2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_local.h"
12 #include "statem_local.h"
13 #include "internal/cryptlib.h"
15 #define COOKIE_STATE_FORMAT_VERSION 0
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
24 #define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
28 * Message header + 2 bytes for protocol version + number of random bytes +
29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
34 #define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
39 * Parse the client's renegotiation binding and abort if it's not right
41 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
42 X509 *x, size_t chainidx)
45 const unsigned char *data;
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
51 SSL_R_RENEGOTIATION_ENCODING_ERR);
55 /* Check that the extension matches */
56 if (ilen != s->s3.previous_client_finished_len) {
57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
58 SSL_R_RENEGOTIATION_MISMATCH);
62 if (memcmp(data, s->s3.previous_client_finished,
63 s->s3.previous_client_finished_len)) {
64 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
65 SSL_R_RENEGOTIATION_MISMATCH);
69 s->s3.send_connection_binding = 1;
75 * The servername extension is treated as follows:
77 * - Only the hostname type is supported with a maximum length of 255.
78 * - The servername is rejected if too long or if it contains zeros,
79 * in which case an fatal alert is generated.
80 * - The servername field is maintained together with the session cache.
81 * - When a session is resumed, the servername call back invoked in order
82 * to allow the application to position itself to the right context.
83 * - The servername is acknowledged if it is new for a session or when
84 * it is identical to a previously used for the same session.
85 * Applications can control the behaviour. They can at any time
86 * set a 'desirable' servername for a new SSL object. This can be the
87 * case for example with HTTPS when a Host: header field is received and
88 * a renegotiation is requested. In this case, a possible servername
89 * presented in the new client hello is only acknowledged if it matches
90 * the value of the Host: field.
91 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
92 * if they provide for changing an explicit servername context for the
93 * session, i.e. when the session has been established with a servername
95 * - On session reconnect, the servername extension may be absent.
97 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
98 X509 *x, size_t chainidx)
100 unsigned int servname_type;
101 PACKET sni, hostname;
103 if (!PACKET_as_length_prefixed_2(pkt, &sni)
104 /* ServerNameList must be at least 1 byte long. */
105 || PACKET_remaining(&sni) == 0) {
106 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
107 SSL_R_BAD_EXTENSION);
112 * Although the intent was for server_name to be extensible, RFC 4366
113 * was not clear about it; and so OpenSSL among other implementations,
114 * always and only allows a 'host_name' name types.
115 * RFC 6066 corrected the mistake but adding new name types
116 * is nevertheless no longer feasible, so act as if no other
117 * SNI types can exist, to simplify parsing.
119 * Also note that the RFC permits only one SNI value per type,
120 * i.e., we can only have a single hostname.
122 if (!PACKET_get_1(&sni, &servname_type)
123 || servname_type != TLSEXT_NAMETYPE_host_name
124 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
126 SSL_R_BAD_EXTENSION);
131 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
132 * we always use the SNI value from the handshake.
134 if (!s->hit || SSL_IS_TLS13(s)) {
135 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
137 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
138 SSL_R_BAD_EXTENSION);
142 if (PACKET_contains_zero_byte(&hostname)) {
143 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
144 SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
145 SSL_R_BAD_EXTENSION);
150 * Store the requested SNI in the SSL as temporary storage.
151 * If we accept it, it will get stored in the SSL_SESSION as well.
153 OPENSSL_free(s->ext.hostname);
154 s->ext.hostname = NULL;
155 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
156 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
157 ERR_R_INTERNAL_ERROR);
161 s->servername_done = 1;
164 * In TLSv1.2 and below we should check if the SNI is consistent between
165 * the initial handshake and the resumption. In TLSv1.3 SNI is not
166 * associated with the session.
169 * TODO(openssl-team): if the SNI doesn't match, we MUST
170 * fall back to a full handshake.
172 s->servername_done = (s->session->ext.hostname != NULL)
173 && PACKET_equal(&hostname, s->session->ext.hostname,
174 strlen(s->session->ext.hostname));
180 int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
181 X509 *x, size_t chainidx)
185 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
186 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
187 SSL_R_BAD_EXTENSION);
191 /* Received |value| should be a valid max-fragment-length code. */
192 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
193 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
194 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
195 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
200 * RFC 6066: The negotiated length applies for the duration of the session
201 * including session resumptions.
202 * We should receive the same code as in resumed session !
204 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
205 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
206 SSL_F_TLS_PARSE_CTOS_MAXFRAGMENTLEN,
207 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
212 * Store it in session, so it'll become binding for us
213 * and we'll include it in a next Server Hello.
215 s->session->ext.max_fragment_len_mode = value;
219 #ifndef OPENSSL_NO_SRP
220 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
225 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
226 || PACKET_contains_zero_byte(&srp_I)) {
227 SSLfatal(s, SSL_AD_DECODE_ERROR,
228 SSL_F_TLS_PARSE_CTOS_SRP,
229 SSL_R_BAD_EXTENSION);
234 * TODO(openssl-team): currently, we re-authenticate the user
235 * upon resumption. Instead, we MUST ignore the login.
