2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 OPENSSL_free(s->session->ext.hostname);
120 s->session->ext.hostname = NULL;
121 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
122 *al = TLS1_AD_INTERNAL_ERROR;
126 s->servername_done = 1;
129 * TODO(openssl-team): if the SNI doesn't match, we MUST
130 * fall back to a full handshake.
132 s->servername_done = s->session->ext.hostname
133 && PACKET_equal(&hostname, s->session->ext.hostname,
134 strlen(s->session->ext.hostname));
140 #ifndef OPENSSL_NO_SRP
141 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
142 size_t chainidx, int *al)
146 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
147 || PACKET_contains_zero_byte(&srp_I)) {
148 *al = SSL_AD_DECODE_ERROR;
153 * TODO(openssl-team): currently, we re-authenticate the user
154 * upon resumption. Instead, we MUST ignore the login.
156 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
157 *al = TLS1_AD_INTERNAL_ERROR;
165 #ifndef OPENSSL_NO_EC
166 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
167 X509 *x, size_t chainidx, int *al)
169 PACKET ec_point_format_list;
171 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
172 || PACKET_remaining(&ec_point_format_list) == 0) {
173 *al = SSL_AD_DECODE_ERROR;
178 if (!PACKET_memdup(&ec_point_format_list,
179 &s->session->ext.ecpointformats,
180 &s->session->ext.ecpointformats_len)) {
181 *al = TLS1_AD_INTERNAL_ERROR;
188 #endif /* OPENSSL_NO_EC */
190 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
191 X509 *x, size_t chainidx, int *al)
193 if (s->ext.session_ticket_cb &&
194 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
195 PACKET_remaining(pkt),
196 s->ext.session_ticket_cb_arg)) {
197 *al = TLS1_AD_INTERNAL_ERROR;
204 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
205 size_t chainidx, int *al)
207 PACKET supported_sig_algs;
209 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
210 || PACKET_remaining(&supported_sig_algs) == 0) {
211 *al = SSL_AD_DECODE_ERROR;
215 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
216 *al = TLS1_AD_DECODE_ERROR;
223 #ifndef OPENSSL_NO_OCSP
224 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
225 X509 *x, size_t chainidx, int *al)
227 PACKET responder_id_list, exts;
229 /* Not defined if we get one of these in a client Certificate */
233 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
234 *al = SSL_AD_DECODE_ERROR;
238 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
240 * We don't know what to do with any other type so ignore it.
242 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
246 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
247 *al = SSL_AD_DECODE_ERROR;
252 * We remove any OCSP_RESPIDs from a previous handshake
253 * to prevent unbounded memory growth - CVE-2016-6304
255 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
256 if (PACKET_remaining(&responder_id_list) > 0) {
257 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
258 if (s->ext.ocsp.ids == NULL) {
259 *al = SSL_AD_INTERNAL_ERROR;
263 s->ext.ocsp.ids = NULL;
266 while (PACKET_remaining(&responder_id_list) > 0) {
269 const unsigned char *id_data;
271 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
272 || PACKET_remaining(&responder_id) == 0) {
273 *al = SSL_AD_DECODE_ERROR;
277 id_data = PACKET_data(&responder_id);
278 /* TODO(size_t): Convert d2i_* to size_t */
279 id = d2i_OCSP_RESPID(NULL, &id_data,
280 (int)PACKET_remaining(&responder_id));
282 *al = SSL_AD_DECODE_ERROR;
286 if (id_data != PACKET_end(&responder_id)) {
287 OCSP_RESPID_free(id);
288 *al = SSL_AD_DECODE_ERROR;
292 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
293 OCSP_RESPID_free(id);
294 *al = SSL_AD_INTERNAL_ERROR;
299 /* Read in request_extensions */
300 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
301 *al = SSL_AD_DECODE_ERROR;
305 if (PACKET_remaining(&exts) > 0) {
306 const unsigned char *ext_data = PACKET_data(&exts);
308 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
309 X509_EXTENSION_free);
311 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
312 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
313 *al = SSL_AD_DECODE_ERROR;
322 #ifndef OPENSSL_NO_NEXTPROTONEG
323 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
324 size_t chainidx, int *al)
327 * We shouldn't accept this extension on a
330 if (SSL_IS_FIRST_HANDSHAKE(s))
338 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
339 * extension, not including type and length. |al| is a pointer to the alert
340 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
342 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
343 size_t chainidx, int *al)
345 PACKET protocol_list, save_protocol_list, protocol;
347 if (!SSL_IS_FIRST_HANDSHAKE(s))
350 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
351 || PACKET_remaining(&protocol_list) < 2) {
352 *al = SSL_AD_DECODE_ERROR;
356 save_protocol_list = protocol_list;
358 /* Protocol names can't be empty. */
