2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
33 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
34 SSL_R_RENEGOTIATION_MISMATCH);
38 if (memcmp(data, s->s3->previous_client_finished,
39 s->s3->previous_client_finished_len)) {
40 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
41 SSL_R_RENEGOTIATION_MISMATCH);
45 s->s3->send_connection_binding = 1;
51 * The servername extension is treated as follows:
53 * - Only the hostname type is supported with a maximum length of 255.
54 * - The servername is rejected if too long or if it contains zeros,
55 * in which case an fatal alert is generated.
56 * - The servername field is maintained together with the session cache.
57 * - When a session is resumed, the servername call back invoked in order
58 * to allow the application to position itself to the right context.
59 * - The servername is acknowledged if it is new for a session or when
60 * it is identical to a previously used for the same session.
61 * Applications can control the behaviour. They can at any time
62 * set a 'desirable' servername for a new SSL object. This can be the
63 * case for example with HTTPS when a Host: header field is received and
64 * a renegotiation is requested. In this case, a possible servername
65 * presented in the new client hello is only acknowledged if it matches
66 * the value of the Host: field.
67 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
68 * if they provide for changing an explicit servername context for the
69 * session, i.e. when the session has been established with a servername
71 * - On session reconnect, the servername extension may be absent.
73 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
74 X509 *x, size_t chainidx)
76 unsigned int servname_type;
79 if (!PACKET_as_length_prefixed_2(pkt, &sni)
80 /* ServerNameList must be at least 1 byte long. */
81 || PACKET_remaining(&sni) == 0) {
82 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
88 * Although the intent was for server_name to be extensible, RFC 4366
89 * was not clear about it; and so OpenSSL among other implementations,
90 * always and only allows a 'host_name' name types.
91 * RFC 6066 corrected the mistake but adding new name types
92 * is nevertheless no longer feasible, so act as if no other
93 * SNI types can exist, to simplify parsing.
95 * Also note that the RFC permits only one SNI value per type,
96 * i.e., we can only have a single hostname.
98 if (!PACKET_get_1(&sni, &servname_type)
99 || servname_type != TLSEXT_NAMETYPE_host_name
100 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
101 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
102 SSL_R_BAD_EXTENSION);
107 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
108 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
109 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
110 SSL_R_BAD_EXTENSION);
114 if (PACKET_contains_zero_byte(&hostname)) {
115 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
116 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
117 SSL_R_BAD_EXTENSION);
121 OPENSSL_free(s->session->ext.hostname);
122 s->session->ext.hostname = NULL;
123 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
125 ERR_R_INTERNAL_ERROR);
129 s->servername_done = 1;
132 * TODO(openssl-team): if the SNI doesn't match, we MUST
133 * fall back to a full handshake.
135 s->servername_done = s->session->ext.hostname
136 && PACKET_equal(&hostname, s->session->ext.hostname,
137 strlen(s->session->ext.hostname));
139 if (!s->servername_done && s->session->ext.hostname != NULL)
140 s->ext.early_data_ok = 0;
146 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
147 X509 *x, size_t chainidx)
151 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
152 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
153 SSL_R_BAD_EXTENSION);
157 /* Received |value| should be a valid max-fragment-length code. */
158 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
160 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
161 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
166 * RFC 6066: The negotiated length applies for the duration of the session
167 * including session resumptions.
168 * We should receive the same code as in resumed session !
170 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
171 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
172 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
173 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
178 * Store it in session, so it'll become binding for us
179 * and we'll include it in a next Server Hello.
181 s->session->ext.max_fragment_len_mode = value;
185 #ifndef OPENSSL_NO_SRP
186 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
191 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
192 || PACKET_contains_zero_byte(&srp_I)) {
193 SSLfatal(s, SSL_AD_DECODE_ERROR,
194 SSL_F_TLS_PARSE_CTOS_SRP,
195 SSL_R_BAD_EXTENSION);
200 * TODO(openssl-team): currently, we re-authenticate the user
201 * upon resumption. Instead, we MUST ignore the login.
