2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
15 * Parse the client's renegotiation binding and abort if it's not right
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
21 const unsigned char *data;
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_ILLEGAL_PARAMETER;
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
48 s->s3->send_connection_binding = 1;
54 * The servername extension is treated as follows:
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
74 * - On session reconnect, the servername extension may be absent.
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
79 unsigned int servname_type;
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
90 * Although the server_name extension was intended to be
91 * extensible to new name types, RFC 4366 defined the
92 * syntax inextensibly and OpenSSL 1.0.x parses it as
94 * RFC 6066 corrected the mistake but adding new name types
95 * is nevertheless no longer feasible, so act as if no other
96 * SNI types can exist, to simplify parsing.
98 * Also note that the RFC permits only one SNI value per type,
99 * i.e., we can only have a single hostname.
101 if (!PACKET_get_1(&sni, &servname_type)
102 || servname_type != TLSEXT_NAMETYPE_host_name
103 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
104 *al = SSL_AD_DECODE_ERROR;
109 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
110 *al = TLS1_AD_UNRECOGNIZED_NAME;
114 if (PACKET_contains_zero_byte(&hostname)) {
115 *al = TLS1_AD_UNRECOGNIZED_NAME;
119 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
120 *al = TLS1_AD_INTERNAL_ERROR;
124 s->servername_done = 1;
127 * TODO(openssl-team): if the SNI doesn't match, we MUST
128 * fall back to a full handshake.
130 s->servername_done = s->session->ext.hostname
131 && PACKET_equal(&hostname, s->session->ext.hostname,
132 strlen(s->session->ext.hostname));
138 #ifndef OPENSSL_NO_SRP
139 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
143 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
144 || PACKET_contains_zero_byte(&srp_I)) {
145 *al = SSL_AD_DECODE_ERROR;
150 * TODO(openssl-team): currently, we re-authenticate the user
151 * upon resumption. Instead, we MUST ignore the login.
153 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
154 *al = TLS1_AD_INTERNAL_ERROR;
162 #ifndef OPENSSL_NO_EC
163 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
166 PACKET ec_point_format_list;
168 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
169 || PACKET_remaining(&ec_point_format_list) == 0) {
170 *al = SSL_AD_DECODE_ERROR;
175 if (!PACKET_memdup(&ec_point_format_list,
176 &s->session->ext.ecpointformats,
177 &s->session->ext.ecpointformats_len)) {
178 *al = TLS1_AD_INTERNAL_ERROR;
185 #endif /* OPENSSL_NO_EC */
187 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
190 if (s->ext.session_ticket_cb &&
191 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
192 PACKET_remaining(pkt),
193 s->ext.session_ticket_cb_arg)) {
194 *al = TLS1_AD_INTERNAL_ERROR;
201 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
204 PACKET supported_sig_algs;
206 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
207 || PACKET_remaining(&supported_sig_algs) == 0) {
208 *al = SSL_AD_DECODE_ERROR;
212 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
213 *al = TLS1_AD_DECODE_ERROR;
220 #ifndef OPENSSL_NO_OCSP
221 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
224 PACKET responder_id_list, exts;
226 /* Not defined if we get one of these in a client Certificate */
230 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
231 *al = SSL_AD_DECODE_ERROR;
235 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
237 * We don't know what to do with any other type so ignore it.
239 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
243 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
244 *al = SSL_AD_DECODE_ERROR;
249 * We remove any OCSP_RESPIDs from a previous handshake
250 * to prevent unbounded memory growth - CVE-2016-6304
252 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
253 if (PACKET_remaining(&responder_id_list) > 0) {
254 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
255 if (s->ext.ocsp.ids == NULL) {
256 *al = SSL_AD_INTERNAL_ERROR;
260 s->ext.ocsp.ids = NULL;
263 while (PACKET_remaining(&responder_id_list) > 0) {
266 const unsigned char *id_data;
268 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
269 || PACKET_remaining(&responder_id) == 0) {
270 *al = SSL_AD_DECODE_ERROR;
274 id_data = PACKET_data(&responder_id);
275 /* TODO(size_t): Convert d2i_* to size_t */
276 id = d2i_OCSP_RESPID(NULL, &id_data,
277 (int)PACKET_remaining(&responder_id));
279 *al = SSL_AD_DECODE_ERROR;
283 if (id_data != PACKET_end(&responder_id)) {
284 OCSP_RESPID_free(id);
285 *al = SSL_AD_DECODE_ERROR;
289 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
290 OCSP_RESPID_free(id);
291 *al = SSL_AD_INTERNAL_ERROR;
296 /* Read in request_extensions */
297 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
298 *al = SSL_AD_DECODE_ERROR;
302 if (PACKET_remaining(&exts) > 0) {
303 const unsigned char *ext_data = PACKET_data(&exts);
305 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
306 X509_EXTENSION_free);
308 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
309 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
310 *al = SSL_AD_DECODE_ERROR;
319 #ifndef OPENSSL_NO_NEXTPROTONEG
320 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
323 * We shouldn't accept this extension on a
326 * s->new_session will be set on renegotiation, but we
327 * probably shouldn't rely that it couldn't be set on
328 * the initial renegotiation too in certain cases (when
329 * there's some other reason to disallow resuming an
330 * earlier session -- the current code won't be doing
331 * anything like that, but this might change).
