2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
33 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
34 SSL_R_RENEGOTIATION_MISMATCH);
38 if (memcmp(data, s->s3->previous_client_finished,
39 s->s3->previous_client_finished_len)) {
40 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
41 SSL_R_RENEGOTIATION_MISMATCH);
45 s->s3->send_connection_binding = 1;
51 * The servername extension is treated as follows:
53 * - Only the hostname type is supported with a maximum length of 255.
54 * - The servername is rejected if too long or if it contains zeros,
55 * in which case an fatal alert is generated.
56 * - The servername field is maintained together with the session cache.
57 * - When a session is resumed, the servername call back invoked in order
58 * to allow the application to position itself to the right context.
59 * - The servername is acknowledged if it is new for a session or when
60 * it is identical to a previously used for the same session.
61 * Applications can control the behaviour. They can at any time
62 * set a 'desirable' servername for a new SSL object. This can be the
63 * case for example with HTTPS when a Host: header field is received and
64 * a renegotiation is requested. In this case, a possible servername
65 * presented in the new client hello is only acknowledged if it matches
66 * the value of the Host: field.
67 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
68 * if they provide for changing an explicit servername context for the
69 * session, i.e. when the session has been established with a servername
71 * - On session reconnect, the servername extension may be absent.
73 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
74 X509 *x, size_t chainidx)
76 unsigned int servname_type;
79 if (!PACKET_as_length_prefixed_2(pkt, &sni)
80 /* ServerNameList must be at least 1 byte long. */
81 || PACKET_remaining(&sni) == 0) {
82 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
88 * Although the intent was for server_name to be extensible, RFC 4366
89 * was not clear about it; and so OpenSSL among other implementations,
90 * always and only allows a 'host_name' name types.
91 * RFC 6066 corrected the mistake but adding new name types
92 * is nevertheless no longer feasible, so act as if no other
93 * SNI types can exist, to simplify parsing.
95 * Also note that the RFC permits only one SNI value per type,
96 * i.e., we can only have a single hostname.
98 if (!PACKET_get_1(&sni, &servname_type)
99 || servname_type != TLSEXT_NAMETYPE_host_name
100 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
101 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
102 SSL_R_BAD_EXTENSION);
107 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
108 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
109 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
110 SSL_R_BAD_EXTENSION);
114 if (PACKET_contains_zero_byte(&hostname)) {
115 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
116 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
117 SSL_R_BAD_EXTENSION);
121 OPENSSL_free(s->session->ext.hostname);
122 s->session->ext.hostname = NULL;
123 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
125 ERR_R_INTERNAL_ERROR);
129 s->servername_done = 1;
132 * TODO(openssl-team): if the SNI doesn't match, we MUST
133 * fall back to a full handshake.
135 s->servername_done = s->session->ext.hostname
136 && PACKET_equal(&hostname, s->session->ext.hostname,
137 strlen(s->session->ext.hostname));
139 if (!s->servername_done && s->session->ext.hostname != NULL)
140 s->ext.early_data_ok = 0;
146 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
147 X509 *x, size_t chainidx)
151 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
152 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
153 SSL_R_BAD_EXTENSION);
157 /* Received |value| should be a valid max-fragment-length code. */
158 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
160 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
161 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
166 * RFC 6066: The negotiated length applies for the duration of the session
167 * including session resumptions.
168 * We should receive the same code as in resumed session !
170 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
171 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
172 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
173 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
178 * Store it in session, so it'll become binding for us
179 * and we'll include it in a next Server Hello.
181 s->session->ext.max_fragment_len_mode = value;
185 #ifndef OPENSSL_NO_SRP
186 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
191 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
192 || PACKET_contains_zero_byte(&srp_I)) {
193 SSLfatal(s, SSL_AD_DECODE_ERROR,
194 SSL_F_TLS_PARSE_CTOS_SRP,
195 SSL_R_BAD_EXTENSION);
200 * TODO(openssl-team): currently, we re-authenticate the user
201 * upon resumption. Instead, we MUST ignore the login.