359 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
360 || PACKET_remaining(&protocol) == 0) {
361 *al = SSL_AD_DECODE_ERROR;
364 } while (PACKET_remaining(&protocol_list) != 0);
366 OPENSSL_free(s->s3->alpn_proposed);
367 s->s3->alpn_proposed = NULL;
368 s->s3->alpn_proposed_len = 0;
369 if (!PACKET_memdup(&save_protocol_list,
370 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
371 *al = TLS1_AD_INTERNAL_ERROR;
378 #ifndef OPENSSL_NO_SRTP
379 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
380 size_t chainidx, int *al)
382 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
383 unsigned int ct, mki_len, id;
387 /* Ignore this if we have no SRTP profiles */
388 if (SSL_get_srtp_profiles(s) == NULL)
391 /* Pull off the length of the cipher suite list and check it is even */
392 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
393 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
394 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
395 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
396 *al = SSL_AD_DECODE_ERROR;
400 srvr = SSL_get_srtp_profiles(s);
401 s->srtp_profile = NULL;
402 /* Search all profiles for a match initially */
403 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
405 while (PACKET_remaining(&subpkt)) {
406 if (!PACKET_get_net_2(&subpkt, &id)) {
407 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
408 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
409 *al = SSL_AD_DECODE_ERROR;
414 * Only look for match in profiles of higher preference than
416 * If no profiles have been have been configured then this
419 for (i = 0; i < srtp_pref; i++) {
420 SRTP_PROTECTION_PROFILE *sprof =
421 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
423 if (sprof->id == id) {
424 s->srtp_profile = sprof;
431 /* Now extract the MKI value as a sanity check, but discard it for now */
432 if (!PACKET_get_1(pkt, &mki_len)) {
433 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
434 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
435 *al = SSL_AD_DECODE_ERROR;
439 if (!PACKET_forward(pkt, mki_len)
440 || PACKET_remaining(pkt)) {
441 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
442 *al = SSL_AD_DECODE_ERROR;
450 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
451 size_t chainidx, int *al)
453 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
454 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
460 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
461 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
462 * If a failure occurs then |*al| is set to an appropriate alert value.
464 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
465 X509 *x, size_t chainidx, int *al)
467 #ifndef OPENSSL_NO_TLS1_3
468 PACKET psk_kex_modes;
471 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
472 || PACKET_remaining(&psk_kex_modes) == 0) {
473 *al = SSL_AD_DECODE_ERROR;
477 while (PACKET_get_1(&psk_kex_modes, &mode)) {
478 if (mode == TLSEXT_KEX_MODE_KE_DHE)
479 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
480 else if (mode == TLSEXT_KEX_MODE_KE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
489 * Process a key_share extension received in the ClientHello. |pkt| contains
490 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
491 * If a failure occurs then |*al| is set to an appropriate alert value.
493 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
494 size_t chainidx, int *al)
496 #ifndef OPENSSL_NO_TLS1_3
497 unsigned int group_id;
498 PACKET key_share_list, encoded_pt;
499 const unsigned char *clntcurves, *srvrcurves;
500 size_t clnt_num_curves, srvr_num_curves;
501 int group_nid, found = 0;
502 unsigned int curve_flags;
504 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
508 if (s->s3->peer_tmp != NULL) {
509 *al = SSL_AD_INTERNAL_ERROR;
510 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
514 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
515 *al = SSL_AD_HANDSHAKE_FAILURE;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
520 /* Get our list of supported curves */
521 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
522 *al = SSL_AD_INTERNAL_ERROR;
523 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
528 * Get the clients list of supported curves.
529 * TODO(TLS1.3): We should validate that we actually received
532 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
533 *al = SSL_AD_INTERNAL_ERROR;
534 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
538 while (PACKET_remaining(&key_share_list) > 0) {
539 if (!PACKET_get_net_2(&key_share_list, &group_id)
540 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
541 || PACKET_remaining(&encoded_pt) == 0) {
542 *al = SSL_AD_HANDSHAKE_FAILURE;
543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
544 SSL_R_LENGTH_MISMATCH);
549 * If we already found a suitable key_share we loop through the
550 * rest to verify the structure, but don't process them.
