2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_client_renegotiate(SSL *s, PACKET *pkt, int *al)
20 const unsigned char *data;
22 /* Parse the length byte */
23 if (!PACKET_get_1(pkt, &ilen)
24 || !PACKET_get_bytes(pkt, &data, ilen)) {
25 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
26 SSL_R_RENEGOTIATION_ENCODING_ERR);
27 *al = SSL_AD_ILLEGAL_PARAMETER;
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
33 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
34 SSL_R_RENEGOTIATION_MISMATCH);
35 *al = SSL_AD_HANDSHAKE_FAILURE;
39 if (memcmp(data, s->s3->previous_client_finished,
40 s->s3->previous_client_finished_len)) {
41 SSLerr(SSL_F_TLS_PARSE_CLIENT_RENEGOTIATE,
42 SSL_R_RENEGOTIATION_MISMATCH);
43 *al = SSL_AD_HANDSHAKE_FAILURE;
47 s->s3->send_connection_binding = 1;
52 int tls_parse_client_server_name(SSL *s, PACKET *pkt, int *al)
54 unsigned int servname_type;
58 * The servername extension is treated as follows:
60 * - Only the hostname type is supported with a maximum length of 255.
61 * - The servername is rejected if too long or if it contains zeros,
62 * in which case an fatal alert is generated.
63 * - The servername field is maintained together with the session cache.
64 * - When a session is resumed, the servername call back invoked in order
65 * to allow the application to position itself to the right context.
66 * - The servername is acknowledged if it is new for a session or when
67 * it is identical to a previously used for the same session.
68 * Applications can control the behaviour. They can at any time
69 * set a 'desirable' servername for a new SSL object. This can be the
70 * case for example with HTTPS when a Host: header field is received and
71 * a renegotiation is requested. In this case, a possible servername
72 * presented in the new client hello is only acknowledged if it matches
73 * the value of the Host: field.
74 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
75 * if they provide for changing an explicit servername context for the
76 * session, i.e. when the session has been established with a servername
78 * - On session reconnect, the servername extension may be absent.
81 if (!PACKET_as_length_prefixed_2(pkt, &sni)
82 /* ServerNameList must be at least 1 byte long. */
83 || PACKET_remaining(&sni) == 0) {
84 *al = SSL_AD_DECODE_ERROR;
89 * Although the server_name extension was intended to be
90 * extensible to new name types, RFC 4366 defined the
91 * syntax inextensibility and OpenSSL 1.0.x parses it as
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
118 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
119 *al = TLS1_AD_INTERNAL_ERROR;
123 s->servername_done = 1;
126 * TODO(openssl-team): if the SNI doesn't match, we MUST
127 * fall back to a full handshake.
129 s->servername_done = s->session->tlsext_hostname
130 && PACKET_equal(&hostname, s->session->tlsext_hostname,
131 strlen(s->session->tlsext_hostname));
137 #ifndef OPENSSL_NO_SRP
138 int tls_parse_client_srp(SSL *s, PACKET *pkt, int *al)
142 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
143 || PACKET_contains_zero_byte(&srp_I)) {
144 *al = SSL_AD_DECODE_ERROR;
149 * TODO(openssl-team): currently, we re-authenticate the user
150 * upon resumption. Instead, we MUST ignore the login.
