2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain,
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain,
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
124 s->servername_done = 1;
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
130 s->servername_done = s->session->tlsext_hostname
131 && PACKET_equal(&hostname, s->session->tlsext_hostname,
132 strlen(s->session->tlsext_hostname));
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain,
166 PACKET ec_point_format_list;
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->tlsext_ecpointformatlist,
177 &s->session->tlsext_ecpointformatlist_length)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
185 #endif /* OPENSSL_NO_EC */
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain,
190 if (s->tls_session_ticket_ext_cb &&
191 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->tls_session_ticket_ext_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
203 PACKET supported_sig_algs;
205 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
206 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
212 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
213 PACKET_remaining(&supported_sig_algs))) {
214 *al = TLS1_AD_INTERNAL_ERROR;
221 #ifndef OPENSSL_NO_OCSP
222 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain,
225 PACKET responder_id_list, exts;
227 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
228 *al = SSL_AD_DECODE_ERROR;
232 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
234 * We don't know what to do with any other type so ignore it.
236 s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
240 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
241 *al = SSL_AD_DECODE_ERROR;
246 * We remove any OCSP_RESPIDs from a previous handshake
247 * to prevent unbounded memory growth - CVE-2016-6304
249 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
250 if (PACKET_remaining(&responder_id_list) > 0) {
251 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
252 if (s->tlsext_ocsp_ids == NULL) {
253 *al = SSL_AD_INTERNAL_ERROR;
257 s->tlsext_ocsp_ids = NULL;
260 while (PACKET_remaining(&responder_id_list) > 0) {
263 const unsigned char *id_data;
265 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
266 || PACKET_remaining(&responder_id) == 0) {
267 *al = SSL_AD_DECODE_ERROR;
271 id_data = PACKET_data(&responder_id);
272 /* TODO(size_t): Convert d2i_* to size_t */
273 id = d2i_OCSP_RESPID(NULL, &id_data,
274 (int)PACKET_remaining(&responder_id));
276 *al = SSL_AD_DECODE_ERROR;
280 if (id_data != PACKET_end(&responder_id)) {
281 OCSP_RESPID_free(id);
282 *al = SSL_AD_DECODE_ERROR;
286 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
287 OCSP_RESPID_free(id);
288 *al = SSL_AD_INTERNAL_ERROR;
293 /* Read in request_extensions */
294 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
295 *al = SSL_AD_DECODE_ERROR;
299 if (PACKET_remaining(&exts) > 0) {
300 const unsigned char *ext_data = PACKET_data(&exts);
302 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
303 X509_EXTENSION_free);
304 s->tlsext_ocsp_exts =
305 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
306 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
307 *al = SSL_AD_DECODE_ERROR;
316 #ifndef OPENSSL_NO_NEXTPROTONEG
317 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
320 * We shouldn't accept this extension on a
323 * s->new_session will be set on renegotiation, but we
324 * probably shouldn't rely that it couldn't be set on
325 * the initial renegotiation too in certain cases (when
326 * there's some other reason to disallow resuming an
327 * earlier session -- the current code won't be doing
328 * anything like that, but this might change).
330 * A valid sign that there's been a previous handshake
331 * in this connection is if s->s3->tmp.finish_md_len >
332 * 0. (We are talking about a check that will happen
333 * in the Hello protocol round, well before a new
334 * Finished message could have been computed.)
