2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3->previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3->previous_client_finished,
63 s->s3->previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3->send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
133 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
134 SSL_R_BAD_EXTENSION);
138 if (PACKET_contains_zero_byte(&hostname)) {
139 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
140 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
141 SSL_R_BAD_EXTENSION);
145 OPENSSL_free(s->session->ext.hostname);
146 s->session->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 ERR_R_INTERNAL_ERROR);
153 s->servername_done = 1;
156 * TODO(openssl-team): if the SNI doesn't match, we MUST
157 * fall back to a full handshake.
159 s->servername_done = s->session->ext.hostname
160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
163 if (!s->servername_done && s->session->ext.hostname != NULL)
164 s->ext.early_data_ok = 0;
170 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
171 X509 *x, size_t chainidx)
175 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
176 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
177 SSL_R_BAD_EXTENSION);
181 /* Received |value| should be a valid max-fragment-length code. */
182 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
183 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
184 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
185 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
190 * RFC 6066: The negotiated length applies for the duration of the session
191 * including session resumptions.
192 * We should receive the same code as in resumed session !
194 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
195 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
196 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
197 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
202 * Store it in session, so it'll become binding for us
203 * and we'll include it in a next Server Hello.
205 s->session->ext.max_fragment_len_mode = value;
209 #ifndef OPENSSL_NO_SRP
210 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
215 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
216 || PACKET_contains_zero_byte(&srp_I)) {
217 SSLfatal(s, SSL_AD_DECODE_ERROR,
218 SSL_F_TLS_PARSE_CTOS_SRP,
219 SSL_R_BAD_EXTENSION);
224 * TODO(openssl-team): currently, we re-authenticate the user
225 * upon resumption. Instead, we MUST ignore the login.
227 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
229 ERR_R_INTERNAL_ERROR);
237 #ifndef OPENSSL_NO_EC
238 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
239 X509 *x, size_t chainidx)
241 PACKET ec_point_format_list;
243 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
244 || PACKET_remaining(&ec_point_format_list) == 0) {
245 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
246 SSL_R_BAD_EXTENSION);
251 if (!PACKET_memdup(&ec_point_format_list,
252 &s->session->ext.ecpointformats,
253 &s->session->ext.ecpointformats_len)) {
254 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
255 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
262 #endif /* OPENSSL_NO_EC */
264 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
265 X509 *x, size_t chainidx)
267 if (s->ext.session_ticket_cb &&
268 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
269 PACKET_remaining(pkt),
270 s->ext.session_ticket_cb_arg)) {
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
272 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
279 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
280 X509 *x, size_t chainidx)
282 PACKET supported_sig_algs;
284 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
285 || PACKET_remaining(&supported_sig_algs) == 0) {
286 SSLfatal(s, SSL_AD_DECODE_ERROR,
287 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
291 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
292 SSLfatal(s, SSL_AD_DECODE_ERROR,
293 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
300 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
303 PACKET supported_sig_algs;
305 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
306 || PACKET_remaining(&supported_sig_algs) == 0) {
307 SSLfatal(s, SSL_AD_DECODE_ERROR,
308 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
312 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
313 SSLfatal(s, SSL_AD_DECODE_ERROR,
314 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
321 #ifndef OPENSSL_NO_OCSP
322 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
323 X509 *x, size_t chainidx)
325 PACKET responder_id_list, exts;
327 /* Not defined if we get one of these in a client Certificate */
331 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
332 SSLfatal(s, SSL_AD_DECODE_ERROR,
333 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
337 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
339 * We don't know what to do with any other type so ignore it.
341 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
345 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
352 * We remove any OCSP_RESPIDs from a previous handshake
353 * to prevent unbounded memory growth - CVE-2016-6304
355 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
356 if (PACKET_remaining(&responder_id_list) > 0) {
357 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
358 if (s->ext.ocsp.ids == NULL) {
359 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
360 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
364 s->ext.ocsp.ids = NULL;
367 while (PACKET_remaining(&responder_id_list) > 0) {
370 const unsigned char *id_data;
372 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
373 || PACKET_remaining(&responder_id) == 0) {
374 SSLfatal(s, SSL_AD_DECODE_ERROR,
375 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
379 id_data = PACKET_data(&responder_id);
380 /* TODO(size_t): Convert d2i_* to size_t */
381 id = d2i_OCSP_RESPID(NULL, &id_data,
382 (int)PACKET_remaining(&responder_id));
384 SSLfatal(s, SSL_AD_DECODE_ERROR,
385 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
389 if (id_data != PACKET_end(&responder_id)) {
390 OCSP_RESPID_free(id);
391 SSLfatal(s, SSL_AD_DECODE_ERROR,
392 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
397 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
398 OCSP_RESPID_free(id);
399 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
400 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
406 /* Read in request_extensions */
407 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
408 SSLfatal(s, SSL_AD_DECODE_ERROR,
409 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
413 if (PACKET_remaining(&exts) > 0) {
414 const unsigned char *ext_data = PACKET_data(&exts);
416 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
417 X509_EXTENSION_free);
419 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
420 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
421 SSLfatal(s, SSL_AD_DECODE_ERROR,
422 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
431 #ifndef OPENSSL_NO_NEXTPROTONEG
432 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
436 * We shouldn't accept this extension on a
439 if (SSL_IS_FIRST_HANDSHAKE(s))
447 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
448 * extension, not including type and length. Returns: 1 on success, 0 on error.