152 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
153 *al = TLS1_AD_INTERNAL_ERROR;
161 #ifndef OPENSSL_NO_EC
162 int tls_parse_client_ec_pt_formats(SSL *s, PACKET *pkt, int *al)
164 PACKET ec_point_format_list;
166 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
167 || PACKET_remaining(&ec_point_format_list) == 0) {
168 *al = SSL_AD_DECODE_ERROR;
173 if (!PACKET_memdup(&ec_point_format_list,
174 &s->session->tlsext_ecpointformatlist,
175 &s->session->tlsext_ecpointformatlist_length)) {
176 *al = TLS1_AD_INTERNAL_ERROR;
183 #endif /* OPENSSL_NO_EC */
185 int tls_parse_client_session_ticket(SSL *s, PACKET *pkt, int *al)
187 if (s->tls_session_ticket_ext_cb &&
188 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
189 PACKET_remaining(pkt),
190 s->tls_session_ticket_ext_cb_arg)) {
191 *al = TLS1_AD_INTERNAL_ERROR;
198 int tls_parse_client_sig_algs(SSL *s, PACKET *pkt, int *al)
200 PACKET supported_sig_algs;
202 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
203 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
204 || PACKET_remaining(&supported_sig_algs) == 0) {
205 *al = SSL_AD_DECODE_ERROR;
209 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
210 PACKET_remaining(&supported_sig_algs))) {
211 *al = TLS1_AD_INTERNAL_ERROR;
218 #ifndef OPENSSL_NO_OCSP
219 int tls_parse_client_status_request(SSL *s, PACKET *pkt, int *al)
221 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
222 *al = SSL_AD_DECODE_ERROR;
226 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
227 const unsigned char *ext_data;
228 PACKET responder_id_list, exts;
229 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
230 *al = SSL_AD_DECODE_ERROR;
235 * We remove any OCSP_RESPIDs from a previous handshake
236 * to prevent unbounded memory growth - CVE-2016-6304
238 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
239 if (PACKET_remaining(&responder_id_list) > 0) {
240 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
241 if (s->tlsext_ocsp_ids == NULL) {
242 *al = SSL_AD_INTERNAL_ERROR;
246 s->tlsext_ocsp_ids = NULL;
249 while (PACKET_remaining(&responder_id_list) > 0) {
252 const unsigned char *id_data;
254 if (!PACKET_get_length_prefixed_2(&responder_id_list,
256 || PACKET_remaining(&responder_id) == 0) {
257 *al = SSL_AD_DECODE_ERROR;
261 id_data = PACKET_data(&responder_id);
262 /* TODO(size_t): Convert d2i_* to size_t */
263 id = d2i_OCSP_RESPID(NULL, &id_data,
264 (int)PACKET_remaining(&responder_id));
266 *al = SSL_AD_DECODE_ERROR;
270 if (id_data != PACKET_end(&responder_id)) {
271 OCSP_RESPID_free(id);
272 *al = SSL_AD_DECODE_ERROR;
276 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
277 OCSP_RESPID_free(id);
278 *al = SSL_AD_INTERNAL_ERROR;
283 /* Read in request_extensions */
284 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
285 *al = SSL_AD_DECODE_ERROR;
289 if (PACKET_remaining(&exts) > 0) {
290 ext_data = PACKET_data(&exts);
291 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
292 X509_EXTENSION_free);
293 s->tlsext_ocsp_exts =
294 d2i_X509_EXTENSIONS(NULL, &ext_data,
295 (int)PACKET_remaining(&exts));
296 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
297 *al = SSL_AD_DECODE_ERROR;
303 * We don't know what to do with any other type so ignore it.
305 s->tlsext_status_type = -1;
312 #ifndef OPENSSL_NO_NEXTPROTONEG
313 int tls_parse_client_npn(SSL *s, PACKET *pkt, int *al)
315 if (s->s3->tmp.finish_md_len == 0) {
317 * We shouldn't accept this extension on a
320 * s->new_session will be set on renegotiation, but we
321 * probably shouldn't rely that it couldn't be set on
322 * the initial renegotiation too in certain cases (when
323 * there's some other reason to disallow resuming an
324 * earlier session -- the current code won't be doing
325 * anything like that, but this might change).
327 * A valid sign that there's been a previous handshake
328 * in this connection is if s->s3->tmp.finish_md_len >
329 * 0. (We are talking about a check that will happen
330 * in the Hello protocol round, well before a new
331 * Finished message could have been computed.)
333 s->s3->next_proto_neg_seen = 1;
341 * Save the ALPN extension in a ClientHello.
342 * pkt: the contents of the ALPN extension, not including type and length.
343 * al: a pointer to the alert value to send in the event of a failure.
344 * returns: 1 on success, 0 on error.
