2 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
15 DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
16 DEFINE_STACK_OF(OCSP_RESPID)
17 DEFINE_STACK_OF(X509_EXTENSION)
19 #define COOKIE_STATE_FORMAT_VERSION 0
22 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
23 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
24 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
25 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
26 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
28 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
29 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
32 * Message header + 2 bytes for protocol version + number of random bytes +
33 * + 1 byte for legacy session id length + number of bytes in legacy session id
34 * + 2 bytes for ciphersuite + 1 byte for legacy compression
35 * + 2 bytes for extension block length + 6 bytes for key_share extension
36 * + 4 bytes for cookie extension header + the number of bytes in the cookie
38 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
39 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
43 * Parse the client's renegotiation binding and abort if it's not right
45 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
46 X509 *x, size_t chainidx)
49 const unsigned char *data;
51 /* Parse the length byte */
52 if (!PACKET_get_1(pkt, &ilen)
53 || !PACKET_get_bytes(pkt, &data, ilen)) {
54 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
55 SSL_R_RENEGOTIATION_ENCODING_ERR);
59 /* Check that the extension matches */
60 if (ilen != s->s3.previous_client_finished_len) {
61 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
62 SSL_R_RENEGOTIATION_MISMATCH);
66 if (memcmp(data, s->s3.previous_client_finished,
67 s->s3.previous_client_finished_len)) {
68 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
69 SSL_R_RENEGOTIATION_MISMATCH);
73 s->s3.send_connection_binding = 1;
79 * The servername extension is treated as follows:
81 * - Only the hostname type is supported with a maximum length of 255.
82 * - The servername is rejected if too long or if it contains zeros,
83 * in which case an fatal alert is generated.
84 * - The servername field is maintained together with the session cache.
85 * - When a session is resumed, the servername call back invoked in order
86 * to allow the application to position itself to the right context.
87 * - The servername is acknowledged if it is new for a session or when
88 * it is identical to a previously used for the same session.
89 * Applications can control the behaviour. They can at any time
90 * set a 'desirable' servername for a new SSL object. This can be the
91 * case for example with HTTPS when a Host: header field is received and
92 * a renegotiation is requested. In this case, a possible servername
93 * presented in the new client hello is only acknowledged if it matches
94 * the value of the Host: field.
95 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
96 * if they provide for changing an explicit servername context for the
97 * session, i.e. when the session has been established with a servername
99 * - On session reconnect, the servername extension may be absent.
101 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
102 X509 *x, size_t chainidx)
104 unsigned int servname_type;
105 PACKET sni, hostname;
107 if (!PACKET_as_length_prefixed_2(pkt, &sni)
108 /* ServerNameList must be at least 1 byte long. */
109 || PACKET_remaining(&sni) == 0) {
110 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
111 SSL_R_BAD_EXTENSION);
116 * Although the intent was for server_name to be extensible, RFC 4366
117 * was not clear about it; and so OpenSSL among other implementations,
118 * always and only allows a 'host_name' name types.
119 * RFC 6066 corrected the mistake but adding new name types
120 * is nevertheless no longer feasible, so act as if no other
121 * SNI types can exist, to simplify parsing.
123 * Also note that the RFC permits only one SNI value per type,
124 * i.e., we can only have a single hostname.
126 if (!PACKET_get_1(&sni, &servname_type)
127 || servname_type != TLSEXT_NAMETYPE_host_name
128 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
129 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
130 SSL_R_BAD_EXTENSION);
135 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
136 * we always use the SNI value from the handshake.
138 if (!s->hit || SSL_IS_TLS13(s)) {
139 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
140 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
141 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
142 SSL_R_BAD_EXTENSION);
146 if (PACKET_contains_zero_byte(&hostname)) {
147 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
148 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
149 SSL_R_BAD_EXTENSION);
154 * Store the requested SNI in the SSL as temporary storage.
155 * If we accept it, it will get stored in the SSL_SESSION as well.
157 OPENSSL_free(s->ext.hostname);
158 s->ext.hostname = NULL;
159 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
161 ERR_R_INTERNAL_ERROR);
165 s->servername_done = 1;
168 * In TLSv1.2 and below we should check if the SNI is consistent between
169 * the initial handshake and the resumption. In TLSv1.3 SNI is not
170 * associated with the session.
173 * TODO(openssl-team): if the SNI doesn't match, we MUST
174 * fall back to a full handshake.
176 s->servername_done = (s->session->ext.hostname != NULL)
177 && PACKET_equal(&hostname, s->session->ext.hostname,
178 strlen(s->session->ext.hostname));
184 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
185 X509 *x, size_t chainidx)
189 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
190 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
191 SSL_R_BAD_EXTENSION);
195 /* Received |value| should be a valid max-fragment-length code. */
196 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
197 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
198 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
199 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
204 * RFC 6066: The negotiated length applies for the duration of the session
205 * including session resumptions.
206 * We should receive the same code as in resumed session !
208 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
209 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
210 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
211 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
216 * Store it in session, so it'll become binding for us
217 * and we'll include it in a next Server Hello.
219 s->session->ext.max_fragment_len_mode = value;
223 #ifndef OPENSSL_NO_SRP
224 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
229 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
230 || PACKET_contains_zero_byte(&srp_I)) {
231 SSLfatal(s, SSL_AD_DECODE_ERROR,
232 SSL_F_TLS_PARSE_CTOS_SRP,
233 SSL_R_BAD_EXTENSION);
238 * TODO(openssl-team): currently, we re-authenticate the user
239 * upon resumption. Instead, we MUST ignore the login.