237 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
238 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SRP,
239 ERR_R_INTERNAL_ERROR);
247 #ifndef OPENSSL_NO_EC
248 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
249 X509 *x, size_t chainidx)
251 PACKET ec_point_format_list;
253 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
254 || PACKET_remaining(&ec_point_format_list) == 0) {
255 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS,
256 SSL_R_BAD_EXTENSION);
261 if (!PACKET_memdup(&ec_point_format_list,
262 &s->ext.peer_ecpointformats,
263 &s->ext.peer_ecpointformats_len)) {
264 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
265 SSL_F_TLS_PARSE_CTOS_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
272 #endif /* OPENSSL_NO_EC */
274 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
275 X509 *x, size_t chainidx)
277 if (s->ext.session_ticket_cb &&
278 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
279 PACKET_remaining(pkt),
280 s->ext.session_ticket_cb_arg)) {
281 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
282 SSL_F_TLS_PARSE_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
289 int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
290 X509 *x, size_t chainidx)
292 PACKET supported_sig_algs;
294 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
295 || PACKET_remaining(&supported_sig_algs) == 0) {
296 SSLfatal(s, SSL_AD_DECODE_ERROR,
297 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
301 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
302 SSLfatal(s, SSL_AD_DECODE_ERROR,
303 SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
310 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
313 PACKET supported_sig_algs;
315 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
316 || PACKET_remaining(&supported_sig_algs) == 0) {
317 SSLfatal(s, SSL_AD_DECODE_ERROR,
318 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
322 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
323 SSLfatal(s, SSL_AD_DECODE_ERROR,
324 SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
331 #ifndef OPENSSL_NO_OCSP
332 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
333 X509 *x, size_t chainidx)
335 PACKET responder_id_list, exts;
337 /* We ignore this in a resumption handshake */
341 /* Not defined if we get one of these in a client Certificate */
345 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
346 SSLfatal(s, SSL_AD_DECODE_ERROR,
347 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
351 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
353 * We don't know what to do with any other type so ignore it.
355 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
359 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
360 SSLfatal(s, SSL_AD_DECODE_ERROR,
361 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
366 * We remove any OCSP_RESPIDs from a previous handshake
367 * to prevent unbounded memory growth - CVE-2016-6304
369 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
370 if (PACKET_remaining(&responder_id_list) > 0) {
371 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
372 if (s->ext.ocsp.ids == NULL) {
373 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
374 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_MALLOC_FAILURE);
378 s->ext.ocsp.ids = NULL;
381 while (PACKET_remaining(&responder_id_list) > 0) {
384 const unsigned char *id_data;
386 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
387 || PACKET_remaining(&responder_id) == 0) {
388 SSLfatal(s, SSL_AD_DECODE_ERROR,
389 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
393 id_data = PACKET_data(&responder_id);
394 /* TODO(size_t): Convert d2i_* to size_t */
395 id = d2i_OCSP_RESPID(NULL, &id_data,
396 (int)PACKET_remaining(&responder_id));
398 SSLfatal(s, SSL_AD_DECODE_ERROR,
399 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
403 if (id_data != PACKET_end(&responder_id)) {
404 OCSP_RESPID_free(id);
405 SSLfatal(s, SSL_AD_DECODE_ERROR,
406 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
411 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
412 OCSP_RESPID_free(id);
413 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
414 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
420 /* Read in request_extensions */
421 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
422 SSLfatal(s, SSL_AD_DECODE_ERROR,
423 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
427 if (PACKET_remaining(&exts) > 0) {
428 const unsigned char *ext_data = PACKET_data(&exts);
430 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
431 X509_EXTENSION_free);
433 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
434 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
435 SSLfatal(s, SSL_AD_DECODE_ERROR,
436 SSL_F_TLS_PARSE_CTOS_STATUS_REQUEST, SSL_R_BAD_EXTENSION);
445 #ifndef OPENSSL_NO_NEXTPROTONEG
446 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
450 * We shouldn't accept this extension on a
453 if (SSL_IS_FIRST_HANDSHAKE(s))
461 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
462 * extension, not including type and length. Returns: 1 on success, 0 on error.
464 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
467 PACKET protocol_list, save_protocol_list, protocol;
469 if (!SSL_IS_FIRST_HANDSHAKE(s))
472 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
473 || PACKET_remaining(&protocol_list) < 2) {
474 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
475 SSL_R_BAD_EXTENSION);
479 save_protocol_list = protocol_list;
481 /* Protocol names can't be empty. */
482 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
483 || PACKET_remaining(&protocol) == 0) {
484 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
485 SSL_R_BAD_EXTENSION);
488 } while (PACKET_remaining(&protocol_list) != 0);
490 OPENSSL_free(s->s3.alpn_proposed);
491 s->s3.alpn_proposed = NULL;
492 s->s3.alpn_proposed_len = 0;
493 if (!PACKET_memdup(&save_protocol_list,
494 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_ALPN,
496 ERR_R_INTERNAL_ERROR);
503 #ifndef OPENSSL_NO_SRTP
504 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
507 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
508 unsigned int ct, mki_len, id;
512 /* Ignore this if we have no SRTP profiles */
513 if (SSL_get_srtp_profiles(s) == NULL)
516 /* Pull off the length of the cipher suite list and check it is even */
517 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
518 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
520 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
524 srvr = SSL_get_srtp_profiles(s);
525 s->srtp_profile = NULL;
526 /* Search all profiles for a match initially */
527 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
529 while (PACKET_remaining(&subpkt)) {
530 if (!PACKET_get_net_2(&subpkt, &id)) {
531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
532 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
537 * Only look for match in profiles of higher preference than
539 * If no profiles have been have been configured then this
542 for (i = 0; i < srtp_pref; i++) {
543 SRTP_PROTECTION_PROFILE *sprof =
544 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
546 if (sprof->id == id) {
547 s->srtp_profile = sprof;
554 /* Now extract the MKI value as a sanity check, but discard it for now */
555 if (!PACKET_get_1(pkt, &mki_len)) {
556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
557 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
561 if (!PACKET_forward(pkt, mki_len)
562 || PACKET_remaining(pkt)) {