346 int tls_parse_client_alpn(SSL *s, PACKET *pkt, int *al)
348 PACKET protocol_list, save_protocol_list, protocol;
350 if (s->s3->tmp.finish_md_len != 0)
353 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
354 || PACKET_remaining(&protocol_list) < 2) {
355 *al = SSL_AD_DECODE_ERROR;
359 save_protocol_list = protocol_list;
361 /* Protocol names can't be empty. */
362 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
363 || PACKET_remaining(&protocol) == 0) {
364 *al = SSL_AD_DECODE_ERROR;
367 } while (PACKET_remaining(&protocol_list) != 0);
369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = TLS1_AD_INTERNAL_ERROR;
378 #ifndef OPENSSL_NO_SRTP
379 int tls_parse_client_use_srtp(SSL *s, PACKET *pkt, int *al)
381 SRTP_PROTECTION_PROFILE *sprof;
382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
391 /* Pull off the length of the cipher suite list and check it is even */
392 if (!PACKET_get_net_2(pkt, &ct)
393 || (ct & 1) != 0 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
394 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
407 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
414 * Only look for match in profiles of higher preference than
416 * If no profiles have been have been configured then this
419 for (i = 0; i < srtp_pref; i++) {
420 sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
421 if (sprof->id == id) {
422 s->srtp_profile = sprof;
430 * Now extract the MKI value as a sanity check, but discard it for now
432 if (!PACKET_get_1(pkt, &mki_len)) {
433 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP,
434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
441 SSLerr(SSL_F_TLS_PARSE_CLIENT_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
442 *al = SSL_AD_DECODE_ERROR;
450 int tls_parse_client_etm(SSL *s, PACKET *pkt, int *al)
452 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
453 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
459 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
460 * and |checkallow| is 1 then additionally check if the group is allowed to be
461 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
464 static int check_in_list(SSL *s, unsigned int group_id,
465 const unsigned char *groups, size_t num_groups,
470 if (groups == NULL || num_groups == 0)
473 for (i = 0; i < num_groups; i++, groups += 2) {
474 unsigned int share_id = (groups[0] << 8) | (groups[1]);
476 if (group_id == share_id
477 && (!checkallow || tls_curve_allowed(s, groups,
478 SSL_SECOP_CURVE_CHECK))) {
483 /* If i == num_groups then not in the list */
484 return i < num_groups;
488 * Process a key_share extension received in the ClientHello. |pkt| contains
489 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
490 * If a failure occurs then |*al| is set to an appropriate alert value.
492 int tls_parse_client_key_share(SSL *s, PACKET *pkt, int *al)
494 unsigned int group_id;
495 PACKET key_share_list, encoded_pt;
496 const unsigned char *clntcurves, *srvrcurves;
497 size_t clnt_num_curves, srvr_num_curves;
498 int group_nid, found = 0;
499 unsigned int curve_flags;
505 if (s->s3->peer_tmp != NULL) {
506 *al = SSL_AD_INTERNAL_ERROR;
507 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
511 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
512 *al = SSL_AD_HANDSHAKE_FAILURE;
513 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
517 /* Get our list of supported curves */
518 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
519 *al = SSL_AD_INTERNAL_ERROR;
520 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
524 /* Get the clients list of supported curves */
525 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
526 *al = SSL_AD_INTERNAL_ERROR;
527 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_INTERNAL_ERROR);
531 while (PACKET_remaining(&key_share_list) > 0) {
532 if (!PACKET_get_net_2(&key_share_list, &group_id)
533 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
534 || PACKET_remaining(&encoded_pt) == 0) {
535 *al = SSL_AD_HANDSHAKE_FAILURE;
536 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE,
537 SSL_R_LENGTH_MISMATCH);
542 * If we already found a suitable key_share we loop through the
543 * rest to verify the structure, but don't process them.
548 /* Check if this share is in supported_groups sent from client */
549 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
550 *al = SSL_AD_HANDSHAKE_FAILURE;
551 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
555 /* Check if this share is for a group we can use */
556 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
557 /* Share not suitable */
561 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
563 if (group_nid == 0) {
564 *al = SSL_AD_INTERNAL_ERROR;
565 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE,
566 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
570 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
571 /* Can happen for some curves, e.g. X25519 */
572 EVP_PKEY *key = EVP_PKEY_new();
574 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
575 *al = SSL_AD_INTERNAL_ERROR;
576 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_EVP_LIB);
580 s->s3->peer_tmp = key;
582 /* Set up EVP_PKEY with named curve as parameters */
583 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
585 || EVP_PKEY_paramgen_init(pctx) <= 0
586 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
588 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
589 *al = SSL_AD_INTERNAL_ERROR;
590 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, ERR_R_EVP_LIB);
591 EVP_PKEY_CTX_free(pctx);
594 EVP_PKEY_CTX_free(pctx);
597 s->s3->group_id = group_id;
599 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
600 PACKET_data(&encoded_pt),
601 PACKET_remaining(&encoded_pt))) {
602 *al = SSL_AD_DECODE_ERROR;
603 SSLerr(SSL_F_TLS_PARSE_CLIENT_KEY_SHARE, SSL_R_BAD_ECPOINT);
613 #ifndef OPENSSL_NO_EC
614 int tls_parse_client_supported_groups(SSL *s, PACKET *pkt, int *al)
616 PACKET supported_groups_list;
618 /* Each group is 2 bytes and we must have at least 1. */
619 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
620 || PACKET_remaining(&supported_groups_list) == 0
621 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
622 *al = SSL_AD_DECODE_ERROR;
627 && !PACKET_memdup(&supported_groups_list,
628 &s->session->tlsext_supportedgroupslist,
629 &s->session->tlsext_supportedgroupslist_length)) {
630 *al = SSL_AD_DECODE_ERROR;
638 int tls_parse_client_ems(SSL *s, PACKET *pkt, int *al)
640 /* The extension must always be empty */
641 if (PACKET_remaining(pkt) != 0) {
642 *al = SSL_AD_DECODE_ERROR;
646 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
652 * Process all remaining ClientHello extensions that we collected earlier and
653 * haven't already processed.
