2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
124 s->servername_done = 1;
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
130 s->servername_done = s->session->ext.hostname
131 && PACKET_equal(&hostname, s->session->ext.hostname,
132 strlen(s->session->ext.hostname));
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
166 PACKET ec_point_format_list;
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->ext.ecpointformats,
177 &s->session->ext.ecpointformats_len)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
185 #endif /* OPENSSL_NO_EC */
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
190 if (s->ext.session_ticket_cb &&
191 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->ext.session_ticket_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
204 PACKET supported_sig_algs;
206 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
207 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
208 || PACKET_remaining(&supported_sig_algs) == 0) {
209 *al = SSL_AD_DECODE_ERROR;
213 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
214 PACKET_remaining(&supported_sig_algs))) {
215 *al = TLS1_AD_INTERNAL_ERROR;
222 #ifndef OPENSSL_NO_OCSP
223 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
226 PACKET responder_id_list, exts;
228 /* Not defined if we get one of these in a client Certificate */
232 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
233 *al = SSL_AD_DECODE_ERROR;
237 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
239 * We don't know what to do with any other type so ignore it.
241 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
245 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
246 *al = SSL_AD_DECODE_ERROR;
251 * We remove any OCSP_RESPIDs from a previous handshake
252 * to prevent unbounded memory growth - CVE-2016-6304
254 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
255 if (PACKET_remaining(&responder_id_list) > 0) {
256 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
257 if (s->ext.ocsp.ids == NULL) {
258 *al = SSL_AD_INTERNAL_ERROR;
262 s->ext.ocsp.ids = NULL;
265 while (PACKET_remaining(&responder_id_list) > 0) {
268 const unsigned char *id_data;
270 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
271 || PACKET_remaining(&responder_id) == 0) {
272 *al = SSL_AD_DECODE_ERROR;
276 id_data = PACKET_data(&responder_id);
277 /* TODO(size_t): Convert d2i_* to size_t */
278 id = d2i_OCSP_RESPID(NULL, &id_data,
279 (int)PACKET_remaining(&responder_id));
281 *al = SSL_AD_DECODE_ERROR;
285 if (id_data != PACKET_end(&responder_id)) {
286 OCSP_RESPID_free(id);
287 *al = SSL_AD_DECODE_ERROR;
291 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
292 OCSP_RESPID_free(id);
293 *al = SSL_AD_INTERNAL_ERROR;
298 /* Read in request_extensions */
299 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
300 *al = SSL_AD_DECODE_ERROR;
304 if (PACKET_remaining(&exts) > 0) {
305 const unsigned char *ext_data = PACKET_data(&exts);
307 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
308 X509_EXTENSION_free);
310 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
311 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
312 *al = SSL_AD_DECODE_ERROR;
321 #ifndef OPENSSL_NO_NEXTPROTONEG
322 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
325 * We shouldn't accept this extension on a
328 * s->new_session will be set on renegotiation, but we
329 * probably shouldn't rely that it couldn't be set on
330 * the initial renegotiation too in certain cases (when
331 * there's some other reason to disallow resuming an
332 * earlier session -- the current code won't be doing
333 * anything like that, but this might change).
335 * A valid sign that there's been a previous handshake
336 * in this connection is if s->s3->tmp.finish_md_len >
337 * 0. (We are talking about a check that will happen
338 * in the Hello protocol round, well before a new
339 * Finished message could have been computed.)
