AD_DECODE_ERROR;
365 save_protocol_list = protocol_list;
367 /* Protocol names can't be empty. */
368 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
369 || PACKET_remaining(&protocol) == 0) {
370 *al = SSL_AD_DECODE_ERROR;
373 } while (PACKET_remaining(&protocol_list) != 0);
375 if (!PACKET_memdup(&save_protocol_list,
376 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
377 *al = TLS1_AD_INTERNAL_ERROR;
384 #ifndef OPENSSL_NO_SRTP
385 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
387 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
388 unsigned int ct, mki_len, id;
392 /* Ignore this if we have no SRTP profiles */
393 if (SSL_get_srtp_profiles(s) == NULL)
396 /* Pull off the length of the cipher suite list and check it is even */
397 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
398 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
399 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
400 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
401 *al = SSL_AD_DECODE_ERROR;
405 srvr = SSL_get_srtp_profiles(s);
406 s->srtp_profile = NULL;
407 /* Search all profiles for a match initially */
408 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
410 while (PACKET_remaining(&subpkt)) {
411 if (!PACKET_get_net_2(&subpkt, &id)) {
412 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
413 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
414 *al = SSL_AD_DECODE_ERROR;
419 * Only look for match in profiles of higher preference than
421 * If no profiles have been have been configured then this
424 for (i = 0; i < srtp_pref; i++) {
425 SRTP_PROTECTION_PROFILE *sprof =
426 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
428 if (sprof->id == id) {
429 s->srtp_profile = sprof;
436 /* Now extract the MKI value as a sanity check, but discard it for now */
437 if (!PACKET_get_1(pkt, &mki_len)) {
438 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
439 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
440 *al = SSL_AD_DECODE_ERROR;
444 if (!PACKET_forward(pkt, mki_len)
445 || PACKET_remaining(pkt)) {
446 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
447 *al = SSL_AD_DECODE_ERROR;
455 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
457 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
458 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
464 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
465 * and |checkallow| is 1 then additionally check if the group is allowed to be
466 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
469 #ifndef OPENSSL_NO_TLS1_3
470 static int check_in_list(SSL *s, unsigned int group_id,
471 const unsigned char *groups, size_t num_groups,
476 if (groups == NULL || num_groups == 0)
479 for (i = 0; i < num_groups; i++, groups += 2) {
480 unsigned int share_id = (groups[0] << 8) | (groups[1]);
482 if (group_id == share_id
484 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
489 /* If i == num_groups then not in the list */
490 return i < num_groups;
495 * Process a key_share extension received in the ClientHello. |pkt| contains
496 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
497 * If a failure occurs then |*al| is set to an appropriate alert value.
499 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain,
502 #ifndef OPENSSL_NO_TLS1_3
503 unsigned int group_id;
504 PACKET key_share_list, encoded_pt;
505 const unsigned char *clntcurves, *srvrcurves;
506 size_t clnt_num_curves, srvr_num_curves;
507 int group_nid, found = 0;
508 unsigned int curve_flags;
514 if (s->s3->peer_tmp != NULL) {
515 *al = SSL_AD_INTERNAL_ERROR;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
520 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
521 *al = SSL_AD_HANDSHAKE_FAILURE;
522 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
526 /* Get our list of supported curves */
527 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
528 *al = SSL_AD_INTERNAL_ERROR;
529 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
534 * Get the clients list of supported curves.
535 * TODO(TLS1.3): We should validate that we actually received
538 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
539 *al = SSL_AD_INTERNAL_ERROR;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
544 while (PACKET_remaining(&key_share_list) > 0) {
545 if (!PACKET_get_net_2(&key_share_list, &group_id)
546 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
547 || PACKET_remaining(&encoded_pt) == 0) {
548 *al = SSL_AD_HANDSHAKE_FAILURE;
549 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
550 SSL_R_LENGTH_MISMATCH);
555 * If we already found a suitable key_share we loop through the
556 * rest to verify the structure, but don't process them.
