2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
15 DEFINE_STACK_OF(OCSP_RESPID)
17 #define COOKIE_STATE_FORMAT_VERSION 0
20 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
21 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
22 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
23 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
24 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
26 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
27 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
30 * Message header + 2 bytes for protocol version + number of random bytes +
31 * + 1 byte for legacy session id length + number of bytes in legacy session id
32 * + 2 bytes for ciphersuite + 1 byte for legacy compression
33 * + 2 bytes for extension block length + 6 bytes for key_share extension
34 * + 4 bytes for cookie extension header + the number of bytes in the cookie
36 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
37 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
41 * Parse the client's renegotiation binding and abort if it's not right
43 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
44 X509 *x, size_t chainidx)
47 const unsigned char *data;
49 /* Parse the length byte */
50 if (!PACKET_get_1(pkt, &ilen)
51 || !PACKET_get_bytes(pkt, &data, ilen)) {
52 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
53 SSL_R_RENEGOTIATION_ENCODING_ERR);
57 /* Check that the extension matches */
58 if (ilen != s->s3.previous_client_finished_len) {
59 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
60 SSL_R_RENEGOTIATION_MISMATCH);
64 if (memcmp(data, s->s3.previous_client_finished,
65 s->s3.previous_client_finished_len)) {
66 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
67 SSL_R_RENEGOTIATION_MISMATCH);
71 s->s3.send_connection_binding = 1;
77 * The servername extension is treated as follows:
79 * - Only the hostname type is supported with a maximum length of 255.
80 * - The servername is rejected if too long or if it contains zeros,
81 * in which case an fatal alert is generated.
82 * - The servername field is maintained together with the session cache.
83 * - When a session is resumed, the servername call back invoked in order
84 * to allow the application to position itself to the right context.
85 * - The servername is acknowledged if it is new for a session or when
86 * it is identical to a previously used for the same session.
87 * Applications can control the behaviour. They can at any time
88 * set a 'desirable' servername for a new SSL object. This can be the
89 * case for example with HTTPS when a Host: header field is received and
90 * a renegotiation is requested. In this case, a possible servername
91 * presented in the new client hello is only acknowledged if it matches
92 * the value of the Host: field.
93 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
94 * if they provide for changing an explicit servername context for the
95 * session, i.e. when the session has been established with a servername
97 * - On session reconnect, the servername extension may be absent.
99 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
100 X509 *x, size_t chainidx)
102 unsigned int servname_type;
103 PACKET sni, hostname;
105 if (!PACKET_as_length_prefixed_2(pkt, &sni)
106 /* ServerNameList must be at least 1 byte long. */
107 || PACKET_remaining(&sni) == 0) {
108 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
109 SSL_R_BAD_EXTENSION);
114 * Although the intent was for server_name to be extensible, RFC 4366
115 * was not clear about it; and so OpenSSL among other implementations,
116 * always and only allows a 'host_name' name types.
117 * RFC 6066 corrected the mistake but adding new name types
118 * is nevertheless no longer feasible, so act as if no other
119 * SNI types can exist, to simplify parsing.
121 * Also note that the RFC permits only one SNI value per type,
122 * i.e., we can only have a single hostname.
124 if (!PACKET_get_1(&sni, &servname_type)
125 || servname_type != TLSEXT_NAMETYPE_host_name
126 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
127 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
128 SSL_R_BAD_EXTENSION);
133 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
134 * we always use the SNI value from the handshake.
136 if (!s->hit || SSL_IS_TLS13(s)) {
137 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
138 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
139 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
140 SSL_R_BAD_EXTENSION);
144 if (PACKET_contains_zero_byte(&hostname)) {
145 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
146 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
147 SSL_R_BAD_EXTENSION);
152 * Store the requested SNI in the SSL as temporary storage.
153 * If we accept it, it will get stored in the SSL_SESSION as well.
155 OPENSSL_free(s->ext.hostname);
156 s->ext.hostname = NULL;
157 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
158 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
159 ERR_R_INTERNAL_ERROR);
163 s->servername_done = 1;
166 * In TLSv1.2 and below we should check if the SNI is consistent between
167 * the initial handshake and the resumption. In TLSv1.3 SNI is not
168 * associated with the session.
171 * TODO(openssl-team): if the SNI doesn't match, we MUST
172 * fall back to a full handshake.
174 s->servername_done = (s->session->ext.hostname != NULL)
175 && PACKET_equal(&hostname, s->session->ext.hostname,
176 strlen(s->session->ext.hostname));
182 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
183 X509 *x, size_t chainidx)
187 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
188 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
189 SSL_R_BAD_EXTENSION);
193 /* Received |value| should be a valid max-fragment-length code. */
194 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * RFC 6066: The negotiated length applies for the duration of the session
203 * including session resumptions.
204 * We should receive the same code as in resumed session !
206 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
207 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
208 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
209 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
214 * Store it in session, so it'll become binding for us
215 * and we'll include it in a next Server Hello.
217 s->session->ext.max_fragment_len_mode = value;
221 #ifndef OPENSSL_NO_SRP
222 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
227 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
228 || PACKET_contains_zero_byte(&srp_I)) {
229 SSLfatal(s, SSL_AD_DECODE_ERROR,
230 SSL_F_TLS_PARSE_CTOS_SRP,
231 SSL_R_BAD_EXTENSION);
236 * TODO(openssl-team): currently, we re-authenticate the user
237 * upon resumption. Instead, we MUST ignore the login.