341 if (s->s3->tmp.finish_md_len == 0)
349 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
350 * extension, not including type and length. |al| is a pointer to the alert
351 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
353 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
355 PACKET protocol_list, save_protocol_list, protocol;
357 if (s->s3->tmp.finish_md_len != 0)
360 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
361 || PACKET_remaining(&protocol_list) < 2) {
362 *al = SSL_AD_DECODE_ERROR;
366 save_protocol_list = protocol_list;
368 /* Protocol names can't be empty. */
369 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
370 || PACKET_remaining(&protocol) == 0) {
371 *al = SSL_AD_DECODE_ERROR;
374 } while (PACKET_remaining(&protocol_list) != 0);
376 if (!PACKET_memdup(&save_protocol_list,
377 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
378 *al = TLS1_AD_INTERNAL_ERROR;
385 #ifndef OPENSSL_NO_SRTP
386 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
389 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
390 unsigned int ct, mki_len, id;
394 /* Ignore this if we have no SRTP profiles */
395 if (SSL_get_srtp_profiles(s) == NULL)
398 /* Pull off the length of the cipher suite list and check it is even */
399 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
400 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
401 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
402 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
403 *al = SSL_AD_DECODE_ERROR;
407 srvr = SSL_get_srtp_profiles(s);
408 s->srtp_profile = NULL;
409 /* Search all profiles for a match initially */
410 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
412 while (PACKET_remaining(&subpkt)) {
413 if (!PACKET_get_net_2(&subpkt, &id)) {
414 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
415 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
416 *al = SSL_AD_DECODE_ERROR;
421 * Only look for match in profiles of higher preference than
423 * If no profiles have been have been configured then this
426 for (i = 0; i < srtp_pref; i++) {
427 SRTP_PROTECTION_PROFILE *sprof =
428 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
430 if (sprof->id == id) {
431 s->srtp_profile = sprof;
438 /* Now extract the MKI value as a sanity check, but discard it for now */
439 if (!PACKET_get_1(pkt, &mki_len)) {
440 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
441 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
442 *al = SSL_AD_DECODE_ERROR;
446 if (!PACKET_forward(pkt, mki_len)
447 || PACKET_remaining(pkt)) {
448 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
449 *al = SSL_AD_DECODE_ERROR;
457 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
459 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
460 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
466 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
467 * and |checkallow| is 1 then additionally check if the group is allowed to be
468 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
471 #ifndef OPENSSL_NO_TLS1_3
472 static int check_in_list(SSL *s, unsigned int group_id,
473 const unsigned char *groups, size_t num_groups,
478 if (groups == NULL || num_groups == 0)
481 for (i = 0; i < num_groups; i++, groups += 2) {
482 unsigned int share_id = (groups[0] << 8) | (groups[1]);
484 if (group_id == share_id
486 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
491 /* If i == num_groups then not in the list */
492 return i < num_groups;
497 * Process a key_share extension received in the ClientHello. |pkt| contains
498 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
499 * If a failure occurs then |*al| is set to an appropriate alert value.
501 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
504 #ifndef OPENSSL_NO_TLS1_3
505 unsigned int group_id;
506 PACKET key_share_list, encoded_pt;
507 const unsigned char *clntcurves, *srvrcurves;
508 size_t clnt_num_curves, srvr_num_curves;
509 int group_nid, found = 0;
510 unsigned int curve_flags;
516 if (s->s3->peer_tmp != NULL) {
517 *al = SSL_AD_INTERNAL_ERROR;
518 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
522 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
523 *al = SSL_AD_HANDSHAKE_FAILURE;
524 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
528 /* Get our list of supported curves */
529 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
530 *al = SSL_AD_INTERNAL_ERROR;
531 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
536 * Get the clients list of supported curves.
537 * TODO(TLS1.3): We should validate that we actually received
540 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
541 *al = SSL_AD_INTERNAL_ERROR;
542 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
546 while (PACKET_remaining(&key_share_list) > 0) {
547 if (!PACKET_get_net_2(&key_share_list, &group_id)
548 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
549 || PACKET_remaining(&encoded_pt) == 0) {
550 *al = SSL_AD_HANDSHAKE_FAILURE;
551 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
552 SSL_R_LENGTH_MISMATCH);
557 * If we already found a suitable key_share we loop through the
558 * rest to verify the structure, but don't process them.
563 /* Check if this share is in supported_groups sent from client */
564 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
565 *al = SSL_AD_HANDSHAKE_FAILURE;
566 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
570 /* Check if this share is for a group we can use */
571 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
572 /* Share not suitable */
576 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
578 if (group_nid == 0) {
579 *al = SSL_AD_INTERNAL_ERROR;
580 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
581 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
585 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
586 /* Can happen for some curves, e.g. X25519 */
587 EVP_PKEY *key = EVP_PKEY_new();
589 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
590 *al = SSL_AD_INTERNAL_ERROR;
591 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
595 s->s3->peer_tmp = key;
597 /* Set up EVP_PKEY with named curve as parameters */
598 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
601 || EVP_PKEY_paramgen_init(pctx) <= 0
602 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
604 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
605 *al = SSL_AD_INTERNAL_ERROR;
606 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
607 EVP_PKEY_CTX_free(pctx);
610 EVP_PKEY_CTX_free(pctx);
613 s->s3->group_id = group_id;
615 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
616 PACKET_data(&encoded_pt),
617 PACKET_remaining(&encoded_pt))) {
618 *al = SSL_AD_DECODE_ERROR;
619 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
630 #ifndef OPENSSL_NO_EC
631 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
632 size_t chainidx, int *al)
634 PACKET supported_groups_list;
636 /* Each group is 2 bytes and we must have at least 1. */
637 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
638 || PACKET_remaining(&supported_groups_list) == 0
639 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
640 *al = SSL_AD_DECODE_ERROR;
