2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
124 s->servername_done = 1;
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
130 s->servername_done = s->session->ext.hostname
131 && PACKET_equal(&hostname, s->session->ext.hostname,
132 strlen(s->session->ext.hostname));
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
166 PACKET ec_point_format_list;
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->ext.ecpointformats,
177 &s->session->ext.ecpointformats_len)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
185 #endif /* OPENSSL_NO_EC */
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
190 if (s->ext.session_ticket_cb &&
191 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->ext.session_ticket_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
204 PACKET supported_sig_algs;
206 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
212 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
213 *al = TLS1_AD_DECODE_ERROR;
220 #ifndef OPENSSL_NO_OCSP
221 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
224 PACKET responder_id_list, exts;
226 /* Not defined if we get one of these in a client Certificate */
230 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
231 *al = SSL_AD_DECODE_ERROR;
235 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
237 * We don't know what to do with any other type so ignore it.
239 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
243 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
244 *al = SSL_AD_DECODE_ERROR;
249 * We remove any OCSP_RESPIDs from a previous handshake
250 * to prevent unbounded memory growth - CVE-2016-6304
252 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
253 if (PACKET_remaining(&responder_id_list) > 0) {
254 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
255 if (s->ext.ocsp.ids == NULL) {
256 *al = SSL_AD_INTERNAL_ERROR;
260 s->ext.ocsp.ids = NULL;
263 while (PACKET_remaining(&responder_id_list) > 0) {
266 const unsigned char *id_data;
268 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
269 || PACKET_remaining(&responder_id) == 0) {
270 *al = SSL_AD_DECODE_ERROR;
274 id_data = PACKET_data(&responder_id);
275 /* TODO(size_t): Convert d2i_* to size_t */
276 id = d2i_OCSP_RESPID(NULL, &id_data,
277 (int)PACKET_remaining(&responder_id));
279 *al = SSL_AD_DECODE_ERROR;
283 if (id_data != PACKET_end(&responder_id)) {
284 OCSP_RESPID_free(id);
285 *al = SSL_AD_DECODE_ERROR;
289 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
290 OCSP_RESPID_free(id);
291 *al = SSL_AD_INTERNAL_ERROR;
296 /* Read in request_extensions */
297 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
298 *al = SSL_AD_DECODE_ERROR;
302 if (PACKET_remaining(&exts) > 0) {
303 const unsigned char *ext_data = PACKET_data(&exts);
305 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
306 X509_EXTENSION_free);
308 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
309 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
310 *al = SSL_AD_DECODE_ERROR;
319 #ifndef OPENSSL_NO_NEXTPROTONEG
320 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
323 * We shouldn't accept this extension on a
326 if (SSL_IS_FIRST_HANDSHAKE(s))
334 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
335 * extension, not including type and length. |al| is a pointer to the alert
336 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
338 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
340 PACKET protocol_list, save_protocol_list, protocol;
342 if (!SSL_IS_FIRST_HANDSHAKE(s))
345 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
346 || PACKET_remaining(&protocol_list) < 2) {
347 *al = SSL_AD_DECODE_ERROR;
351 save_protocol_list = protocol_list;
353 /* Protocol names can't be empty. */
354 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
355 || PACKET_remaining(&protocol) == 0) {
356 *al = SSL_AD_DECODE_ERROR;
359 } while (PACKET_remaining(&protocol_list) != 0);
361 if (!PACKET_memdup(&save_protocol_list,
362 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
363 *al = TLS1_AD_INTERNAL_ERROR;
370 #ifndef OPENSSL_NO_SRTP
371 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
374 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
375 unsigned int ct, mki_len, id;
379 /* Ignore this if we have no SRTP profiles */
380 if (SSL_get_srtp_profiles(s) == NULL)
383 /* Pull off the length of the cipher suite list and check it is even */
384 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
385 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