203 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
205 ERR_R_INTERNAL_ERROR);
213 #ifndef OPENSSL_NO_EC
214 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx)
217 PACKET ec_point_format_list;
219 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
220 || PACKET_remaining(&ec_point_format_list) == 0) {
221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
222 SSL_R_BAD_EXTENSION);
227 if (!PACKET_memdup(&ec_point_format_list,
228 &s->session->ext.ecpointformats,
229 &s->session->ext.ecpointformats_len)) {
230 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
231 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
238 #endif /* OPENSSL_NO_EC */
240 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
241 X509 *x, size_t chainidx)
243 if (s->ext.session_ticket_cb &&
244 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
245 PACKET_remaining(pkt),
246 s->ext.session_ticket_cb_arg)) {
247 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
248 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
255 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
258 PACKET supported_sig_algs;
260 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
261 || PACKET_remaining(&supported_sig_algs) == 0) {
262 SSLfatal(s, SSL_AD_DECODE_ERROR,
263 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
267 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
268 SSLfatal(s, SSL_AD_DECODE_ERROR,
269 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
276 #ifndef OPENSSL_NO_OCSP
277 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
278 X509 *x, size_t chainidx)
280 PACKET responder_id_list, exts;
282 /* Not defined if we get one of these in a client Certificate */
286 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
287 SSLfatal(s, SSL_AD_DECODE_ERROR,
288 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
292 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
294 * We don't know what to do with any other type so ignore it.
296 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
300 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
301 SSLfatal(s, SSL_AD_DECODE_ERROR,
302 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
307 * We remove any OCSP_RESPIDs from a previous handshake
308 * to prevent unbounded memory growth - CVE-2016-6304
310 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
311 if (PACKET_remaining(&responder_id_list) > 0) {
312 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
313 if (s->ext.ocsp.ids == NULL) {
314 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
315 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
319 s->ext.ocsp.ids = NULL;
322 while (PACKET_remaining(&responder_id_list) > 0) {
325 const unsigned char *id_data;
327 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
328 || PACKET_remaining(&responder_id) == 0) {
329 SSLfatal(s, SSL_AD_DECODE_ERROR,
330 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
334 id_data = PACKET_data(&responder_id);
335 /* TODO(size_t): Convert d2i_* to size_t */
336 id = d2i_OCSP_RESPID(NULL, &id_data,
337 (int)PACKET_remaining(&responder_id));
339 SSLfatal(s, SSL_AD_DECODE_ERROR,
340 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
344 if (id_data != PACKET_end(&responder_id)) {
345 OCSP_RESPID_free(id);
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
352 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
353 OCSP_RESPID_free(id);
354 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
355 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
361 /* Read in request_extensions */
362 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 if (PACKET_remaining(&exts) > 0) {
369 const unsigned char *ext_data = PACKET_data(&exts);
371 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
372 X509_EXTENSION_free);
374 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
375 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
376 SSLfatal(s, SSL_AD_DECODE_ERROR,
377 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
386 #ifndef OPENSSL_NO_NEXTPROTONEG
387 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
391 * We shouldn't accept this extension on a
394 if (SSL_IS_FIRST_HANDSHAKE(s))
402 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
403 * extension, not including type and length. |al| is a pointer to the alert
404 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
406 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
409 PACKET protocol_list, save_protocol_list, protocol;
411 if (!SSL_IS_FIRST_HANDSHAKE(s))
414 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
415 || PACKET_remaining(&protocol_list) < 2) {
416 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
417 SSL_R_BAD_EXTENSION);
421 save_protocol_list = protocol_list;
423 /* Protocol names can't be empty. */