450 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 PACKET protocol_list, save_protocol_list, protocol;
455 if (!SSL_IS_FIRST_HANDSHAKE(s))
458 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
459 || PACKET_remaining(&protocol_list) < 2) {
460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
461 SSL_R_BAD_EXTENSION);
465 save_protocol_list = protocol_list;
467 /* Protocol names can't be empty. */
468 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
469 || PACKET_remaining(&protocol) == 0) {
470 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
471 SSL_R_BAD_EXTENSION);
474 } while (PACKET_remaining(&protocol_list) != 0);
476 OPENSSL_free(s->s3->alpn_proposed);
477 s->s3->alpn_proposed = NULL;
478 s->s3->alpn_proposed_len = 0;
479 if (!PACKET_memdup(&save_protocol_list,
480 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
481 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
482 ERR_R_INTERNAL_ERROR);
489 #ifndef OPENSSL_NO_SRTP
490 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
493 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
494 unsigned int ct, mki_len, id;
498 /* Ignore this if we have no SRTP profiles */
499 if (SSL_get_srtp_profiles(s) == NULL)
502 /* Pull off the length of the cipher suite list and check it is even */
503 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
504 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
505 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
506 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
510 srvr = SSL_get_srtp_profiles(s);
511 s->srtp_profile = NULL;
512 /* Search all profiles for a match initially */
513 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
515 while (PACKET_remaining(&subpkt)) {
516 if (!PACKET_get_net_2(&subpkt, &id)) {
517 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
518 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
523 * Only look for match in profiles of higher preference than
525 * If no profiles have been have been configured then this
528 for (i = 0; i < srtp_pref; i++) {
529 SRTP_PROTECTION_PROFILE *sprof =
530 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
532 if (sprof->id == id) {
533 s->srtp_profile = sprof;
540 /* Now extract the MKI value as a sanity check, but discard it for now */
541 if (!PACKET_get_1(pkt, &mki_len)) {
542 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
543 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
547 if (!PACKET_forward(pkt, mki_len)
548 || PACKET_remaining(pkt)) {
549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
550 SSL_R_BAD_SRTP_MKI_VALUE);
558 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
561 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
568 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
569 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
571 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
572 X509 *x, size_t chainidx)
574 #ifndef OPENSSL_NO_TLS1_3
575 PACKET psk_kex_modes;
578 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
579 || PACKET_remaining(&psk_kex_modes) == 0) {
580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
581 SSL_R_BAD_EXTENSION);
585 while (PACKET_get_1(&psk_kex_modes, &mode)) {
586 if (mode == TLSEXT_KEX_MODE_KE_DHE)
587 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
588 else if (mode == TLSEXT_KEX_MODE_KE
589 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
590 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
598 * Process a key_share extension received in the ClientHello. |pkt| contains
599 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
601 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
604 #ifndef OPENSSL_NO_TLS1_3
605 unsigned int group_id;
606 PACKET key_share_list, encoded_pt;
607 const uint16_t *clntgroups, *srvrgroups;
608 size_t clnt_num_groups, srvr_num_groups;
611 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
615 if (s->s3->peer_tmp != NULL) {
616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
617 ERR_R_INTERNAL_ERROR);
621 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
622 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
623 SSL_R_LENGTH_MISMATCH);
627 /* Get our list of supported groups */
628 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
629 /* Get the clients list of supported groups. */
630 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
631 if (clnt_num_groups == 0) {
633 * This can only happen if the supported_groups extension was not sent,
634 * because we verify that the length is non-zero when we process that
637 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
638 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
642 if (s->s3->group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
644 * If we set a group_id already, then we must have sent an HRR
645 * requesting a new key_share. If we haven't got one then that is an
648 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
649 SSL_R_BAD_KEY_SHARE);
653 while (PACKET_remaining(&key_share_list) > 0) {
654 if (!PACKET_get_net_2(&key_share_list, &group_id)
655 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
656 || PACKET_remaining(&encoded_pt) == 0) {
657 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
658 SSL_R_LENGTH_MISMATCH);
663 * If we already found a suitable key_share we loop through the
664 * rest to verify the structure, but don't process them.
