2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3->send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
138 if (PACKET_contains_zero_byte(&hostname)) {
139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
153 s->servername_done = 1;
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
170 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
171 X509 *x, size_t chainidx)
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
205 s->session->ext.max_fragment_len_mode = value;
209 #ifndef OPENSSL_NO_SRP
210 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
237 #ifndef OPENSSL_NO_EC
238 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
239 X509 *x, size_t chainidx)
241 PACKET ec_point_format_list;
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
251 if (!PACKET_memdup(&ec_point_format_list,
252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
262 #endif /* OPENSSL_NO_EC */
264 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
265 X509 *x, size_t chainidx)
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
279 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
280 X509 *x, size_t chainidx)
282 PACKET supported_sig_algs;
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
300 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
303 PACKET supported_sig_algs;
305 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
306 || PACKET_remaining(&supported_sig_algs) == 0) {
307 SSLfatal(s, SSL_AD_DECODE_ERROR,
308 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
312 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
313 SSLfatal(s, SSL_AD_DECODE_ERROR,
314 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
321 #ifndef OPENSSL_NO_OCSP
322 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
323 X509 *x, size_t chainidx)
325 PACKET responder_id_list, exts;
327 /* Not defined if we get one of these in a client Certificate */
331 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
332 SSLfatal(s, SSL_AD_DECODE_ERROR,
333 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
337 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
339 * We don't know what to do with any other type so ignore it.
341 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
345 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
352 * We remove any OCSP_RESPIDs from a previous handshake
353 * to prevent unbounded memory growth - CVE-2016-6304
355 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
356 if (PACKET_remaining(&responder_id_list) > 0) {
357 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
358 if (s->ext.ocsp.ids == NULL) {
359 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
360 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
364 s->ext.ocsp.ids = NULL;
367 while (PACKET_remaining(&responder_id_list) > 0) {
370 const unsigned char *id_data;
372 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
373 || PACKET_remaining(&responder_id) == 0) {
374 SSLfatal(s, SSL_AD_DECODE_ERROR,
375 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
379 id_data = PACKET_data(&responder_id);
380 /* TODO(size_t): Convert d2i_* to size_t */
381 id = d2i_OCSP_RESPID(NULL, &id_data,
382 (int)PACKET_remaining(&responder_id));
384 SSLfatal(s, SSL_AD_DECODE_ERROR,
385 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
389 if (id_data != PACKET_end(&responder_id)) {
390 OCSP_RESPID_free(id);
391 SSLfatal(s, SSL_AD_DECODE_ERROR,
392 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
397 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
398 OCSP_RESPID_free(id);
399 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
400 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
406 /* Read in request_extensions */
407 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
408 SSLfatal(s, SSL_AD_DECODE_ERROR,
409 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
413 if (PACKET_remaining(&exts) > 0) {
414 const unsigned char *ext_data = PACKET_data(&exts);
416 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
417 X509_EXTENSION_free);
419 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
420 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
421 SSLfatal(s, SSL_AD_DECODE_ERROR,
422 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
431 #ifndef OPENSSL_NO_NEXTPROTONEG
432 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
436 * We shouldn't accept this extension on a
439 if (SSL_IS_FIRST_HANDSHAKE(s))
447 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
448 * extension, not including type and length. Returns: 1 on success, 0 on error.