424 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
425 || PACKET_remaining(&protocol) == 0) {
426 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
427 SSL_R_BAD_EXTENSION);
430 } while (PACKET_remaining(&protocol_list) != 0);
432 OPENSSL_free(s->s3->alpn_proposed);
433 s->s3->alpn_proposed = NULL;
434 s->s3->alpn_proposed_len = 0;
435 if (!PACKET_memdup(&save_protocol_list,
436 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
437 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
438 ERR_R_INTERNAL_ERROR);
445 #ifndef OPENSSL_NO_SRTP
446 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
449 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
450 unsigned int ct, mki_len, id;
454 /* Ignore this if we have no SRTP profiles */
455 if (SSL_get_srtp_profiles(s) == NULL)
458 /* Pull off the length of the cipher suite list and check it is even */
459 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
460 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
461 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
462 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
466 srvr = SSL_get_srtp_profiles(s);
467 s->srtp_profile = NULL;
468 /* Search all profiles for a match initially */
469 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
471 while (PACKET_remaining(&subpkt)) {
472 if (!PACKET_get_net_2(&subpkt, &id)) {
473 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
474 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
479 * Only look for match in profiles of higher preference than
481 * If no profiles have been have been configured then this
484 for (i = 0; i < srtp_pref; i++) {
485 SRTP_PROTECTION_PROFILE *sprof =
486 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
488 if (sprof->id == id) {
489 s->srtp_profile = sprof;
496 /* Now extract the MKI value as a sanity check, but discard it for now */
497 if (!PACKET_get_1(pkt, &mki_len)) {
498 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
499 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
503 if (!PACKET_forward(pkt, mki_len)
504 || PACKET_remaining(pkt)) {
505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
506 SSL_R_BAD_SRTP_MKI_VALUE);
514 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
517 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
524 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
525 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
526 * If a failure occurs then |*al| is set to an appropriate alert value.
528 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
529 X509 *x, size_t chainidx)
531 #ifndef OPENSSL_NO_TLS1_3
532 PACKET psk_kex_modes;
535 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
536 || PACKET_remaining(&psk_kex_modes) == 0) {
537 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
538 SSL_R_BAD_EXTENSION);
542 while (PACKET_get_1(&psk_kex_modes, &mode)) {
543 if (mode == TLSEXT_KEX_MODE_KE_DHE)
544 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
545 else if (mode == TLSEXT_KEX_MODE_KE
546 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
547 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
555 * Process a key_share extension received in the ClientHello. |pkt| contains
556 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
557 * If a failure occurs then |*al| is set to an appropriate alert value.
559 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
562 #ifndef OPENSSL_NO_TLS1_3
563 unsigned int group_id;
564 PACKET key_share_list, encoded_pt;
565 const uint16_t *clntgroups, *srvrgroups;
566 size_t clnt_num_groups, srvr_num_groups;
569 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
573 if (s->s3->peer_tmp != NULL) {
574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
575 ERR_R_INTERNAL_ERROR);
579 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
581 SSL_R_LENGTH_MISMATCH);
585 /* Get our list of supported groups */
586 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
587 /* Get the clients list of supported groups. */
588 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
589 if (clnt_num_groups == 0) {
591 * This can only happen if the supported_groups extension was not sent,
592 * because we verify that the length is non-zero when we process that
595 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
596 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
600 while (PACKET_remaining(&key_share_list) > 0) {
601 if (!PACKET_get_net_2(&key_share_list, &group_id)
602 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
603 || PACKET_remaining(&encoded_pt) == 0) {
604 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
605 SSL_R_LENGTH_MISMATCH);
610 * If we already found a suitable key_share we loop through the
611 * rest to verify the structure, but don't process them.