670 * If we sent an HRR then the key_share sent back MUST be for the group
671 * we requested, and must be the only key_share sent.
673 if (s->s3->group_id != 0
674 && (group_id != s->s3->group_id
675 || PACKET_remaining(&key_share_list) != 0)) {
676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
677 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
681 /* Check if this share is in supported_groups sent from client */
682 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
683 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
684 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
688 /* Check if this share is for a group we can use */
689 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
690 /* Share not suitable */
694 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
696 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
700 s->s3->group_id = group_id;
702 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
703 PACKET_data(&encoded_pt),
704 PACKET_remaining(&encoded_pt))) {
705 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
706 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
717 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
720 unsigned int format, version, key_share, group_id;
723 PACKET cookie, raw, chhash, appcookie;
725 const unsigned char *data, *mdin, *ciphdata;
726 unsigned char hmac[SHA256_DIGEST_LENGTH];
727 unsigned char hrr[MAX_HRR_SIZE];
728 size_t rawlen, hmaclen, hrrlen, ciphlen;
729 unsigned long tm, now;
731 /* Ignore any cookie if we're not set up to verify it */
732 if (s->ctx->verify_stateless_cookie_cb == NULL
733 || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
736 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
737 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
738 SSL_R_LENGTH_MISMATCH);
743 data = PACKET_data(&raw);
744 rawlen = PACKET_remaining(&raw);
745 if (rawlen < SHA256_DIGEST_LENGTH
746 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
747 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
748 SSL_R_LENGTH_MISMATCH);
751 mdin = PACKET_data(&raw);
753 /* Verify the HMAC of the cookie */
754 hctx = EVP_MD_CTX_create();
755 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
756 s->session_ctx->ext.cookie_hmac_key,
757 sizeof(s->session_ctx->ext
759 if (hctx == NULL || pkey == NULL) {
760 EVP_MD_CTX_free(hctx);
762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
763 ERR_R_MALLOC_FAILURE);
767 hmaclen = SHA256_DIGEST_LENGTH;
768 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
769 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
770 rawlen - SHA256_DIGEST_LENGTH) <= 0
771 || hmaclen != SHA256_DIGEST_LENGTH) {
772 EVP_MD_CTX_free(hctx);
774 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
775 ERR_R_INTERNAL_ERROR);
779 EVP_MD_CTX_free(hctx);
782 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
783 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
784 SSL_R_COOKIE_MISMATCH);
788 if (!PACKET_get_net_2(&cookie, &format)) {
789 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
790 SSL_R_LENGTH_MISMATCH);
793 /* Check the cookie format is something we recognise. Ignore it if not */
794 if (format != COOKIE_STATE_FORMAT_VERSION)
798 * The rest of these checks really shouldn't fail since we have verified the
802 /* Check the version number is sane */
803 if (!PACKET_get_net_2(&cookie, &version)) {
804 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
805 SSL_R_LENGTH_MISMATCH);
808 if (version != TLS1_3_VERSION) {
809 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
810 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
814 if (!PACKET_get_net_2(&cookie, &group_id)) {
815 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
816 SSL_R_LENGTH_MISMATCH);
820 ciphdata = PACKET_data(&cookie);
821 if (!PACKET_forward(&cookie, 2)) {
822 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
823 SSL_R_LENGTH_MISMATCH);
826 if (group_id != s->s3->group_id
827 || s->s3->tmp.new_cipher
828 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
830 * We chose a different cipher or group id this time around to what is
831 * in the cookie. Something must have changed.
833 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
838 if (!PACKET_get_1(&cookie, &key_share)
839 || !PACKET_get_net_4(&cookie, &tm)
840 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
841 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
842 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
843 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
844 SSL_R_LENGTH_MISMATCH);
848 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
849 now = (unsigned long)time(NULL);
850 if (tm > now || (now - tm) > 600) {
851 /* Cookie is stale. Ignore it */
855 /* Verify the app cookie */
856 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
857 PACKET_remaining(&appcookie)) == 0) {
858 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
859 SSL_R_COOKIE_MISMATCH);
864 * Reconstruct the HRR that we would have sent in response to the original
865 * ClientHello so we can add it to the transcript hash.