563 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_USE_SRTP,
564 SSL_R_BAD_SRTP_MKI_VALUE);
572 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
575 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
582 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
583 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
585 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
586 X509 *x, size_t chainidx)
588 #ifndef OPENSSL_NO_TLS1_3
589 PACKET psk_kex_modes;
592 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
593 || PACKET_remaining(&psk_kex_modes) == 0) {
594 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK_KEX_MODES,
595 SSL_R_BAD_EXTENSION);
599 while (PACKET_get_1(&psk_kex_modes, &mode)) {
600 if (mode == TLSEXT_KEX_MODE_KE_DHE)
601 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
602 else if (mode == TLSEXT_KEX_MODE_KE
603 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
604 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
612 * Process a key_share extension received in the ClientHello. |pkt| contains
613 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
615 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
618 #ifndef OPENSSL_NO_TLS1_3
619 unsigned int group_id;
620 PACKET key_share_list, encoded_pt;
621 const uint16_t *clntgroups, *srvrgroups;
622 size_t clnt_num_groups, srvr_num_groups;
625 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
629 if (s->s3.peer_tmp != NULL) {
630 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
631 ERR_R_INTERNAL_ERROR);
635 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
637 SSL_R_LENGTH_MISMATCH);
641 /* Get our list of supported groups */
642 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
643 /* Get the clients list of supported groups. */
644 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
645 if (clnt_num_groups == 0) {
647 * This can only happen if the supported_groups extension was not sent,
648 * because we verify that the length is non-zero when we process that
651 SSLfatal(s, SSL_AD_MISSING_EXTENSION, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
652 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
656 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
658 * If we set a group_id already, then we must have sent an HRR
659 * requesting a new key_share. If we haven't got one then that is an
662 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
663 SSL_R_BAD_KEY_SHARE);
667 while (PACKET_remaining(&key_share_list) > 0) {
668 if (!PACKET_get_net_2(&key_share_list, &group_id)
669 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
670 || PACKET_remaining(&encoded_pt) == 0) {
671 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
672 SSL_R_LENGTH_MISMATCH);
677 * If we already found a suitable key_share we loop through the
678 * rest to verify the structure, but don't process them.
684 * If we sent an HRR then the key_share sent back MUST be for the group
685 * we requested, and must be the only key_share sent.
687 if (s->s3.group_id != 0
688 && (group_id != s->s3.group_id
689 || PACKET_remaining(&key_share_list) != 0)) {
690 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
691 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
695 /* Check if this share is in supported_groups sent from client */
696 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
697 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
698 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
702 /* Check if this share is for a group we can use */
703 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
704 /* Share not suitable */
708 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
709 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
710 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
715 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
716 * knows how to get a key from an encoded point with the help of
717 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
718 * downgrades an EVP_PKEY to contain a legacy key.
722 EVP_PKEY_get0(s->s3.peer_tmp);
723 if (EVP_PKEY_id(s->s3.peer_tmp) == EVP_PKEY_NONE) {
724 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
725 ERR_R_INTERNAL_ERROR);
729 s->s3.group_id = group_id;
731 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3.peer_tmp,
732 PACKET_data(&encoded_pt),
733 PACKET_remaining(&encoded_pt))) {
734 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
735 SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
746 int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
749 #ifndef OPENSSL_NO_TLS1_3
750 unsigned int format, version, key_share, group_id;
753 PACKET cookie, raw, chhash, appcookie;
755 const unsigned char *data, *mdin, *ciphdata;
756 unsigned char hmac[SHA256_DIGEST_LENGTH];
757 unsigned char hrr[MAX_HRR_SIZE];
758 size_t rawlen, hmaclen, hrrlen, ciphlen;
759 unsigned long tm, now;
761 /* Ignore any cookie if we're not set up to verify it */
762 if (s->ctx->verify_stateless_cookie_cb == NULL
763 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
766 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
767 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
768 SSL_R_LENGTH_MISMATCH);
773 data = PACKET_data(&raw);
774 rawlen = PACKET_remaining(&raw);
775 if (rawlen < SHA256_DIGEST_LENGTH
776 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
777 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
778 SSL_R_LENGTH_MISMATCH);
781 mdin = PACKET_data(&raw);
783 /* Verify the HMAC of the cookie */
784 hctx = EVP_MD_CTX_create();
785 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
786 s->session_ctx->ext.cookie_hmac_key,
787 sizeof(s->session_ctx->ext
789 if (hctx == NULL || pkey == NULL) {
790 EVP_MD_CTX_free(hctx);
792 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
793 ERR_R_MALLOC_FAILURE);
797 hmaclen = SHA256_DIGEST_LENGTH;
798 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
800 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
801 rawlen - SHA256_DIGEST_LENGTH) <= 0
802 || hmaclen != SHA256_DIGEST_LENGTH) {
803 EVP_MD_CTX_free(hctx);
805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
806 ERR_R_INTERNAL_ERROR);
810 EVP_MD_CTX_free(hctx);
813 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
814 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
815 SSL_R_COOKIE_MISMATCH);
819 if (!PACKET_get_net_2(&cookie, &format)) {
820 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
821 SSL_R_LENGTH_MISMATCH);
824 /* Check the cookie format is something we recognise. Ignore it if not */
825 if (format != COOKIE_STATE_FORMAT_VERSION)
829 * The rest of these checks really shouldn't fail since we have verified the
833 /* Check the version number is sane */
834 if (!PACKET_get_net_2(&cookie, &version)) {
835 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
836 SSL_R_LENGTH_MISMATCH);
839 if (version != TLS1_3_VERSION) {
840 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
841 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
845 if (!PACKET_get_net_2(&cookie, &group_id)) {
846 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
847 SSL_R_LENGTH_MISMATCH);
851 ciphdata = PACKET_data(&cookie);
852 if (!PACKET_forward(&cookie, 2)) {
853 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
854 SSL_R_LENGTH_MISMATCH);
857 if (group_id != s->s3.group_id
858 || s->s3.tmp.new_cipher
859 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
861 * We chose a different cipher or group id this time around to what is
862 * in the cookie. Something must have changed.