241 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
242 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
243 ERR_R_INTERNAL_ERROR);
251 #ifndef OPENSSL_NO_EC
252 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
253 X509 *x, size_t chainidx)
255 PACKET ec_point_format_list;
257 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
258 || PACKET_remaining(&ec_point_format_list) == 0) {
259 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
260 SSL_R_BAD_EXTENSION);
265 if (!PACKET_memdup(&ec_point_format_list,
266 &s->ext.peer_ecpointformats,
267 &s->ext.peer_ecpointformats_len)) {
268 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
269 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
276 #endif /* OPENSSL_NO_EC */
278 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
279 X509 *x, size_t chainidx)
281 if (s->ext.session_ticket_cb &&
282 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
283 PACKET_remaining(pkt),
284 s->ext.session_ticket_cb_arg)) {
285 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
286 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
293 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
294 X509 *x, size_t chainidx)
296 PACKET supported_sig_algs;
298 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
299 || PACKET_remaining(&supported_sig_algs) == 0) {
300 SSLfatal(s, SSL_AD_DECODE_ERROR,
301 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
305 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
306 SSLfatal(s, SSL_AD_DECODE_ERROR,
307 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
314 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
317 PACKET supported_sig_algs;
319 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
320 || PACKET_remaining(&supported_sig_algs) == 0) {
321 SSLfatal(s, SSL_AD_DECODE_ERROR,
322 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
326 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
327 SSLfatal(s, SSL_AD_DECODE_ERROR,
328 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
335 #ifndef OPENSSL_NO_OCSP
336 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
337 X509 *x, size_t chainidx)
339 PACKET responder_id_list, exts;
341 /* We ignore this in a resumption handshake */
345 /* Not defined if we get one of these in a client Certificate */
349 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
350 SSLfatal(s, SSL_AD_DECODE_ERROR,
351 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
355 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
357 * We don't know what to do with any other type so ignore it.
359 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
363 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
364 SSLfatal(s, SSL_AD_DECODE_ERROR,
365 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
370 * We remove any OCSP_RESPIDs from a previous handshake
371 * to prevent unbounded memory growth - CVE-2016-6304
373 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
374 if (PACKET_remaining(&responder_id_list) > 0) {
375 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
376 if (s->ext.ocsp.ids == NULL) {
377 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
378 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
382 s->ext.ocsp.ids = NULL;
385 while (PACKET_remaining(&responder_id_list) > 0) {
388 const unsigned char *id_data;
390 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
391 || PACKET_remaining(&responder_id) == 0) {
392 SSLfatal(s, SSL_AD_DECODE_ERROR,
393 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
397 id_data = PACKET_data(&responder_id);
398 /* TODO(size_t): Convert d2i_* to size_t */
399 id = d2i_OCSP_RESPID(NULL, &id_data,
400 (int)PACKET_remaining(&responder_id));
402 SSLfatal(s, SSL_AD_DECODE_ERROR,
403 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
407 if (id_data != PACKET_end(&responder_id)) {
408 OCSP_RESPID_free(id);
409 SSLfatal(s, SSL_AD_DECODE_ERROR,
410 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
415 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
416 OCSP_RESPID_free(id);
417 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
418 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
424 /* Read in request_extensions */
425 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
426 SSLfatal(s, SSL_AD_DECODE_ERROR,
427 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
431 if (PACKET_remaining(&exts) > 0) {
432 const unsigned char *ext_data = PACKET_data(&exts);
434 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
435 X509_EXTENSION_free);
437 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
438 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
439 SSLfatal(s, SSL_AD_DECODE_ERROR,
440 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
449 #ifndef OPENSSL_NO_NEXTPROTONEG
450 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
454 * We shouldn't accept this extension on a
457 if (SSL_IS_FIRST_HANDSHAKE(s))
465 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
466 * extension, not including type and length. Returns: 1 on success, 0 on error.