866 * Note: This won't work with custom HRR extensions
868 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
870 ERR_R_INTERNAL_ERROR);
873 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
874 || !WPACKET_start_sub_packet_u24(&hrrpkt)
875 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
876 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
877 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
878 s->tmp_session_id_len)
879 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &hrrpkt,
881 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
882 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
883 WPACKET_cleanup(&hrrpkt);
884 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
885 ERR_R_INTERNAL_ERROR);
888 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
889 || !WPACKET_start_sub_packet_u16(&hrrpkt)
890 /* TODO(TLS1.3): Fix this before release */
891 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
892 || !WPACKET_close(&hrrpkt)) {
893 WPACKET_cleanup(&hrrpkt);
894 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
895 ERR_R_INTERNAL_ERROR);
899 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
900 || !WPACKET_start_sub_packet_u16(&hrrpkt)
901 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3->group_id)
902 || !WPACKET_close(&hrrpkt)) {
903 WPACKET_cleanup(&hrrpkt);
904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
905 ERR_R_INTERNAL_ERROR);
909 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
910 || !WPACKET_start_sub_packet_u16(&hrrpkt)
911 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
912 || !WPACKET_close(&hrrpkt) /* cookie extension */
913 || !WPACKET_close(&hrrpkt) /* extension block */
914 || !WPACKET_close(&hrrpkt) /* message */
915 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
916 || !WPACKET_finish(&hrrpkt)) {
917 WPACKET_cleanup(&hrrpkt);
918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
919 ERR_R_INTERNAL_ERROR);
923 /* Reconstruct the transcript hash */
924 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
925 PACKET_remaining(&chhash), hrr,
927 /* SSLfatal() already called */
931 /* Act as if this ClientHello came after a HelloRetryRequest */
932 s->hello_retry_request = 1;
939 #ifndef OPENSSL_NO_EC
940 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
941 X509 *x, size_t chainidx)
943 PACKET supported_groups_list;
945 /* Each group is 2 bytes and we must have at least 1. */
946 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
947 || PACKET_remaining(&supported_groups_list) == 0
948 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
949 SSLfatal(s, SSL_AD_DECODE_ERROR,
950 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
954 if (!s->hit || SSL_IS_TLS13(s)) {
955 OPENSSL_free(s->session->ext.supportedgroups);
956 s->session->ext.supportedgroups = NULL;
957 s->session->ext.supportedgroups_len = 0;
958 if (!tls1_save_u16(&supported_groups_list,
959 &s->session->ext.supportedgroups,
960 &s->session->ext.supportedgroups_len)) {
961 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
962 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
963 ERR_R_INTERNAL_ERROR);
972 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
975 /* The extension must always be empty */
976 if (PACKET_remaining(pkt) != 0) {
977 SSLfatal(s, SSL_AD_DECODE_ERROR,
978 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
982 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
988 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
989 X509 *x, size_t chainidx)
991 if (PACKET_remaining(pkt) != 0) {
992 SSLfatal(s, SSL_AD_DECODE_ERROR,
993 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
997 if (s->hello_retry_request != SSL_HRR_NONE) {
998 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
999 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1006 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1009 PACKET identities, binders, binder;
1010 size_t binderoffset, hashsize;
1011 SSL_SESSION *sess = NULL;
1012 unsigned int id, i, ext = 0;
1013 const EVP_MD *md = NULL;
1016 * If we have no PSK kex mode that we recognise then we can't resume so
1017 * ignore this extension
1019 if ((s->ext.psk_kex_mode
1020 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1023 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1024 SSLfatal(s, SSL_AD_DECODE_ERROR,
1025 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1029 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1031 unsigned long ticket_agel;
1034 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1035 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1036 SSLfatal(s, SSL_AD_DECODE_ERROR,
1037 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1041 idlen = PACKET_remaining(&identity);
1042 if (s->psk_find_session_cb != NULL
1043 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1045 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1046 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1051 && s->psk_server_callback != NULL
1052 && idlen <= PSK_MAX_IDENTITY_LEN) {
1054 unsigned char pskdata[PSK_MAX_PSK_LEN];
1055 unsigned int pskdatalen;
1057 if (!PACKET_strndup(&identity, &pskid)) {
1058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1059 ERR_R_INTERNAL_ERROR);
1062 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1064 OPENSSL_free(pskid);
1065 if (pskdatalen > PSK_MAX_PSK_LEN) {
1066 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1067 ERR_R_INTERNAL_ERROR);
1069 } else if (pskdatalen > 0) {
1070 const SSL_CIPHER *cipher;
1071 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1074 * We found a PSK using an old style callback. We don't know
1075 * the digest so we default to SHA256 as per the TLSv1.3 spec
1077 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1078 if (cipher == NULL) {
1079 OPENSSL_cleanse(pskdata, pskdatalen);
1080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1081 ERR_R_INTERNAL_ERROR);
1085 sess = SSL_SESSION_new();
1087 || !SSL_SESSION_set1_master_key(sess, pskdata,
1089 || !SSL_SESSION_set_cipher(sess, cipher)
1090 || !SSL_SESSION_set_protocol_version(sess,
1092 OPENSSL_cleanse(pskdata, pskdatalen);
1093 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1094 ERR_R_INTERNAL_ERROR);
1097 OPENSSL_cleanse(pskdata, pskdatalen);
1102 /* We found a PSK */
1103 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1105 if (sesstmp == NULL) {
1106 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1107 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1110 SSL_SESSION_free(sess);
1114 * We've just been told to use this session for this context so
1115 * make sure the sid_ctx matches up.