239 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
241 ERR_R_INTERNAL_ERROR);
249 #ifndef OPENSSL_NO_EC
250 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
251 X509 *x, size_t chainidx)
253 PACKET ec_point_format_list;
255 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
256 || PACKET_remaining(&ec_point_format_list) == 0) {
257 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
258 SSL_R_BAD_EXTENSION);
263 if (!PACKET_memdup(&ec_point_format_list,
264 &s->ext.peer_ecpointformats,
265 &s->ext.peer_ecpointformats_len)) {
266 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
267 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
274 #endif /* OPENSSL_NO_EC */
276 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
277 X509 *x, size_t chainidx)
279 if (s->ext.session_ticket_cb &&
280 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
281 PACKET_remaining(pkt),
282 s->ext.session_ticket_cb_arg)) {
283 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
284 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
291 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
292 X509 *x, size_t chainidx)
294 PACKET supported_sig_algs;
296 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
297 || PACKET_remaining(&supported_sig_algs) == 0) {
298 SSLfatal(s, SSL_AD_DECODE_ERROR,
299 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
303 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
304 SSLfatal(s, SSL_AD_DECODE_ERROR,
305 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
312 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
315 PACKET supported_sig_algs;
317 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
318 || PACKET_remaining(&supported_sig_algs) == 0) {
319 SSLfatal(s, SSL_AD_DECODE_ERROR,
320 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
324 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
325 SSLfatal(s, SSL_AD_DECODE_ERROR,
326 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
333 #ifndef OPENSSL_NO_OCSP
334 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
335 X509 *x, size_t chainidx)
337 PACKET responder_id_list, exts;
339 /* We ignore this in a resumption handshake */
343 /* Not defined if we get one of these in a client Certificate */
347 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
348 SSLfatal(s, SSL_AD_DECODE_ERROR,
349 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
353 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
355 * We don't know what to do with any other type so ignore it.
357 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
361 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
362 SSLfatal(s, SSL_AD_DECODE_ERROR,
363 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 * We remove any OCSP_RESPIDs from a previous handshake
369 * to prevent unbounded memory growth - CVE-2016-6304
371 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
372 if (PACKET_remaining(&responder_id_list) > 0) {
373 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
374 if (s->ext.ocsp.ids == NULL) {
375 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
376 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
380 s->ext.ocsp.ids = NULL;
383 while (PACKET_remaining(&responder_id_list) > 0) {
386 const unsigned char *id_data;
388 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
389 || PACKET_remaining(&responder_id) == 0) {
390 SSLfatal(s, SSL_AD_DECODE_ERROR,
391 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
395 id_data = PACKET_data(&responder_id);
396 /* TODO(size_t): Convert d2i_* to size_t */
397 id = d2i_OCSP_RESPID(NULL, &id_data,
398 (int)PACKET_remaining(&responder_id));
400 SSLfatal(s, SSL_AD_DECODE_ERROR,
401 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
405 if (id_data != PACKET_end(&responder_id)) {
406 OCSP_RESPID_free(id);
407 SSLfatal(s, SSL_AD_DECODE_ERROR,
408 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
413 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
414 OCSP_RESPID_free(id);
415 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
416 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
422 /* Read in request_extensions */
423 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
424 SSLfatal(s, SSL_AD_DECODE_ERROR,
425 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
429 if (PACKET_remaining(&exts) > 0) {
430 const unsigned char *ext_data = PACKET_data(&exts);
432 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
433 X509_EXTENSION_free);
435 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
436 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
437 SSLfatal(s, SSL_AD_DECODE_ERROR,
438 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
447 #ifndef OPENSSL_NO_NEXTPROTONEG
448 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
452 * We shouldn't accept this extension on a
455 if (SSL_IS_FIRST_HANDSHAKE(s))
463 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
464 * extension, not including type and length. Returns: 1 on success, 0 on error.
