2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, int *al)
20 const unsigned char *data;
22 /* Parse the length byte */
23 if (!PACKET_get_1(pkt, &ilen)
24 || !PACKET_get_bytes(pkt, &data, ilen)) {
25 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
26 SSL_R_RENEGOTIATION_ENCODING_ERR);
27 *al = SSL_AD_ILLEGAL_PARAMETER;
31 /* Check that the extension matches */
32 if (ilen != s->s3->previous_client_finished_len) {
33 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
34 SSL_R_RENEGOTIATION_MISMATCH);
35 *al = SSL_AD_HANDSHAKE_FAILURE;
39 if (memcmp(data, s->s3->previous_client_finished,
40 s->s3->previous_client_finished_len)) {
41 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
42 SSL_R_RENEGOTIATION_MISMATCH);
43 *al = SSL_AD_HANDSHAKE_FAILURE;
47 s->s3->send_connection_binding = 1;
53 * The servername extension is treated as follows:
55 * - Only the hostname type is supported with a maximum length of 255.
56 * - The servername is rejected if too long or if it contains zeros,
57 * in which case an fatal alert is generated.
58 * - The servername field is maintained together with the session cache.
59 * - When a session is resumed, the servername call back invoked in order
60 * to allow the application to position itself to the right context.
61 * - The servername is acknowledged if it is new for a session or when
62 * it is identical to a previously used for the same session.
63 * Applications can control the behaviour. They can at any time
64 * set a 'desirable' servername for a new SSL object. This can be the
65 * case for example with HTTPS when a Host: header field is received and
66 * a renegotiation is requested. In this case, a possible servername
67 * presented in the new client hello is only acknowledged if it matches
68 * the value of the Host: field.
69 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
70 * if they provide for changing an explicit servername context for the
71 * session, i.e. when the session has been established with a servername
73 * - On session reconnect, the servername extension may be absent.
75 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, int *al)
77 unsigned int servname_type;
80 if (!PACKET_as_length_prefixed_2(pkt, &sni)
81 /* ServerNameList must be at least 1 byte long. */
82 || PACKET_remaining(&sni) == 0) {
83 *al = SSL_AD_DECODE_ERROR;
88 * Although the server_name extension was intended to be
89 * extensible to new name types, RFC 4366 defined the
90 * syntax inextensibly and OpenSSL 1.0.x parses it as
92 * RFC 6066 corrected the mistake but adding new name types
93 * is nevertheless no longer feasible, so act as if no other
94 * SNI types can exist, to simplify parsing.
96 * Also note that the RFC permits only one SNI value per type,
97 * i.e., we can only have a single hostname.
99 if (!PACKET_get_1(&sni, &servname_type)
100 || servname_type != TLSEXT_NAMETYPE_host_name
101 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
102 *al = SSL_AD_DECODE_ERROR;
107 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
108 *al = TLS1_AD_UNRECOGNIZED_NAME;
112 if (PACKET_contains_zero_byte(&hostname)) {
113 *al = TLS1_AD_UNRECOGNIZED_NAME;
117 if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
118 *al = TLS1_AD_INTERNAL_ERROR;
122 s->servername_done = 1;
125 * TODO(openssl-team): if the SNI doesn't match, we MUST
126 * fall back to a full handshake.
128 s->servername_done = s->session->tlsext_hostname
129 && PACKET_equal(&hostname, s->session->tlsext_hostname,
130 strlen(s->session->tlsext_hostname));
136 #ifndef OPENSSL_NO_SRP
137 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, int *al)
141 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
142 || PACKET_contains_zero_byte(&srp_I)) {
143 *al = SSL_AD_DECODE_ERROR;
148 * TODO(openssl-team): currently, we re-authenticate the user
149 * upon resumption. Instead, we MUST ignore the login.