616 /* Check if this share is in supported_groups sent from client */
617 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
618 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
619 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
623 /* Check if this share is for a group we can use */
624 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
625 /* Share not suitable */
629 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
631 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
635 s->s3->group_id = group_id;
637 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
638 PACKET_data(&encoded_pt),
639 PACKET_remaining(&encoded_pt))) {
640 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
641 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
652 #ifndef OPENSSL_NO_EC
653 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
654 X509 *x, size_t chainidx)
656 PACKET supported_groups_list;
658 /* Each group is 2 bytes and we must have at least 1. */
659 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
660 || PACKET_remaining(&supported_groups_list) == 0
661 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
662 SSLfatal(s, SSL_AD_DECODE_ERROR,
663 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
667 if (!s->hit || SSL_IS_TLS13(s)) {
668 OPENSSL_free(s->session->ext.supportedgroups);
669 s->session->ext.supportedgroups = NULL;
670 s->session->ext.supportedgroups_len = 0;
671 if (!tls1_save_u16(&supported_groups_list,
672 &s->session->ext.supportedgroups,
673 &s->session->ext.supportedgroups_len)) {
674 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
675 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
676 ERR_R_INTERNAL_ERROR);
685 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
688 /* The extension must always be empty */
689 if (PACKET_remaining(pkt) != 0) {
690 SSLfatal(s, SSL_AD_DECODE_ERROR,
691 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
695 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
701 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
702 X509 *x, size_t chainidx)
704 if (PACKET_remaining(pkt) != 0) {
705 SSLfatal(s, SSL_AD_DECODE_ERROR,
706 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
710 if (s->hello_retry_request) {
711 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
712 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
719 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
722 PACKET identities, binders, binder;
723 size_t binderoffset, hashsize;
724 SSL_SESSION *sess = NULL;
725 unsigned int id, i, ext = 0;
726 const EVP_MD *md = NULL;
729 * If we have no PSK kex mode that we recognise then we can't resume so
730 * ignore this extension
732 if ((s->ext.psk_kex_mode
733 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
736 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
737 SSLfatal(s, SSL_AD_DECODE_ERROR,
738 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
742 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
744 unsigned long ticket_agel;
746 if (!PACKET_get_length_prefixed_2(&identities, &identity)
747 || !PACKET_get_net_4(&identities, &ticket_agel)) {
748 SSLfatal(s, SSL_AD_DECODE_ERROR,
749 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
753 if (s->psk_find_session_cb != NULL
754 && !s->psk_find_session_cb(s, PACKET_data(&identity),
755 PACKET_remaining(&identity),
757 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
758 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
764 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
766 if (sesstmp == NULL) {
767 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
768 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
771 SSL_SESSION_free(sess);
775 * We've just been told to use this session for this context so
776 * make sure the sid_ctx matches up.
778 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
779 sess->sid_ctx_length = s->sid_ctx_length;
782 s->ext.early_data_ok = 1;
784 uint32_t ticket_age = 0, now, agesec, agems;
785 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
786 PACKET_remaining(&identity), NULL, 0,
789 if (ret == TICKET_FATAL_ERR_MALLOC
790 || ret == TICKET_FATAL_ERR_OTHER) {
791 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
792 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
795 if (ret == TICKET_NO_DECRYPT)
798 ticket_age = (uint32_t)ticket_agel;
799 now = (uint32_t)time(NULL);
800 agesec = now - (uint32_t)sess->time;
801 agems = agesec * (uint32_t)1000;
802 ticket_age -= sess->ext.tick_age_add;
805 * For simplicity we do our age calculations in seconds. If the
806 * client does it in ms then it could appear that their ticket age
807 * is longer than ours (our ticket age calculation should always be
808 * slightly longer than the client's due to the network latency).