468 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
471 PACKET protocol_list, save_protocol_list, protocol;
473 if (!SSL_IS_FIRST_HANDSHAKE(s))
476 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
477 || PACKET_remaining(&protocol_list) < 2) {
478 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
479 SSL_R_BAD_EXTENSION);
483 save_protocol_list = protocol_list;
485 /* Protocol names can't be empty. */
486 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
487 || PACKET_remaining(&protocol) == 0) {
488 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
489 SSL_R_BAD_EXTENSION);
492 } while (PACKET_remaining(&protocol_list) != 0);
494 OPENSSL_free(s->s3.alpn_proposed);
495 s->s3.alpn_proposed = NULL;
496 s->s3.alpn_proposed_len = 0;
497 if (!PACKET_memdup(&save_protocol_list,
498 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
500 ERR_R_INTERNAL_ERROR);
507 #ifndef OPENSSL_NO_SRTP
508 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
511 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
512 unsigned int ct, mki_len, id;
516 /* Ignore this if we have no SRTP profiles */
517 if (SSL_get_srtp_profiles(s) == NULL)
520 /* Pull off the length of the cipher suite list and check it is even */
521 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
522 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
523 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
524 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
528 srvr = SSL_get_srtp_profiles(s);
529 s->srtp_profile = NULL;
530 /* Search all profiles for a match initially */
531 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
533 while (PACKET_remaining(&subpkt)) {
534 if (!PACKET_get_net_2(&subpkt, &id)) {
535 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
536 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
541 * Only look for match in profiles of higher preference than
543 * If no profiles have been have been configured then this
546 for (i = 0; i < srtp_pref; i++) {
547 SRTP_PROTECTION_PROFILE *sprof =
548 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
550 if (sprof->id == id) {
551 s->srtp_profile = sprof;
558 /* Now extract the MKI value as a sanity check, but discard it for now */
559 if (!PACKET_get_1(pkt, &mki_len)) {
560 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
561 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
565 if (!PACKET_forward(pkt, mki_len)
566 || PACKET_remaining(pkt)) {
567 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
568 SSL_R_BAD_SRTP_MKI_VALUE);
576 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
579 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
586 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
587 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
589 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
590 X509 *x, size_t chainidx)
592 #ifndef OPENSSL_NO_TLS1_3
593 PACKET psk_kex_modes;
596 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
597 || PACKET_remaining(&psk_kex_modes) == 0) {
598 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
599 SSL_R_BAD_EXTENSION);
603 while (PACKET_get_1(&psk_kex_modes, &mode)) {
604 if (mode == TLSEXT_KEX_MODE_KE_DHE)
605 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
606 else if (mode == TLSEXT_KEX_MODE_KE
607 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
608 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
616 * Process a key_share extension received in the ClientHello. |pkt| contains
617 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
619 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
622 #ifndef OPENSSL_NO_TLS1_3
623 unsigned int group_id;
624 PACKET key_share_list, encoded_pt;
625 const uint16_t *clntgroups, *srvrgroups;
626 size_t clnt_num_groups, srvr_num_groups;
629 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
633 if (s->s3.peer_tmp != NULL) {
634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
635 ERR_R_INTERNAL_ERROR);
639 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
640 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
641 SSL_R_LENGTH_MISMATCH);
645 /* Get our list of supported groups */
646 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
647 /* Get the clients list of supported groups. */
648 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
649 if (clnt_num_groups == 0) {
651 * This can only happen if the supported_groups extension was not sent,
652 * because we verify that the length is non-zero when we process that
655 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
656 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
660 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
662 * If we set a group_id already, then we must have sent an HRR
663 * requesting a new key_share. If we haven't got one then that is an
666 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
667 SSL_R_BAD_KEY_SHARE);
671 while (PACKET_remaining(&key_share_list) > 0) {
672 if (!PACKET_get_net_2(&key_share_list, &group_id)
673 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
674 || PACKET_remaining(&encoded_pt) == 0) {
675 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
676 SSL_R_LENGTH_MISMATCH);
681 * If we already found a suitable key_share we loop through the
682 * rest to verify the structure, but don't process them.
688 * If we sent an HRR then the key_share sent back MUST be for the group
689 * we requested, and must be the only key_share sent.
691 if (s->s3.group_id != 0
692 && (group_id != s->s3.group_id
693 || PACKET_remaining(&key_share_list) != 0)) {
694 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
695 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
699 /* Check if this share is in supported_groups sent from client */
700 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
701 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
702 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
706 /* Check if this share is for a group we can use */
707 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
708 /* Share not suitable */
712 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
713 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
714 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
718 s->s3.group_id = group_id;
720 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
721 PACKET_data(&encoded_pt),
722 PACKET_remaining(&encoded_pt))) {
723 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
724 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
735 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
738 #ifndef OPENSSL_NO_TLS1_3
739 unsigned int format, version, key_share, group_id;
742 PACKET cookie, raw, chhash, appcookie;
744 const unsigned char *data, *mdin, *ciphdata;
745 unsigned char hmac[SHA256_DIGEST_LENGTH];
746 unsigned char hrr[MAX_HRR_SIZE];
747 size_t rawlen, hmaclen, hrrlen, ciphlen;
748 unsigned long tm, now;
750 /* Ignore any cookie if we're not set up to verify it */
751 if (s->ctx->verify_stateless_cookie_cb == NULL
752 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
755 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
756 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
757 SSL_R_LENGTH_MISMATCH);
762 data = PACKET_data(&raw);
763 rawlen = PACKET_remaining(&raw);
764 if (rawlen < SHA256_DIGEST_LENGTH
765 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
766 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
767 SSL_R_LENGTH_MISMATCH);
770 mdin = PACKET_data(&raw);
772 /* Verify the HMAC of the cookie */
773 hctx = EVP_MD_CTX_create();
774 pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
776 s->session_ctx->ext.cookie_hmac_key,
777 sizeof(s->session_ctx->ext
779 if (hctx == NULL || pkey == NULL) {
780 EVP_MD_CTX_free(hctx);
782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
783 ERR_R_MALLOC_FAILURE);
787 hmaclen = SHA256_DIGEST_LENGTH;
788 if (EVP_DigestSignInit_with_libctx(hctx, NULL, "SHA2-256",
789 s->ctx->libctx, s->ctx->propq, pkey) <= 0
790 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
791 rawlen - SHA256_DIGEST_LENGTH) <= 0
792 || hmaclen != SHA256_DIGEST_LENGTH) {
793 EVP_MD_CTX_free(hctx);
795 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
796 ERR_R_INTERNAL_ERROR);
800 EVP_MD_CTX_free(hctx);
803 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
804 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
805 SSL_R_COOKIE_MISMATCH);
809 if (!PACKET_get_net_2(&cookie, &format)) {
810 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
811 SSL_R_LENGTH_MISMATCH);
814 /* Check the cookie format is something we recognise. Ignore it if not */
815 if (format != COOKIE_STATE_FORMAT_VERSION)
819 * The rest of these checks really shouldn't fail since we have verified the
823 /* Check the version number is sane */
824 if (!PACKET_get_net_2(&cookie, &version)) {
825 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
826 SSL_R_LENGTH_MISMATCH);
829 if (version != TLS1_3_VERSION) {
830 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
831 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
835 if (!PACKET_get_net_2(&cookie, &group_id)) {
836 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
837 SSL_R_LENGTH_MISMATCH);
841 ciphdata = PACKET_data(&cookie);
842 if (!PACKET_forward(&cookie, 2)) {
843 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
844 SSL_R_LENGTH_MISMATCH);
847 if (group_id != s->s3.group_id
848 || s->s3.tmp.new_cipher
849 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
851 * We chose a different cipher or group id this time around to what is
852 * in the cookie. Something must have changed.