151 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
152 *al = TLS1_AD_INTERNAL_ERROR;
160 #ifndef OPENSSL_NO_EC
161 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, int *al)
163 PACKET ec_point_format_list;
165 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
166 || PACKET_remaining(&ec_point_format_list) == 0) {
167 *al = SSL_AD_DECODE_ERROR;
172 if (!PACKET_memdup(&ec_point_format_list,
173 &s->session->tlsext_ecpointformatlist,
174 &s->session->tlsext_ecpointformatlist_length)) {
175 *al = TLS1_AD_INTERNAL_ERROR;
182 #endif /* OPENSSL_NO_EC */
184 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, int *al)
186 if (s->tls_session_ticket_ext_cb &&
187 !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
188 PACKET_remaining(pkt),
189 s->tls_session_ticket_ext_cb_arg)) {
190 *al = TLS1_AD_INTERNAL_ERROR;
197 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, int *al)
199 PACKET supported_sig_algs;
201 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
202 || (PACKET_remaining(&supported_sig_algs) % 2) != 0
203 || PACKET_remaining(&supported_sig_algs) == 0) {
204 *al = SSL_AD_DECODE_ERROR;
208 if (!s->hit && !tls1_save_sigalgs(s, PACKET_data(&supported_sig_algs),
209 PACKET_remaining(&supported_sig_algs))) {
210 *al = TLS1_AD_INTERNAL_ERROR;
217 #ifndef OPENSSL_NO_OCSP
218 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, int *al)
220 PACKET responder_id_list, exts;
222 if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
223 *al = SSL_AD_DECODE_ERROR;
227 if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
229 * We don't know what to do with any other type so ignore it.
231 s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
235 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
236 *al = SSL_AD_DECODE_ERROR;
241 * We remove any OCSP_RESPIDs from a previous handshake
242 * to prevent unbounded memory growth - CVE-2016-6304
244 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
245 if (PACKET_remaining(&responder_id_list) > 0) {
246 s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
247 if (s->tlsext_ocsp_ids == NULL) {
248 *al = SSL_AD_INTERNAL_ERROR;
252 s->tlsext_ocsp_ids = NULL;
255 while (PACKET_remaining(&responder_id_list) > 0) {
258 const unsigned char *id_data;
260 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
261 || PACKET_remaining(&responder_id) == 0) {
262 *al = SSL_AD_DECODE_ERROR;
266 id_data = PACKET_data(&responder_id);
267 /* TODO(size_t): Convert d2i_* to size_t */
268 id = d2i_OCSP_RESPID(NULL, &id_data,
269 (int)PACKET_remaining(&responder_id));
271 *al = SSL_AD_DECODE_ERROR;
275 if (id_data != PACKET_end(&responder_id)) {
276 OCSP_RESPID_free(id);
277 *al = SSL_AD_DECODE_ERROR;
281 if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
282 OCSP_RESPID_free(id);
283 *al = SSL_AD_INTERNAL_ERROR;
288 /* Read in request_extensions */
289 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
290 *al = SSL_AD_DECODE_ERROR;
294 if (PACKET_remaining(&exts) > 0) {
295 const unsigned char *ext_data = PACKET_data(&exts);
297 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
298 X509_EXTENSION_free);
299 s->tlsext_ocsp_exts =
300 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
301 if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
302 *al = SSL_AD_DECODE_ERROR;
311 #ifndef OPENSSL_NO_NEXTPROTONEG
312 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, int *al)
315 * We shouldn't accept this extension on a
318 * s->new_session will be set on renegotiation, but we
319 * probably shouldn't rely that it couldn't be set on
320 * the initial renegotiation too in certain cases (when
321 * there's some other reason to disallow resuming an
322 * earlier session -- the current code won't be doing
323 * anything like that, but this might change).
325 * A valid sign that there's been a previous handshake
326 * in this connection is if s->s3->tmp.finish_md_len >
327 * 0. (We are talking about a check that will happen
328 * in the Hello protocol round, well before a new
329 * Finished message could have been computed.)