203 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
205 ERR_R_INTERNAL_ERROR);
213 #ifndef OPENSSL_NO_EC
214 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx)
217 PACKET ec_point_format_list;
219 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
220 || PACKET_remaining(&ec_point_format_list) == 0) {
221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
222 SSL_R_BAD_EXTENSION);
227 if (!PACKET_memdup(&ec_point_format_list,
228 &s->session->ext.ecpointformats,
229 &s->session->ext.ecpointformats_len)) {
230 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
231 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
238 #endif /* OPENSSL_NO_EC */
240 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
241 X509 *x, size_t chainidx)
243 if (s->ext.session_ticket_cb &&
244 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
245 PACKET_remaining(pkt),
246 s->ext.session_ticket_cb_arg)) {
247 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
248 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
255 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
258 PACKET supported_sig_algs;
260 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
261 || PACKET_remaining(&supported_sig_algs) == 0) {
262 SSLfatal(s, SSL_AD_DECODE_ERROR,
263 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
267 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
268 SSLfatal(s, SSL_AD_DECODE_ERROR,
269 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
276 #ifndef OPENSSL_NO_OCSP
277 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
278 X509 *x, size_t chainidx)
280 PACKET responder_id_list, exts;
282 /* Not defined if we get one of these in a client Certificate */
286 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
287 SSLfatal(s, SSL_AD_DECODE_ERROR,
288 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
292 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
294 * We don't know what to do with any other type so ignore it.
296 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
300 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
301 SSLfatal(s, SSL_AD_DECODE_ERROR,
302 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
307 * We remove any OCSP_RESPIDs from a previous handshake
308 * to prevent unbounded memory growth - CVE-2016-6304
310 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
311 if (PACKET_remaining(&responder_id_list) > 0) {
312 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
313 if (s->ext.ocsp.ids == NULL) {
314 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
315 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
319 s->ext.ocsp.ids = NULL;
322 while (PACKET_remaining(&responder_id_list) > 0) {
325 const unsigned char *id_data;
327 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
328 || PACKET_remaining(&responder_id) == 0) {
329 SSLfatal(s, SSL_AD_DECODE_ERROR,
330 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
334 id_data = PACKET_data(&responder_id);
335 /* TODO(size_t): Convert d2i_* to size_t */
336 id = d2i_OCSP_RESPID(NULL, &id_data,
337 (int)PACKET_remaining(&responder_id));
339 SSLfatal(s, SSL_AD_DECODE_ERROR,
340 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
344 if (id_data != PACKET_end(&responder_id)) {
345 OCSP_RESPID_free(id);
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
352 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
353 OCSP_RESPID_free(id);
354 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
355 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
361 /* Read in request_extensions */
362 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
363 SSLfatal(s, SSL_AD_DECODE_ERROR,
364 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
368 if (PACKET_remaining(&exts) > 0) {
369 const unsigned char *ext_data = PACKET_data(&exts);
371 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
372 X509_EXTENSION_free);
374 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
375 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
376 SSLfatal(s, SSL_AD_DECODE_ERROR,
377 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
386 #ifndef OPENSSL_NO_NEXTPROTONEG
387 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
391 * We shouldn't accept this extension on a
394 if (SSL_IS_FIRST_HANDSHAKE(s))
402 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
403 * extension, not including type and length. Returns: 1 on success, 0 on error.