864 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
869 if (!PACKET_get_1(&cookie, &key_share)
870 || !PACKET_get_net_4(&cookie, &tm)
871 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
872 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
873 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
874 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
875 SSL_R_LENGTH_MISMATCH);
879 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
880 now = (unsigned long)time(NULL);
881 if (tm > now || (now - tm) > 600) {
882 /* Cookie is stale. Ignore it */
886 /* Verify the app cookie */
887 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
888 PACKET_remaining(&appcookie)) == 0) {
889 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
890 SSL_R_COOKIE_MISMATCH);
895 * Reconstruct the HRR that we would have sent in response to the original
896 * ClientHello so we can add it to the transcript hash.
897 * Note: This won't work with custom HRR extensions
899 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
901 ERR_R_INTERNAL_ERROR);
904 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
905 || !WPACKET_start_sub_packet_u24(&hrrpkt)
906 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
907 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
908 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
909 s->tmp_session_id_len)
910 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
912 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
913 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
914 WPACKET_cleanup(&hrrpkt);
915 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
916 ERR_R_INTERNAL_ERROR);
919 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
920 || !WPACKET_start_sub_packet_u16(&hrrpkt)
921 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
922 || !WPACKET_close(&hrrpkt)) {
923 WPACKET_cleanup(&hrrpkt);
924 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
925 ERR_R_INTERNAL_ERROR);
929 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
930 || !WPACKET_start_sub_packet_u16(&hrrpkt)
931 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
932 || !WPACKET_close(&hrrpkt)) {
933 WPACKET_cleanup(&hrrpkt);
934 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
935 ERR_R_INTERNAL_ERROR);
939 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
940 || !WPACKET_start_sub_packet_u16(&hrrpkt)
941 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
942 || !WPACKET_close(&hrrpkt) /* cookie extension */
943 || !WPACKET_close(&hrrpkt) /* extension block */
944 || !WPACKET_close(&hrrpkt) /* message */
945 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
946 || !WPACKET_finish(&hrrpkt)) {
947 WPACKET_cleanup(&hrrpkt);
948 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
949 ERR_R_INTERNAL_ERROR);
953 /* Reconstruct the transcript hash */
954 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
955 PACKET_remaining(&chhash), hrr,
957 /* SSLfatal() already called */
961 /* Act as if this ClientHello came after a HelloRetryRequest */
962 s->hello_retry_request = 1;
970 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
971 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
972 X509 *x, size_t chainidx)
974 PACKET supported_groups_list;
976 /* Each group is 2 bytes and we must have at least 1. */
977 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
978 || PACKET_remaining(&supported_groups_list) == 0
979 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
980 SSLfatal(s, SSL_AD_DECODE_ERROR,
981 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS, SSL_R_BAD_EXTENSION);
985 if (!s->hit || SSL_IS_TLS13(s)) {
986 OPENSSL_free(s->ext.peer_supportedgroups);
987 s->ext.peer_supportedgroups = NULL;
988 s->ext.peer_supportedgroups_len = 0;
989 if (!tls1_save_u16(&supported_groups_list,
990 &s->ext.peer_supportedgroups,
991 &s->ext.peer_supportedgroups_len)) {
992 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
993 SSL_F_TLS_PARSE_CTOS_SUPPORTED_GROUPS,
994 ERR_R_INTERNAL_ERROR);
1003 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1006 /* The extension must always be empty */
1007 if (PACKET_remaining(pkt) != 0) {
1008 SSLfatal(s, SSL_AD_DECODE_ERROR,
1009 SSL_F_TLS_PARSE_CTOS_EMS, SSL_R_BAD_EXTENSION);
1013 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1016 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1022 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
1023 X509 *x, size_t chainidx)
1025 if (PACKET_remaining(pkt) != 0) {
1026 SSLfatal(s, SSL_AD_DECODE_ERROR,
1027 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1031 if (s->hello_retry_request != SSL_HRR_NONE) {
1032 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1033 SSL_F_TLS_PARSE_CTOS_EARLY_DATA, SSL_R_BAD_EXTENSION);
1040 static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
1043 SSL_SESSION *tmpsess = NULL;
1045 s->ext.ticket_expected = 1;
1047 switch (PACKET_remaining(tick)) {
1049 return SSL_TICKET_EMPTY;
1051 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1055 return SSL_TICKET_NO_DECRYPT;
1058 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1059 SSL_MAX_SSL_SESSION_ID_LENGTH);
1061 if (tmpsess == NULL)
1062 return SSL_TICKET_NO_DECRYPT;
1065 return SSL_TICKET_SUCCESS;
1068 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1071 PACKET identities, binders, binder;
1072 size_t binderoffset, hashsize;
1073 SSL_SESSION *sess = NULL;
1074 unsigned int id, i, ext = 0;
1075 const EVP_MD *md = NULL;
1078 * If we have no PSK kex mode that we recognise then we can't resume so
1079 * ignore this extension
1081 if ((s->ext.psk_kex_mode
1082 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1085 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
1086 SSLfatal(s, SSL_AD_DECODE_ERROR,
1087 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1091 s->ext.ticket_expected = 0;
1092 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1094 unsigned long ticket_agel;
1097 if (!PACKET_get_length_prefixed_2(&identities, &identity)
1098 || !PACKET_get_net_4(&identities, &ticket_agel)) {
1099 SSLfatal(s, SSL_AD_DECODE_ERROR,
1100 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1104 idlen = PACKET_remaining(&identity);
1105 if (s->psk_find_session_cb != NULL
1106 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
1108 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1109 SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