854 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
859 if (!PACKET_get_1(&cookie, &key_share)
860 || !PACKET_get_net_4(&cookie, &tm)
861 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
862 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
863 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
864 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
865 SSL_R_LENGTH_MISMATCH);
869 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
870 now = (unsigned long)time(NULL);
871 if (tm > now || (now - tm) > 600) {
872 /* Cookie is stale. Ignore it */
876 /* Verify the app cookie */
877 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
878 PACKET_remaining(&appcookie)) == 0) {
879 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
880 SSL_R_COOKIE_MISMATCH);
885 * Reconstruct the HRR that we would have sent in response to the original
886 * ClientHello so we can add it to the transcript hash.
887 * Note: This won't work with custom HRR extensions
889 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
891 ERR_R_INTERNAL_ERROR);
894 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
895 || !WPACKET_start_sub_packet_u24(&hrrpkt)
896 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
897 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
898 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
899 s->tmp_session_id_len)
900 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
902 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
903 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
904 WPACKET_cleanup(&hrrpkt);
905 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
906 ERR_R_INTERNAL_ERROR);
909 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
910 || !WPACKET_start_sub_packet_u16(&hrrpkt)
911 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
912 || !WPACKET_close(&hrrpkt)) {
913 WPACKET_cleanup(&hrrpkt);
914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
915 ERR_R_INTERNAL_ERROR);
919 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
920 || !WPACKET_start_sub_packet_u16(&hrrpkt)
921 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
922 || !WPACKET_close(&hrrpkt)) {
923 WPACKET_cleanup(&hrrpkt);
924 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
925 ERR_R_INTERNAL_ERROR);
929 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
930 || !WPACKET_start_sub_packet_u16(&hrrpkt)
931 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
932 || !WPACKET_close(&hrrpkt) /* cookie extension */
933 || !WPACKET_close(&hrrpkt) /* extension block */
934 || !WPACKET_close(&hrrpkt) /* message */
935 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
936 || !WPACKET_finish(&hrrpkt)) {
937 WPACKET_cleanup(&hrrpkt);
938 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
939 ERR_R_INTERNAL_ERROR);
943 /* Reconstruct the transcript hash */
944 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
945 PACKET_remaining(&chhash), hrr,
947 /* SSLfatal() already called */
951 /* Act as if this ClientHello came after a HelloRetryRequest */
952 s->hello_retry_request = 1;
960 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
961 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
962 X509 *x, size_t chainidx)
964 PACKET supported_groups_list;
966 /* Each group is 2 bytes and we must have at least 1. */
967 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
968 || PACKET_remaining(&supported_groups_list) == 0
969 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
970 SSLfatal(s, SSL_AD_DECODE_ERROR,
971 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
975 if (!s->hit || SSL_IS_TLS13(s)) {
976 OPENSSL_free(s->ext.peer_supportedgroups);
977 s->ext.peer_supportedgroups = NULL;
978 s->ext.peer_supportedgroups_len = 0;
979 if (!tls1_save_u16(&supported_groups_list,
980 &s->ext.peer_supportedgroups,
981 &s->ext.peer_supportedgroups_len)) {
982 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
983 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
984 ERR_R_INTERNAL_ERROR);
993 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
996 /* The extension must always be empty */
997 if (PACKET_remaining(pkt) != 0) {
998 SSLfatal(s, SSL_AD_DECODE_ERROR,
999 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
1003 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1006 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1012 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
1013 X509 *x, size_t chainidx)
1015 if (PACKET_remaining(pkt) != 0) {
1016 SSLfatal(s, SSL_AD_DECODE_ERROR,
1017 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1021 if (s->hello_retry_request != SSL_HRR_NONE) {
1022 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1023 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1030 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1033 SSL_SESSION *tmpsess = NULL;
1035 s->ext.ticket_expected = 1;
1037 switch (PACKET_remaining(tick)) {
1039 return SSL_TICKET_EMPTY;
1041 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1045 return SSL_TICKET_NO_DECRYPT;
1048 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1049 SSL_MAX_SSL_SESSION_ID_LENGTH);
1051 if (tmpsess == NULL)
1052 return SSL_TICKET_NO_DECRYPT;
1055 return SSL_TICKET_SUCCESS;
1058 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1061 PACKET identities, binders, binder;
1062 size_t binderoffset, hashsize;
1063 SSL_SESSION *sess = NULL;
1064 unsigned int id, i, ext = 0;
1065 const EVP_MD *md = NULL;
1068 * If we have no PSK kex mode that we recognise then we can't resume so
1069 * ignore this extension
1071 if ((s->ext.psk_kex_mode
1072 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1075 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1076 SSLfatal(s, SSL_AD_DECODE_ERROR,
1077 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1081 s->ext.ticket_expected = 0;
1082 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1084 unsigned long ticket_agel;
1087 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1088 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1089 SSLfatal(s, SSL_AD_DECODE_ERROR,
1090 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1094 idlen = PACKET_remaining(&identity);
1095 if (s->psk_find_session_cb != NULL
1096 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1098 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1099 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1103 #ifndef OPENSSL_NO_PSK