333 * A valid sign that there's been a previous handshake
334 * in this connection is if s->s3->tmp.finish_md_len >
335 * 0. (We are talking about a check that will happen
336 * in the Hello protocol round, well before a new
337 * Finished message could have been computed.)
339 if (s->s3->tmp.finish_md_len == 0)
347 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
348 * extension, not including type and length. |al| is a pointer to the alert
349 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
351 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
353 PACKET protocol_list, save_protocol_list, protocol;
355 if (s->s3->tmp.finish_md_len != 0)
358 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
359 || PACKET_remaining(&protocol_list) < 2) {
360 *al = SSL_AD_DECODE_ERROR;
364 save_protocol_list = protocol_list;
366 /* Protocol names can't be empty. */
367 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
368 || PACKET_remaining(&protocol) == 0) {
369 *al = SSL_AD_DECODE_ERROR;
372 } while (PACKET_remaining(&protocol_list) != 0);
374 if (!PACKET_memdup(&save_protocol_list,
375 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
376 *al = TLS1_AD_INTERNAL_ERROR;
383 #ifndef OPENSSL_NO_SRTP
384 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
387 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
388 unsigned int ct, mki_len, id;
392 /* Ignore this if we have no SRTP profiles */
393 if (SSL_get_srtp_profiles(s) == NULL)
396 /* Pull off the length of the cipher suite list and check it is even */
397 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
398 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
399 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
400 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
401 *al = SSL_AD_DECODE_ERROR;
405 srvr = SSL_get_srtp_profiles(s);
406 s->srtp_profile = NULL;
407 /* Search all profiles for a match initially */
408 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
410 while (PACKET_remaining(&subpkt)) {
411 if (!PACKET_get_net_2(&subpkt, &id)) {
412 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
413 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
414 *al = SSL_AD_DECODE_ERROR;
419 * Only look for match in profiles of higher preference than
421 * If no profiles have been have been configured then this
424 for (i = 0; i < srtp_pref; i++) {
425 SRTP_PROTECTION_PROFILE *sprof =
426 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
428 if (sprof->id == id) {
429 s->srtp_profile = sprof;
436 /* Now extract the MKI value as a sanity check, but discard it for now */
437 if (!PACKET_get_1(pkt, &mki_len)) {
438 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
439 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
440 *al = SSL_AD_DECODE_ERROR;
444 if (!PACKET_forward(pkt, mki_len)
445 || PACKET_remaining(pkt)) {
446 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
447 *al = SSL_AD_DECODE_ERROR;
455 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
457 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
458 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
464 * Checks a list of |groups| to determine if the |group_id| is in it. If it is
465 * and |checkallow| is 1 then additionally check if the group is allowed to be
466 * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
469 #ifndef OPENSSL_NO_TLS1_3
470 static int check_in_list(SSL *s, unsigned int group_id,
471 const unsigned char *groups, size_t num_groups,
476 if (groups == NULL || num_groups == 0)
479 for (i = 0; i < num_groups; i++, groups += 2) {
480 unsigned int share_id = (groups[0] << 8) | (groups[1]);
482 if (group_id == share_id
484 || tls_curve_allowed(s, groups, SSL_SECOP_CURVE_CHECK))) {
489 /* If i == num_groups then not in the list */
490 return i < num_groups;
495 * Process a key_share extension received in the ClientHello. |pkt| contains
496 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
497 * If a failure occurs then |*al| is set to an appropriate alert value.
499 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
502 #ifndef OPENSSL_NO_TLS1_3
503 unsigned int group_id;
504 PACKET key_share_list, encoded_pt;
505 const unsigned char *clntcurves, *srvrcurves;
506 size_t clnt_num_curves, srvr_num_curves;
507 int group_nid, found = 0;
508 unsigned int curve_flags;
514 if (s->s3->peer_tmp != NULL) {
515 *al = SSL_AD_INTERNAL_ERROR;
516 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
520 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
521 *al = SSL_AD_HANDSHAKE_FAILURE;
522 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
526 /* Get our list of supported curves */
527 if (!tls1_get_curvelist(s, 0, &srvrcurves, &srvr_num_curves)) {
528 *al = SSL_AD_INTERNAL_ERROR;
529 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
534 * Get the clients list of supported curves.
535 * TODO(TLS1.3): We should validate that we actually received
538 if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
539 *al = SSL_AD_INTERNAL_ERROR;
540 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
544 while (PACKET_remaining(&key_share_list) > 0) {
545 if (!PACKET_get_net_2(&key_share_list, &group_id)
546 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
547 || PACKET_remaining(&encoded_pt) == 0) {
548 *al = SSL_AD_HANDSHAKE_FAILURE;
549 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
550 SSL_R_LENGTH_MISMATCH);
555 * If we already found a suitable key_share we loop through the
556 * rest to verify the structure, but don't process them.