1117 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1118 sess->sid_ctx_length = s->sid_ctx_length;
1121 s->ext.early_data_ok = 1;
1123 uint32_t ticket_age = 0, now, agesec, agems;
1124 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1125 PACKET_remaining(&identity), NULL, 0,
1128 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1129 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1130 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1131 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1134 if (ret == SSL_TICKET_NO_DECRYPT)
1137 ticket_age = (uint32_t)ticket_agel;
1138 now = (uint32_t)time(NULL);
1139 agesec = now - (uint32_t)sess->time;
1140 agems = agesec * (uint32_t)1000;
1141 ticket_age -= sess->ext.tick_age_add;
1144 * For simplicity we do our age calculations in seconds. If the
1145 * client does it in ms then it could appear that their ticket age
1146 * is longer than ours (our ticket age calculation should always be
1147 * slightly longer than the client's due to the network latency).
1148 * Therefore we add 1000ms to our age calculation to adjust for
1152 && sess->timeout >= (long)agesec
1153 && agems / (uint32_t)1000 == agesec
1154 && ticket_age <= agems + 1000
1155 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1157 * Ticket age is within tolerance and not expired. We allow it
1160 s->ext.early_data_ok = 1;
1164 md = ssl_md(sess->cipher->algorithm2);
1165 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
1166 /* The ciphersuite is not compatible with this session. */
1167 SSL_SESSION_free(sess);
1169 s->ext.early_data_ok = 0;
1178 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1179 hashsize = EVP_MD_size(md);
1181 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1182 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1183 SSL_R_BAD_EXTENSION);
1187 for (i = 0; i <= id; i++) {
1188 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1189 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1190 SSL_R_BAD_EXTENSION);
1195 if (PACKET_remaining(&binder) != hashsize) {
1196 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1197 SSL_R_BAD_EXTENSION);
1200 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1201 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1203 /* SSLfatal() already called */
1207 sess->ext.tick_identity = id;
1209 SSL_SESSION_free(s->session);
1213 SSL_SESSION_free(sess);
1217 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1218 X509 *x, size_t chainidx)
1220 if (PACKET_remaining(pkt) != 0) {
1221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1222 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1226 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1232 * Add the server's renegotiation binding
1234 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1235 unsigned int context, X509 *x,
1238 if (!s->s3->send_connection_binding)
1239 return EXT_RETURN_NOT_SENT;
1241 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1242 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1243 || !WPACKET_start_sub_packet_u16(pkt)
1244 || !WPACKET_start_sub_packet_u8(pkt)
1245 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
1246 s->s3->previous_client_finished_len)
1247 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
1248 s->s3->previous_server_finished_len)
1249 || !WPACKET_close(pkt)
1250 || !WPACKET_close(pkt)) {
1251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1252 ERR_R_INTERNAL_ERROR);
1253 return EXT_RETURN_FAIL;
1256 return EXT_RETURN_SENT;
1259 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1260 unsigned int context, X509 *x,
1263 if (s->hit || s->servername_done != 1
1264 || s->session->ext.hostname == NULL)
1265 return EXT_RETURN_NOT_SENT;
1267 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1268 || !WPACKET_put_bytes_u16(pkt, 0)) {
1269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1270 ERR_R_INTERNAL_ERROR);
1271 return EXT_RETURN_FAIL;
1274 return EXT_RETURN_SENT;
1277 /* Add/include the server's max fragment len extension into ServerHello */
1278 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1279 unsigned int context, X509 *x,
1282 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1283 return EXT_RETURN_NOT_SENT;
1286 * 4 bytes for this extension type and extension length
1287 * 1 byte for the Max Fragment Length code value.