450 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 PACKET protocol_list, save_protocol_list, protocol;
455 if (!SSL_IS_FIRST_HANDSHAKE(s))
458 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
459 || PACKET_remaining(&protocol_list) < 2) {
460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 SSL_R_BAD_EXTENSION);
465 save_protocol_list = protocol_list;
467 /* Protocol names can't be empty. */
468 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
469 || PACKET_remaining(&protocol) == 0) {
470 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
471 SSL_R_BAD_EXTENSION);
474 } while (PACKET_remaining(&protocol_list) != 0);
476 OPENSSL_free(s->s3->alpn_proposed);
477 s->s3->alpn_proposed = NULL;
478 s->s3->alpn_proposed_len = 0;
479 if (!PACKET_memdup(&save_protocol_list,
480 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
481 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
482 ERR_R_INTERNAL_ERROR);
489 #ifndef OPENSSL_NO_SRTP
490 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
493 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
494 unsigned int ct, mki_len, id;
498 /* Ignore this if we have no SRTP profiles */
499 if (SSL_get_srtp_profiles(s) == NULL)
502 /* Pull off the length of the cipher suite list and check it is even */
503 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
504 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
506 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
510 srvr = SSL_get_srtp_profiles(s);
511 s->srtp_profile = NULL;
512 /* Search all profiles for a match initially */
513 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
515 while (PACKET_remaining(&subpkt)) {
516 if (!PACKET_get_net_2(&subpkt, &id)) {
517 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
518 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
523 * Only look for match in profiles of higher preference than
525 * If no profiles have been have been configured then this
528 for (i = 0; i < srtp_pref; i++) {
529 SRTP_PROTECTION_PROFILE *sprof =
530 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
532 if (sprof->id == id) {
533 s->srtp_profile = sprof;
540 /* Now extract the MKI value as a sanity check, but discard it for now */
541 if (!PACKET_get_1(pkt, &mki_len)) {
542 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
543 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
547 if (!PACKET_forward(pkt, mki_len)
548 || PACKET_remaining(pkt)) {
549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
550 SSL_R_BAD_SRTP_MKI_VALUE);
558 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
561 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
568 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
569 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
571 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
572 X509 *x, size_t chainidx)
574 #ifndef OPENSSL_NO_TLS1_3
575 PACKET psk_kex_modes;
578 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
579 || PACKET_remaining(&psk_kex_modes) == 0) {
580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
581 SSL_R_BAD_EXTENSION);
585 while (PACKET_get_1(&psk_kex_modes, &mode)) {
586 if (mode == TLSEXT_KEX_MODE_KE_DHE)
587 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
588 else if (mode == TLSEXT_KEX_MODE_KE
589 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
590 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
598 * Process a key_share extension received in the ClientHello. |pkt| contains
599 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
601 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
604 #ifndef OPENSSL_NO_TLS1_3
605 unsigned int group_id;
606 PACKET key_share_list, encoded_pt;
607 const uint16_t *clntgroups, *srvrgroups;
608 size_t clnt_num_groups, srvr_num_groups;
611 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
615 if (s->s3->peer_tmp != NULL) {
616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 ERR_R_INTERNAL_ERROR);
621 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
622 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
623 SSL_R_LENGTH_MISMATCH);
627 /* Get our list of supported groups */
628 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
629 /* Get the clients list of supported groups. */
630 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
631 if (clnt_num_groups == 0) {
633 * This can only happen if the supported_groups extension was not sent,
634 * because we verify that the length is non-zero when we process that
637 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
638 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
642 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
644 * If we set a group_id already, then we must have sent an HRR
645 * requesting a new key_share. If we haven't got one then that is an
648 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
649 SSL_R_BAD_KEY_SHARE);
653 while (PACKET_remaining(&key_share_list) > 0) {
654 if (!PACKET_get_net_2(&key_share_list, &group_id)
655 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
656 || PACKET_remaining(&encoded_pt) == 0) {
657 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
658 SSL_R_LENGTH_MISMATCH);
663 * If we already found a suitable key_share we loop through the
664 * rest to verify the structure, but don't process them.
670 * If we sent an HRR then the key_share sent back MUST be for the group
671 * we requested, and must be the only key_share sent.