1113 #ifndef OPENSSL_NO_PSK
1115 && s->psk_server_callback != NULL
1116 && idlen <= PSK_MAX_IDENTITY_LEN) {
1118 unsigned char pskdata[PSK_MAX_PSK_LEN];
1119 unsigned int pskdatalen;
1121 if (!PACKET_strndup(&identity, &pskid)) {
1122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1123 ERR_R_INTERNAL_ERROR);
1126 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1128 OPENSSL_free(pskid);
1129 if (pskdatalen > PSK_MAX_PSK_LEN) {
1130 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1131 ERR_R_INTERNAL_ERROR);
1133 } else if (pskdatalen > 0) {
1134 const SSL_CIPHER *cipher;
1135 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1138 * We found a PSK using an old style callback. We don't know
1139 * the digest so we default to SHA256 as per the TLSv1.3 spec
1141 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1142 if (cipher == NULL) {
1143 OPENSSL_cleanse(pskdata, pskdatalen);
1144 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1145 ERR_R_INTERNAL_ERROR);
1149 sess = SSL_SESSION_new();
1151 || !SSL_SESSION_set1_master_key(sess, pskdata,
1153 || !SSL_SESSION_set_cipher(sess, cipher)
1154 || !SSL_SESSION_set_protocol_version(sess,
1156 OPENSSL_cleanse(pskdata, pskdatalen);
1157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1158 ERR_R_INTERNAL_ERROR);
1161 OPENSSL_cleanse(pskdata, pskdatalen);
1164 #endif /* OPENSSL_NO_PSK */
1167 /* We found a PSK */
1168 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1170 if (sesstmp == NULL) {
1171 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1172 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1175 SSL_SESSION_free(sess);
1179 * We've just been told to use this session for this context so
1180 * make sure the sid_ctx matches up.
1182 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1183 sess->sid_ctx_length = s->sid_ctx_length;
1186 s->ext.early_data_ok = 1;
1187 s->ext.ticket_expected = 1;
1189 uint32_t ticket_age = 0, now, agesec, agems;
1193 * If we are using anti-replay protection then we behave as if
1194 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1195 * is no point in using full stateless tickets.
1197 if ((s->options & SSL_OP_NO_TICKET) != 0
1198 || (s->max_early_data > 0
1199 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
1200 ret = tls_get_stateful_ticket(s, &identity, &sess);
1202 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1203 PACKET_remaining(&identity), NULL, 0,
1206 if (ret == SSL_TICKET_EMPTY) {
1207 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1208 SSL_R_BAD_EXTENSION);
1212 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1213 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
1214 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1215 SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
1218 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
1221 /* Check for replay */
1222 if (s->max_early_data > 0
1223 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
1224 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1225 SSL_SESSION_free(sess);
1230 ticket_age = (uint32_t)ticket_agel;
1231 now = (uint32_t)time(NULL);
1232 agesec = now - (uint32_t)sess->time;
1233 agems = agesec * (uint32_t)1000;
1234 ticket_age -= sess->ext.tick_age_add;
1237 * For simplicity we do our age calculations in seconds. If the
1238 * client does it in ms then it could appear that their ticket age
1239 * is longer than ours (our ticket age calculation should always be
1240 * slightly longer than the client's due to the network latency).
1241 * Therefore we add 1000ms to our age calculation to adjust for
1245 && sess->timeout >= (long)agesec
1246 && agems / (uint32_t)1000 == agesec
1247 && ticket_age <= agems + 1000
1248 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1250 * Ticket age is within tolerance and not expired. We allow it
1253 s->ext.early_data_ok = 1;
1257 md = ssl_md(s->ctx, sess->cipher->algorithm2);
1258 if (!EVP_MD_is_a(md,
1259 EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
1260 /* The ciphersuite is not compatible with this session. */
1261 SSL_SESSION_free(sess);
1263 s->ext.early_data_ok = 0;
1264 s->ext.ticket_expected = 0;
1273 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
1274 hashsize = EVP_MD_size(md);
1276 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
1277 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1278 SSL_R_BAD_EXTENSION);
1282 for (i = 0; i <= id; i++) {
1283 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
1284 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1285 SSL_R_BAD_EXTENSION);
1290 if (PACKET_remaining(&binder) != hashsize) {
1291 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
1292 SSL_R_BAD_EXTENSION);
1295 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1296 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1298 /* SSLfatal() already called */
1302 s->ext.tick_identity = id;
1304 SSL_SESSION_free(s->session);
1308 SSL_SESSION_free(sess);
1312 int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
1313 X509 *x, size_t chainidx)
1315 if (PACKET_remaining(pkt) != 0) {
1316 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
1317 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1321 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1327 * Add the server's renegotiation binding
1329 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1330 unsigned int context, X509 *x,
1333 if (!s->s3.send_connection_binding)
1334 return EXT_RETURN_NOT_SENT;
1336 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
1337 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1338 || !WPACKET_start_sub_packet_u16(pkt)
1339 || !WPACKET_start_sub_packet_u8(pkt)
1340 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1341 s->s3.previous_client_finished_len)
1342 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1343 s->s3.previous_server_finished_len)
1344 || !WPACKET_close(pkt)
1345 || !WPACKET_close(pkt)) {
1346 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE,
1347 ERR_R_INTERNAL_ERROR);
1348 return EXT_RETURN_FAIL;
1351 return EXT_RETURN_SENT;
1354 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1355 unsigned int context, X509 *x,
1358 if (s->servername_done != 1)
1359 return EXT_RETURN_NOT_SENT;
1362 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1363 * We just use the servername from the initial handshake.