466 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
469 PACKET protocol_list, save_protocol_list, protocol;
471 if (!SSL_IS_FIRST_HANDSHAKE(s))
474 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
475 || PACKET_remaining(&protocol_list) < 2) {
476 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
477 SSL_R_BAD_EXTENSION);
481 save_protocol_list = protocol_list;
483 /* Protocol names can't be empty. */
484 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
485 || PACKET_remaining(&protocol) == 0) {
486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
487 SSL_R_BAD_EXTENSION);
490 } while (PACKET_remaining(&protocol_list) != 0);
492 OPENSSL_free(s->s3.alpn_proposed);
493 s->s3.alpn_proposed = NULL;
494 s->s3.alpn_proposed_len = 0;
495 if (!PACKET_memdup(&save_protocol_list,
496 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
498 ERR_R_INTERNAL_ERROR);
505 #ifndef OPENSSL_NO_SRTP
506 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
509 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
510 unsigned int ct, mki_len, id;
514 /* Ignore this if we have no SRTP profiles */
515 if (SSL_get_srtp_profiles(s) == NULL)
518 /* Pull off the length of the cipher suite list and check it is even */
519 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
520 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
521 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
522 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
526 srvr = SSL_get_srtp_profiles(s);
527 s->srtp_profile = NULL;
528 /* Search all profiles for a match initially */
529 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
531 while (PACKET_remaining(&subpkt)) {
532 if (!PACKET_get_net_2(&subpkt, &id)) {
533 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
534 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
539 * Only look for match in profiles of higher preference than
541 * If no profiles have been have been configured then this
544 for (i = 0; i < srtp_pref; i++) {
545 SRTP_PROTECTION_PROFILE *sprof =
546 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
548 if (sprof->id == id) {
549 s->srtp_profile = sprof;
556 /* Now extract the MKI value as a sanity check, but discard it for now */
557 if (!PACKET_get_1(pkt, &mki_len)) {
558 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
559 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
563 if (!PACKET_forward(pkt, mki_len)
564 || PACKET_remaining(pkt)) {
565 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
566 SSL_R_BAD_SRTP_MKI_VALUE);
574 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
577 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
584 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
585 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
587 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
588 X509 *x, size_t chainidx)
590 #ifndef OPENSSL_NO_TLS1_3
591 PACKET psk_kex_modes;
594 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
595 || PACKET_remaining(&psk_kex_modes) == 0) {
596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
597 SSL_R_BAD_EXTENSION);
601 while (PACKET_get_1(&psk_kex_modes, &mode)) {
602 if (mode == TLSEXT_KEX_MODE_KE_DHE)
603 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
604 else if (mode == TLSEXT_KEX_MODE_KE
605 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
606 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
614 * Process a key_share extension received in the ClientHello. |pkt| contains
615 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
617 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
620 #ifndef OPENSSL_NO_TLS1_3
621 unsigned int group_id;
622 PACKET key_share_list, encoded_pt;
623 const uint16_t *clntgroups, *srvrgroups;
624 size_t clnt_num_groups, srvr_num_groups;
627 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
631 if (s->s3.peer_tmp != NULL) {
632 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
633 ERR_R_INTERNAL_ERROR);
637 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
638 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
639 SSL_R_LENGTH_MISMATCH);
643 /* Get our list of supported groups */
644 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
645 /* Get the clients list of supported groups. */
646 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
647 if (clnt_num_groups == 0) {
649 * This can only happen if the supported_groups extension was not sent,
650 * because we verify that the length is non-zero when we process that
653 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
654 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
658 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
660 * If we set a group_id already, then we must have sent an HRR
661 * requesting a new key_share. If we haven't got one then that is an
664 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
665 SSL_R_BAD_KEY_SHARE);
669 while (PACKET_remaining(&key_share_list) > 0) {
670 if (!PACKET_get_net_2(&key_share_list, &group_id)
671 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
672 || PACKET_remaining(&encoded_pt) == 0) {
673 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
674 SSL_R_LENGTH_MISMATCH);
679 * If we already found a suitable key_share we loop through the
680 * rest to verify the structure, but don't process them.
686 * If we sent an HRR then the key_share sent back MUST be for the group
687 * we requested, and must be the only key_share sent.
689 if (s->s3.group_id != 0
690 && (group_id != s->s3.group_id
691 || PACKET_remaining(&key_share_list) != 0)) {
692 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
693 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
697 /* Check if this share is in supported_groups sent from client */
698 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
699 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
700 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
704 /* Check if this share is for a group we can use */
705 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
706 /* Share not suitable */
710 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
711 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
712 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
716 s->s3.group_id = group_id;
718 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
719 PACKET_data(&encoded_pt),
720 PACKET_remaining(&encoded_pt))) {
721 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
722 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
733 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
736 #ifndef OPENSSL_NO_TLS1_3
737 unsigned int format, version, key_share, group_id;
740 PACKET cookie, raw, chhash, appcookie;
742 const unsigned char *data, *mdin, *ciphdata;
743 unsigned char hmac[SHA256_DIGEST_LENGTH];
744 unsigned char hrr[MAX_HRR_SIZE];
745 size_t rawlen, hmaclen, hrrlen, ciphlen;
746 unsigned long tm, now;
748 /* Ignore any cookie if we're not set up to verify it */
749 if (s->ctx->verify_stateless_cookie_cb == NULL
750 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
753 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
754 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
755 SSL_R_LENGTH_MISMATCH);
760 data = PACKET_data(&raw);
761 rawlen = PACKET_remaining(&raw);
762 if (rawlen < SHA256_DIGEST_LENGTH
763 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
764 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
765 SSL_R_LENGTH_MISMATCH);
768 mdin = PACKET_data(&raw);
770 /* Verify the HMAC of the cookie */
771 hctx = EVP_MD_CTX_create();
772 pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
774 s->session_ctx->ext.cookie_hmac_key,
775 sizeof(s->session_ctx->ext
777 if (hctx == NULL || pkey == NULL) {
778 EVP_MD_CTX_free(hctx);
780 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
781 ERR_R_MALLOC_FAILURE);
785 hmaclen = SHA256_DIGEST_LENGTH;
786 if (EVP_DigestSignInit_with_libctx(hctx, NULL, "SHA2-256",
787 s->ctx->libctx, s->ctx->propq, pkey) <= 0
788 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
789 rawlen - SHA256_DIGEST_LENGTH) <= 0
790 || hmaclen != SHA256_DIGEST_LENGTH) {
791 EVP_MD_CTX_free(hctx);
793 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
794 ERR_R_INTERNAL_ERROR);
798 EVP_MD_CTX_free(hctx);
801 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
802 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
803 SSL_R_COOKIE_MISMATCH);
807 if (!PACKET_get_net_2(&cookie, &format)) {
808 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
809 SSL_R_LENGTH_MISMATCH);
812 /* Check the cookie format is something we recognise. Ignore it if not */
813 if (format != COOKIE_STATE_FORMAT_VERSION)
817 * The rest of these checks really shouldn't fail since we have verified the
821 /* Check the version number is sane */
822 if (!PACKET_get_net_2(&cookie, &version)) {
823 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
824 SSL_R_LENGTH_MISMATCH);
827 if (version != TLS1_3_VERSION) {
828 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
829 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
833 if (!PACKET_get_net_2(&cookie, &group_id)) {
834 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
835 SSL_R_LENGTH_MISMATCH);
839 ciphdata = PACKET_data(&cookie);
840 if (!PACKET_forward(&cookie, 2)) {
841 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
842 SSL_R_LENGTH_MISMATCH);
845 if (group_id != s->s3.group_id
846 || s->s3.tmp.new_cipher
847 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
849 * We chose a different cipher or group id this time around to what is
850 * in the cookie. Something must have changed.