555 /* Check if this share is in supported_groups sent from client */
556 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
557 *al = SSL_AD_HANDSHAKE_FAILURE;
558 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
562 /* Check if this share is for a group we can use */
563 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
564 /* Share not suitable */
568 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
570 if (group_nid == 0) {
571 *al = SSL_AD_INTERNAL_ERROR;
572 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
573 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
577 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
578 /* Can happen for some curves, e.g. X25519 */
579 EVP_PKEY *key = EVP_PKEY_new();
581 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
582 *al = SSL_AD_INTERNAL_ERROR;
583 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
587 s->s3->peer_tmp = key;
589 /* Set up EVP_PKEY with named curve as parameters */
590 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
593 || EVP_PKEY_paramgen_init(pctx) <= 0
594 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
596 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
597 *al = SSL_AD_INTERNAL_ERROR;
598 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
599 EVP_PKEY_CTX_free(pctx);
602 EVP_PKEY_CTX_free(pctx);
605 s->s3->group_id = group_id;
607 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
608 PACKET_data(&encoded_pt),
609 PACKET_remaining(&encoded_pt))) {
610 *al = SSL_AD_DECODE_ERROR;
611 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
622 #ifndef OPENSSL_NO_EC
623 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
624 X509 *x, size_t chainidx, int *al)
626 PACKET supported_groups_list;
628 /* Each group is 2 bytes and we must have at least 1. */
629 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
630 || PACKET_remaining(&supported_groups_list) == 0
631 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
632 *al = SSL_AD_DECODE_ERROR;
636 OPENSSL_free(s->session->ext.supportedgroups);
637 s->session->ext.supportedgroups = NULL;
638 s->session->ext.supportedgroups_len = 0;
639 if (!PACKET_memdup(&supported_groups_list,
640 &s->session->ext.supportedgroups,
641 &s->session->ext.supportedgroups_len)) {
642 *al = SSL_AD_DECODE_ERROR;
650 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
651 size_t chainidx, int *al)
653 /* The extension must always be empty */
654 if (PACKET_remaining(pkt) != 0) {
655 *al = SSL_AD_DECODE_ERROR;
659 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
664 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
665 size_t chainidx, int *al)
667 PACKET identities, binders, binder;
668 size_t binderoffset, hashsize;
669 SSL_SESSION *sess = NULL;
671 const EVP_MD *md = NULL;
674 * If we have no PSK kex mode that we recognise then we can't resume so
675 * ignore this extension
677 if ((s->ext.psk_kex_mode
678 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
681 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
682 *al = SSL_AD_DECODE_ERROR;
686 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
688 unsigned long ticket_age;
691 if (!PACKET_get_length_prefixed_2(&identities, &identity)
692 || !PACKET_get_net_4(&identities, &ticket_age)) {
693 *al = SSL_AD_DECODE_ERROR;
697 /* TODO(TLS1.3): Should we validate the ticket age? */
699 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
700 PACKET_remaining(&identity), NULL, 0, &sess);
701 if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) {
702 *al = SSL_AD_INTERNAL_ERROR;
705 if (ret == TICKET_NO_DECRYPT)
708 md = ssl_md(sess->cipher->algorithm2);
711 * Don't recognise this cipher so we can't use the session.
714 SSL_SESSION_free(sess);
720 * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal.
730 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
731 hashsize = EVP_MD_size(md);
733 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
734 *al = SSL_AD_DECODE_ERROR;
738 for (i = 0; i <= id; i++) {
739 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
740 *al = SSL_AD_DECODE_ERROR;
745 if (PACKET_remaining(&binder) != hashsize
746 || tls_psk_do_binder(s, md,
747 (const unsigned char *)s->init_buf->data,
748 binderoffset, PACKET_data(&binder), NULL,
750 *al = SSL_AD_DECODE_ERROR;
751 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
755 sess->ext.tick_identity = id;
756 SSL_SESSION_free(s->session);
764 * Add the server's renegotiation binding
766 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
767 X509 *x, size_t chainidx, int *al)
769 if (!s->s3->send_connection_binding)
772 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
773 || !WPACKET_start_sub_packet_u16(pkt)
774 || !WPACKET_start_sub_packet_u8(pkt)
775 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
776 s->s3->previous_client_finished_len)
777 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
778 s->s3->previous_server_finished_len)
779 || !WPACKET_close(pkt)
780 || !WPACKET_close(pkt)) {
781 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
788 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
789 X509 *x, size_t chainidx, int *al)
791 if (s->hit || s->servername_done != 1
792 || s->session->ext.hostname == NULL)
795 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
796 || !WPACKET_put_bytes_u16(pkt, 0)) {
797 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
804 #ifndef OPENSSL_NO_EC
805 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
806 X509 *x, size_t chainidx, int *al)
808 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
809 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
810 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
811 && (s->session->ext.ecpointformats != NULL);
812 const unsigned char *plist;
818 tls1_get_formatlist(s, &plist, &plistlen);
819 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
820 || !WPACKET_start_sub_packet_u16(pkt)
821 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
822 || !WPACKET_close(pkt)) {
823 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
831 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
832 unsigned int context, X509 *x,
833 size_t chainidx, int *al)
835 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
836 s->ext.ticket_expected = 0;