336 if (s->s3->tmp.finish_md_len == 0)
337 s->s3->next_proto_neg_seen = 1;
344 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
345 * extension, not including type and length. |al| is a pointer to the alert
346 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
348 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
350 PACKET protocol_list, save_protocol_list, protocol;
352 if (s->s3->tmp.finish_md_len != 0)
355 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
356 || PACKET_remaining(&protocol_list) < 2) {
357 *al = SSL_AD_DECODE_ERROR;
361 save_protocol_list = protocol_list;
363 /* Protocol names can't be empty. */
364 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
365 || PACKET_remaining(&protocol) == 0) {
366 *al = SSL_AD_DECODE_ERROR;
369 } while (PACKET_remaining(&protocol_list) != 0);
371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
373 *al = TLS1_AD_INTERNAL_ERROR;
380 #ifndef OPENSSL_NO_SRTP
381 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
383 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
384 unsigned int ct, mki_len, id;
388 /* Ignore this if we have no SRTP profiles */
389 if (SSL_get_srtp_profiles(s) == NULL)
392 /* Pull off the length of the cipher suite list and check it is even */
393 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
394 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
395 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
396 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
397 *al = SSL_AD_DECODE_ERROR;
401 srvr = SSL_get_srtp_profiles(s);
402 s->srtp_profile = NULL;
403 /* Search all profiles for a match initially */
404 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
406 while (PACKET_remaining(&subpkt)) {
407 if (!PACKET_get_net_2(&subpkt, &id)) {
408 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
409 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
410 *al = SSL_AD_DECODE_ERROR;
415 * Only look for match in profiles of higher preference than
417 * If no profiles have been have been configured then this
420 for (i = 0; i < srtp_pref; i++) {
421 SRTP_PROTECTION_PROFILE *sprof =
422 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
424 if (sprof->id == id) {
425 s->srtp_profile = sprof;
432 /* Now extract the MKI value as a sanity check, but discard it for now */
433 if (!PACKET_get_1(pkt, &mki_len)) {
434 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
435 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
436 *al = SSL_AD_DECODE_ERROR;
440 if (!PACKET_forward(pkt, mki_len)
441 || PACKET_remaining(pkt)) {
442 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
443 *al = SSL_AD_DECODE_ERROR;
451 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
454 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
460 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
461 * and |checkallow| is 1 then additionally check if the group is allowed to be
462 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
465 #ifndef OPENSSL_NO_TLS1_3
466 static int check_in_list(SSL *s, unsigned int group_id,
467 const unsigned char *groups, size_t num_groups,
472 if (groups == NULL || num_groups == 0)
475 for (i = 0; i < num_groups; i++, groups += 2) {
476 unsigned int share_id = (groups[0] << 8) | (groups[1]);
478 if (group_id == share_id
480 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
485 /* If i == num_groups then not in the list */
486 return i < num_groups;
491 * Process a key_share extension received in the ClientHello. |pkt| contains
492 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
493 * If a failure occurs then |*al| is set to an appropriate alert value.
495 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain,
498 #ifndef OPENSSL_NO_TLS1_3
499 unsigned int group_id;
500 PACKET key_share_list, encoded_pt;
501 const unsigned char *clntcurves, *srvrcurves;
502 size_t clnt_num_curves, srvr_num_curves;
503 int group_nid, found = 0;
504 unsigned int curve_flags;
510 if (s->s3->peer_tmp != NULL) {
511 *al = SSL_AD_INTERNAL_ERROR;
512 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
516 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
517 *al = SSL_AD_HANDSHAKE_FAILURE;
518 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
522 /* Get our list of supported curves */
523 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
524 *al = SSL_AD_INTERNAL_ERROR;
525 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
530 * Get the clients list of supported curves.
531 * TODO(TLS1.3): We should validate that we actually received
534 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
535 *al = SSL_AD_INTERNAL_ERROR;
536 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
540 while (PACKET_remaining(&key_share_list) > 0) {
541 if (!PACKET_get_net_2(&key_share_list, &group_id)
542 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
543 || PACKET_remaining(&encoded_pt) == 0) {
544 *al = SSL_AD_HANDSHAKE_FAILURE;
545 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
546 SSL_R_LENGTH_MISMATCH);
551 * If we already found a suitable key_share we loop through the
552 * rest to verify the structure, but don't process them.
557 /* Check if this share is in supported_groups sent from client */
558 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
559 *al = SSL_AD_HANDSHAKE_FAILURE;
560 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
564 /* Check if this share is for a group we can use */
565 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
566 /* Share not suitable */
570 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
572 if (group_nid == 0) {
573 *al = SSL_AD_INTERNAL_ERROR;
574 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
575 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
579 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
580 /* Can happen for some curves, e.g. X25519 */
581 EVP_PKEY *key = EVP_PKEY_new();
583 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
584 *al = SSL_AD_INTERNAL_ERROR;
585 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
589 s->s3->peer_tmp = key;
591 /* Set up EVP_PKEY with named curve as parameters */
592 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
595 || EVP_PKEY_paramgen_init(pctx) <= 0
596 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
598 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
599 *al = SSL_AD_INTERNAL_ERROR;
600 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
601 EVP_PKEY_CTX_free(pctx);
604 EVP_PKEY_CTX_free(pctx);
607 s->s3->group_id = group_id;
609 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
610 PACKET_data(&encoded_pt),
611 PACKET_remaining(&encoded_pt))) {
612 *al = SSL_AD_DECODE_ERROR;
613 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
624 #ifndef OPENSSL_NO_EC
625 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x, size_t chain,
628 PACKET supported_groups_list;
630 /* Each group is 2 bytes and we must have at least 1. */
631 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
632 || PACKET_remaining(&supported_groups_list) == 0