852 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
857 if (!PACKET_get_1(&cookie, &key_share)
858 || !PACKET_get_net_4(&cookie, &tm)
859 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
860 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
861 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
862 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
863 SSL_R_LENGTH_MISMATCH);
867 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
868 now = (unsigned long)time(NULL);
869 if (tm > now || (now - tm) > 600) {
870 /* Cookie is stale. Ignore it */
874 /* Verify the app cookie */
875 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
876 PACKET_remaining(&appcookie)) == 0) {
877 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
878 SSL_R_COOKIE_MISMATCH);
883 * Reconstruct the HRR that we would have sent in response to the original
884 * ClientHello so we can add it to the transcript hash.
885 * Note: This won't work with custom HRR extensions
887 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
888 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
889 ERR_R_INTERNAL_ERROR);
892 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
893 || !WPACKET_start_sub_packet_u24(&hrrpkt)
894 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
895 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
896 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
897 s->tmp_session_id_len)
898 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
900 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
901 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
902 WPACKET_cleanup(&hrrpkt);
903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
904 ERR_R_INTERNAL_ERROR);
907 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
908 || !WPACKET_start_sub_packet_u16(&hrrpkt)
909 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
910 || !WPACKET_close(&hrrpkt)) {
911 WPACKET_cleanup(&hrrpkt);
912 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
913 ERR_R_INTERNAL_ERROR);
917 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
918 || !WPACKET_start_sub_packet_u16(&hrrpkt)
919 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
920 || !WPACKET_close(&hrrpkt)) {
921 WPACKET_cleanup(&hrrpkt);
922 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
923 ERR_R_INTERNAL_ERROR);
927 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
928 || !WPACKET_start_sub_packet_u16(&hrrpkt)
929 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
930 || !WPACKET_close(&hrrpkt) /* cookie extension */
931 || !WPACKET_close(&hrrpkt) /* extension block */
932 || !WPACKET_close(&hrrpkt) /* message */
933 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
934 || !WPACKET_finish(&hrrpkt)) {
935 WPACKET_cleanup(&hrrpkt);
936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
937 ERR_R_INTERNAL_ERROR);
941 /* Reconstruct the transcript hash */
942 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
943 PACKET_remaining(&chhash), hrr,
945 /* SSLfatal() already called */
949 /* Act as if this ClientHello came after a HelloRetryRequest */
950 s->hello_retry_request = 1;
958 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
959 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
960 X509 *x, size_t chainidx)
962 PACKET supported_groups_list;
964 /* Each group is 2 bytes and we must have at least 1. */
965 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
966 || PACKET_remaining(&supported_groups_list) == 0
967 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
968 SSLfatal(s, SSL_AD_DECODE_ERROR,
969 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
973 if (!s->hit || SSL_IS_TLS13(s)) {
974 OPENSSL_free(s->ext.peer_supportedgroups);
975 s->ext.peer_supportedgroups = NULL;
976 s->ext.peer_supportedgroups_len = 0;
977 if (!tls1_save_u16(&supported_groups_list,
978 &s->ext.peer_supportedgroups,
979 &s->ext.peer_supportedgroups_len)) {
980 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
981 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
982 ERR_R_INTERNAL_ERROR);
991 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
994 /* The extension must always be empty */
995 if (PACKET_remaining(pkt) != 0) {
996 SSLfatal(s, SSL_AD_DECODE_ERROR,
997 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
1001 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1004 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1010 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
1011 X509 *x, size_t chainidx)
1013 if (PACKET_remaining(pkt) != 0) {
1014 SSLfatal(s, SSL_AD_DECODE_ERROR,
1015 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1019 if (s->hello_retry_request != SSL_HRR_NONE) {
1020 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1021 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1028 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1031 SSL_SESSION *tmpsess = NULL;
1033 s->ext.ticket_expected = 1;
1035 switch (PACKET_remaining(tick)) {
1037 return SSL_TICKET_EMPTY;
1039 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1043 return SSL_TICKET_NO_DECRYPT;
1046 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1047 SSL_MAX_SSL_SESSION_ID_LENGTH);
1049 if (tmpsess == NULL)
1050 return SSL_TICKET_NO_DECRYPT;
1053 return SSL_TICKET_SUCCESS;
1056 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1059 PACKET identities, binders, binder;
1060 size_t binderoffset, hashsize;
1061 SSL_SESSION *sess = NULL;
1062 unsigned int id, i, ext = 0;
1063 const EVP_MD *md = NULL;
1066 * If we have no PSK kex mode that we recognise then we can't resume so
1067 * ignore this extension
1069 if ((s->ext.psk_kex_mode
1070 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1073 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1074 SSLfatal(s, SSL_AD_DECODE_ERROR,
1075 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1079 s->ext.ticket_expected = 0;
1080 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1082 unsigned long ticket_agel;
1085 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1086 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1087 SSLfatal(s, SSL_AD_DECODE_ERROR,
1088 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1092 idlen = PACKET_remaining(&identity);
1093 if (s->psk_find_session_cb != NULL
1094 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1096 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1097 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1101 #ifndef OPENSSL_NO_PSK