331 if (s->s3->tmp.finish_md_len == 0)
332 s->s3->next_proto_neg_seen = 1;
339 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
340 * extension, not including type and length. |al| is a pointer to the alert
341 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
343 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, int *al)
345 PACKET protocol_list, save_protocol_list, protocol;
347 if (s->s3->tmp.finish_md_len != 0)
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
356 save_protocol_list = protocol_list;
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
364 } while (PACKET_remaining(&protocol_list) != 0);
366 if (!PACKET_memdup(&save_protocol_list,
367 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
368 *al = TLS1_AD_INTERNAL_ERROR;
375 #ifndef OPENSSL_NO_SRTP
376 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, int *al)
378 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
379 unsigned int ct, mki_len, id;
383 /* Ignore this if we have no SRTP profiles */
384 if (SSL_get_srtp_profiles(s) == NULL)
387 /* Pull off the length of the cipher suite list and check it is even */
388 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
389 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
390 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
391 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
392 *al = SSL_AD_DECODE_ERROR;
396 srvr = SSL_get_srtp_profiles(s);
397 s->srtp_profile = NULL;
398 /* Search all profiles for a match initially */
399 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
401 while (PACKET_remaining(&subpkt)) {
402 if (!PACKET_get_net_2(&subpkt, &id)) {
403 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
404 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
405 *al = SSL_AD_DECODE_ERROR;
410 * Only look for match in profiles of higher preference than
412 * If no profiles have been have been configured then this
415 for (i = 0; i < srtp_pref; i++) {
416 SRTP_PROTECTION_PROFILE *sprof =
417 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
419 if (sprof->id == id) {
420 s->srtp_profile = sprof;
427 /* Now extract the MKI value as a sanity check, but discard it for now */
428 if (!PACKET_get_1(pkt, &mki_len)) {
429 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
430 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
431 *al = SSL_AD_DECODE_ERROR;
435 if (!PACKET_forward(pkt, mki_len)
436 || PACKET_remaining(pkt)) {
437 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
438 *al = SSL_AD_DECODE_ERROR;
446 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, int *al)
448 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
449 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
455 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
456 * and |checkallow| is 1 then additionally check if the group is allowed to be
457 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
460 #ifndef OPENSSL_NO_TLS1_3
461 static int check_in_list(SSL *s, unsigned int group_id,
462 const unsigned char *groups, size_t num_groups,
467 if (groups == NULL || num_groups == 0)
470 for (i = 0; i < num_groups; i++, groups += 2) {
471 unsigned int share_id = (groups[0] << 8) | (groups[1]);
473 if (group_id == share_id
475 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
480 /* If i == num_groups then not in the list */
481 return i < num_groups;
486 * Process a key_share extension received in the ClientHello. |pkt| contains
487 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
488 * If a failure occurs then |*al| is set to an appropriate alert value.
490 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, int *al)
492 #ifndef OPENSSL_NO_TLS1_3
493 unsigned int group_id;
494 PACKET key_share_list, encoded_pt;
495 const unsigned char *clntcurves, *srvrcurves;
496 size_t clnt_num_curves, srvr_num_curves;
497 int group_nid, found = 0;
498 unsigned int curve_flags;
504 if (s->s3->peer_tmp != NULL) {
505 *al = SSL_AD_INTERNAL_ERROR;
506 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
510 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
511 *al = SSL_AD_HANDSHAKE_FAILURE;
512 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
516 /* Get our list of supported curves */
517 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
518 *al = SSL_AD_INTERNAL_ERROR;
519 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
524 * Get the clients list of supported curves.
525 * TODO(TLS1.3): We should validate that we actually received
528 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
529 *al = SSL_AD_INTERNAL_ERROR;
530 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
534 while (PACKET_remaining(&key_share_list) > 0) {
535 if (!PACKET_get_net_2(&key_share_list, &group_id)
536 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
537 || PACKET_remaining(&encoded_pt) == 0) {
538 *al = SSL_AD_HANDSHAKE_FAILURE;
539 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
540 SSL_R_LENGTH_MISMATCH);
545 * If we already found a suitable key_share we loop through the
546 * rest to verify the structure, but don't process them.
551 /* Check if this share is in supported_groups sent from client */
552 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
553 *al = SSL_AD_HANDSHAKE_FAILURE;
554 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
558 /* Check if this share is for a group we can use */
559 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
560 /* Share not suitable */
564 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
566 if (group_nid == 0) {
567 *al = SSL_AD_INTERNAL_ERROR;
568 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
569 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
573 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
574 /* Can happen for some curves, e.g. X25519 */
575 EVP_PKEY *key = EVP_PKEY_new();
577 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
578 *al = SSL_AD_INTERNAL_ERROR;
579 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
583 s->s3->peer_tmp = key;
585 /* Set up EVP_PKEY with named curve as parameters */
586 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
589 || EVP_PKEY_paramgen_init(pctx) <= 0
590 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
592 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
593 *al = SSL_AD_INTERNAL_ERROR;
594 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
595 EVP_PKEY_CTX_free(pctx);
598 EVP_PKEY_CTX_free(pctx);
601 s->s3->group_id = group_id;
603 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
604 PACKET_data(&encoded_pt),
605 PACKET_remaining(&encoded_pt))) {
606 *al = SSL_AD_DECODE_ERROR;
607 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
618 #ifndef OPENSSL_NO_EC
619 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, int *al)
621 PACKET supported_groups_list;
623 /* Each group is 2 bytes and we must have at least 1. */
624 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
625 || PACKET_remaining(&supported_groups_list) == 0
626 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
627 *al = SSL_AD_DECODE_ERROR;