1365 if (s->hit && !SSL_IS_TLS13(s))
1366 return EXT_RETURN_NOT_SENT;
1368 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1369 || !WPACKET_put_bytes_u16(pkt, 0)) {
1370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME,
1371 ERR_R_INTERNAL_ERROR);
1372 return EXT_RETURN_FAIL;
1375 return EXT_RETURN_SENT;
1378 /* Add/include the server's max fragment len extension into ServerHello */
1379 EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1380 unsigned int context, X509 *x,
1383 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1384 return EXT_RETURN_NOT_SENT;
1387 * 4 bytes for this extension type and extension length
1388 * 1 byte for the Max Fragment Length code value.
1390 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1391 || !WPACKET_start_sub_packet_u16(pkt)
1392 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1393 || !WPACKET_close(pkt)) {
1394 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1395 SSL_F_TLS_CONSTRUCT_STOC_MAXFRAGMENTLEN, ERR_R_INTERNAL_ERROR);
1396 return EXT_RETURN_FAIL;
1399 return EXT_RETURN_SENT;
1402 #ifndef OPENSSL_NO_EC
1403 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1404 unsigned int context, X509 *x,
1407 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1408 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
1409 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
1410 && (s->ext.peer_ecpointformats != NULL);
1411 const unsigned char *plist;
1415 return EXT_RETURN_NOT_SENT;
1417 tls1_get_formatlist(s, &plist, &plistlen);
1418 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1419 || !WPACKET_start_sub_packet_u16(pkt)
1420 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1421 || !WPACKET_close(pkt)) {
1422 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1423 SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
1424 return EXT_RETURN_FAIL;
1427 return EXT_RETURN_SENT;
1431 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1432 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1433 unsigned int context, X509 *x,
1436 const uint16_t *groups;
1437 size_t numgroups, i, first = 1;
1439 /* s->s3.group_id is non zero if we accepted a key_share */
1440 if (s->s3.group_id == 0)
1441 return EXT_RETURN_NOT_SENT;
1443 /* Get our list of supported groups */
1444 tls1_get_supported_groups(s, &groups, &numgroups);
1445 if (numgroups == 0) {
1446 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1447 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
1448 return EXT_RETURN_FAIL;
1451 /* Copy group ID if supported */
1452 for (i = 0; i < numgroups; i++) {
1453 uint16_t group = groups[i];
1455 if (tls_valid_group(s, group, SSL_version(s))
1456 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
1459 * Check if the client is already using our preferred group. If
1460 * so we don't need to add this extension
1462 if (s->s3.group_id == group)
1463 return EXT_RETURN_NOT_SENT;
1465 /* Add extension header */
1466 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1467 /* Sub-packet for supported_groups extension */
1468 || !WPACKET_start_sub_packet_u16(pkt)
1469 || !WPACKET_start_sub_packet_u16(pkt)) {
1470 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1471 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1472 ERR_R_INTERNAL_ERROR);
1473 return EXT_RETURN_FAIL;
1478 if (!WPACKET_put_bytes_u16(pkt, group)) {
1479 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1480 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1481 ERR_R_INTERNAL_ERROR);
1482 return EXT_RETURN_FAIL;
1487 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
1488 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1489 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
1490 ERR_R_INTERNAL_ERROR);
1491 return EXT_RETURN_FAIL;
1494 return EXT_RETURN_SENT;
1498 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1499 unsigned int context, X509 *x,
1502 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1503 s->ext.ticket_expected = 0;
1504 return EXT_RETURN_NOT_SENT;
1507 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1508 || !WPACKET_put_bytes_u16(pkt, 0)) {
1509 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1510 SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
1511 return EXT_RETURN_FAIL;
1514 return EXT_RETURN_SENT;
1517 #ifndef OPENSSL_NO_OCSP
1518 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1519 unsigned int context, X509 *x,
1522 /* We don't currently support this extension inside a CertificateRequest */
1523 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1524 return EXT_RETURN_NOT_SENT;
1526 if (!s->ext.status_expected)
1527 return EXT_RETURN_NOT_SENT;
1529 if (SSL_IS_TLS13(s) && chainidx != 0)
1530 return EXT_RETURN_NOT_SENT;
1532 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
1533 || !WPACKET_start_sub_packet_u16(pkt)) {
1534 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1535 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1536 return EXT_RETURN_FAIL;
1540 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1541 * send back an empty extension, with the certificate status appearing as a
1544 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1545 /* SSLfatal() already called */
1546 return EXT_RETURN_FAIL;
1548 if (!WPACKET_close(pkt)) {
1549 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1550 SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
1551 return EXT_RETURN_FAIL;
1554 return EXT_RETURN_SENT;
1558 #ifndef OPENSSL_NO_NEXTPROTONEG
1559 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1560 unsigned int context, X509 *x,