1103 && s->psk_server_callback != NULL
1104 && idlen <= PSK_MAX_IDENTITY_LEN) {
1106 unsigned char pskdata[PSK_MAX_PSK_LEN];
1107 unsigned int pskdatalen;
1109 if (!PACKET_strndup(&identity, &pskid)) {
1110 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1111 ERR_R_INTERNAL_ERROR);
1114 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1116 OPENSSL_free(pskid);
1117 if (pskdatalen > PSK_MAX_PSK_LEN) {
1118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1119 ERR_R_INTERNAL_ERROR);
1121 } else if (pskdatalen > 0) {
1122 const SSL_CIPHER *cipher;
1123 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1126 * We found a PSK using an old style callback. We don't know
1127 * the digest so we default to SHA256 as per the TLSv1.3 spec
1129 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1130 if (cipher == NULL) {
1131 OPENSSL_cleanse(pskdata, pskdatalen);
1132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1133 ERR_R_INTERNAL_ERROR);
1137 sess = SSL_SESSION_new();
1139 || !SSL_SESSION_set1_master_key(sess, pskdata,
1141 || !SSL_SESSION_set_cipher(sess, cipher)
1142 || !SSL_SESSION_set_protocol_version(sess,
1144 OPENSSL_cleanse(pskdata, pskdatalen);
1145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1146 ERR_R_INTERNAL_ERROR);
1149 OPENSSL_cleanse(pskdata, pskdatalen);
1152 #endif /* OPENSSL_NO_PSK */
1155 /* We found a PSK */
1156 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1158 if (sesstmp == NULL) {
1159 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1160 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1163 SSL_SESSION_free(sess);
1167 * We've just been told to use this session for this context so
1168 * make sure the sid_ctx matches up.
1170 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1171 sess->sid_ctx_length = s->sid_ctx_length;
1174 s->ext.early_data_ok = 1;
1175 s->ext.ticket_expected = 1;
1177 uint32_t ticket_age = 0, now, agesec, agems;
1181 * If we are using anti-replay protection then we behave as if
1182 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1183 * is no point in using full stateless tickets.
1185 if ((s->options & SSL_OP_NO_TICKET) != 0
1186 || (s->max_early_data > 0
1187 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1188 ret = tls_get_stateful_ticket(s, &identity, &sess);
1190 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1191 PACKET_remaining(&identity), NULL, 0,
1194 if (ret == SSL_TICKET_EMPTY) {
1195 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1196 SSL_R_BAD_EXTENSION);
1200 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1201 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1202 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1203 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1206 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1209 /* Check for replay */
1210 if (s->max_early_data > 0
1211 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1212 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1213 SSL_SESSION_free(sess);
1218 ticket_age = (uint32_t)ticket_agel;
1219 now = (uint32_t)time(NULL);
1220 agesec = now - (uint32_t)sess->time;
1221 agems = agesec * (uint32_t)1000;
1222 ticket_age -= sess->ext.tick_age_add;
1225 * For simplicity we do our age calculations in seconds. If the
1226 * client does it in ms then it could appear that their ticket age
1227 * is longer than ours (our ticket age calculation should always be
1228 * slightly longer than the client's due to the network latency).
1229 * Therefore we add 1000ms to our age calculation to adjust for
1233 && sess->timeout >= (long)agesec
1234 && agems / (uint32_t)1000 == agesec
1235 && ticket_age <= agems + 1000
1236 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1238 * Ticket age is within tolerance and not expired. We allow it
1241 s->ext.early_data_ok = 1;
1245 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1246 if (!EVP_MD_is_a(md,
1247 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
1248 /* The ciphersuite is not compatible with this session. */
1249 SSL_SESSION_free(sess);
1251 s->ext.early_data_ok = 0;
1252 s->ext.ticket_expected = 0;
1261 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1262 hashsize = EVP_MD_size(md);
1264 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1265 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1266 SSL_R_BAD_EXTENSION);
1270 for (i = 0; i <= id; i++) {
1271 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1272 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1273 SSL_R_BAD_EXTENSION);
1278 if (PACKET_remaining(&binder) != hashsize) {
1279 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1280 SSL_R_BAD_EXTENSION);
1283 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1284 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1286 /* SSLfatal() already called */
1290 s->ext.tick_identity = id;
1292 SSL_SESSION_free(s->session);
1296 SSL_SESSION_free(sess);
1300 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1301 X509 *x, size_t chainidx)
1303 if (PACKET_remaining(pkt) != 0) {
1304 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1305 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1309 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1315 * Add the server's renegotiation binding
1317 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1318 unsigned int context, X509 *x,
1321 if (!s->s3.send_connection_binding)
1322 return EXT_RETURN_NOT_SENT;
1324 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1325 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1326 || !WPACKET_start_sub_packet_u16(pkt)
1327 || !WPACKET_start_sub_packet_u8(pkt)
1328 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1329 s->s3.previous_client_finished_len)
1330 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1331 s->s3.previous_server_finished_len)
1332 || !WPACKET_close(pkt)
1333 || !WPACKET_close(pkt)) {
1334 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1335 ERR_R_INTERNAL_ERROR);
1336 return EXT_RETURN_FAIL;
1339 return EXT_RETURN_SENT;
1342 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1343 unsigned int context, X509 *x,
1346 if (s->servername_done != 1)
1347 return EXT_RETURN_NOT_SENT;
1350 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1351 * We just use the servername from the initial handshake.