405 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
408 PACKET protocol_list, save_protocol_list, protocol;
410 if (!SSL_IS_FIRST_HANDSHAKE(s))
413 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
414 || PACKET_remaining(&protocol_list) < 2) {
415 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
416 SSL_R_BAD_EXTENSION);
420 save_protocol_list = protocol_list;
422 /* Protocol names can't be empty. */
423 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
424 || PACKET_remaining(&protocol) == 0) {
425 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
426 SSL_R_BAD_EXTENSION);
429 } while (PACKET_remaining(&protocol_list) != 0);
431 OPENSSL_free(s->s3->alpn_proposed);
432 s->s3->alpn_proposed = NULL;
433 s->s3->alpn_proposed_len = 0;
434 if (!PACKET_memdup(&save_protocol_list,
435 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
436 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
437 ERR_R_INTERNAL_ERROR);
444 #ifndef OPENSSL_NO_SRTP
445 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
448 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
449 unsigned int ct, mki_len, id;
453 /* Ignore this if we have no SRTP profiles */
454 if (SSL_get_srtp_profiles(s) == NULL)
457 /* Pull off the length of the cipher suite list and check it is even */
458 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
459 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
460 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
461 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
465 srvr = SSL_get_srtp_profiles(s);
466 s->srtp_profile = NULL;
467 /* Search all profiles for a match initially */
468 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
470 while (PACKET_remaining(&subpkt)) {
471 if (!PACKET_get_net_2(&subpkt, &id)) {
472 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
473 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
478 * Only look for match in profiles of higher preference than
480 * If no profiles have been have been configured then this
483 for (i = 0; i < srtp_pref; i++) {
484 SRTP_PROTECTION_PROFILE *sprof =
485 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
487 if (sprof->id == id) {
488 s->srtp_profile = sprof;
495 /* Now extract the MKI value as a sanity check, but discard it for now */
496 if (!PACKET_get_1(pkt, &mki_len)) {
497 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
498 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
502 if (!PACKET_forward(pkt, mki_len)
503 || PACKET_remaining(pkt)) {
504 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
505 SSL_R_BAD_SRTP_MKI_VALUE);
513 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
516 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
523 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
524 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
526 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
527 X509 *x, size_t chainidx)
529 #ifndef OPENSSL_NO_TLS1_3
530 PACKET psk_kex_modes;
533 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
534 || PACKET_remaining(&psk_kex_modes) == 0) {
535 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
536 SSL_R_BAD_EXTENSION);
540 while (PACKET_get_1(&psk_kex_modes, &mode)) {
541 if (mode == TLSEXT_KEX_MODE_KE_DHE)
542 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
543 else if (mode == TLSEXT_KEX_MODE_KE
544 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
545 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
553 * Process a key_share extension received in the ClientHello. |pkt| contains
554 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
556 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
559 #ifndef OPENSSL_NO_TLS1_3
560 unsigned int group_id;
561 PACKET key_share_list, encoded_pt;
562 const uint16_t *clntgroups, *srvrgroups;
563 size_t clnt_num_groups, srvr_num_groups;
566 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
570 if (s->s3->peer_tmp != NULL) {
571 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
572 ERR_R_INTERNAL_ERROR);
576 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
577 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
578 SSL_R_LENGTH_MISMATCH);
582 /* Get our list of supported groups */
583 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
584 /* Get the clients list of supported groups. */
585 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
586 if (clnt_num_groups == 0) {
588 * This can only happen if the supported_groups extension was not sent,
589 * because we verify that the length is non-zero when we process that
592 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
593 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
597 while (PACKET_remaining(&key_share_list) > 0) {
598 if (!PACKET_get_net_2(&key_share_list, &group_id)
599 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
600 || PACKET_remaining(&encoded_pt) == 0) {
601 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
602 SSL_R_LENGTH_MISMATCH);
607 * If we already found a suitable key_share we loop through the
608 * rest to verify the structure, but don't process them.