673 if (s->s3->group_id != 0
674 && (group_id != s->s3->group_id
675 || PACKET_remaining(&key_share_list) != 0)) {
676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
677 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
681 /* Check if this share is in supported_groups sent from client */
682 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
683 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
684 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
688 /* Check if this share is for a group we can use */
689 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
690 /* Share not suitable */
694 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
696 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
700 s->s3->group_id = group_id;
702 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
703 PACKET_data(&encoded_pt),
704 PACKET_remaining(&encoded_pt))) {
705 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
706 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
717 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
720 unsigned int format, version, key_share, group_id;
723 PACKET cookie, raw, chhash, appcookie;
725 const unsigned char *data, *mdin, *ciphdata;
726 unsigned char hmac[SHA256_DIGEST_LENGTH];
727 unsigned char hrr[MAX_HRR_SIZE];
728 size_t rawlen, hmaclen, hrrlen, ciphlen;
729 unsigned long tm, now;
731 /* Ignore any cookie if we're not set up to verify it */
732 if (s->ctx->app_verify_cookie_cb == NULL
733 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
736 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
737 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
738 SSL_R_LENGTH_MISMATCH);
743 data = PACKET_data(&raw);
744 rawlen = PACKET_remaining(&raw);
745 if (rawlen < SHA256_DIGEST_LENGTH
746 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
747 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
748 SSL_R_LENGTH_MISMATCH);
751 mdin = PACKET_data(&raw);
753 /* Verify the HMAC of the cookie */
754 hctx = EVP_MD_CTX_create();
755 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
756 s->session_ctx->ext.cookie_hmac_key,
757 sizeof(s->session_ctx->ext.cookie_hmac_key));
758 if (hctx == NULL || pkey == NULL) {
759 EVP_MD_CTX_free(hctx);
761 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
762 ERR_R_MALLOC_FAILURE);
766 hmaclen = SHA256_DIGEST_LENGTH;
767 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
768 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
769 rawlen - SHA256_DIGEST_LENGTH) <= 0
770 || hmaclen != SHA256_DIGEST_LENGTH) {
771 EVP_MD_CTX_free(hctx);
773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
774 ERR_R_INTERNAL_ERROR);
778 EVP_MD_CTX_free(hctx);
781 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
782 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
783 SSL_R_COOKIE_MISMATCH);
787 if (!PACKET_get_net_2(&cookie, &format)) {
788 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
789 SSL_R_LENGTH_MISMATCH);
792 /* Check the cookie format is something we recognise. Ignore it if not */
793 if (format != COOKIE_STATE_FORMAT_VERSION)
797 * The rest of these checks really shouldn't fail since we have verified the
801 /* Check the version number is sane */
802 if (!PACKET_get_net_2(&cookie, &version)) {
803 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
804 SSL_R_LENGTH_MISMATCH);
807 if (version != TLS1_3_VERSION) {
808 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
809 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
813 if (!PACKET_get_net_2(&cookie, &group_id)) {
814 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
815 SSL_R_LENGTH_MISMATCH);
819 ciphdata = PACKET_data(&cookie);
820 if (!PACKET_forward(&cookie, 2)) {
821 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
822 SSL_R_LENGTH_MISMATCH);
825 if (group_id != s->s3->group_id
826 || s->s3->tmp.new_cipher
827 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
829 * We chose a different cipher or group id this time around to what is
830 * in the cookie. Something must have changed.
832 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
837 if (!PACKET_get_1(&cookie, &key_share)
838 || !PACKET_get_net_4(&cookie, &tm)
839 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
840 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
841 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
842 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
843 SSL_R_LENGTH_MISMATCH);
847 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
848 now = (unsigned long)time(NULL);
849 if (tm > now || (now - tm) > 600) {
850 /* Cookie is stale. Ignore it */
854 /* Verify the app cookie */
855 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
856 PACKET_remaining(&appcookie)) == 0) {
857 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
858 SSL_R_COOKIE_MISMATCH);
863 * Reconstruct the HRR that we would have sent in response to the original
864 * ClientHello so we can add it to the transcript hash.