1105 && s->psk_server_callback != NULL
1106 && idlen <= PSK_MAX_IDENTITY_LEN) {
1108 unsigned char pskdata[PSK_MAX_PSK_LEN];
1109 unsigned int pskdatalen;
1111 if (!PACKET_strndup(&identity, &pskid)) {
1112 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1113 ERR_R_INTERNAL_ERROR);
1116 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1118 OPENSSL_free(pskid);
1119 if (pskdatalen > PSK_MAX_PSK_LEN) {
1120 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1121 ERR_R_INTERNAL_ERROR);
1123 } else if (pskdatalen > 0) {
1124 const SSL_CIPHER *cipher;
1125 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1128 * We found a PSK using an old style callback. We don't know
1129 * the digest so we default to SHA256 as per the TLSv1.3 spec
1131 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1132 if (cipher == NULL) {
1133 OPENSSL_cleanse(pskdata, pskdatalen);
1134 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1135 ERR_R_INTERNAL_ERROR);
1139 sess = SSL_SESSION_new();
1141 || !SSL_SESSION_set1_master_key(sess, pskdata,
1143 || !SSL_SESSION_set_cipher(sess, cipher)
1144 || !SSL_SESSION_set_protocol_version(sess,
1146 OPENSSL_cleanse(pskdata, pskdatalen);
1147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1148 ERR_R_INTERNAL_ERROR);
1151 OPENSSL_cleanse(pskdata, pskdatalen);
1154 #endif /* OPENSSL_NO_PSK */
1157 /* We found a PSK */
1158 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1160 if (sesstmp == NULL) {
1161 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1162 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1165 SSL_SESSION_free(sess);
1169 * We've just been told to use this session for this context so
1170 * make sure the sid_ctx matches up.
1172 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1173 sess->sid_ctx_length = s->sid_ctx_length;
1176 s->ext.early_data_ok = 1;
1177 s->ext.ticket_expected = 1;
1179 uint32_t ticket_age = 0, now, agesec, agems;
1183 * If we are using anti-replay protection then we behave as if
1184 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1185 * is no point in using full stateless tickets.
1187 if ((s->options & SSL_OP_NO_TICKET) != 0
1188 || (s->max_early_data > 0
1189 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1190 ret = tls_get_stateful_ticket(s, &identity, &sess);
1192 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1193 PACKET_remaining(&identity), NULL, 0,
1196 if (ret == SSL_TICKET_EMPTY) {
1197 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1198 SSL_R_BAD_EXTENSION);
1202 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1203 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1204 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1205 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1208 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1211 /* Check for replay */
1212 if (s->max_early_data > 0
1213 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1214 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1215 SSL_SESSION_free(sess);
1220 ticket_age = (uint32_t)ticket_agel;
1221 now = (uint32_t)time(NULL);
1222 agesec = now - (uint32_t)sess->time;
1223 agems = agesec * (uint32_t)1000;
1224 ticket_age -= sess->ext.tick_age_add;
1227 * For simplicity we do our age calculations in seconds. If the
1228 * client does it in ms then it could appear that their ticket age
1229 * is longer than ours (our ticket age calculation should always be
1230 * slightly longer than the client's due to the network latency).
1231 * Therefore we add 1000ms to our age calculation to adjust for
1235 && sess->timeout >= (long)agesec
1236 && agems / (uint32_t)1000 == agesec
1237 && ticket_age <= agems + 1000
1238 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1240 * Ticket age is within tolerance and not expired. We allow it
1243 s->ext.early_data_ok = 1;
1247 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1248 if (!EVP_MD_is_a(md,
1249 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
1250 /* The ciphersuite is not compatible with this session. */
1251 SSL_SESSION_free(sess);
1253 s->ext.early_data_ok = 0;
1254 s->ext.ticket_expected = 0;
1263 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1264 hashsize = EVP_MD_size(md);
1266 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1267 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1268 SSL_R_BAD_EXTENSION);
1272 for (i = 0; i <= id; i++) {
1273 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1274 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1275 SSL_R_BAD_EXTENSION);
1280 if (PACKET_remaining(&binder) != hashsize) {
1281 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1282 SSL_R_BAD_EXTENSION);
1285 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1286 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1288 /* SSLfatal() already called */
1292 s->ext.tick_identity = id;
1294 SSL_SESSION_free(s->session);
1298 SSL_SESSION_free(sess);
1302 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1303 X509 *x, size_t chainidx)
1305 if (PACKET_remaining(pkt) != 0) {
1306 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1307 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1311 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1317 * Add the server's renegotiation binding
1319 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1320 unsigned int context, X509 *x,
1323 if (!s->s3.send_connection_binding)
1324 return EXT_RETURN_NOT_SENT;
1326 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1327 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1328 || !WPACKET_start_sub_packet_u16(pkt)
1329 || !WPACKET_start_sub_packet_u8(pkt)
1330 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1331 s->s3.previous_client_finished_len)
1332 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1333 s->s3.previous_server_finished_len)
1334 || !WPACKET_close(pkt)
1335 || !WPACKET_close(pkt)) {
1336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1337 ERR_R_INTERNAL_ERROR);
1338 return EXT_RETURN_FAIL;
1341 return EXT_RETURN_SENT;
1344 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1345 unsigned int context, X509 *x,
1348 if (s->servername_done != 1)
1349 return EXT_RETURN_NOT_SENT;
1352 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1353 * We just use the servername from the initial handshake.