613 /* Check if this share is in supported_groups sent from client */
614 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
615 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
616 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
620 /* Check if this share is for a group we can use */
621 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
622 /* Share not suitable */
626 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
628 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
632 s->s3->group_id = group_id;
634 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
635 PACKET_data(&encoded_pt),
636 PACKET_remaining(&encoded_pt))) {
637 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
638 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
649 #ifndef OPENSSL_NO_EC
650 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
651 X509 *x, size_t chainidx)
653 PACKET supported_groups_list;
655 /* Each group is 2 bytes and we must have at least 1. */
656 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
657 || PACKET_remaining(&supported_groups_list) == 0
658 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
659 SSLfatal(s, SSL_AD_DECODE_ERROR,
660 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
664 if (!s->hit || SSL_IS_TLS13(s)) {
665 OPENSSL_free(s->session->ext.supportedgroups);
666 s->session->ext.supportedgroups = NULL;
667 s->session->ext.supportedgroups_len = 0;
668 if (!tls1_save_u16(&supported_groups_list,
669 &s->session->ext.supportedgroups,
670 &s->session->ext.supportedgroups_len)) {
671 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
672 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
673 ERR_R_INTERNAL_ERROR);
682 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
685 /* The extension must always be empty */
686 if (PACKET_remaining(pkt) != 0) {
687 SSLfatal(s, SSL_AD_DECODE_ERROR,
688 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
692 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
698 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
699 X509 *x, size_t chainidx)
701 if (PACKET_remaining(pkt) != 0) {
702 SSLfatal(s, SSL_AD_DECODE_ERROR,
703 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
707 if (s->hello_retry_request) {
708 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
709 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
716 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
719 PACKET identities, binders, binder;
720 size_t binderoffset, hashsize;
721 SSL_SESSION *sess = NULL;
722 unsigned int id, i, ext = 0;
723 const EVP_MD *md = NULL;
726 * If we have no PSK kex mode that we recognise then we can't resume so
727 * ignore this extension
729 if ((s->ext.psk_kex_mode
730 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
733 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
734 SSLfatal(s, SSL_AD_DECODE_ERROR,
735 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
739 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
741 unsigned long ticket_agel;
743 if (!PACKET_get_length_prefixed_2(&identities, &identity)
744 || !PACKET_get_net_4(&identities, &ticket_agel)) {
745 SSLfatal(s, SSL_AD_DECODE_ERROR,
746 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
750 if (s->psk_find_session_cb != NULL
751 && !s->psk_find_session_cb(s, PACKET_data(&identity),
752 PACKET_remaining(&identity),
754 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
755 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
761 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
763 if (sesstmp == NULL) {
764 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
765 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
768 SSL_SESSION_free(sess);
772 * We've just been told to use this session for this context so
773 * make sure the sid_ctx matches up.
775 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
776 sess->sid_ctx_length = s->sid_ctx_length;
779 s->ext.early_data_ok = 1;
781 uint32_t ticket_age = 0, now, agesec, agems;
782 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
783 PACKET_remaining(&identity), NULL, 0,
786 if (ret == TICKET_FATAL_ERR_MALLOC
787 || ret == TICKET_FATAL_ERR_OTHER) {
788 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
789 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
792 if (ret == TICKET_NO_DECRYPT)
795 ticket_age = (uint32_t)ticket_agel;
796 now = (uint32_t)time(NULL);
797 agesec = now - (uint32_t)sess->time;
798 agems = agesec * (uint32_t)1000;
799 ticket_age -= sess->ext.tick_age_add;
802 * For simplicity we do our age calculations in seconds. If the
803 * client does it in ms then it could appear that their ticket age
804 * is longer than ours (our ticket age calculation should always be
805 * slightly longer than the client's due to the network latency).