1289 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1290 || !WPACKET_start_sub_packet_u16(pkt)
1291 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1292 || !WPACKET_close(pkt)) {
1293 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1294 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1295 return EXT_RETURN_FAIL;
1298 return EXT_RETURN_SENT;
1301 #ifndef OPENSSL_NO_EC
1302 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1303 unsigned int context, X509 *x,
1306 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1307 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1308 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1309 && (s->session->ext.ecpointformats != NULL);
1310 const unsigned char *plist;
1314 return EXT_RETURN_NOT_SENT;
1316 tls1_get_formatlist(s, &plist, &plistlen);
1317 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1318 || !WPACKET_start_sub_packet_u16(pkt)
1319 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1320 || !WPACKET_close(pkt)) {
1321 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1322 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1323 return EXT_RETURN_FAIL;
1326 return EXT_RETURN_SENT;
1330 #ifndef OPENSSL_NO_EC
1331 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1332 unsigned int context, X509 *x,
1335 const uint16_t *groups;
1336 size_t numgroups, i, first = 1;
1338 /* s->s3->group_id is non zero if we accepted a key_share */
1339 if (s->s3->group_id == 0)
1340 return EXT_RETURN_NOT_SENT;
1342 /* Get our list of supported groups */
1343 tls1_get_supported_groups(s, &groups, &numgroups);
1344 if (numgroups == 0) {
1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1346 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1347 return EXT_RETURN_FAIL;
1350 /* Copy group ID if supported */
1351 for (i = 0; i < numgroups; i++) {
1352 uint16_t group = groups[i];
1354 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1357 * Check if the client is already using our preferred group. If
1358 * so we don't need to add this extension
1360 if (s->s3->group_id == group)
1361 return EXT_RETURN_NOT_SENT;
1363 /* Add extension header */
1364 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1365 /* Sub-packet for supported_groups extension */
1366 || !WPACKET_start_sub_packet_u16(pkt)
1367 || !WPACKET_start_sub_packet_u16(pkt)) {
1368 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1369 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1370 ERR_R_INTERNAL_ERROR);
1371 return EXT_RETURN_FAIL;
1376 if (!WPACKET_put_bytes_u16(pkt, group)) {
1377 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1378 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1379 ERR_R_INTERNAL_ERROR);
1380 return EXT_RETURN_FAIL;
1385 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1386 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1387 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1388 ERR_R_INTERNAL_ERROR);
1389 return EXT_RETURN_FAIL;
1392 return EXT_RETURN_SENT;
1396 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1397 unsigned int context, X509 *x,
1400 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1401 s->ext.ticket_expected = 0;
1402 return EXT_RETURN_NOT_SENT;
1405 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1406 || !WPACKET_put_bytes_u16(pkt, 0)) {
1407 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1408 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1409 return EXT_RETURN_FAIL;
1412 return EXT_RETURN_SENT;
1415 #ifndef OPENSSL_NO_OCSP
1416 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1417 unsigned int context, X509 *x,
1420 if (!s->ext.status_expected)
1421 return EXT_RETURN_NOT_SENT;
1423 if (SSL_IS_TLS13(s) && chainidx != 0)
1424 return EXT_RETURN_NOT_SENT;
1426 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1427 || !WPACKET_start_sub_packet_u16(pkt)) {
1428 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1429 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1430 return EXT_RETURN_FAIL;
1434 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1435 * send back an empty extension, with the certificate status appearing as a
1438 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1439 /* SSLfatal() already called */
1440 return EXT_RETURN_FAIL;
1442 if (!WPACKET_close(pkt)) {
1443 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1444 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1445 return EXT_RETURN_FAIL;
1448 return EXT_RETURN_SENT;
1452 #ifndef OPENSSL_NO_NEXTPROTONEG
1453 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1454 unsigned int context, X509 *x,
1457 const unsigned char *npa;
1458 unsigned int npalen;
1460 int npn_seen = s->s3->npn_seen;
1462 s->s3->npn_seen = 0;
1463 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1464 return EXT_RETURN_NOT_SENT;
1466 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1467 s->ctx->ext.npn_advertised_cb_arg);
1468 if (ret == SSL_TLSEXT_ERR_OK) {
1469 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1470 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1471 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1472 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1473 ERR_R_INTERNAL_ERROR);
1474 return EXT_RETURN_FAIL;
1476 s->s3->npn_seen = 1;
1479 return EXT_RETURN_SENT;
1483 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1484 X509 *x, size_t chainidx)
1486 if (s->s3->alpn_selected == NULL)
1487 return EXT_RETURN_NOT_SENT;
1489 if (!WPACKET_put_bytes_u16(pkt,
1490 TLSEXT_TYPE_application_layer_protocol_negotiation)
1491 || !WPACKET_start_sub_packet_u16(pkt)
1492 || !WPACKET_start_sub_packet_u16(pkt)
1493 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1494 s->s3->alpn_selected_len)
1495 || !WPACKET_close(pkt)
1496 || !WPACKET_close(pkt)) {
1497 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1498 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1499 return EXT_RETURN_FAIL;
1502 return EXT_RETURN_SENT;
1505 #ifndef OPENSSL_NO_SRTP
1506 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1507 unsigned int context, X509 *x,
1510 if (s->srtp_profile == NULL)
1511 return EXT_RETURN_NOT_SENT;
1513 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1514 || !WPACKET_start_sub_packet_u16(pkt)
1515 || !WPACKET_put_bytes_u16(pkt, 2)
1516 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1517 || !WPACKET_put_bytes_u8(pkt, 0)
1518 || !WPACKET_close(pkt)) {
1519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1520 ERR_R_INTERNAL_ERROR);
1521 return EXT_RETURN_FAIL;
1524 return EXT_RETURN_SENT;
1528 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1529 X509 *x, size_t chainidx)
1531 if (!s->ext.use_etm)
1532 return EXT_RETURN_NOT_SENT;
1535 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1536 * for other cases too.