561 /* Check if this share is in supported_groups sent from client */
562 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
563 *al = SSL_AD_HANDSHAKE_FAILURE;
564 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
568 /* Check if this share is for a group we can use */
569 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
570 /* Share not suitable */
574 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
576 if (group_nid == 0) {
577 *al = SSL_AD_INTERNAL_ERROR;
578 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
579 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
583 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
584 /* Can happen for some curves, e.g. X25519 */
585 EVP_PKEY *key = EVP_PKEY_new();
587 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
588 *al = SSL_AD_INTERNAL_ERROR;
589 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
593 s->s3->peer_tmp = key;
595 /* Set up EVP_PKEY with named curve as parameters */
596 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
599 || EVP_PKEY_paramgen_init(pctx) <= 0
600 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
602 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
603 *al = SSL_AD_INTERNAL_ERROR;
604 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
605 EVP_PKEY_CTX_free(pctx);
608 EVP_PKEY_CTX_free(pctx);
611 s->s3->group_id = group_id;
613 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
614 PACKET_data(&encoded_pt),
615 PACKET_remaining(&encoded_pt))) {
616 *al = SSL_AD_DECODE_ERROR;
617 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
628 #ifndef OPENSSL_NO_EC
629 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x, size_t chain,
632 PACKET supported_groups_list;
634 /* Each group is 2 bytes and we must have at least 1. */
635 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
636 || PACKET_remaining(&supported_groups_list) == 0
637 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
638 *al = SSL_AD_DECODE_ERROR;
643 && !PACKET_memdup(&supported_groups_list,
644 &s->session->tlsext_supportedgroupslist,
645 &s->session->tlsext_supportedgroupslist_length)) {
646 *al = SSL_AD_DECODE_ERROR;
654 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
656 /* The extension must always be empty */
657 if (PACKET_remaining(pkt) != 0) {
658 *al = SSL_AD_DECODE_ERROR;
662 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
668 * Add the server's renegotiation binding
670 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
673 if (!s->s3->send_connection_binding)
676 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
677 || !WPACKET_start_sub_packet_u16(pkt)
678 || !WPACKET_start_sub_packet_u8(pkt)
679 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
680 s->s3->previous_client_finished_len)
681 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
682 s->s3->previous_server_finished_len)
683 || !WPACKET_close(pkt)
684 || !WPACKET_close(pkt)) {
685 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
692 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
695 if (s->hit || s->servername_done != 1
696 || s->session->tlsext_hostname == NULL)
699 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
700 || !WPACKET_put_bytes_u16(pkt, 0)) {
701 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
708 #ifndef OPENSSL_NO_EC
709 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
710 size_t chain, int *al)
712 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
713 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
714 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
715 && (s->session->tlsext_ecpointformatlist != NULL);
716 const unsigned char *plist;
722 tls1_get_formatlist(s, &plist, &plistlen);
723 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
724 || !WPACKET_start_sub_packet_u16(pkt)
725 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
726 || !WPACKET_close(pkt)) {
727 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
735 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
736 size_t chain, int *al)
738 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
739 s->tlsext_ticket_expected = 0;
743 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
744 || !WPACKET_put_bytes_u16(pkt, 0)) {
745 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
752 #ifndef OPENSSL_NO_OCSP
753 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
754 size_t chain, int *al)
756 if (!s->tlsext_status_expected)
759 if (SSL_IS_TLS13(s) && chain != 0)
762 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
763 || !WPACKET_put_bytes_u16(pkt, 0)) {
764 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
772 #ifndef OPENSSL_NO_NEXTPROTONEG
773 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
774 size_t chain, int *al)
776 const unsigned char *npa;
779 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
781 s->s3->next_proto_neg_seen = 0;
782 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
785 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
786 s->ctx->next_protos_advertised_cb_arg);
787 if (ret == SSL_TLSEXT_ERR_OK) {
788 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
789 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
790 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
791 ERR_R_INTERNAL_ERROR);
794 s->s3->next_proto_neg_seen = 1;
801 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
804 if (s->s3->alpn_selected == NULL)
807 if (!WPACKET_put_bytes_u16(pkt,
808 TLSEXT_TYPE_application_layer_protocol_negotiation)
809 || !WPACKET_start_sub_packet_u16(pkt)
810 || !WPACKET_start_sub_packet_u16(pkt)
811 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
812 s->s3->alpn_selected_len)
813 || !WPACKET_close(pkt)
814 || !WPACKET_close(pkt)) {
815 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
822 #ifndef OPENSSL_NO_SRTP
823 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
826 if (s->srtp_profile == NULL)
829 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
830 || !WPACKET_start_sub_packet_u16(pkt)
831 || !WPACKET_put_bytes_u16(pkt, 2)
832 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
833 || !WPACKET_put_bytes_u8(pkt, 0)
834 || !WPACKET_close(pkt)) {
835 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
843 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
845 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
849 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
850 * for other cases too.
852 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
853 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
854 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
855 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
856 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
860 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
861 || !WPACKET_put_bytes_u16(pkt, 0)) {
862 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
869 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
871 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
875 || !WPACKET_put_bytes_u16(pkt, 0)) {
876 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
883 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
886 #ifndef OPENSSL_NO_TLS1_3
887 unsigned char *encodedPoint;
888 size_t encoded_pt_len = 0;
889 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
895 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
899 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
900 || !WPACKET_start_sub_packet_u16(pkt)
901 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
902 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
906 skey = ssl_generate_pkey(ckey);
908 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
912 /* Generate encoding of server key */
913 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
914 if (encoded_pt_len == 0) {
915 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
920 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
921 || !WPACKET_close(pkt)) {
922 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
924 OPENSSL_free(encodedPoint);
927 OPENSSL_free(encodedPoint);
929 /* This causes the crypto state to be updated based on the derived keys */
930 s->s3->tmp.pkey = skey;
931 if (ssl_derive(s, skey, ckey, 1) == 0) {
932 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
940 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
941 size_t chain, int *al)
943 const unsigned char cryptopro_ext[36] = {
944 0xfd, 0xe8, /* 65000 */
945 0x00, 0x20, /* 32 bytes length */
946 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
947 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
948 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
949 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
952 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
953 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
954 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
957 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
958 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);