655 * Behaviour upon resumption is extension-specific. If the extension has no
656 * effect during resumption, it is parsed (to verify its format) but otherwise
657 * ignored. Returns 1 on success and 0 on failure. Upon failure, sets |al| to
658 * the appropriate alert.
660 int tls_scan_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello, int *al)
663 * We process the supported_groups extension first so that is done before
664 * we get to key_share which needs to use the information in it.
666 if (!tls_parse_extension(s, TLSEXT_TYPE_supported_groups, EXT_CLIENT_HELLO,
667 hello->pre_proc_exts, hello->num_extensions, al)) {
671 return tls_parse_all_extensions(s, EXT_CLIENT_HELLO, hello->pre_proc_exts,
672 hello->num_extensions, al);
676 * Process the ALPN extension in a ClientHello.
677 * al: a pointer to the alert value to send in the event of a failure.
678 * returns 1 on success, 0 on error.
680 static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
682 const unsigned char *selected = NULL;
683 unsigned char selected_len = 0;
685 if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
686 int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
687 s->s3->alpn_proposed,
688 (unsigned int)s->s3->alpn_proposed_len,
689 s->ctx->alpn_select_cb_arg);
691 if (r == SSL_TLSEXT_ERR_OK) {
692 OPENSSL_free(s->s3->alpn_selected);
693 s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
694 if (s->s3->alpn_selected == NULL) {
695 *al = SSL_AD_INTERNAL_ERROR;
698 s->s3->alpn_selected_len = selected_len;
699 #ifndef OPENSSL_NO_NEXTPROTONEG
700 /* ALPN takes precedence over NPN. */
701 s->s3->next_proto_neg_seen = 0;
704 *al = SSL_AD_NO_APPLICATION_PROTOCOL;
713 * Upon success, returns 1.
714 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
716 int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
718 s->tlsext_status_expected = 0;
721 * If status request then ask callback what to do. Note: this must be
722 * called after servername callbacks in case the certificate has changed,
723 * and must be called after the cipher has been chosen because this may
724 * influence which certificate is sent
726 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
729 certpkey = ssl_get_server_send_pkey(s);
730 /* If no certificate can't return certificate status */
731 if (certpkey != NULL) {
733 * Set current certificate to one we will use so SSL_get_certificate
734 * et al can pick it up.
736 s->cert->key = certpkey;
737 ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
739 /* We don't want to send a status request response */
740 case SSL_TLSEXT_ERR_NOACK:
741 s->tlsext_status_expected = 0;
743 /* status request response should be sent */
744 case SSL_TLSEXT_ERR_OK:
745 if (s->tlsext_ocsp_resp)
746 s->tlsext_status_expected = 1;
748 /* something bad happened */
749 case SSL_TLSEXT_ERR_ALERT_FATAL:
751 *al = SSL_AD_INTERNAL_ERROR;
757 if (!tls1_alpn_handle_client_hello_late(s, al)) {
764 /* Add the server's renegotiation binding */
765 int tls_construct_server_renegotiate(SSL *s, WPACKET *pkt, int *al)
767 if (!s->s3->send_connection_binding)
770 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
771 || !WPACKET_start_sub_packet_u16(pkt)
772 || !WPACKET_start_sub_packet_u8(pkt)
773 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
774 s->s3->previous_client_finished_len)
775 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
776 s->s3->previous_server_finished_len)
777 || !WPACKET_close(pkt)
778 || !WPACKET_close(pkt)) {
779 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
786 int tls_construct_server_server_name(SSL *s, WPACKET *pkt, int *al)
788 if (s->hit || s->servername_done != 1
789 || s->session->tlsext_hostname == NULL)
792 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
793 || !WPACKET_put_bytes_u16(pkt, 0)) {
794 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_SERVER_NAME, ERR_R_INTERNAL_ERROR);
801 #ifndef OPENSSL_NO_EC
802 int tls_construct_server_ec_pt_formats(SSL *s, WPACKET *pkt, int *al)
804 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
805 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
806 int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
807 using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
808 const unsigned char *plist;
814 tls1_get_formatlist(s, &plist, &plistlen);
816 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
817 || !WPACKET_start_sub_packet_u16(pkt)
818 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
819 || !WPACKET_close(pkt)) {
820 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
828 int tls_construct_server_session_ticket(SSL *s, WPACKET *pkt, int *al)
830 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
831 s->tlsext_ticket_expected = 0;
835 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
836 || !WPACKET_put_bytes_u16(pkt, 0)) {
837 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
844 #ifndef OPENSSL_NO_OCSP