865 * Note: This won't work with custom HRR extensions
867 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 ERR_R_INTERNAL_ERROR);
872 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
873 || !WPACKET_start_sub_packet_u24(&hrrpkt)
874 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
875 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
876 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
877 s->tmp_session_id_len)
878 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
880 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
881 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
882 WPACKET_cleanup(&hrrpkt);
883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
884 ERR_R_INTERNAL_ERROR);
887 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
888 || !WPACKET_start_sub_packet_u16(&hrrpkt)
889 /* TODO(TLS1.3): Fix this before release */
890 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
891 || !WPACKET_close(&hrrpkt)) {
892 WPACKET_cleanup(&hrrpkt);
893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
894 ERR_R_INTERNAL_ERROR);
898 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
899 || !WPACKET_start_sub_packet_u16(&hrrpkt)
900 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
901 || !WPACKET_close(&hrrpkt)) {
902 WPACKET_cleanup(&hrrpkt);
903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
904 ERR_R_INTERNAL_ERROR);
908 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
909 || !WPACKET_start_sub_packet_u16(&hrrpkt)
910 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
911 || !WPACKET_close(&hrrpkt) /* cookie extension */
912 || !WPACKET_close(&hrrpkt) /* extension block */
913 || !WPACKET_close(&hrrpkt) /* message */
914 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
915 || !WPACKET_finish(&hrrpkt)) {
916 WPACKET_cleanup(&hrrpkt);
917 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
918 ERR_R_INTERNAL_ERROR);
922 /* Reconstruct the transcript hash */
923 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
924 PACKET_remaining(&chhash), hrr,
926 /* SSLfatal() already called */
930 /* Act as if this ClientHello came after a HelloRetryRequest */
931 s->hello_retry_request = 1;
938 #ifndef OPENSSL_NO_EC
939 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
940 X509 *x, size_t chainidx)
942 PACKET supported_groups_list;
944 /* Each group is 2 bytes and we must have at least 1. */
945 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
946 || PACKET_remaining(&supported_groups_list) == 0
947 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
948 SSLfatal(s, SSL_AD_DECODE_ERROR,
949 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
953 if (!s->hit || SSL_IS_TLS13(s)) {
954 OPENSSL_free(s->session->ext.supportedgroups);
955 s->session->ext.supportedgroups = NULL;
956 s->session->ext.supportedgroups_len = 0;
957 if (!tls1_save_u16(&supported_groups_list,
958 &s->session->ext.supportedgroups,
959 &s->session->ext.supportedgroups_len)) {
960 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
961 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
962 ERR_R_INTERNAL_ERROR);
971 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
974 /* The extension must always be empty */
975 if (PACKET_remaining(pkt) != 0) {
976 SSLfatal(s, SSL_AD_DECODE_ERROR,
977 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
981 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
987 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
988 X509 *x, size_t chainidx)
990 if (PACKET_remaining(pkt) != 0) {
991 SSLfatal(s, SSL_AD_DECODE_ERROR,
992 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
996 if (s->hello_retry_request != SSL_HRR_NONE) {
997 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
998 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1005 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1008 PACKET identities, binders, binder;
1009 size_t binderoffset, hashsize;
1010 SSL_SESSION *sess = NULL;
1011 unsigned int id, i, ext = 0;
1012 const EVP_MD *md = NULL;
1015 * If we have no PSK kex mode that we recognise then we can't resume so
1016 * ignore this extension
1018 if ((s->ext.psk_kex_mode
1019 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1022 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1023 SSLfatal(s, SSL_AD_DECODE_ERROR,
1024 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1028 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1030 unsigned long ticket_agel;
1032 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1033 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1034 SSLfatal(s, SSL_AD_DECODE_ERROR,
1035 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1039 if (s->psk_find_session_cb != NULL
1040 && !s->psk_find_session_cb(s, PACKET_data(&identity),
1041 PACKET_remaining(&identity),
1043 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1044 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1049 /* We found a PSK */
1050 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1052 if (sesstmp == NULL) {
1053 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1054 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1057 SSL_SESSION_free(sess);
1061 * We've just been told to use this session for this context so
1062 * make sure the sid_ctx matches up.
1064 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1065 sess->sid_ctx_length = s->sid_ctx_length;
1068 s->ext.early_data_ok = 1;
1070 uint32_t ticket_age = 0, now, agesec, agems;
1071 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1072 PACKET_remaining(&identity), NULL, 0,
1075 if (ret == TICKET_FATAL_ERR_MALLOC
1076 || ret == TICKET_FATAL_ERR_OTHER) {
1077 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1078 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1081 if (ret == TICKET_NO_DECRYPT)
1084 ticket_age = (uint32_t)ticket_agel;
1085 now = (uint32_t)time(NULL);
1086 agesec = now - (uint32_t)sess->time;
1087 agems = agesec * (uint32_t)1000;
1088 ticket_age -= sess->ext.tick_age_add;
1091 * For simplicity we do our age calculations in seconds. If the
1092 * client does it in ms then it could appear that their ticket age
1093 * is longer than ours (our ticket age calculation should always be
1094 * slightly longer than the client's due to the network latency).