1355 if (s->hit && !SSL_IS_TLS13(s))
1356 return EXT_RETURN_NOT_SENT;
1358 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1359 || !WPACKET_put_bytes_u16(pkt, 0)) {
1360 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1361 ERR_R_INTERNAL_ERROR);
1362 return EXT_RETURN_FAIL;
1365 return EXT_RETURN_SENT;
1368 /* Add/include the server's max fragment len extension into ServerHello */
1369 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1370 unsigned int context, X509 *x,
1373 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1374 return EXT_RETURN_NOT_SENT;
1377 * 4 bytes for this extension type and extension length
1378 * 1 byte for the Max Fragment Length code value.
1380 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1381 || !WPACKET_start_sub_packet_u16(pkt)
1382 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1383 || !WPACKET_close(pkt)) {
1384 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1385 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1386 return EXT_RETURN_FAIL;
1389 return EXT_RETURN_SENT;
1392 #ifndef OPENSSL_NO_EC
1393 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1394 unsigned int context, X509 *x,
1397 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1398 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1399 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1400 && (s->ext.peer_ecpointformats != NULL);
1401 const unsigned char *plist;
1405 return EXT_RETURN_NOT_SENT;
1407 tls1_get_formatlist(s, &plist, &plistlen);
1408 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1409 || !WPACKET_start_sub_packet_u16(pkt)
1410 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1411 || !WPACKET_close(pkt)) {
1412 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1413 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1414 return EXT_RETURN_FAIL;
1417 return EXT_RETURN_SENT;
1421 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1422 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1423 unsigned int context, X509 *x,
1426 const uint16_t *groups;
1427 size_t numgroups, i, first = 1;
1430 /* s->s3.group_id is non zero if we accepted a key_share */
1431 if (s->s3.group_id == 0)
1432 return EXT_RETURN_NOT_SENT;
1434 /* Get our list of supported groups */
1435 tls1_get_supported_groups(s, &groups, &numgroups);
1436 if (numgroups == 0) {
1437 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1438 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1439 return EXT_RETURN_FAIL;
1442 /* Copy group ID if supported */
1443 version = SSL_version(s);
1444 for (i = 0; i < numgroups; i++) {
1445 uint16_t group = groups[i];
1447 if (tls_valid_group(s, group, version, version)
1448 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1451 * Check if the client is already using our preferred group. If
1452 * so we don't need to add this extension
1454 if (s->s3.group_id == group)
1455 return EXT_RETURN_NOT_SENT;
1457 /* Add extension header */
1458 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1459 /* Sub-packet for supported_groups extension */
1460 || !WPACKET_start_sub_packet_u16(pkt)
1461 || !WPACKET_start_sub_packet_u16(pkt)) {
1462 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1463 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1464 ERR_R_INTERNAL_ERROR);
1465 return EXT_RETURN_FAIL;
1470 if (!WPACKET_put_bytes_u16(pkt, group)) {
1471 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1472 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1473 ERR_R_INTERNAL_ERROR);
1474 return EXT_RETURN_FAIL;
1479 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1480 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1481 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1482 ERR_R_INTERNAL_ERROR);
1483 return EXT_RETURN_FAIL;
1486 return EXT_RETURN_SENT;
1490 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1491 unsigned int context, X509 *x,
1494 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1495 s->ext.ticket_expected = 0;
1496 return EXT_RETURN_NOT_SENT;
1499 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1500 || !WPACKET_put_bytes_u16(pkt, 0)) {
1501 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1502 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1503 return EXT_RETURN_FAIL;
1506 return EXT_RETURN_SENT;
1509 #ifndef OPENSSL_NO_OCSP
1510 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1511 unsigned int context, X509 *x,
1514 /* We don't currently support this extension inside a CertificateRequest */
1515 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1516 return EXT_RETURN_NOT_SENT;
1518 if (!s->ext.status_expected)
1519 return EXT_RETURN_NOT_SENT;
1521 if (SSL_IS_TLS13(s) && chainidx != 0)
1522 return EXT_RETURN_NOT_SENT;
1524 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1525 || !WPACKET_start_sub_packet_u16(pkt)) {
1526 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1527 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1528 return EXT_RETURN_FAIL;
1532 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1533 * send back an empty extension, with the certificate status appearing as a
1536 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1537 /* SSLfatal() already called */
1538 return EXT_RETURN_FAIL;
1540 if (!WPACKET_close(pkt)) {
1541 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1542 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1543 return EXT_RETURN_FAIL;
1546 return EXT_RETURN_SENT;
1550 #ifndef OPENSSL_NO_NEXTPROTONEG
1551 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1552 unsigned int context, X509 *x,
1555 const unsigned char *npa;
1556 unsigned int npalen;
1558 int npn_seen = s->s3.npn_seen;
1561 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1562 return EXT_RETURN_NOT_SENT;
1564 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1565 s->ctx->ext.npn_advertised_cb_arg);
1566 if (ret == SSL_TLSEXT_ERR_OK) {