806 * Therefore we add 1000ms to our age calculation to adjust for
810 && sess->timeout >= (long)agesec
811 && agems / (uint32_t)1000 == agesec
812 && ticket_age <= agems + 1000
813 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
815 * Ticket age is within tolerance and not expired. We allow it
818 s->ext.early_data_ok = 1;
822 md = ssl_md(sess->cipher->algorithm2);
823 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
824 /* The ciphersuite is not compatible with this session. */
825 SSL_SESSION_free(sess);
827 s->ext.early_data_ok = 0;
836 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
837 hashsize = EVP_MD_size(md);
839 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
840 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
841 SSL_R_BAD_EXTENSION);
845 for (i = 0; i <= id; i++) {
846 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
847 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
848 SSL_R_BAD_EXTENSION);
853 if (PACKET_remaining(&binder) != hashsize
854 || tls_psk_do_binder(s, md,
855 (const unsigned char *)s->init_buf->data,
856 binderoffset, PACKET_data(&binder), NULL,
857 sess, 0, ext) != 1) {
858 /* SSLfatal() already called */
862 sess->ext.tick_identity = id;
864 SSL_SESSION_free(s->session);
868 SSL_SESSION_free(sess);
873 * Add the server's renegotiation binding
875 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
876 unsigned int context, X509 *x,
879 if (!s->s3->send_connection_binding)
880 return EXT_RETURN_NOT_SENT;
882 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
883 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
884 || !WPACKET_start_sub_packet_u16(pkt)
885 || !WPACKET_start_sub_packet_u8(pkt)
886 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
887 s->s3->previous_client_finished_len)
888 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
889 s->s3->previous_server_finished_len)
890 || !WPACKET_close(pkt)
891 || !WPACKET_close(pkt)) {
892 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
893 ERR_R_INTERNAL_ERROR);
894 return EXT_RETURN_FAIL;
897 return EXT_RETURN_SENT;
900 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
901 unsigned int context, X509 *x,
904 if (s->hit || s->servername_done != 1
905 || s->session->ext.hostname == NULL)
906 return EXT_RETURN_NOT_SENT;
908 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
909 || !WPACKET_put_bytes_u16(pkt, 0)) {
910 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
911 ERR_R_INTERNAL_ERROR);
912 return EXT_RETURN_FAIL;
915 return EXT_RETURN_SENT;
918 /* Add/include the server's max fragment len extension into ServerHello */
919 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
920 unsigned int context, X509 *x,
923 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
924 return EXT_RETURN_NOT_SENT;
927 * 4 bytes for this extension type and extension length
928 * 1 byte for the Max Fragment Length code value.
930 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
931 || !WPACKET_start_sub_packet_u16(pkt)
932 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
933 || !WPACKET_close(pkt)) {
934 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
935 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
936 return EXT_RETURN_FAIL;
939 return EXT_RETURN_SENT;
942 #ifndef OPENSSL_NO_EC
943 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
944 unsigned int context, X509 *x,
947 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
948 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
949 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
950 && (s->session->ext.ecpointformats != NULL);
951 const unsigned char *plist;
955 return EXT_RETURN_NOT_SENT;
957 tls1_get_formatlist(s, &plist, &plistlen);
958 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
959 || !WPACKET_start_sub_packet_u16(pkt)
960 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
961 || !WPACKET_close(pkt)) {
962 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
963 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
964 return EXT_RETURN_FAIL;
967 return EXT_RETURN_SENT;
971 #ifndef OPENSSL_NO_EC
972 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
973 unsigned int context, X509 *x,
976 const uint16_t *groups;
977 size_t numgroups, i, first = 1;
979 /* s->s3->group_id is non zero if we accepted a key_share */
980 if (s->s3->group_id == 0)
981 return EXT_RETURN_NOT_SENT;
983 /* Get our list of supported groups */
984 tls1_get_supported_groups(s, &groups, &numgroups);
985 if (numgroups == 0) {
986 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
987 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
988 return EXT_RETURN_FAIL;
991 /* Copy group ID if supported */
992 for (i = 0; i < numgroups; i++) {
993 uint16_t group = groups[i];
995 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