1095 * Therefore we add 1000ms to our age calculation to adjust for
1099 && sess->timeout >= (long)agesec
1100 && agems / (uint32_t)1000 == agesec
1101 && ticket_age <= agems + 1000
1102 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1104 * Ticket age is within tolerance and not expired. We allow it
1107 s->ext.early_data_ok = 1;
1111 md = ssl_md(sess->cipher->algorithm2);
1112 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1113 /* The ciphersuite is not compatible with this session. */
1114 SSL_SESSION_free(sess);
1116 s->ext.early_data_ok = 0;
1125 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1126 hashsize = EVP_MD_size(md);
1128 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1129 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1130 SSL_R_BAD_EXTENSION);
1134 for (i = 0; i <= id; i++) {
1135 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1136 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1137 SSL_R_BAD_EXTENSION);
1142 if (PACKET_remaining(&binder) != hashsize) {
1143 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1144 SSL_R_BAD_EXTENSION);
1147 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1148 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1150 /* SSLfatal() already called */
1154 sess->ext.tick_identity = id;
1156 SSL_SESSION_free(s->session);
1160 SSL_SESSION_free(sess);
1164 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1165 X509 *x, size_t chainidx)
1167 if (PACKET_remaining(pkt) != 0) {
1168 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1169 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1173 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1179 * Add the server's renegotiation binding
1181 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1182 unsigned int context, X509 *x,
1185 if (!s->s3->send_connection_binding)
1186 return EXT_RETURN_NOT_SENT;
1188 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1189 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1190 || !WPACKET_start_sub_packet_u16(pkt)
1191 || !WPACKET_start_sub_packet_u8(pkt)
1192 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1193 s->s3->previous_client_finished_len)
1194 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1195 s->s3->previous_server_finished_len)
1196 || !WPACKET_close(pkt)
1197 || !WPACKET_close(pkt)) {
1198 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1199 ERR_R_INTERNAL_ERROR);
1200 return EXT_RETURN_FAIL;
1203 return EXT_RETURN_SENT;
1206 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1207 unsigned int context, X509 *x,
1210 if (s->hit || s->servername_done != 1
1211 || s->session->ext.hostname == NULL)
1212 return EXT_RETURN_NOT_SENT;
1214 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1215 || !WPACKET_put_bytes_u16(pkt, 0)) {
1216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1217 ERR_R_INTERNAL_ERROR);
1218 return EXT_RETURN_FAIL;
1221 return EXT_RETURN_SENT;
1224 /* Add/include the server's max fragment len extension into ServerHello */
1225 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1226 unsigned int context, X509 *x,
1229 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1230 return EXT_RETURN_NOT_SENT;
1233 * 4 bytes for this extension type and extension length
1234 * 1 byte for the Max Fragment Length code value.
1236 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1237 || !WPACKET_start_sub_packet_u16(pkt)
1238 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1239 || !WPACKET_close(pkt)) {
1240 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1241 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1242 return EXT_RETURN_FAIL;
1245 return EXT_RETURN_SENT;
1248 #ifndef OPENSSL_NO_EC
1249 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1250 unsigned int context, X509 *x,
1253 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1254 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1255 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1256 && (s->session->ext.ecpointformats != NULL);
1257 const unsigned char *plist;
1261 return EXT_RETURN_NOT_SENT;
1263 tls1_get_formatlist(s, &plist, &plistlen);
1264 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1265 || !WPACKET_start_sub_packet_u16(pkt)
1266 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1267 || !WPACKET_close(pkt)) {
1268 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1269 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1270 return EXT_RETURN_FAIL;
1273 return EXT_RETURN_SENT;
1277 #ifndef OPENSSL_NO_EC
1278 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1279 unsigned int context, X509 *x,
1282 const uint16_t *groups;
1283 size_t numgroups, i, first = 1;
1285 /* s->s3->group_id is non zero if we accepted a key_share */
1286 if (s->s3->group_id == 0)
1287 return EXT_RETURN_NOT_SENT;
1289 /* Get our list of supported groups */
1290 tls1_get_supported_groups(s, &groups, &numgroups);
1291 if (numgroups == 0) {
1292 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1293 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1294 return EXT_RETURN_FAIL;