809 * Therefore we add 1000ms to our age calculation to adjust for
813 && sess->timeout >= (long)agesec
814 && agems / (uint32_t)1000 == agesec
815 && ticket_age <= agems + 1000
816 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
818 * Ticket age is within tolerance and not expired. We allow it
821 s->ext.early_data_ok = 1;
825 md = ssl_md(sess->cipher->algorithm2);
826 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
827 /* The ciphersuite is not compatible with this session. */
828 SSL_SESSION_free(sess);
830 s->ext.early_data_ok = 0;
839 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
840 hashsize = EVP_MD_size(md);
842 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
843 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
844 SSL_R_BAD_EXTENSION);
848 for (i = 0; i <= id; i++) {
849 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
850 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
851 SSL_R_BAD_EXTENSION);
856 if (PACKET_remaining(&binder) != hashsize
857 || tls_psk_do_binder(s, md,
858 (const unsigned char *)s->init_buf->data,
859 binderoffset, PACKET_data(&binder), NULL,
860 sess, 0, ext) != 1) {
861 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
862 SSL_R_BAD_EXTENSION);
866 sess->ext.tick_identity = id;
868 SSL_SESSION_free(s->session);
872 SSL_SESSION_free(sess);
877 * Add the server's renegotiation binding
879 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
880 unsigned int context, X509 *x,
883 if (!s->s3->send_connection_binding)
884 return EXT_RETURN_NOT_SENT;
886 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
887 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
888 || !WPACKET_start_sub_packet_u16(pkt)
889 || !WPACKET_start_sub_packet_u8(pkt)
890 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
891 s->s3->previous_client_finished_len)
892 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
893 s->s3->previous_server_finished_len)
894 || !WPACKET_close(pkt)
895 || !WPACKET_close(pkt)) {
896 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
897 ERR_R_INTERNAL_ERROR);
898 return EXT_RETURN_FAIL;
901 return EXT_RETURN_SENT;
904 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
905 unsigned int context, X509 *x,
908 if (s->hit || s->servername_done != 1
909 || s->session->ext.hostname == NULL)
910 return EXT_RETURN_NOT_SENT;
912 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
913 || !WPACKET_put_bytes_u16(pkt, 0)) {
914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
915 ERR_R_INTERNAL_ERROR);
916 return EXT_RETURN_FAIL;
919 return EXT_RETURN_SENT;
922 /* Add/include the server's max fragment len extension into ServerHello */
923 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
924 unsigned int context, X509 *x,
927 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
928 return EXT_RETURN_NOT_SENT;
931 * 4 bytes for this extension type and extension length
932 * 1 byte for the Max Fragment Length code value.
934 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
935 || !WPACKET_start_sub_packet_u16(pkt)
936 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
937 || !WPACKET_close(pkt)) {
938 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
939 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
940 return EXT_RETURN_FAIL;
943 return EXT_RETURN_SENT;
946 #ifndef OPENSSL_NO_EC
947 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
948 unsigned int context, X509 *x,
951 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
952 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
953 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
954 && (s->session->ext.ecpointformats != NULL);
955 const unsigned char *plist;
959 return EXT_RETURN_NOT_SENT;
961 tls1_get_formatlist(s, &plist, &plistlen);
962 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
963 || !WPACKET_start_sub_packet_u16(pkt)
964 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
965 || !WPACKET_close(pkt)) {
966 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
967 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
968 return EXT_RETURN_FAIL;
971 return EXT_RETURN_SENT;
975 #ifndef OPENSSL_NO_EC
976 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
977 unsigned int context, X509 *x,
980 const uint16_t *groups;
981 size_t numgroups, i, first = 1;
983 /* s->s3->group_id is non zero if we accepted a key_share */
984 if (s->s3->group_id == 0)
985 return EXT_RETURN_NOT_SENT;
987 /* Get our list of supported groups */
988 tls1_get_supported_groups(s, &groups, &numgroups);
989 if (numgroups == 0) {
990 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
991 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
992 return EXT_RETURN_FAIL;
995 /* Copy group ID if supported */
996 for (i = 0; i < numgroups; i++) {
997 uint16_t group = groups[i];