386 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
387 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
388 *al = SSL_AD_DECODE_ERROR;
392 srvr = SSL_get_srtp_profiles(s);
393 s->srtp_profile = NULL;
394 /* Search all profiles for a match initially */
395 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
397 while (PACKET_remaining(&subpkt)) {
398 if (!PACKET_get_net_2(&subpkt, &id)) {
399 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
400 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
401 *al = SSL_AD_DECODE_ERROR;
406 * Only look for match in profiles of higher preference than
408 * If no profiles have been have been configured then this
411 for (i = 0; i < srtp_pref; i++) {
412 SRTP_PROTECTION_PROFILE *sprof =
413 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
415 if (sprof->id == id) {
416 s->srtp_profile = sprof;
423 /* Now extract the MKI value as a sanity check, but discard it for now */
424 if (!PACKET_get_1(pkt, &mki_len)) {
425 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
426 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
427 *al = SSL_AD_DECODE_ERROR;
431 if (!PACKET_forward(pkt, mki_len)
432 || PACKET_remaining(pkt)) {
433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
434 *al = SSL_AD_DECODE_ERROR;
442 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
444 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
445 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
451 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
452 * and |checkallow| is 1 then additionally check if the group is allowed to be
453 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
456 #ifndef OPENSSL_NO_TLS1_3
457 static int check_in_list(SSL *s, unsigned int group_id,
458 const unsigned char *groups, size_t num_groups,
463 if (groups == NULL || num_groups == 0)
466 for (i = 0; i < num_groups; i++, groups += 2) {
467 unsigned int share_id = (groups[0] << 8) | (groups[1]);
469 if (group_id == share_id
471 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
476 /* If i == num_groups then not in the list */
477 return i < num_groups;
482 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
483 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
484 * If a failure occurs then |*al| is set to an appropriate alert value.
486 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
489 #ifndef OPENSSL_NO_TLS1_3
490 PACKET psk_kex_modes;
493 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
494 || PACKET_remaining(&psk_kex_modes) == 0) {
495 *al = SSL_AD_DECODE_ERROR;
499 while (PACKET_get_1(&psk_kex_modes, &mode)) {
500 if (mode == TLSEXT_KEX_MODE_KE_DHE)
501 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
502 else if (mode == TLSEXT_KEX_MODE_KE)
503 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
511 * Process a key_share extension received in the ClientHello. |pkt| contains
512 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
513 * If a failure occurs then |*al| is set to an appropriate alert value.
515 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
518 #ifndef OPENSSL_NO_TLS1_3
519 unsigned int group_id;
520 PACKET key_share_list, encoded_pt;
521 const unsigned char *clntcurves, *srvrcurves;
522 size_t clnt_num_curves, srvr_num_curves;
523 int group_nid, found = 0;
524 unsigned int curve_flags;
526 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
530 if (s->s3->peer_tmp != NULL) {
531 *al = SSL_AD_INTERNAL_ERROR;
532 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
536 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
537 *al = SSL_AD_HANDSHAKE_FAILURE;
538 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
542 /* Get our list of supported curves */
543 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
544 *al = SSL_AD_INTERNAL_ERROR;
545 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
550 * Get the clients list of supported curves.
551 * TODO(TLS1.3): We should validate that we actually received
554 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
555 *al = SSL_AD_INTERNAL_ERROR;
556 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
560 while (PACKET_remaining(&key_share_list) > 0) {
561 if (!PACKET_get_net_2(&key_share_list, &group_id)
562 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
563 || PACKET_remaining(&encoded_pt) == 0) {
564 *al = SSL_AD_HANDSHAKE_FAILURE;
565 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
566 SSL_R_LENGTH_MISMATCH);
571 * If we already found a suitable key_share we loop through the
572 * rest to verify the structure, but don't process them.