1353 if (s->hit && !SSL_IS_TLS13(s))
1354 return EXT_RETURN_NOT_SENT;
1356 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1357 || !WPACKET_put_bytes_u16(pkt, 0)) {
1358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1359 ERR_R_INTERNAL_ERROR);
1360 return EXT_RETURN_FAIL;
1363 return EXT_RETURN_SENT;
1366 /* Add/include the server's max fragment len extension into ServerHello */
1367 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1368 unsigned int context, X509 *x,
1371 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1372 return EXT_RETURN_NOT_SENT;
1375 * 4 bytes for this extension type and extension length
1376 * 1 byte for the Max Fragment Length code value.
1378 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1379 || !WPACKET_start_sub_packet_u16(pkt)
1380 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1381 || !WPACKET_close(pkt)) {
1382 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1383 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1384 return EXT_RETURN_FAIL;
1387 return EXT_RETURN_SENT;
1390 #ifndef OPENSSL_NO_EC
1391 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1392 unsigned int context, X509 *x,
1395 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1396 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1397 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1398 && (s->ext.peer_ecpointformats != NULL);
1399 const unsigned char *plist;
1403 return EXT_RETURN_NOT_SENT;
1405 tls1_get_formatlist(s, &plist, &plistlen);
1406 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1407 || !WPACKET_start_sub_packet_u16(pkt)
1408 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1409 || !WPACKET_close(pkt)) {
1410 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1411 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1412 return EXT_RETURN_FAIL;
1415 return EXT_RETURN_SENT;
1419 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1420 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1421 unsigned int context, X509 *x,
1424 const uint16_t *groups;
1425 size_t numgroups, i, first = 1;
1428 /* s->s3.group_id is non zero if we accepted a key_share */
1429 if (s->s3.group_id == 0)
1430 return EXT_RETURN_NOT_SENT;
1432 /* Get our list of supported groups */
1433 tls1_get_supported_groups(s, &groups, &numgroups);
1434 if (numgroups == 0) {
1435 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1436 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1437 return EXT_RETURN_FAIL;
1440 /* Copy group ID if supported */
1441 version = SSL_version(s);
1442 for (i = 0; i < numgroups; i++) {
1443 uint16_t group = groups[i];
1445 if (tls_valid_group(s, group, version, version)
1446 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1449 * Check if the client is already using our preferred group. If
1450 * so we don't need to add this extension
1452 if (s->s3.group_id == group)
1453 return EXT_RETURN_NOT_SENT;
1455 /* Add extension header */
1456 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1457 /* Sub-packet for supported_groups extension */
1458 || !WPACKET_start_sub_packet_u16(pkt)
1459 || !WPACKET_start_sub_packet_u16(pkt)) {
1460 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1461 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1462 ERR_R_INTERNAL_ERROR);
1463 return EXT_RETURN_FAIL;
1468 if (!WPACKET_put_bytes_u16(pkt, group)) {
1469 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1470 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1471 ERR_R_INTERNAL_ERROR);
1472 return EXT_RETURN_FAIL;
1477 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1478 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1479 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1480 ERR_R_INTERNAL_ERROR);
1481 return EXT_RETURN_FAIL;
1484 return EXT_RETURN_SENT;
1488 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1489 unsigned int context, X509 *x,
1492 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1493 s->ext.ticket_expected = 0;
1494 return EXT_RETURN_NOT_SENT;
1497 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1498 || !WPACKET_put_bytes_u16(pkt, 0)) {
1499 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1500 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1501 return EXT_RETURN_FAIL;
1504 return EXT_RETURN_SENT;
1507 #ifndef OPENSSL_NO_OCSP
1508 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1509 unsigned int context, X509 *x,
1512 /* We don't currently support this extension inside a CertificateRequest */
1513 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1514 return EXT_RETURN_NOT_SENT;
1516 if (!s->ext.status_expected)
1517 return EXT_RETURN_NOT_SENT;
1519 if (SSL_IS_TLS13(s) && chainidx != 0)
1520 return EXT_RETURN_NOT_SENT;
1522 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1523 || !WPACKET_start_sub_packet_u16(pkt)) {
1524 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1525 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1526 return EXT_RETURN_FAIL;
1530 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1531 * send back an empty extension, with the certificate status appearing as a
1534 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1535 /* SSLfatal() already called */
1536 return EXT_RETURN_FAIL;
1538 if (!WPACKET_close(pkt)) {
1539 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1540 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1541 return EXT_RETURN_FAIL;
1544 return EXT_RETURN_SENT;
1548 #ifndef OPENSSL_NO_NEXTPROTONEG
1549 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1550 unsigned int context, X509 *x,
1553 const unsigned char *npa;
1554 unsigned int npalen;
1556 int npn_seen = s->s3.npn_seen;
1559 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1560 return EXT_RETURN_NOT_SENT;
1562 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1563 s->ctx->ext.npn_advertised_cb_arg);
1564 if (ret == SSL_TLSEXT_ERR_OK) {