998 * Check if the client is already using our preferred group. If
999 * so we don't need to add this extension
1001 if (s->s3->group_id == group)
1002 return EXT_RETURN_NOT_SENT;
1004 /* Add extension header */
1005 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1006 /* Sub-packet for supported_groups extension */
1007 || !WPACKET_start_sub_packet_u16(pkt)
1008 || !WPACKET_start_sub_packet_u16(pkt)) {
1009 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1010 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1011 ERR_R_INTERNAL_ERROR);
1012 return EXT_RETURN_FAIL;
1017 if (!WPACKET_put_bytes_u16(pkt, group)) {
1018 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1019 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1020 ERR_R_INTERNAL_ERROR);
1021 return EXT_RETURN_FAIL;
1026 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1027 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1028 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1029 ERR_R_INTERNAL_ERROR);
1030 return EXT_RETURN_FAIL;
1033 return EXT_RETURN_SENT;
1037 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1038 unsigned int context, X509 *x,
1041 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1042 s->ext.ticket_expected = 0;
1043 return EXT_RETURN_NOT_SENT;
1046 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1047 || !WPACKET_put_bytes_u16(pkt, 0)) {
1048 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1049 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1050 return EXT_RETURN_FAIL;
1053 return EXT_RETURN_SENT;
1056 #ifndef OPENSSL_NO_OCSP
1057 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1058 unsigned int context, X509 *x,
1061 if (!s->ext.status_expected)
1062 return EXT_RETURN_NOT_SENT;
1064 if (SSL_IS_TLS13(s) && chainidx != 0)
1065 return EXT_RETURN_NOT_SENT;
1067 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1068 || !WPACKET_start_sub_packet_u16(pkt)) {
1069 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1070 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1071 return EXT_RETURN_FAIL;
1075 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1076 * send back an empty extension, with the certificate status appearing as a
1079 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1080 /* SSLfatal() already called */
1081 return EXT_RETURN_FAIL;
1083 if (!WPACKET_close(pkt)) {
1084 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1085 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1086 return EXT_RETURN_FAIL;
1089 return EXT_RETURN_SENT;
1093 #ifndef OPENSSL_NO_NEXTPROTONEG
1094 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1095 unsigned int context, X509 *x,
1098 const unsigned char *npa;
1099 unsigned int npalen;
1101 int npn_seen = s->s3->npn_seen;
1103 s->s3->npn_seen = 0;
1104 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1105 return EXT_RETURN_NOT_SENT;
1107 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1108 s->ctx->ext.npn_advertised_cb_arg);
1109 if (ret == SSL_TLSEXT_ERR_OK) {
1110 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1111 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1112 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1113 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1114 ERR_R_INTERNAL_ERROR);
1115 return EXT_RETURN_FAIL;
1117 s->s3->npn_seen = 1;
1120 return EXT_RETURN_SENT;
1124 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1125 X509 *x, size_t chainidx)
1127 if (s->s3->alpn_selected == NULL)
1128 return EXT_RETURN_NOT_SENT;
1130 if (!WPACKET_put_bytes_u16(pkt,
1131 TLSEXT_TYPE_application_layer_protocol_negotiation)
1132 || !WPACKET_start_sub_packet_u16(pkt)
1133 || !WPACKET_start_sub_packet_u16(pkt)
1134 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1135 s->s3->alpn_selected_len)
1136 || !WPACKET_close(pkt)
1137 || !WPACKET_close(pkt)) {
1138 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1139 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1140 return EXT_RETURN_FAIL;
1143 return EXT_RETURN_SENT;
1146 #ifndef OPENSSL_NO_SRTP
1147 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1148 unsigned int context, X509 *x,
1151 if (s->srtp_profile == NULL)
1152 return EXT_RETURN_NOT_SENT;
1154 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1155 || !WPACKET_start_sub_packet_u16(pkt)
1156 || !WPACKET_put_bytes_u16(pkt, 2)
1157 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1158 || !WPACKET_put_bytes_u8(pkt, 0)
1159 || !WPACKET_close(pkt)) {
1160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1161 ERR_R_INTERNAL_ERROR);
1162 return EXT_RETURN_FAIL;
1165 return EXT_RETURN_SENT;
1169 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1170 X509 *x, size_t chainidx)
1172 if (!s->ext.use_etm)
1173 return EXT_RETURN_NOT_SENT;
1176 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1177 * for other cases too.