577 /* Check if this share is in supported_groups sent from client */
578 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
579 *al = SSL_AD_HANDSHAKE_FAILURE;
580 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
584 /* Check if this share is for a group we can use */
585 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
586 /* Share not suitable */
590 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
592 if (group_nid == 0) {
593 *al = SSL_AD_INTERNAL_ERROR;
594 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
595 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
599 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
600 /* Can happen for some curves, e.g. X25519 */
601 EVP_PKEY *key = EVP_PKEY_new();
603 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
604 *al = SSL_AD_INTERNAL_ERROR;
605 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
609 s->s3->peer_tmp = key;
611 /* Set up EVP_PKEY with named curve as parameters */
612 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
615 || EVP_PKEY_paramgen_init(pctx) <= 0
616 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
618 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
619 *al = SSL_AD_INTERNAL_ERROR;
620 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
621 EVP_PKEY_CTX_free(pctx);
624 EVP_PKEY_CTX_free(pctx);
627 s->s3->group_id = group_id;
629 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
630 PACKET_data(&encoded_pt),
631 PACKET_remaining(&encoded_pt))) {
632 *al = SSL_AD_DECODE_ERROR;
633 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
644 #ifndef OPENSSL_NO_EC
645 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
646 size_t chainidx, int *al)
648 PACKET supported_groups_list;
650 /* Each group is 2 bytes and we must have at least 1. */
651 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
652 || PACKET_remaining(&supported_groups_list) == 0
653 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
654 *al = SSL_AD_DECODE_ERROR;
658 if (!PACKET_memdup(&supported_groups_list,
659 &s->session->ext.supportedgroups,
660 &s->session->ext.supportedgroups_len)) {
661 *al = SSL_AD_DECODE_ERROR;
669 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
671 /* The extension must always be empty */
672 if (PACKET_remaining(pkt) != 0) {
673 *al = SSL_AD_DECODE_ERROR;
677 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
682 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
684 PACKET identities, binders, binder;
685 size_t binderoffset, hashsize;
686 SSL_SESSION *sess = NULL;
688 const EVP_MD *md = NULL;
690 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
691 *al = SSL_AD_DECODE_ERROR;
695 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
697 unsigned long ticket_age;
700 if (!PACKET_get_length_prefixed_2(&identities, &identity)
701 || !PACKET_get_net_4(&identities, &ticket_age)) {
702 *al = SSL_AD_DECODE_ERROR;
706 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
707 PACKET_remaining(&identity), NULL, 0, &sess);
708 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
709 *al = SSL_AD_INTERNAL_ERROR;
712 if (ret == TICKET_NO_DECRYPT)
715 md = ssl_cipher_get_handshake_md(sess->cipher_id);
718 * Don't recognise this cipher so we can't use the session.
721 SSL_SESSION_free(sess);
727 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
737 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
739 hashsize = EVP_MD_size(md);
741 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
742 *al = SSL_AD_DECODE_ERROR;
746 for (i = 0; i <= id; i++) {
747 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
748 *al = SSL_AD_DECODE_ERROR;
753 if (PACKET_remaining(&binder) != hashsize
754 || tls_psk_do_binder(s, md,
755 (const unsigned char *)s->init_buf->data,
756 binderoffset, PACKET_data(&binder), NULL,
758 *al = SSL_AD_DECODE_ERROR;
759 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
763 sess->ext.tick_identity = id;
764 SSL_SESSION_free(s->session);
773 * Add the server's renegotiation binding
775 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
778 if (!s->s3->send_connection_binding)
781 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
782 || !WPACKET_start_sub_packet_u16(pkt)
783 || !WPACKET_start_sub_packet_u8(pkt)
784 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
785 s->s3->previous_client_finished_len)
786 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
787 s->s3->previous_server_finished_len)
788 || !WPACKET_close(pkt)
789 || !WPACKET_close(pkt)) {
790 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
797 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
798 size_t chainidx, int *al)
800 if (s->hit || s->servername_done != 1
801 || s->session->ext.hostname == NULL)
804 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
805 || !WPACKET_put_bytes_u16(pkt, 0)) {
806 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
813 #ifndef OPENSSL_NO_EC
814 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
815 size_t chainidx, int *al)
817 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
818 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
819 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
820 && (s->session->ext.ecpointformats != NULL);
821 const unsigned char *plist;
827 tls1_get_formatlist(s, &plist, &plistlen);
828 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
829 || !WPACKET_start_sub_packet_u16(pkt)
830 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
831 || !WPACKET_close(pkt)) {
832 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
840 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
841 size_t chainidx, int *al)
843 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