1297 /* Copy group ID if supported */
1298 for (i = 0; i < numgroups; i++) {
1299 uint16_t group = groups[i];
1301 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1304 * Check if the client is already using our preferred group. If
1305 * so we don't need to add this extension
1307 if (s->s3->group_id == group)
1308 return EXT_RETURN_NOT_SENT;
1310 /* Add extension header */
1311 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1312 /* Sub-packet for supported_groups extension */
1313 || !WPACKET_start_sub_packet_u16(pkt)
1314 || !WPACKET_start_sub_packet_u16(pkt)) {
1315 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1316 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1317 ERR_R_INTERNAL_ERROR);
1318 return EXT_RETURN_FAIL;
1323 if (!WPACKET_put_bytes_u16(pkt, group)) {
1324 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1325 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1326 ERR_R_INTERNAL_ERROR);
1327 return EXT_RETURN_FAIL;
1332 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1333 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1334 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1335 ERR_R_INTERNAL_ERROR);
1336 return EXT_RETURN_FAIL;
1339 return EXT_RETURN_SENT;
1343 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1344 unsigned int context, X509 *x,
1347 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1348 s->ext.ticket_expected = 0;
1349 return EXT_RETURN_NOT_SENT;
1352 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1353 || !WPACKET_put_bytes_u16(pkt, 0)) {
1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1355 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1356 return EXT_RETURN_FAIL;
1359 return EXT_RETURN_SENT;
1362 #ifndef OPENSSL_NO_OCSP
1363 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1364 unsigned int context, X509 *x,
1367 if (!s->ext.status_expected)
1368 return EXT_RETURN_NOT_SENT;
1370 if (SSL_IS_TLS13(s) && chainidx != 0)
1371 return EXT_RETURN_NOT_SENT;
1373 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1374 || !WPACKET_start_sub_packet_u16(pkt)) {
1375 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1376 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1377 return EXT_RETURN_FAIL;
1381 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1382 * send back an empty extension, with the certificate status appearing as a
1385 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1386 /* SSLfatal() already called */
1387 return EXT_RETURN_FAIL;
1389 if (!WPACKET_close(pkt)) {
1390 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1391 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1392 return EXT_RETURN_FAIL;
1395 return EXT_RETURN_SENT;
1399 #ifndef OPENSSL_NO_NEXTPROTONEG
1400 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1401 unsigned int context, X509 *x,
1404 const unsigned char *npa;
1405 unsigned int npalen;
1407 int npn_seen = s->s3->npn_seen;
1409 s->s3->npn_seen = 0;
1410 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1411 return EXT_RETURN_NOT_SENT;
1413 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1414 s->ctx->ext.npn_advertised_cb_arg);
1415 if (ret == SSL_TLSEXT_ERR_OK) {
1416 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1417 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1418 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1419 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1420 ERR_R_INTERNAL_ERROR);
1421 return EXT_RETURN_FAIL;
1423 s->s3->npn_seen = 1;
1426 return EXT_RETURN_SENT;
1430 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1431 X509 *x, size_t chainidx)
1433 if (s->s3->alpn_selected == NULL)
1434 return EXT_RETURN_NOT_SENT;
1436 if (!WPACKET_put_bytes_u16(pkt,
1437 TLSEXT_TYPE_application_layer_protocol_negotiation)
1438 || !WPACKET_start_sub_packet_u16(pkt)
1439 || !WPACKET_start_sub_packet_u16(pkt)
1440 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1441 s->s3->alpn_selected_len)
1442 || !WPACKET_close(pkt)
1443 || !WPACKET_close(pkt)) {
1444 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1445 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1446 return EXT_RETURN_FAIL;
1449 return EXT_RETURN_SENT;
1452 #ifndef OPENSSL_NO_SRTP
1453 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1454 unsigned int context, X509 *x,
1457 if (s->srtp_profile == NULL)
1458 return EXT_RETURN_NOT_SENT;
1460 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1461 || !WPACKET_start_sub_packet_u16(pkt)
1462 || !WPACKET_put_bytes_u16(pkt, 2)
1463 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1464 || !WPACKET_put_bytes_u8(pkt, 0)
1465 || !WPACKET_close(pkt)) {
1466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1467 ERR_R_INTERNAL_ERROR);
1468 return EXT_RETURN_FAIL;
1471 return EXT_RETURN_SENT;
1475 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1476 X509 *x, size_t chainidx)
1478 if (!s->ext.use_etm)
1479 return EXT_RETURN_NOT_SENT;
1482 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1483 * for other cases too.