1538 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1539 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1540 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1541 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1543 return EXT_RETURN_NOT_SENT;
1546 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1547 || !WPACKET_put_bytes_u16(pkt, 0)) {
1548 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1549 ERR_R_INTERNAL_ERROR);
1550 return EXT_RETURN_FAIL;
1553 return EXT_RETURN_SENT;
1556 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1557 X509 *x, size_t chainidx)
1559 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1560 return EXT_RETURN_NOT_SENT;
1562 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1563 || !WPACKET_put_bytes_u16(pkt, 0)) {
1564 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1565 ERR_R_INTERNAL_ERROR);
1566 return EXT_RETURN_FAIL;
1569 return EXT_RETURN_SENT;
1572 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1573 unsigned int context, X509 *x,
1576 if (!ossl_assert(SSL_IS_TLS13(s))) {
1577 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1578 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1579 ERR_R_INTERNAL_ERROR);
1580 return EXT_RETURN_FAIL;
1583 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1584 || !WPACKET_start_sub_packet_u16(pkt)
1585 /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
1586 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
1587 || !WPACKET_close(pkt)) {
1588 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1589 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1590 ERR_R_INTERNAL_ERROR);
1591 return EXT_RETURN_FAIL;
1594 return EXT_RETURN_SENT;
1597 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1598 unsigned int context, X509 *x,
1601 #ifndef OPENSSL_NO_TLS1_3
1602 unsigned char *encodedPoint;
1603 size_t encoded_pt_len = 0;
1604 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1606 if (s->hello_retry_request == SSL_HRR_PENDING) {
1608 /* Original key_share was acceptable so don't ask for another one */
1609 return EXT_RETURN_NOT_SENT;
1611 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1612 || !WPACKET_start_sub_packet_u16(pkt)
1613 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1614 || !WPACKET_close(pkt)) {
1615 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1616 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1617 ERR_R_INTERNAL_ERROR);
1618 return EXT_RETURN_FAIL;
1621 return EXT_RETURN_SENT;
1625 /* No key_share received from client - must be resuming */
1626 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1627 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1628 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1629 return EXT_RETURN_FAIL;
1631 return EXT_RETURN_NOT_SENT;
1634 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1635 || !WPACKET_start_sub_packet_u16(pkt)
1636 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1637 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1638 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1639 return EXT_RETURN_FAIL;
1642 skey = ssl_generate_pkey(ckey);
1644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1645 ERR_R_MALLOC_FAILURE);
1646 return EXT_RETURN_FAIL;
1649 /* Generate encoding of server key */
1650 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1651 if (encoded_pt_len == 0) {
1652 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1654 EVP_PKEY_free(skey);
1655 return EXT_RETURN_FAIL;
1658 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1659 || !WPACKET_close(pkt)) {
1660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1661 ERR_R_INTERNAL_ERROR);
1662 EVP_PKEY_free(skey);
1663 OPENSSL_free(encodedPoint);
1664 return EXT_RETURN_FAIL;
1666 OPENSSL_free(encodedPoint);
1668 /* This causes the crypto state to be updated based on the derived keys */
1669 s->s3->tmp.pkey = skey;
1670 if (ssl_derive(s, skey, ckey, 1) == 0) {
1671 /* SSLfatal() already called */
1672 return EXT_RETURN_FAIL;
1676 return EXT_RETURN_SENT;
1679 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1680 X509 *x, size_t chainidx)
1682 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1683 unsigned char *hmac, *hmac2;
1684 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1687 int ret = EXT_RETURN_FAIL;
1689 if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
1690 return EXT_RETURN_NOT_SENT;
1692 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1693 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1694 SSL_R_NO_COOKIE_CALLBACK_SET);
1695 return EXT_RETURN_FAIL;
1698 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1699 || !WPACKET_start_sub_packet_u16(pkt)
1700 || !WPACKET_start_sub_packet_u16(pkt)
1701 || !WPACKET_get_total_written(pkt, &startlen)
1702 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1703 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1704 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1705 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1706 || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt,
1708 /* Is there a key_share extension present in this HRR? */