1563 const unsigned char *npa;
1564 unsigned int npalen;
1566 int npn_seen = s->s3.npn_seen;
1569 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
1570 return EXT_RETURN_NOT_SENT;
1572 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1573 s->ctx->ext.npn_advertised_cb_arg);
1574 if (ret == SSL_TLSEXT_ERR_OK) {
1575 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1576 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1577 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1578 SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1579 ERR_R_INTERNAL_ERROR);
1580 return EXT_RETURN_FAIL;
1585 return EXT_RETURN_SENT;
1589 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1590 X509 *x, size_t chainidx)
1592 if (s->s3.alpn_selected == NULL)
1593 return EXT_RETURN_NOT_SENT;
1595 if (!WPACKET_put_bytes_u16(pkt,
1596 TLSEXT_TYPE_application_layer_protocol_negotiation)
1597 || !WPACKET_start_sub_packet_u16(pkt)
1598 || !WPACKET_start_sub_packet_u16(pkt)
1599 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1600 s->s3.alpn_selected_len)
1601 || !WPACKET_close(pkt)
1602 || !WPACKET_close(pkt)) {
1603 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1604 SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1605 return EXT_RETURN_FAIL;
1608 return EXT_RETURN_SENT;
1611 #ifndef OPENSSL_NO_SRTP
1612 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1613 unsigned int context, X509 *x,
1616 if (s->srtp_profile == NULL)
1617 return EXT_RETURN_NOT_SENT;
1619 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1620 || !WPACKET_start_sub_packet_u16(pkt)
1621 || !WPACKET_put_bytes_u16(pkt, 2)
1622 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1623 || !WPACKET_put_bytes_u8(pkt, 0)
1624 || !WPACKET_close(pkt)) {
1625 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP,
1626 ERR_R_INTERNAL_ERROR);
1627 return EXT_RETURN_FAIL;
1630 return EXT_RETURN_SENT;
1634 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1635 X509 *x, size_t chainidx)
1637 if (!s->ext.use_etm)
1638 return EXT_RETURN_NOT_SENT;
1641 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1642 * for other cases too.
1644 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1645 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1646 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1647 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1649 return EXT_RETURN_NOT_SENT;
1652 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1653 || !WPACKET_put_bytes_u16(pkt, 0)) {
1654 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_ETM,
1655 ERR_R_INTERNAL_ERROR);
1656 return EXT_RETURN_FAIL;
1659 return EXT_RETURN_SENT;
1662 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1663 X509 *x, size_t chainidx)
1665 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1666 return EXT_RETURN_NOT_SENT;
1668 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1669 || !WPACKET_put_bytes_u16(pkt, 0)) {
1670 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EMS,
1671 ERR_R_INTERNAL_ERROR);
1672 return EXT_RETURN_FAIL;
1675 return EXT_RETURN_SENT;
1678 EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1679 unsigned int context, X509 *x,
1682 if (!ossl_assert(SSL_IS_TLS13(s))) {
1683 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1684 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1685 ERR_R_INTERNAL_ERROR);
1686 return EXT_RETURN_FAIL;
1689 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1690 || !WPACKET_start_sub_packet_u16(pkt)
1691 || !WPACKET_put_bytes_u16(pkt, s->version)
1692 || !WPACKET_close(pkt)) {
1693 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1694 SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
1695 ERR_R_INTERNAL_ERROR);
1696 return EXT_RETURN_FAIL;
1699 return EXT_RETURN_SENT;
1702 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1703 unsigned int context, X509 *x,
1706 #ifndef OPENSSL_NO_TLS1_3
1707 unsigned char *encodedPoint;
1708 size_t encoded_pt_len = 0;
1709 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
1711 if (s->hello_retry_request == SSL_HRR_PENDING) {
1713 /* Original key_share was acceptable so don't ask for another one */
1714 return EXT_RETURN_NOT_SENT;
1716 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1717 || !WPACKET_start_sub_packet_u16(pkt)
1718 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1719 || !WPACKET_close(pkt)) {
1720 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1721 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1722 ERR_R_INTERNAL_ERROR);
1723 return EXT_RETURN_FAIL;
1726 return EXT_RETURN_SENT;
1730 /* No key_share received from client - must be resuming */
1731 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1732 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1733 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1734 return EXT_RETURN_FAIL;
1736 return EXT_RETURN_NOT_SENT;
1739 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1740 || !WPACKET_start_sub_packet_u16(pkt)
1741 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
1742 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1743 SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1744 return EXT_RETURN_FAIL;
1747 skey = ssl_generate_pkey(s, ckey);
1749 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1750 ERR_R_MALLOC_FAILURE);
1751 return EXT_RETURN_FAIL;
1755 * TODO(3.0) Remove this when EVP_PKEY_get1_tls_encodedpoint()
1756 * knows how to get a key from an encoded point with the help of
1757 * a OSSL_SERIALIZER deserializer. We know that EVP_PKEY_get0()
1758 * downgrades an EVP_PKEY to contain a legacy key.