1485 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1486 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1487 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1488 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1490 return EXT_RETURN_NOT_SENT;
1493 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1494 || !WPACKET_put_bytes_u16(pkt, 0)) {
1495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1496 ERR_R_INTERNAL_ERROR);
1497 return EXT_RETURN_FAIL;
1500 return EXT_RETURN_SENT;
1503 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1504 X509 *x, size_t chainidx)
1506 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1507 return EXT_RETURN_NOT_SENT;
1509 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1510 || !WPACKET_put_bytes_u16(pkt, 0)) {
1511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1512 ERR_R_INTERNAL_ERROR);
1513 return EXT_RETURN_FAIL;
1516 return EXT_RETURN_SENT;
1519 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1520 unsigned int context, X509 *x,
1523 if (!SSL_IS_TLS13(s))
1524 return EXT_RETURN_NOT_SENT;
1526 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1527 || !WPACKET_start_sub_packet_u16(pkt)
1528 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1529 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1530 || !WPACKET_close(pkt)) {
1531 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1532 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1533 ERR_R_INTERNAL_ERROR);
1534 return EXT_RETURN_FAIL;
1537 return EXT_RETURN_SENT;
1540 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1541 unsigned int context, X509 *x,
1544 #ifndef OPENSSL_NO_TLS1_3
1545 unsigned char *encodedPoint;
1546 size_t encoded_pt_len = 0;
1547 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1549 if (s->hello_retry_request == SSL_HRR_PENDING) {
1551 /* Original key_share was acceptable so don't ask for another one */
1552 return EXT_RETURN_NOT_SENT;
1554 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1555 || !WPACKET_start_sub_packet_u16(pkt)
1556 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1557 || !WPACKET_close(pkt)) {
1558 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1559 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1560 ERR_R_INTERNAL_ERROR);
1561 return EXT_RETURN_FAIL;
1564 return EXT_RETURN_SENT;
1568 /* No key_share received from client - must be resuming */
1569 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1570 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1571 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1572 return EXT_RETURN_FAIL;
1574 return EXT_RETURN_NOT_SENT;
1577 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1578 || !WPACKET_start_sub_packet_u16(pkt)
1579 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1580 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1581 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1582 return EXT_RETURN_FAIL;
1585 skey = ssl_generate_pkey(ckey);
1587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1588 ERR_R_MALLOC_FAILURE);
1589 return EXT_RETURN_FAIL;
1592 /* Generate encoding of server key */
1593 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1594 if (encoded_pt_len == 0) {
1595 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1597 EVP_PKEY_free(skey);
1598 return EXT_RETURN_FAIL;
1601 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1602 || !WPACKET_close(pkt)) {
1603 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1604 ERR_R_INTERNAL_ERROR);
1605 EVP_PKEY_free(skey);
1606 OPENSSL_free(encodedPoint);
1607 return EXT_RETURN_FAIL;
1609 OPENSSL_free(encodedPoint);
1611 /* This causes the crypto state to be updated based on the derived keys */
1612 s->s3->tmp.pkey = skey;
1613 if (ssl_derive(s, skey, ckey, 1) == 0) {
1614 /* SSLfatal() already called */
1615 return EXT_RETURN_FAIL;
1619 return EXT_RETURN_SENT;
1622 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1623 X509 *x, size_t chainidx)
1625 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1626 unsigned char *hmac, *hmac2;
1627 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
1628 unsigned int appcookielen;
1631 int ret = EXT_RETURN_FAIL;
1633 if (s->ctx->app_gen_cookie_cb == NULL
1634 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1635 return EXT_RETURN_NOT_SENT;
1637 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1638 || !WPACKET_start_sub_packet_u16(pkt)
1639 || !WPACKET_start_sub_packet_u16(pkt)
1640 || !WPACKET_get_total_written(pkt, &startlen)
1641 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1642 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1643 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1644 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1645 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1647 /* Is there a key_share extension present in this HRR? */
1648 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1649 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1650 || !WPACKET_start_sub_packet_u16(pkt)