1179 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1180 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1181 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1182 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1184 return EXT_RETURN_NOT_SENT;
1187 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1188 || !WPACKET_put_bytes_u16(pkt, 0)) {
1189 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1190 ERR_R_INTERNAL_ERROR);
1191 return EXT_RETURN_FAIL;
1194 return EXT_RETURN_SENT;
1197 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1198 X509 *x, size_t chainidx)
1200 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1201 return EXT_RETURN_NOT_SENT;
1203 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1204 || !WPACKET_put_bytes_u16(pkt, 0)) {
1205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1206 ERR_R_INTERNAL_ERROR);
1207 return EXT_RETURN_FAIL;
1210 return EXT_RETURN_SENT;
1213 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1214 unsigned int context, X509 *x,
1217 #ifndef OPENSSL_NO_TLS1_3
1218 unsigned char *encodedPoint;
1219 size_t encoded_pt_len = 0;
1220 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1223 /* No key_share received from client */
1224 if (s->hello_retry_request) {
1225 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1226 || !WPACKET_start_sub_packet_u16(pkt)
1227 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1228 || !WPACKET_close(pkt)) {
1229 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1230 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1231 ERR_R_INTERNAL_ERROR);
1232 return EXT_RETURN_FAIL;
1235 return EXT_RETURN_SENT;
1238 /* Must be resuming. */
1239 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1240 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1241 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1242 return EXT_RETURN_FAIL;
1244 return EXT_RETURN_NOT_SENT;
1247 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1248 || !WPACKET_start_sub_packet_u16(pkt)
1249 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1250 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1251 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1252 return EXT_RETURN_FAIL;
1255 skey = ssl_generate_pkey(ckey);
1257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1258 ERR_R_MALLOC_FAILURE);
1259 return EXT_RETURN_FAIL;
1262 /* Generate encoding of server key */
1263 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1264 if (encoded_pt_len == 0) {
1265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1267 EVP_PKEY_free(skey);
1268 return EXT_RETURN_FAIL;
1271 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1272 || !WPACKET_close(pkt)) {
1273 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1274 ERR_R_INTERNAL_ERROR);
1275 EVP_PKEY_free(skey);
1276 OPENSSL_free(encodedPoint);
1277 return EXT_RETURN_FAIL;
1279 OPENSSL_free(encodedPoint);
1281 /* This causes the crypto state to be updated based on the derived keys */
1282 s->s3->tmp.pkey = skey;
1283 if (ssl_derive(s, skey, ckey, 1) == 0) {
1284 /* SSLfatal() already called */
1285 return EXT_RETURN_FAIL;
1289 return EXT_RETURN_SENT;
1292 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1293 unsigned int context, X509 *x,
1296 const unsigned char cryptopro_ext[36] = {
1297 0xfd, 0xe8, /* 65000 */
1298 0x00, 0x20, /* 32 bytes length */
1299 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1300 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1301 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1302 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1305 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1306 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1307 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1308 return EXT_RETURN_NOT_SENT;
1310 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1311 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1312 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1313 return EXT_RETURN_FAIL;
1316 return EXT_RETURN_SENT;
1319 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1320 unsigned int context, X509 *x,
1323 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1324 if (s->max_early_data == 0)
1325 return EXT_RETURN_NOT_SENT;
1327 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1328 || !WPACKET_start_sub_packet_u16(pkt)
1329 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1330 || !WPACKET_close(pkt)) {
1331 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1332 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1333 return EXT_RETURN_FAIL;
1336 return EXT_RETURN_SENT;
1339 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1340 return EXT_RETURN_NOT_SENT;
1342 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1343 || !WPACKET_start_sub_packet_u16(pkt)
1344 || !WPACKET_close(pkt)) {
1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1346 ERR_R_INTERNAL_ERROR);
1347 return EXT_RETURN_FAIL;
1350 return EXT_RETURN_SENT;
1353 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1354 X509 *x, size_t chainidx)
1357 return EXT_RETURN_NOT_SENT;
1359 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1360 || !WPACKET_start_sub_packet_u16(pkt)
1361 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1362 || !WPACKET_close(pkt)) {
1363 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1364 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1365 return EXT_RETURN_FAIL;
1368 return EXT_RETURN_SENT;