845 int tls_construct_server_status_request(SSL *s, WPACKET *pkt, int *al)
847 if (!s->tlsext_status_expected)
850 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
851 || !WPACKET_put_bytes_u16(pkt, 0)) {
852 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
861 #ifndef OPENSSL_NO_NEXTPROTONEG
862 int tls_construct_server_next_proto_neg(SSL *s, WPACKET *pkt, int *al)
864 const unsigned char *npa;
867 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
869 s->s3->next_proto_neg_seen = 0;
870 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
873 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
874 s->ctx->next_protos_advertised_cb_arg);
875 if (ret == SSL_TLSEXT_ERR_OK) {
876 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
877 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
878 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_NEXT_PROTO_NEG,
879 ERR_R_INTERNAL_ERROR);
882 s->s3->next_proto_neg_seen = 1;
889 int tls_construct_server_alpn(SSL *s, WPACKET *pkt, int *al)
891 if (s->s3->alpn_selected == NULL)
894 if (!WPACKET_put_bytes_u16(pkt,
895 TLSEXT_TYPE_application_layer_protocol_negotiation)
896 || !WPACKET_start_sub_packet_u16(pkt)
897 || !WPACKET_start_sub_packet_u16(pkt)
898 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
899 s->s3->alpn_selected_len)
900 || !WPACKET_close(pkt)
901 || !WPACKET_close(pkt)) {
902 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_ALPN, ERR_R_INTERNAL_ERROR);
909 #ifndef OPENSSL_NO_SRTP
910 int tls_construct_server_use_srtp(SSL *s, WPACKET *pkt, int *al)
912 if (s->srtp_profile == NULL)
915 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
916 || !WPACKET_start_sub_packet_u16(pkt)
917 || !WPACKET_put_bytes_u16(pkt, 2)
918 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
919 || !WPACKET_put_bytes_u8(pkt, 0)
920 || !WPACKET_close(pkt)) {
921 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_USE_SRTP, ERR_R_INTERNAL_ERROR);
929 int tls_construct_server_etm(SSL *s, WPACKET *pkt, int *al)
931 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
935 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
936 * for other cases too.
938 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
939 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
940 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
941 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
942 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
946 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
947 || !WPACKET_put_bytes_u16(pkt, 0)) {
948 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_ETM, ERR_R_INTERNAL_ERROR);
955 int tls_construct_server_ems(SSL *s, WPACKET *pkt, int *al)
957 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
960 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
961 || !WPACKET_put_bytes_u16(pkt, 0)) {
962 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_EMS, ERR_R_INTERNAL_ERROR);
969 int tls_construct_server_key_share(SSL *s, WPACKET *pkt, int *al)
971 unsigned char *encodedPoint;
972 size_t encoded_pt_len = 0;
973 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
979 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
983 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
984 || !WPACKET_start_sub_packet_u16(pkt)
985 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
986 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
990 skey = ssl_generate_pkey(ckey);
992 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_MALLOC_FAILURE);
996 /* Generate encoding of server key */
997 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
998 if (encoded_pt_len == 0) {
999 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_EC_LIB);
1000 EVP_PKEY_free(skey);
1004 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1005 || !WPACKET_close(pkt)) {
1006 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1007 EVP_PKEY_free(skey);
1008 OPENSSL_free(encodedPoint);
1011 OPENSSL_free(encodedPoint);
1013 /* This causes the crypto state to be updated based on the derived keys */
1014 s->s3->tmp.pkey = skey;
1015 if (ssl_derive(s, skey, ckey, 1) == 0) {
1016 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1023 int tls_construct_server_cryptopro_bug(SSL *s, WPACKET *pkt, int *al)
1025 const unsigned char cryptopro_ext[36] = {
1026 0xfd, 0xe8, /* 65000 */
1027 0x00, 0x20, /* 32 bytes length */
1028 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1029 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1030 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1031 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1034 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1035 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1036 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1039 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1040 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);