1651 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1653 ERR_R_INTERNAL_ERROR);
1654 return EXT_RETURN_FAIL;
1658 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1659 * on raw buffers, so we first reserve sufficient bytes (above) and then
1660 * subsequently allocate them (below)
1662 if (!ssl3_digest_cached_records(s, 0)
1663 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1664 /* SSLfatal() already called */
1665 return EXT_RETURN_FAIL;
1668 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1669 || !ossl_assert(hashval1 == hashval2)
1670 || !WPACKET_close(pkt)
1671 || !WPACKET_start_sub_packet_u8(pkt)
1672 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1674 ERR_R_INTERNAL_ERROR);
1675 return EXT_RETURN_FAIL;
1678 /* Generate the application cookie */
1679 if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1681 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1682 return EXT_RETURN_FAIL;
1685 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1686 || !ossl_assert(appcookie1 == appcookie2)
1687 || !WPACKET_close(pkt)
1688 || !WPACKET_get_total_written(pkt, &totcookielen)
1689 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1690 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1691 ERR_R_INTERNAL_ERROR);
1692 return EXT_RETURN_FAIL;
1694 hmaclen = SHA256_DIGEST_LENGTH;
1696 totcookielen -= startlen;
1697 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1698 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1699 ERR_R_INTERNAL_ERROR);
1700 return EXT_RETURN_FAIL;
1703 /* HMAC the cookie */
1704 hctx = EVP_MD_CTX_create();
1705 pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
1706 s->session_ctx->ext.cookie_hmac_key,
1707 sizeof(s->session_ctx->ext.cookie_hmac_key));
1708 if (hctx == NULL || pkey == NULL) {
1709 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1710 ERR_R_MALLOC_FAILURE);
1714 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1715 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1716 totcookielen) <= 0) {
1717 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1718 ERR_R_INTERNAL_ERROR);
1722 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1723 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1724 ERR_R_INTERNAL_ERROR);
1728 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1729 || !ossl_assert(hmac == hmac2)
1730 || !ossl_assert(cookie == hmac - totcookielen)
1731 || !WPACKET_close(pkt)
1732 || !WPACKET_close(pkt)) {
1733 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1734 ERR_R_INTERNAL_ERROR);
1738 ret = EXT_RETURN_SENT;
1741 EVP_MD_CTX_free(hctx);
1742 EVP_PKEY_free(pkey);
1746 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1747 unsigned int context, X509 *x,
1750 const unsigned char cryptopro_ext[36] = {
1751 0xfd, 0xe8, /* 65000 */
1752 0x00, 0x20, /* 32 bytes length */
1753 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1754 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1755 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1756 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1759 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1760 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1761 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1762 return EXT_RETURN_NOT_SENT;
1764 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1765 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1766 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1767 return EXT_RETURN_FAIL;
1770 return EXT_RETURN_SENT;
1773 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1774 unsigned int context, X509 *x,
1777 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1778 if (s->max_early_data == 0)
1779 return EXT_RETURN_NOT_SENT;
1781 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1782 || !WPACKET_start_sub_packet_u16(pkt)
1783 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1784 || !WPACKET_close(pkt)) {
1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1786 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1787 return EXT_RETURN_FAIL;
1790 return EXT_RETURN_SENT;
1793 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1794 return EXT_RETURN_NOT_SENT;
1796 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1797 || !WPACKET_start_sub_packet_u16(pkt)
1798 || !WPACKET_close(pkt)) {
1799 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1800 ERR_R_INTERNAL_ERROR);
1801 return EXT_RETURN_FAIL;
1804 return EXT_RETURN_SENT;
1807 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1808 X509 *x, size_t chainidx)
1811 return EXT_RETURN_NOT_SENT;
1813 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1814 || !WPACKET_start_sub_packet_u16(pkt)
1815 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1816 || !WPACKET_close(pkt)) {
1817 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1818 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1819 return EXT_RETURN_FAIL;
1822 return EXT_RETURN_SENT;
projects / openssl.git / blob