1567 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1568 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1569 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1570 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1571 ERR_R_INTERNAL_ERROR);
1572 return EXT_RETURN_FAIL;
1577 return EXT_RETURN_SENT;
1581 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1582 X509 *x, size_t chainidx)
1584 if (s->s3.alpn_selected == NULL)
1585 return EXT_RETURN_NOT_SENT;
1587 if (!WPACKET_put_bytes_u16(pkt,
1588 TLSEXT_TYPE_application_layer_protocol_negotiation)
1589 || !WPACKET_start_sub_packet_u16(pkt)
1590 || !WPACKET_start_sub_packet_u16(pkt)
1591 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1592 s->s3.alpn_selected_len)
1593 || !WPACKET_close(pkt)
1594 || !WPACKET_close(pkt)) {
1595 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1596 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1597 return EXT_RETURN_FAIL;
1600 return EXT_RETURN_SENT;
1603 #ifndef OPENSSL_NO_SRTP
1604 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1605 unsigned int context, X509 *x,
1608 if (s->srtp_profile == NULL)
1609 return EXT_RETURN_NOT_SENT;
1611 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1612 || !WPACKET_start_sub_packet_u16(pkt)
1613 || !WPACKET_put_bytes_u16(pkt, 2)
1614 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1615 || !WPACKET_put_bytes_u8(pkt, 0)
1616 || !WPACKET_close(pkt)) {
1617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1618 ERR_R_INTERNAL_ERROR);
1619 return EXT_RETURN_FAIL;
1622 return EXT_RETURN_SENT;
1626 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1627 X509 *x, size_t chainidx)
1629 if (!s->ext.use_etm)
1630 return EXT_RETURN_NOT_SENT;
1633 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1634 * for other cases too.
1636 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1637 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1638 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1639 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1640 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1641 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
1643 return EXT_RETURN_NOT_SENT;
1646 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1647 || !WPACKET_put_bytes_u16(pkt, 0)) {
1648 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1649 ERR_R_INTERNAL_ERROR);
1650 return EXT_RETURN_FAIL;
1653 return EXT_RETURN_SENT;
1656 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1657 X509 *x, size_t chainidx)
1659 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1660 return EXT_RETURN_NOT_SENT;
1662 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1663 || !WPACKET_put_bytes_u16(pkt, 0)) {
1664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1665 ERR_R_INTERNAL_ERROR);
1666 return EXT_RETURN_FAIL;
1669 return EXT_RETURN_SENT;
1672 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1673 unsigned int context, X509 *x,
1676 if (!ossl_assert(SSL_IS_TLS13(s))) {
1677 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1678 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1679 ERR_R_INTERNAL_ERROR);
1680 return EXT_RETURN_FAIL;
1683 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1684 || !WPACKET_start_sub_packet_u16(pkt)
1685 || !WPACKET_put_bytes_u16(pkt, s->version)
1686 || !WPACKET_close(pkt)) {
1687 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1688 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1689 ERR_R_INTERNAL_ERROR);
1690 return EXT_RETURN_FAIL;
1693 return EXT_RETURN_SENT;
1696 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1697 unsigned int context, X509 *x,
1700 #ifndef OPENSSL_NO_TLS1_3
1701 unsigned char *encodedPoint;
1702 size_t encoded_pt_len = 0;
1703 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1705 if (s->hello_retry_request == SSL_HRR_PENDING) {
1707 /* Original key_share was acceptable so don't ask for another one */
1708 return EXT_RETURN_NOT_SENT;
1710 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1711 || !WPACKET_start_sub_packet_u16(pkt)
1712 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1713 || !WPACKET_close(pkt)) {
1714 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1715 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1716 ERR_R_INTERNAL_ERROR);
1717 return EXT_RETURN_FAIL;
1720 return EXT_RETURN_SENT;
1724 /* No key_share received from client - must be resuming */
1725 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1726 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1727 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1728 return EXT_RETURN_FAIL;
1730 return EXT_RETURN_NOT_SENT;
1733 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1734 || !WPACKET_start_sub_packet_u16(pkt)
1735 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1736 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1737 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1738 return EXT_RETURN_FAIL;
1741 skey = ssl_generate_pkey(s, ckey);
1743 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1744 ERR_R_MALLOC_FAILURE);
1745 return EXT_RETURN_FAIL;
1748 /* Generate encoding of server key */
1749 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1750 if (encoded_pt_len == 0) {
1751 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1753 EVP_PKEY_free(skey);
1754 return EXT_RETURN_FAIL;
1757 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1758 || !WPACKET_close(pkt)) {
1759 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1760 ERR_R_INTERNAL_ERROR);
1761 EVP_PKEY_free(skey);
1762 OPENSSL_free(encodedPoint);
1763 return EXT_RETURN_FAIL;
1765 OPENSSL_free(encodedPoint);
1767 /* This causes the crypto state to be updated based on the derived keys */
1768 s->s3.tmp.pkey = skey;
1769 if (ssl_derive(s, skey, ckey, 1) == 0) {
1770 /* SSLfatal() already called */
1771 return EXT_RETURN_FAIL;
1773 return EXT_RETURN_SENT;
1775 return EXT_RETURN_FAIL;
1779 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1780 X509 *x, size_t chainidx)
1782 #ifndef OPENSSL_NO_TLS1_3
1783 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1784 unsigned char *hmac, *hmac2;