1762 EVP_PKEY_get0(skey);
1763 if (EVP_PKEY_id(skey) == EVP_PKEY_NONE) {
1764 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1765 ERR_R_INTERNAL_ERROR);
1766 return EXT_RETURN_FAIL;
1769 /* Generate encoding of server key */
1770 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1771 if (encoded_pt_len == 0) {
1772 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1774 EVP_PKEY_free(skey);
1775 return EXT_RETURN_FAIL;
1778 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1779 || !WPACKET_close(pkt)) {
1780 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1781 ERR_R_INTERNAL_ERROR);
1782 EVP_PKEY_free(skey);
1783 OPENSSL_free(encodedPoint);
1784 return EXT_RETURN_FAIL;
1786 OPENSSL_free(encodedPoint);
1788 /* This causes the crypto state to be updated based on the derived keys */
1789 s->s3.tmp.pkey = skey;
1790 if (ssl_derive(s, skey, ckey, 1) == 0) {
1791 /* SSLfatal() already called */
1792 return EXT_RETURN_FAIL;
1794 return EXT_RETURN_SENT;
1796 return EXT_RETURN_FAIL;
1800 EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1801 X509 *x, size_t chainidx)
1803 #ifndef OPENSSL_NO_TLS1_3
1804 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1805 unsigned char *hmac, *hmac2;
1806 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
1809 int ret = EXT_RETURN_FAIL;
1811 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
1812 return EXT_RETURN_NOT_SENT;
1814 if (s->ctx->gen_stateless_cookie_cb == NULL) {
1815 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1816 SSL_R_NO_COOKIE_CALLBACK_SET);
1817 return EXT_RETURN_FAIL;
1820 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1821 || !WPACKET_start_sub_packet_u16(pkt)
1822 || !WPACKET_start_sub_packet_u16(pkt)
1823 || !WPACKET_get_total_written(pkt, &startlen)
1824 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1825 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1826 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
1827 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1828 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1830 /* Is there a key_share extension present in this HRR? */
1831 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
1832 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
1833 || !WPACKET_start_sub_packet_u16(pkt)
1834 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
1835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1836 ERR_R_INTERNAL_ERROR);
1837 return EXT_RETURN_FAIL;
1841 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1842 * on raw buffers, so we first reserve sufficient bytes (above) and then
1843 * subsequently allocate them (below)
1845 if (!ssl3_digest_cached_records(s, 0)
1846 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1847 /* SSLfatal() already called */
1848 return EXT_RETURN_FAIL;
1851 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1852 || !ossl_assert(hashval1 == hashval2)
1853 || !WPACKET_close(pkt)
1854 || !WPACKET_start_sub_packet_u8(pkt)
1855 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
1856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1857 ERR_R_INTERNAL_ERROR);
1858 return EXT_RETURN_FAIL;
1861 /* Generate the application cookie */
1862 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
1863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1864 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
1865 return EXT_RETURN_FAIL;
1868 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1869 || !ossl_assert(appcookie1 == appcookie2)
1870 || !WPACKET_close(pkt)
1871 || !WPACKET_get_total_written(pkt, &totcookielen)
1872 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
1873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1874 ERR_R_INTERNAL_ERROR);
1875 return EXT_RETURN_FAIL;
1877 hmaclen = SHA256_DIGEST_LENGTH;
1879 totcookielen -= startlen;
1880 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
1881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1882 ERR_R_INTERNAL_ERROR);
1883 return EXT_RETURN_FAIL;
1886 /* HMAC the cookie */
1887 hctx = EVP_MD_CTX_create();
1888 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
1889 s->session_ctx->ext.cookie_hmac_key,
1890 sizeof(s->session_ctx->ext
1892 if (hctx == NULL || pkey == NULL) {
1893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1894 ERR_R_MALLOC_FAILURE);
1898 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->propq, pkey,
1899 s->ctx->libctx) <= 0
1900 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1901 totcookielen) <= 0) {
1902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1903 ERR_R_INTERNAL_ERROR);
1907 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
1908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1909 ERR_R_INTERNAL_ERROR);
1913 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1914 || !ossl_assert(hmac == hmac2)
1915 || !ossl_assert(cookie == hmac - totcookielen)
1916 || !WPACKET_close(pkt)
1917 || !WPACKET_close(pkt)) {
1918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
1919 ERR_R_INTERNAL_ERROR);
1923 ret = EXT_RETURN_SENT;
1926 EVP_MD_CTX_free(hctx);
1927 EVP_PKEY_free(pkey);
1930 return EXT_RETURN_FAIL;
1934 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1935 unsigned int context, X509 *x,
1938 const unsigned char cryptopro_ext[36] = {
1939 0xfd, 0xe8, /* 65000 */
1940 0x00, 0x20, /* 32 bytes length */
1941 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1942 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1943 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1944 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1947 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1948 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
1949 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1950 return EXT_RETURN_NOT_SENT;
1952 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1953 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1954 SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1955 return EXT_RETURN_FAIL;
1958 return EXT_RETURN_SENT;
1961 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1962 unsigned int context, X509 *x,
1965 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1966 if (s->max_early_data == 0)
1967 return EXT_RETURN_NOT_SENT;
1969 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1970 || !WPACKET_start_sub_packet_u16(pkt)
1971 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1972 || !WPACKET_close(pkt)) {
1973 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1974 SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1975 return EXT_RETURN_FAIL;
1978 return EXT_RETURN_SENT;
1981 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1982 return EXT_RETURN_NOT_SENT;
1984 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1985 || !WPACKET_start_sub_packet_u16(pkt)
1986 || !WPACKET_close(pkt)) {
1987 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA,
1988 ERR_R_INTERNAL_ERROR);
1989 return EXT_RETURN_FAIL;
1992 return EXT_RETURN_SENT;
1995 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1996 X509 *x, size_t chainidx)
1999 return EXT_RETURN_NOT_SENT;
2001 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
2002 || !WPACKET_start_sub_packet_u16(pkt)
2003 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
2004 || !WPACKET_close(pkt)) {
2005 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2006 SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
2007 return EXT_RETURN_FAIL;
2010 return EXT_RETURN_SENT;