645 && !PACKET_memdup(&supported_groups_list,
646 &s->session->ext.supportedgroups,
647 &s->session->ext.supportedgroups_len)) {
648 *al = SSL_AD_DECODE_ERROR;
656 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
658 /* The extension must always be empty */
659 if (PACKET_remaining(pkt) != 0) {
660 *al = SSL_AD_DECODE_ERROR;
664 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
670 * Add the server's renegotiation binding
672 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
675 if (!s->s3->send_connection_binding)
678 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
679 || !WPACKET_start_sub_packet_u16(pkt)
680 || !WPACKET_start_sub_packet_u8(pkt)
681 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
682 s->s3->previous_client_finished_len)
683 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
684 s->s3->previous_server_finished_len)
685 || !WPACKET_close(pkt)
686 || !WPACKET_close(pkt)) {
687 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
694 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
695 size_t chainidx, int *al)
697 if (s->hit || s->servername_done != 1
698 || s->session->ext.hostname == NULL)
701 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
702 || !WPACKET_put_bytes_u16(pkt, 0)) {
703 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
710 #ifndef OPENSSL_NO_EC
711 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
712 size_t chainidx, int *al)
714 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
715 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
716 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
717 && (s->session->ext.ecpointformats != NULL);
718 const unsigned char *plist;
724 tls1_get_formatlist(s, &plist, &plistlen);
725 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
726 || !WPACKET_start_sub_packet_u16(pkt)
727 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
728 || !WPACKET_close(pkt)) {
729 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
737 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
738 size_t chainidx, int *al)
740 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
741 s->ext.ticket_expected = 0;
745 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
746 || !WPACKET_put_bytes_u16(pkt, 0)) {
747 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
754 #ifndef OPENSSL_NO_OCSP
755 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
756 size_t chainidx, int *al)
758 if (!s->ext.status_expected)
761 if (SSL_IS_TLS13(s) && chainidx != 0)
764 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
765 || !WPACKET_start_sub_packet_u16(pkt)) {
766 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
771 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
772 * send back an empty extension, with the certificate status appearing as a
775 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
776 || !WPACKET_close(pkt)) {
777 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
785 #ifndef OPENSSL_NO_NEXTPROTONEG
786 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
787 size_t chainidx, int *al)
789 const unsigned char *npa;
792 int npn_seen = s->s3->npn_seen;
795 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
798 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
799 s->ctx->ext.npn_advertised_cb_arg);
800 if (ret == SSL_TLSEXT_ERR_OK) {
801 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
802 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
803 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
804 ERR_R_INTERNAL_ERROR);
814 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
817 if (s->s3->alpn_selected == NULL)
820 if (!WPACKET_put_bytes_u16(pkt,
821 TLSEXT_TYPE_application_layer_protocol_negotiation)
822 || !WPACKET_start_sub_packet_u16(pkt)
823 || !WPACKET_start_sub_packet_u16(pkt)
824 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
825 s->s3->alpn_selected_len)
826 || !WPACKET_close(pkt)
827 || !WPACKET_close(pkt)) {
828 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
835 #ifndef OPENSSL_NO_SRTP
836 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
839 if (s->srtp_profile == NULL)
842 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
843 || !WPACKET_start_sub_packet_u16(pkt)
844 || !WPACKET_put_bytes_u16(pkt, 2)
845 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
846 || !WPACKET_put_bytes_u8(pkt, 0)
847 || !WPACKET_close(pkt)) {
848 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
856 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
859 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
863 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
864 * for other cases too.
866 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
867 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
868 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
869 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
870 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
875 || !WPACKET_put_bytes_u16(pkt, 0)) {
876 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
883 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
886 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
889 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
890 || !WPACKET_put_bytes_u16(pkt, 0)) {
891 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
898 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
901 #ifndef OPENSSL_NO_TLS1_3
902 unsigned char *encodedPoint;
903 size_t encoded_pt_len = 0;
904 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
910 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
914 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
915 || !WPACKET_start_sub_packet_u16(pkt)
916 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
917 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
921 skey = ssl_generate_pkey(ckey);
923 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
927 /* Generate encoding of server key */
928 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
929 if (encoded_pt_len == 0) {
930 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
935 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
936 || !WPACKET_close(pkt)) {
937 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
939 OPENSSL_free(encodedPoint);
942 OPENSSL_free(encodedPoint);
944 /* This causes the crypto state to be updated based on the derived keys */
945 s->s3->tmp.pkey = skey;
946 if (ssl_derive(s, skey, ckey, 1) == 0) {
947 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
955 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
956 size_t chainidx, int *al)
958 const unsigned char cryptopro_ext[36] = {
959 0xfd, 0xe8, /* 65000 */
960 0x00, 0x20, /* 32 bytes length */
961 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
962 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
963 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
964 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
967 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
968 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
969 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
972 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
973 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);