1785 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1788 int ret = EXT_RETURN_FAIL;
1790 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1791 return EXT_RETURN_NOT_SENT;
1793 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1795 SSL_R_NO_COOKIE_CALLBACK_SET);
1796 return EXT_RETURN_FAIL;
1799 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1800 || !WPACKET_start_sub_packet_u16(pkt)
1801 || !WPACKET_start_sub_packet_u16(pkt)
1802 || !WPACKET_get_total_written(pkt, &startlen)
1803 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1804 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1805 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1806 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1807 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1809 /* Is there a key_share extension present in this HRR? */
1810 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1811 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1812 || !WPACKET_start_sub_packet_u16(pkt)
1813 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1814 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1815 ERR_R_INTERNAL_ERROR);
1816 return EXT_RETURN_FAIL;
1820 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1821 * on raw buffers, so we first reserve sufficient bytes (above) and then
1822 * subsequently allocate them (below)
1824 if (!ssl3_digest_cached_records(s, 0)
1825 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1826 /* SSLfatal() already called */
1827 return EXT_RETURN_FAIL;
1830 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1831 || !ossl_assert(hashval1 == hashval2)
1832 || !WPACKET_close(pkt)
1833 || !WPACKET_start_sub_packet_u8(pkt)
1834 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1836 ERR_R_INTERNAL_ERROR);
1837 return EXT_RETURN_FAIL;
1840 /* Generate the application cookie */
1841 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1843 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1844 return EXT_RETURN_FAIL;
1847 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1848 || !ossl_assert(appcookie1 == appcookie2)
1849 || !WPACKET_close(pkt)
1850 || !WPACKET_get_total_written(pkt, &totcookielen)
1851 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1852 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1853 ERR_R_INTERNAL_ERROR);
1854 return EXT_RETURN_FAIL;
1856 hmaclen = SHA256_DIGEST_LENGTH;
1858 totcookielen -= startlen;
1859 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1860 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1861 ERR_R_INTERNAL_ERROR);
1862 return EXT_RETURN_FAIL;
1865 /* HMAC the cookie */
1866 hctx = EVP_MD_CTX_create();
1867 pkey = EVP_PKEY_new_raw_private_key_with_libctx(s->ctx->libctx, "HMAC",
1869 s->session_ctx->ext.cookie_hmac_key,
1870 sizeof(s->session_ctx->ext
1872 if (hctx == NULL || pkey == NULL) {
1873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1874 ERR_R_MALLOC_FAILURE);
1878 if (EVP_DigestSignInit_with_libctx(hctx, NULL, "SHA2-256",
1879 s->ctx->libctx, s->ctx->propq,
1881 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1882 totcookielen) <= 0) {
1883 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1884 ERR_R_INTERNAL_ERROR);
1888 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1890 ERR_R_INTERNAL_ERROR);
1894 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1895 || !ossl_assert(hmac == hmac2)
1896 || !ossl_assert(cookie == hmac - totcookielen)
1897 || !WPACKET_close(pkt)
1898 || !WPACKET_close(pkt)) {
1899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1900 ERR_R_INTERNAL_ERROR);
1904 ret = EXT_RETURN_SENT;
1907 EVP_MD_CTX_free(hctx);
1908 EVP_PKEY_free(pkey);
1911 return EXT_RETURN_FAIL;
1915 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1916 unsigned int context, X509 *x,
1919 const unsigned char cryptopro_ext[36] = {
1920 0xfd, 0xe8, /* 65000 */
1921 0x00, 0x20, /* 32 bytes length */
1922 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1923 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1924 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1925 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1928 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1929 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1930 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1931 return EXT_RETURN_NOT_SENT;
1933 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1934 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1935 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1936 return EXT_RETURN_FAIL;
1939 return EXT_RETURN_SENT;
1942 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1943 unsigned int context, X509 *x,
1946 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1947 if (s->max_early_data == 0)
1948 return EXT_RETURN_NOT_SENT;
1950 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1951 || !WPACKET_start_sub_packet_u16(pkt)
1952 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1953 || !WPACKET_close(pkt)) {
1954 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1955 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1956 return EXT_RETURN_FAIL;
1959 return EXT_RETURN_SENT;
1962 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1963 return EXT_RETURN_NOT_SENT;
1965 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1966 || !WPACKET_start_sub_packet_u16(pkt)
1967 || !WPACKET_close(pkt)) {
1968 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1969 ERR_R_INTERNAL_ERROR);
1970 return EXT_RETURN_FAIL;
1973 return EXT_RETURN_SENT;
1976 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1977 X509 *x, size_t chainidx)
1980 return EXT_RETURN_NOT_SENT;
1982 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1983 || !WPACKET_start_sub_packet_u16(pkt)
1984 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
1985 || !WPACKET_close(pkt)) {
1986 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1987 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1988 return EXT_RETURN_FAIL;
1991 return EXT_RETURN_SENT;