632 && !PACKET_memdup(&supported_groups_list,
633 &s->session->tlsext_supportedgroupslist,
634 &s->session->tlsext_supportedgroupslist_length)) {
635 *al = SSL_AD_DECODE_ERROR;
643 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, int *al)
645 /* The extension must always be empty */
646 if (PACKET_remaining(pkt) != 0) {
647 *al = SSL_AD_DECODE_ERROR;
651 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
657 * Add the server's renegotiation binding
659 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
662 if (!s->s3->send_connection_binding)
665 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
666 || !WPACKET_start_sub_packet_u16(pkt)
667 || !WPACKET_start_sub_packet_u8(pkt)
668 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
669 s->s3->previous_client_finished_len)
670 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
671 s->s3->previous_server_finished_len)
672 || !WPACKET_close(pkt)
673 || !WPACKET_close(pkt)) {
674 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
681 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
684 if (s->hit || s->servername_done != 1
685 || s->session->tlsext_hostname == NULL)
688 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
689 || !WPACKET_put_bytes_u16(pkt, 0)) {
690 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
697 #ifndef OPENSSL_NO_EC
698 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
699 size_t chain, int *al)
701 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
702 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
703 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
704 && (s->session->tlsext_ecpointformatlist != NULL);
705 const unsigned char *plist;
711 tls1_get_formatlist(s, &plist, &plistlen);
712 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
713 || !WPACKET_start_sub_packet_u16(pkt)
714 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
715 || !WPACKET_close(pkt)) {
716 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
724 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
725 size_t chain, int *al)
727 if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
728 s->tlsext_ticket_expected = 0;
732 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
733 || !WPACKET_put_bytes_u16(pkt, 0)) {
734 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
741 #ifndef OPENSSL_NO_OCSP
742 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
743 size_t chain, int *al)
745 if (!s->tlsext_status_expected)
748 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
749 || !WPACKET_put_bytes_u16(pkt, 0)) {
750 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
758 #ifndef OPENSSL_NO_NEXTPROTONEG
759 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
760 size_t chain, int *al)
762 const unsigned char *npa;
765 int next_proto_neg_seen = s->s3->next_proto_neg_seen;
767 s->s3->next_proto_neg_seen = 0;
768 if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
771 ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
772 s->ctx->next_protos_advertised_cb_arg);
773 if (ret == SSL_TLSEXT_ERR_OK) {
774 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
775 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
776 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
777 ERR_R_INTERNAL_ERROR);
780 s->s3->next_proto_neg_seen = 1;
787 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
790 if (s->s3->alpn_selected == NULL)
793 if (!WPACKET_put_bytes_u16(pkt,
794 TLSEXT_TYPE_application_layer_protocol_negotiation)
795 || !WPACKET_start_sub_packet_u16(pkt)
796 || !WPACKET_start_sub_packet_u16(pkt)
797 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
798 s->s3->alpn_selected_len)
799 || !WPACKET_close(pkt)
800 || !WPACKET_close(pkt)) {
801 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
808 #ifndef OPENSSL_NO_SRTP
809 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
812 if (s->srtp_profile == NULL)
815 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
816 || !WPACKET_start_sub_packet_u16(pkt)
817 || !WPACKET_put_bytes_u16(pkt, 2)
818 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
819 || !WPACKET_put_bytes_u8(pkt, 0)
820 || !WPACKET_close(pkt)) {
821 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
829 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
831 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
835 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
836 * for other cases too.
838 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
839 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
840 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
841 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
842 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
846 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
847 || !WPACKET_put_bytes_u16(pkt, 0)) {
848 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
855 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al)
857 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
860 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
861 || !WPACKET_put_bytes_u16(pkt, 0)) {
862 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
869 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chain,
872 #ifndef OPENSSL_NO_TLS1_3
873 unsigned char *encodedPoint;
874 size_t encoded_pt_len = 0;
875 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
881 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
885 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
886 || !WPACKET_start_sub_packet_u16(pkt)
887 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
888 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
892 skey = ssl_generate_pkey(ckey);
894 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
898 /* Generate encoding of server key */
899 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
900 if (encoded_pt_len == 0) {
901 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
906 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
907 || !WPACKET_close(pkt)) {
908 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
910 OPENSSL_free(encodedPoint);
913 OPENSSL_free(encodedPoint);
915 /* This causes the crypto state to be updated based on the derived keys */
916 s->s3->tmp.pkey = skey;
917 if (ssl_derive(s, skey, ckey, 1) == 0) {
918 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
926 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
927 size_t chain, int *al)
929 const unsigned char cryptopro_ext[36] = {
930 0xfd, 0xe8, /* 65000 */
931 0x00, 0x20, /* 32 bytes length */
932 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
933 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
934 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
935 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
938 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
939 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
940 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
943 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
944 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);