840 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
841 || !WPACKET_put_bytes_u16(pkt, 0)) {
842 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
849 #ifndef OPENSSL_NO_OCSP
850 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
851 unsigned int context, X509 *x,
852 size_t chainidx, int *al)
854 if (!s->ext.status_expected)
857 if (SSL_IS_TLS13(s) && chainidx != 0)
860 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
861 || !WPACKET_start_sub_packet_u16(pkt)) {
862 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
867 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
868 * send back an empty extension, with the certificate status appearing as a
871 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
872 || !WPACKET_close(pkt)) {
873 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
881 #ifndef OPENSSL_NO_NEXTPROTONEG
882 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
883 unsigned int context, X509 *x,
884 size_t chainidx, int *al)
886 const unsigned char *npa;
889 int npn_seen = s->s3->npn_seen;
892 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
895 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
896 s->ctx->ext.npn_advertised_cb_arg);
897 if (ret == SSL_TLSEXT_ERR_OK) {
898 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
899 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
900 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
901 ERR_R_INTERNAL_ERROR);
911 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
912 size_t chainidx, int *al)
914 if (s->s3->alpn_selected == NULL)
917 if (!WPACKET_put_bytes_u16(pkt,
918 TLSEXT_TYPE_application_layer_protocol_negotiation)
919 || !WPACKET_start_sub_packet_u16(pkt)
920 || !WPACKET_start_sub_packet_u16(pkt)
921 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
922 s->s3->alpn_selected_len)
923 || !WPACKET_close(pkt)
924 || !WPACKET_close(pkt)) {
925 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
932 #ifndef OPENSSL_NO_SRTP
933 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
934 X509 *x, size_t chainidx, int *al)
936 if (s->srtp_profile == NULL)
939 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
940 || !WPACKET_start_sub_packet_u16(pkt)
941 || !WPACKET_put_bytes_u16(pkt, 2)
942 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
943 || !WPACKET_put_bytes_u8(pkt, 0)
944 || !WPACKET_close(pkt)) {
945 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
953 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
954 size_t chainidx, int *al)
956 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
960 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
961 * for other cases too.
963 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
964 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
965 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
966 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
967 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
971 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
972 || !WPACKET_put_bytes_u16(pkt, 0)) {
973 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
980 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
981 size_t chainidx, int *al)
983 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
986 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
987 || !WPACKET_put_bytes_u16(pkt, 0)) {
988 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
995 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
996 X509 *x, size_t chainidx, int *al)
998 #ifndef OPENSSL_NO_TLS1_3
999 unsigned char *encodedPoint;
1000 size_t encoded_pt_len = 0;
1001 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1004 /* No key_share received from client */
1005 if (s->hello_retry_request) {
1006 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1007 || !WPACKET_start_sub_packet_u16(pkt)
1008 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1009 || !WPACKET_close(pkt)) {
1010 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1011 ERR_R_INTERNAL_ERROR);
1018 /* Must be resuming. */
1019 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1020 *al = SSL_AD_INTERNAL_ERROR;
1021 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1027 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1028 || !WPACKET_start_sub_packet_u16(pkt)
1029 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1030 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1034 skey = ssl_generate_pkey(ckey);
1036 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1040 /* Generate encoding of server key */
1041 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1042 if (encoded_pt_len == 0) {
1043 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1044 EVP_PKEY_free(skey);
1048 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1049 || !WPACKET_close(pkt)) {
1050 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1051 EVP_PKEY_free(skey);
1052 OPENSSL_free(encodedPoint);
1055 OPENSSL_free(encodedPoint);
1057 /* This causes the crypto state to be updated based on the derived keys */
1058 s->s3->tmp.pkey = skey;
1059 if (ssl_derive(s, skey, ckey, 1) == 0) {
1060 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1068 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
1069 X509 *x, size_t chainidx, int *al)
1071 const unsigned char cryptopro_ext[36] = {
1072 0xfd, 0xe8, /* 65000 */
1073 0x00, 0x20, /* 32 bytes length */
1074 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1075 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1076 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1077 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1080 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1081 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1082 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1085 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1086 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1093 int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
1094 size_t chainidx, int *al)
1099 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1100 || !WPACKET_start_sub_packet_u16(pkt)
1101 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1102 || !WPACKET_close(pkt)) {
1103 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);