844 s->ext.ticket_expected = 0;
848 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
849 || !WPACKET_put_bytes_u16(pkt, 0)) {
850 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
857 #ifndef OPENSSL_NO_OCSP
858 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
859 size_t chainidx, int *al)
861 if (!s->ext.status_expected)
864 if (SSL_IS_TLS13(s) && chainidx != 0)
867 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
868 || !WPACKET_start_sub_packet_u16(pkt)) {
869 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
874 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
875 * send back an empty extension, with the certificate status appearing as a
878 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
879 || !WPACKET_close(pkt)) {
880 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
888 #ifndef OPENSSL_NO_NEXTPROTONEG
889 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
890 size_t chainidx, int *al)
892 const unsigned char *npa;
895 int npn_seen = s->s3->npn_seen;
898 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
901 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
902 s->ctx->ext.npn_advertised_cb_arg);
903 if (ret == SSL_TLSEXT_ERR_OK) {
904 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
905 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
906 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
907 ERR_R_INTERNAL_ERROR);
917 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
920 if (s->s3->alpn_selected == NULL)
923 if (!WPACKET_put_bytes_u16(pkt,
924 TLSEXT_TYPE_application_layer_protocol_negotiation)
925 || !WPACKET_start_sub_packet_u16(pkt)
926 || !WPACKET_start_sub_packet_u16(pkt)
927 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
928 s->s3->alpn_selected_len)
929 || !WPACKET_close(pkt)
930 || !WPACKET_close(pkt)) {
931 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
938 #ifndef OPENSSL_NO_SRTP
939 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
942 if (s->srtp_profile == NULL)
945 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
946 || !WPACKET_start_sub_packet_u16(pkt)
947 || !WPACKET_put_bytes_u16(pkt, 2)
948 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
949 || !WPACKET_put_bytes_u8(pkt, 0)
950 || !WPACKET_close(pkt)) {
951 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
959 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
962 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
966 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
967 * for other cases too.
969 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
970 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
971 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
972 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
973 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
977 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
978 || !WPACKET_put_bytes_u16(pkt, 0)) {
979 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
986 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
989 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
992 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
993 || !WPACKET_put_bytes_u16(pkt, 0)) {
994 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1001 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
1004 #ifndef OPENSSL_NO_TLS1_3
1005 unsigned char *encodedPoint;
1006 size_t encoded_pt_len = 0;
1007 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1010 /* No key_share received from client, must be resuming. */
1011 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1012 *al = SSL_AD_INTERNAL_ERROR;
1013 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1019 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1020 || !WPACKET_start_sub_packet_u16(pkt)
1021 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1022 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1026 skey = ssl_generate_pkey(ckey);
1028 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1032 /* Generate encoding of server key */
1033 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1034 if (encoded_pt_len == 0) {
1035 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1036 EVP_PKEY_free(skey);
1040 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1041 || !WPACKET_close(pkt)) {
1042 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1043 EVP_PKEY_free(skey);
1044 OPENSSL_free(encodedPoint);
1047 OPENSSL_free(encodedPoint);
1049 /* This causes the crypto state to be updated based on the derived keys */
1050 s->s3->tmp.pkey = skey;
1051 if (ssl_derive(s, skey, ckey, 1) == 0) {
1052 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1060 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
1061 size_t chainidx, int *al)
1063 const unsigned char cryptopro_ext[36] = {
1064 0xfd, 0xe8, /* 65000 */
1065 0x00, 0x20, /* 32 bytes length */
1066 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1067 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1068 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1069 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1072 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1073 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1074 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1077 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1078 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1085 int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
1091 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1092 || !WPACKET_start_sub_packet_u16(pkt)
1093 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1094 || !WPACKET_close(pkt)) {
1095 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);