1709 || !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
1710 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1711 || !WPACKET_start_sub_packet_u16(pkt)
1712 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1714 ERR_R_INTERNAL_ERROR);
1715 return EXT_RETURN_FAIL;
1719 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1720 * on raw buffers, so we first reserve sufficient bytes (above) and then
1721 * subsequently allocate them (below)
1723 if (!ssl3_digest_cached_records(s, 0)
1724 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1725 /* SSLfatal() already called */
1726 return EXT_RETURN_FAIL;
1729 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1730 || !ossl_assert(hashval1 == hashval2)
1731 || !WPACKET_close(pkt)
1732 || !WPACKET_start_sub_packet_u8(pkt)
1733 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1734 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1735 ERR_R_INTERNAL_ERROR);
1736 return EXT_RETURN_FAIL;
1739 /* Generate the application cookie */
1740 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1741 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1742 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1743 return EXT_RETURN_FAIL;
1746 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1747 || !ossl_assert(appcookie1 == appcookie2)
1748 || !WPACKET_close(pkt)
1749 || !WPACKET_get_total_written(pkt, &totcookielen)
1750 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1751 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1752 ERR_R_INTERNAL_ERROR);
1753 return EXT_RETURN_FAIL;
1755 hmaclen = SHA256_DIGEST_LENGTH;
1757 totcookielen -= startlen;
1758 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1760 ERR_R_INTERNAL_ERROR);
1761 return EXT_RETURN_FAIL;
1764 /* HMAC the cookie */
1765 hctx = EVP_MD_CTX_create();
1766 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
1767 s->session_ctx->ext.cookie_hmac_key,
1768 sizeof(s->session_ctx->ext
1770 if (hctx == NULL || pkey == NULL) {
1771 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1772 ERR_R_MALLOC_FAILURE);
1776 if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
1777 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1778 totcookielen) <= 0) {
1779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1780 ERR_R_INTERNAL_ERROR);
1784 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1786 ERR_R_INTERNAL_ERROR);
1790 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1791 || !ossl_assert(hmac == hmac2)
1792 || !ossl_assert(cookie == hmac - totcookielen)
1793 || !WPACKET_close(pkt)
1794 || !WPACKET_close(pkt)) {
1795 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1796 ERR_R_INTERNAL_ERROR);
1800 ret = EXT_RETURN_SENT;
1803 EVP_MD_CTX_free(hctx);
1804 EVP_PKEY_free(pkey);
1808 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1809 unsigned int context, X509 *x,
1812 const unsigned char cryptopro_ext[36] = {
1813 0xfd, 0xe8, /* 65000 */
1814 0x00, 0x20, /* 32 bytes length */
1815 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1816 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1817 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1818 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1821 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1822 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1823 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1824 return EXT_RETURN_NOT_SENT;
1826 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1827 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1828 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1829 return EXT_RETURN_FAIL;
1832 return EXT_RETURN_SENT;
1835 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1836 unsigned int context, X509 *x,
1839 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1840 if (s->max_early_data == 0)
1841 return EXT_RETURN_NOT_SENT;
1843 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1844 || !WPACKET_start_sub_packet_u16(pkt)
1845 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1846 || !WPACKET_close(pkt)) {
1847 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1848 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1849 return EXT_RETURN_FAIL;
1852 return EXT_RETURN_SENT;
1855 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1856 return EXT_RETURN_NOT_SENT;
1858 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1859 || !WPACKET_start_sub_packet_u16(pkt)
1860 || !WPACKET_close(pkt)) {
1861 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1862 ERR_R_INTERNAL_ERROR);
1863 return EXT_RETURN_FAIL;
1866 return EXT_RETURN_SENT;
1869 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1870 X509 *x, size_t chainidx)
1873 return EXT_RETURN_NOT_SENT;
1875 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1876 || !WPACKET_start_sub_packet_u16(pkt)
1877 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1878 || !WPACKET_close(pkt)) {
1879 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1880 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1881 return EXT_RETURN_FAIL;
1884 return EXT_RETURN_SENT;