1565 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1566 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1567 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1568 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1569 ERR_R_INTERNAL_ERROR);
1570 return EXT_RETURN_FAIL;
1575 return EXT_RETURN_SENT;
1579 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1580 X509 *x, size_t chainidx)
1582 if (s->s3.alpn_selected == NULL)
1583 return EXT_RETURN_NOT_SENT;
1585 if (!WPACKET_put_bytes_u16(pkt,
1586 TLSEXT_TYPE_application_layer_protocol_negotiation)
1587 || !WPACKET_start_sub_packet_u16(pkt)
1588 || !WPACKET_start_sub_packet_u16(pkt)
1589 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1590 s->s3.alpn_selected_len)
1591 || !WPACKET_close(pkt)
1592 || !WPACKET_close(pkt)) {
1593 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1594 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1595 return EXT_RETURN_FAIL;
1598 return EXT_RETURN_SENT;
1601 #ifndef OPENSSL_NO_SRTP
1602 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1603 unsigned int context, X509 *x,
1606 if (s->srtp_profile == NULL)
1607 return EXT_RETURN_NOT_SENT;
1609 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1610 || !WPACKET_start_sub_packet_u16(pkt)
1611 || !WPACKET_put_bytes_u16(pkt, 2)
1612 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1613 || !WPACKET_put_bytes_u8(pkt, 0)
1614 || !WPACKET_close(pkt)) {
1615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1616 ERR_R_INTERNAL_ERROR);
1617 return EXT_RETURN_FAIL;
1620 return EXT_RETURN_SENT;
1624 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1625 X509 *x, size_t chainidx)
1627 if (!s->ext.use_etm)
1628 return EXT_RETURN_NOT_SENT;
1631 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1632 * for other cases too.
1634 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1635 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1636 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1637 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1638 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1639 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1641 return EXT_RETURN_NOT_SENT;
1644 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1645 || !WPACKET_put_bytes_u16(pkt, 0)) {
1646 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1647 ERR_R_INTERNAL_ERROR);
1648 return EXT_RETURN_FAIL;
1651 return EXT_RETURN_SENT;
1654 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1655 X509 *x, size_t chainidx)
1657 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1658 return EXT_RETURN_NOT_SENT;
1660 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1661 || !WPACKET_put_bytes_u16(pkt, 0)) {
1662 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1663 ERR_R_INTERNAL_ERROR);
1664 return EXT_RETURN_FAIL;
1667 return EXT_RETURN_SENT;
1670 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1671 unsigned int context, X509 *x,
1674 if (!ossl_assert(SSL_IS_TLS13(s))) {
1675 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1676 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1677 ERR_R_INTERNAL_ERROR);
1678 return EXT_RETURN_FAIL;
1681 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1682 || !WPACKET_start_sub_packet_u16(pkt)
1683 || !WPACKET_put_bytes_u16(pkt, s->version)
1684 || !WPACKET_close(pkt)) {
1685 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1686 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1687 ERR_R_INTERNAL_ERROR);
1688 return EXT_RETURN_FAIL;
1691 return EXT_RETURN_SENT;
1694 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1695 unsigned int context, X509 *x,
1698 #ifndef OPENSSL_NO_TLS1_3
1699 unsigned char *encodedPoint;
1700 size_t encoded_pt_len = 0;
1701 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1703 if (s->hello_retry_request == SSL_HRR_PENDING) {
1705 /* Original key_share was acceptable so don't ask for another one */
1706 return EXT_RETURN_NOT_SENT;
1708 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1709 || !WPACKET_start_sub_packet_u16(pkt)
1710 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1711 || !WPACKET_close(pkt)) {
1712 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1713 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1714 ERR_R_INTERNAL_ERROR);
1715 return EXT_RETURN_FAIL;
1718 return EXT_RETURN_SENT;
1722 /* No key_share received from client - must be resuming */
1723 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1724 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1725 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1726 return EXT_RETURN_FAIL;
1728 return EXT_RETURN_NOT_SENT;
1731 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1732 || !WPACKET_start_sub_packet_u16(pkt)
1733 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1734 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1735 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1736 return EXT_RETURN_FAIL;
1739 skey = ssl_generate_pkey(s, ckey);
1741 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1742 ERR_R_MALLOC_FAILURE);
1743 return EXT_RETURN_FAIL;
1746 /* Generate encoding of server key */
1747 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1748 if (encoded_pt_len == 0) {
1749 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1751 EVP_PKEY_free(skey);
1752 return EXT_RETURN_FAIL;
1755 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1756 || !WPACKET_close(pkt)) {
1757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1758 ERR_R_INTERNAL_ERROR);
1759 EVP_PKEY_free(skey);
1760 OPENSSL_free(encodedPoint);
1761 return EXT_RETURN_FAIL;
1763 OPENSSL_free(encodedPoint);
1765 /* This causes the crypto state to be updated based on the derived keys */
1766 s->s3.tmp.pkey = skey;
1767 if (ssl_derive(s, skey, ckey, 1) == 0) {
1768 /* SSLfatal() already called */
1769 return EXT_RETURN_FAIL;
1771 return EXT_RETURN_SENT;
1773 return EXT_RETURN_FAIL;
1777 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1778 X509 *x, size_t chainidx)
1780 #ifndef OPENSSL_NO_TLS1_3
1781 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1782 unsigned char *hmac, *hmac2;