633 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
634 *al = SSL_AD_DECODE_ERROR;
639 && !PACKET_memdup(&supported_groups_list,
640 &s->session->tlsext_supportedgroupslist,
641 &s->session->tlsext_supportedgroupslist_length)) {
642 *al = SSL_AD_DECODE_ERROR;
650 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al)
652 /* The extension must always be empty */
653 if (PACKET_remaining(pkt) != 0) {
654 *al = SSL_AD_DECODE_ERROR;
658 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
664 * Add the server's renegotiation binding
666 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
669 if (!s->s3->send_connection_binding)
672 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
673 || !WPACKET_start_sub_packet_u16(pkt)
674 || !WPACKET_start_sub_packet_u8(pkt)
675 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
676 s->s3->previous_client_finished_len)
677 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
678 s->s3->previous_server_finished_len)
679 || !WPACKET_close(pkt)
680 || !WPACKET_close(pkt)) {
681 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
688 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
691 if (s->hit || s->servername_done != 1
692 || s->session->tlsext_hostname == NULL)
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
696 || !WPACKET_put_bytes_u16(pkt, 0)) {
697 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
704 #ifndef OPENSSL_NO_EC
705 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
706 size_t chain, int *al)
708 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
709 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
710 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
711 && (s->session->tlsext_ecpointformatlist != NULL);
712 const unsigned char *plist;
718 tls1_get_formatlist(s, &plist, &plistlen);
719 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
720 || !WPACKET_start_sub_packet_u16(pkt)
721 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
722 || !WPACKET_close(pkt)) {
723 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
731 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
732 size_t chain, int *al)
734 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
735 s->tlsext_ticket_expected = 0;
739 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
740 || !WPACKET_put_bytes_u16(pkt, 0)) {
741 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
748 #ifndef OPENSSL_NO_OCSP
749 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
750 size_t chain, int *al)
752 if (!s->tlsext_status_expected)
755 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
756 || !WPACKET_put_bytes_u16(pkt, 0)) {
757 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
765 #ifndef OPENSSL_NO_NEXTPROTONEG
766 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
767 size_t chain, int *al)
769 const unsigned char *npa;
772 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
774 s->s3->next_proto_neg_seen = 0;
775 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
778 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
779 s->ctx->next_protos_advertised_cb_arg);
780 if (ret == SSL_TLSEXT_ERR_OK) {
781 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
782 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
783 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
784 ERR_R_INTERNAL_ERROR);
787 s->s3->next_proto_neg_seen = 1;
794 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
797 if (s->s3->alpn_selected == NULL)
800 if (!WPACKET_put_bytes_u16(pkt,
801 TLSEXT_TYPE_application_layer_protocol_negotiation)
802 || !WPACKET_start_sub_packet_u16(pkt)
803 || !WPACKET_start_sub_packet_u16(pkt)
804 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
805 s->s3->alpn_selected_len)
806 || !WPACKET_close(pkt)
807 || !WPACKET_close(pkt)) {
808 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
815 #ifndef OPENSSL_NO_SRTP
816 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
819 if (s->srtp_profile == NULL)
822 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
823 || !WPACKET_start_sub_packet_u16(pkt)
824 || !WPACKET_put_bytes_u16(pkt, 2)
825 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
826 || !WPACKET_put_bytes_u8(pkt, 0)
827 || !WPACKET_close(pkt)) {
828 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
836 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
838 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
842 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
843 * for other cases too.
845 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
846 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
847 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
848 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
849 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
853 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
854 || !WPACKET_put_bytes_u16(pkt, 0)) {
855 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
862 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
864 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
867 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
868 || !WPACKET_put_bytes_u16(pkt, 0)) {
869 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
876 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
879 #ifndef OPENSSL_NO_TLS1_3
880 unsigned char *encodedPoint;
881 size_t encoded_pt_len = 0;
882 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
888 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
892 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
893 || !WPACKET_start_sub_packet_u16(pkt)
894 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
895 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
899 skey = ssl_generate_pkey(ckey);
901 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
905 /* Generate encoding of server key */
906 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
907 if (encoded_pt_len == 0) {
908 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
913 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
914 || !WPACKET_close(pkt)) {
915 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
917 OPENSSL_free(encodedPoint);
920 OPENSSL_free(encodedPoint);
922 /* This causes the crypto state to be updated based on the derived keys */
923 s->s3->tmp.pkey = skey;
924 if (ssl_derive(s, skey, ckey, 1) == 0) {
925 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
933 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
934 size_t chain, int *al)
936 const unsigned char cryptopro_ext[36] = {
937 0xfd, 0xe8, /* 65000 */
938 0x00, 0x20, /* 32 bytes length */
939 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
940 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
941 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
942 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
945 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
946 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
947 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
950 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);