999 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1002 * Check if the client is already using our preferred group. If
1003 * so we don't need to add this extension
1005 if (s->s3->group_id == group)
1006 return EXT_RETURN_NOT_SENT;
1008 /* Add extension header */
1009 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1010 /* Sub-packet for supported_groups extension */
1011 || !WPACKET_start_sub_packet_u16(pkt)
1012 || !WPACKET_start_sub_packet_u16(pkt)) {
1013 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1014 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1015 ERR_R_INTERNAL_ERROR);
1016 return EXT_RETURN_FAIL;
1021 if (!WPACKET_put_bytes_u16(pkt, group)) {
1022 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1023 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1024 ERR_R_INTERNAL_ERROR);
1025 return EXT_RETURN_FAIL;
1030 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1031 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1032 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1033 ERR_R_INTERNAL_ERROR);
1034 return EXT_RETURN_FAIL;
1037 return EXT_RETURN_SENT;
1041 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1042 unsigned int context, X509 *x,
1045 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1046 s->ext.ticket_expected = 0;
1047 return EXT_RETURN_NOT_SENT;
1050 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1051 || !WPACKET_put_bytes_u16(pkt, 0)) {
1052 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1053 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1054 return EXT_RETURN_FAIL;
1057 return EXT_RETURN_SENT;
1060 #ifndef OPENSSL_NO_OCSP
1061 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1062 unsigned int context, X509 *x,
1065 if (!s->ext.status_expected)
1066 return EXT_RETURN_NOT_SENT;
1068 if (SSL_IS_TLS13(s) && chainidx != 0)
1069 return EXT_RETURN_NOT_SENT;
1071 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1072 || !WPACKET_start_sub_packet_u16(pkt)) {
1073 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1074 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1075 return EXT_RETURN_FAIL;
1079 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1080 * send back an empty extension, with the certificate status appearing as a
1083 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1084 /* SSLfatal() already called */
1085 return EXT_RETURN_FAIL;
1087 if (!WPACKET_close(pkt)) {
1088 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1089 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1090 return EXT_RETURN_FAIL;
1093 return EXT_RETURN_SENT;
1097 #ifndef OPENSSL_NO_NEXTPROTONEG
1098 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1099 unsigned int context, X509 *x,
1102 const unsigned char *npa;
1103 unsigned int npalen;
1105 int npn_seen = s->s3->npn_seen;
1107 s->s3->npn_seen = 0;
1108 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1109 return EXT_RETURN_NOT_SENT;
1111 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1112 s->ctx->ext.npn_advertised_cb_arg);
1113 if (ret == SSL_TLSEXT_ERR_OK) {
1114 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1115 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1116 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1117 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1118 ERR_R_INTERNAL_ERROR);
1119 return EXT_RETURN_FAIL;
1121 s->s3->npn_seen = 1;
1124 return EXT_RETURN_SENT;
1128 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1129 X509 *x, size_t chainidx)
1131 if (s->s3->alpn_selected == NULL)
1132 return EXT_RETURN_NOT_SENT;
1134 if (!WPACKET_put_bytes_u16(pkt,
1135 TLSEXT_TYPE_application_layer_protocol_negotiation)
1136 || !WPACKET_start_sub_packet_u16(pkt)
1137 || !WPACKET_start_sub_packet_u16(pkt)
1138 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1139 s->s3->alpn_selected_len)
1140 || !WPACKET_close(pkt)
1141 || !WPACKET_close(pkt)) {
1142 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1143 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1144 return EXT_RETURN_FAIL;
1147 return EXT_RETURN_SENT;
1150 #ifndef OPENSSL_NO_SRTP
1151 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1152 unsigned int context, X509 *x,
1155 if (s->srtp_profile == NULL)
1156 return EXT_RETURN_NOT_SENT;
1158 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1159 || !WPACKET_start_sub_packet_u16(pkt)
1160 || !WPACKET_put_bytes_u16(pkt, 2)
1161 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1162 || !WPACKET_put_bytes_u8(pkt, 0)
1163 || !WPACKET_close(pkt)) {
1164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1165 ERR_R_INTERNAL_ERROR);
1166 return EXT_RETURN_FAIL;
1169 return EXT_RETURN_SENT;
1173 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1174 X509 *x, size_t chainidx)
1176 if (!s->ext.use_etm)
1177 return EXT_RETURN_NOT_SENT;
1180 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1181 * for other cases too.