1783 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1786 int ret = EXT_RETURN_FAIL;
1788 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1789 return EXT_RETURN_NOT_SENT;
1791 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1792 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1793 SSL_R_NO_COOKIE_CALLBACK_SET);
1794 return EXT_RETURN_FAIL;
1797 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1798 || !WPACKET_start_sub_packet_u16(pkt)
1799 || !WPACKET_start_sub_packet_u16(pkt)
1800 || !WPACKET_get_total_written(pkt, &startlen)
1801 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1802 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1803 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1804 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1805 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1807 /* Is there a key_share extension present in this HRR? */
1808 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1809 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1810 || !WPACKET_start_sub_packet_u16(pkt)
1811 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1813 ERR_R_INTERNAL_ERROR);
1814 return EXT_RETURN_FAIL;
1818 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1819 * on raw buffers, so we first reserve sufficient bytes (above) and then
1820 * subsequently allocate them (below)
1822 if (!ssl3_digest_cached_records(s, 0)
1823 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1824 /* SSLfatal() already called */
1825 return EXT_RETURN_FAIL;
1828 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1829 || !ossl_assert(hashval1 == hashval2)
1830 || !WPACKET_close(pkt)
1831 || !WPACKET_start_sub_packet_u8(pkt)
1832 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1833 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1834 ERR_R_INTERNAL_ERROR);
1835 return EXT_RETURN_FAIL;
1838 /* Generate the application cookie */
1839 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1841 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1842 return EXT_RETURN_FAIL;
1845 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1846 || !ossl_assert(appcookie1 == appcookie2)
1847 || !WPACKET_close(pkt)
1848 || !WPACKET_get_total_written(pkt, &totcookielen)
1849 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1851 ERR_R_INTERNAL_ERROR);
1852 return EXT_RETURN_FAIL;
1854 hmaclen = SHA256_DIGEST_LENGTH;
1856 totcookielen -= startlen;
1857 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1858 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1859 ERR_R_INTERNAL_ERROR);
1860 return EXT_RETURN_FAIL;
1863 /* HMAC the cookie */
1864 hctx = EVP_MD_CTX_create();
1865 pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
1867 s->session_ctx->ext.cookie_hmac_key,
1868 sizeof(s->session_ctx->ext
1870 if (hctx == NULL || pkey == NULL) {
1871 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1872 ERR_R_MALLOC_FAILURE);
1876 if (EVP_DigestSignInit_with_libctx(hctx, NULL, "SHA2-256",
1877 s->ctx->libctx, s->ctx->propq,
1879 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1880 totcookielen) <= 0) {
1881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1882 ERR_R_INTERNAL_ERROR);
1886 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1888 ERR_R_INTERNAL_ERROR);
1892 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1893 || !ossl_assert(hmac == hmac2)
1894 || !ossl_assert(cookie == hmac - totcookielen)
1895 || !WPACKET_close(pkt)
1896 || !WPACKET_close(pkt)) {
1897 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1898 ERR_R_INTERNAL_ERROR);
1902 ret = EXT_RETURN_SENT;
1905 EVP_MD_CTX_free(hctx);
1906 EVP_PKEY_free(pkey);
1909 return EXT_RETURN_FAIL;
1913 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1914 unsigned int context, X509 *x,
1917 const unsigned char cryptopro_ext[36] = {
1918 0xfd, 0xe8, /* 65000 */
1919 0x00, 0x20, /* 32 bytes length */
1920 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1921 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1922 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1923 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1926 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1927 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1928 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1929 return EXT_RETURN_NOT_SENT;
1931 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1932 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1933 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1934 return EXT_RETURN_FAIL;
1937 return EXT_RETURN_SENT;
1940 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1941 unsigned int context, X509 *x,
1944 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1945 if (s->max_early_data == 0)
1946 return EXT_RETURN_NOT_SENT;
1948 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1949 || !WPACKET_start_sub_packet_u16(pkt)
1950 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1951 || !WPACKET_close(pkt)) {
1952 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1953 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1954 return EXT_RETURN_FAIL;
1957 return EXT_RETURN_SENT;
1960 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1961 return EXT_RETURN_NOT_SENT;
1963 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1964 || !WPACKET_start_sub_packet_u16(pkt)
1965 || !WPACKET_close(pkt)) {
1966 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1967 ERR_R_INTERNAL_ERROR);
1968 return EXT_RETURN_FAIL;
1971 return EXT_RETURN_SENT;
1974 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1975 X509 *x, size_t chainidx)
1978 return EXT_RETURN_NOT_SENT;
1980 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1981 || !WPACKET_start_sub_packet_u16(pkt)
1982 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1983 || !WPACKET_close(pkt)) {
1984 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1985 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1986 return EXT_RETURN_FAIL;
1989 return EXT_RETURN_SENT;