1183 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1184 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1185 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1186 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1188 return EXT_RETURN_NOT_SENT;
1191 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1192 || !WPACKET_put_bytes_u16(pkt, 0)) {
1193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1194 ERR_R_INTERNAL_ERROR);
1195 return EXT_RETURN_FAIL;
1198 return EXT_RETURN_SENT;
1201 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1202 X509 *x, size_t chainidx)
1204 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1205 return EXT_RETURN_NOT_SENT;
1207 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1208 || !WPACKET_put_bytes_u16(pkt, 0)) {
1209 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1210 ERR_R_INTERNAL_ERROR);
1211 return EXT_RETURN_FAIL;
1214 return EXT_RETURN_SENT;
1217 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1218 unsigned int context, X509 *x,
1221 #ifndef OPENSSL_NO_TLS1_3
1222 unsigned char *encodedPoint;
1223 size_t encoded_pt_len = 0;
1224 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1227 /* No key_share received from client */
1228 if (s->hello_retry_request) {
1229 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1230 || !WPACKET_start_sub_packet_u16(pkt)
1231 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1232 || !WPACKET_close(pkt)) {
1233 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1234 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1235 ERR_R_INTERNAL_ERROR);
1236 return EXT_RETURN_FAIL;
1239 return EXT_RETURN_SENT;
1242 /* Must be resuming. */
1243 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1244 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1245 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1246 return EXT_RETURN_FAIL;
1248 return EXT_RETURN_NOT_SENT;
1251 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1252 || !WPACKET_start_sub_packet_u16(pkt)
1253 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1255 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1256 return EXT_RETURN_FAIL;
1259 skey = ssl_generate_pkey(ckey);
1261 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1262 ERR_R_MALLOC_FAILURE);
1263 return EXT_RETURN_FAIL;
1266 /* Generate encoding of server key */
1267 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1268 if (encoded_pt_len == 0) {
1269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1271 EVP_PKEY_free(skey);
1272 return EXT_RETURN_FAIL;
1275 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1276 || !WPACKET_close(pkt)) {
1277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1278 ERR_R_INTERNAL_ERROR);
1279 EVP_PKEY_free(skey);
1280 OPENSSL_free(encodedPoint);
1281 return EXT_RETURN_FAIL;
1283 OPENSSL_free(encodedPoint);
1285 /* This causes the crypto state to be updated based on the derived keys */
1286 s->s3->tmp.pkey = skey;
1287 if (ssl_derive(s, skey, ckey, 1) == 0) {
1288 /* SSLfatal() already called */
1289 return EXT_RETURN_FAIL;
1293 return EXT_RETURN_SENT;
1296 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1297 unsigned int context, X509 *x,
1300 const unsigned char cryptopro_ext[36] = {
1301 0xfd, 0xe8, /* 65000 */
1302 0x00, 0x20, /* 32 bytes length */
1303 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1304 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1305 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1306 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1309 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1310 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1311 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1312 return EXT_RETURN_NOT_SENT;
1314 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1315 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1316 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1317 return EXT_RETURN_FAIL;
1320 return EXT_RETURN_SENT;
1323 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1324 unsigned int context, X509 *x,
1327 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1328 if (s->max_early_data == 0)
1329 return EXT_RETURN_NOT_SENT;
1331 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1332 || !WPACKET_start_sub_packet_u16(pkt)
1333 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1334 || !WPACKET_close(pkt)) {
1335 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1336 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1337 return EXT_RETURN_FAIL;
1340 return EXT_RETURN_SENT;
1343 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1344 return EXT_RETURN_NOT_SENT;
1346 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1347 || !WPACKET_start_sub_packet_u16(pkt)
1348 || !WPACKET_close(pkt)) {
1349 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1350 ERR_R_INTERNAL_ERROR);
1351 return EXT_RETURN_FAIL;
1354 return EXT_RETURN_SENT;
1357 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1358 X509 *x, size_t chainidx)
1361 return EXT_RETURN_NOT_SENT;
1363 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1364 || !WPACKET_start_sub_packet_u16(pkt)
1365 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1366 || !WPACKET_close(pkt)) {
1367 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1368 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1369 return EXT_RETURN_FAIL;
1372 return EXT_RETURN_SENT;