561 /* Check if this share is in supported_groups sent from client */
562 if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
563 *al = SSL_AD_HANDSHAKE_FAILURE;
564 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
568 /* Check if this share is for a group we can use */
569 if (!check_in_list(s, group_id, srvrcurves, srvr_num_curves, 1)) {
570 /* Share not suitable */
574 group_nid = tls1_ec_curve_id2nid(group_id, &curve_flags);
576 if (group_nid == 0) {
577 *al = SSL_AD_INTERNAL_ERROR;
578 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
579 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
583 if ((curve_flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
584 /* Can happen for some curves, e.g. X25519 */
585 EVP_PKEY *key = EVP_PKEY_new();
587 if (key == NULL || !EVP_PKEY_set_type(key, group_nid)) {
588 *al = SSL_AD_INTERNAL_ERROR;
589 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
593 s->s3->peer_tmp = key;
595 /* Set up EVP_PKEY with named curve as parameters */
596 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
599 || EVP_PKEY_paramgen_init(pctx) <= 0
600 || EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx,
602 || EVP_PKEY_paramgen(pctx, &s->s3->peer_tmp) <= 0) {
603 *al = SSL_AD_INTERNAL_ERROR;
604 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_EVP_LIB);
605 EVP_PKEY_CTX_free(pctx);
608 EVP_PKEY_CTX_free(pctx);
611 s->s3->group_id = group_id;
613 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
614 PACKET_data(&encoded_pt),
615 PACKET_remaining(&encoded_pt))) {
616 *al = SSL_AD_DECODE_ERROR;
617 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
628 #ifndef OPENSSL_NO_EC
629 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,
630 size_t chainidx, int *al)
632 PACKET supported_groups_list;
634 /* Each group is 2 bytes and we must have at least 1. */
635 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
636 || PACKET_remaining(&supported_groups_list) == 0
637 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
638 *al = SSL_AD_DECODE_ERROR;
643 && !PACKET_memdup(&supported_groups_list,
644 &s->session->ext.supportedgroups,
645 &s->session->ext.supportedgroups_len)) {
646 *al = SSL_AD_DECODE_ERROR;
654 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
656 /* The extension must always be empty */
657 if (PACKET_remaining(pkt) != 0) {
658 *al = SSL_AD_DECODE_ERROR;
662 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
668 * Add the server's renegotiation binding
670 int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t
673 if (!s->s3->send_connection_binding)
676 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
677 || !WPACKET_start_sub_packet_u16(pkt)
678 || !WPACKET_start_sub_packet_u8(pkt)
679 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
680 s->s3->previous_client_finished_len)
681 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
682 s->s3->previous_server_finished_len)
683 || !WPACKET_close(pkt)
684 || !WPACKET_close(pkt)) {
685 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
692 int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
693 size_t chainidx, int *al)
695 if (s->hit || s->servername_done != 1
696 || s->session->ext.hostname == NULL)
699 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
700 || !WPACKET_put_bytes_u16(pkt, 0)) {
701 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
708 #ifndef OPENSSL_NO_EC
709 int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
710 size_t chainidx, int *al)
712 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
713 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
714 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
715 && (s->session->ext.ecpointformats != NULL);
716 const unsigned char *plist;
722 tls1_get_formatlist(s, &plist, &plistlen);
723 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
724 || !WPACKET_start_sub_packet_u16(pkt)
725 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
726 || !WPACKET_close(pkt)) {
727 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
735 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
736 size_t chainidx, int *al)
738 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
739 s->ext.ticket_expected = 0;
743 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
744 || !WPACKET_put_bytes_u16(pkt, 0)) {
745 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
752 #ifndef OPENSSL_NO_OCSP
753 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
754 size_t chainidx, int *al)
756 if (!s->ext.status_expected)
759 if (SSL_IS_TLS13(s) && chainidx != 0)
762 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
763 || !WPACKET_start_sub_packet_u16(pkt)) {
764 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
769 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
770 * send back an empty extension, with the certificate status appearing as a
773 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
774 || !WPACKET_close(pkt)) {
775 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
783 #ifndef OPENSSL_NO_NEXTPROTONEG
784 int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
785 size_t chainidx, int *al)
787 const unsigned char *npa;
790 int npn_seen = s->s3->npn_seen;
793 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
796 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
797 s->ctx->ext.npn_advertised_cb_arg);
798 if (ret == SSL_TLSEXT_ERR_OK) {
799 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
800 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
801 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
802 ERR_R_INTERNAL_ERROR);
812 int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
815 if (s->s3->alpn_selected == NULL)
818 if (!WPACKET_put_bytes_u16(pkt,
819 TLSEXT_TYPE_application_layer_protocol_negotiation)
820 || !WPACKET_start_sub_packet_u16(pkt)
821 || !WPACKET_start_sub_packet_u16(pkt)
822 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
823 s->s3->alpn_selected_len)
824 || !WPACKET_close(pkt)
825 || !WPACKET_close(pkt)) {
826 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
833 #ifndef OPENSSL_NO_SRTP
834 int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
837 if (s->srtp_profile == NULL)
840 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
841 || !WPACKET_start_sub_packet_u16(pkt)
842 || !WPACKET_put_bytes_u16(pkt, 2)
843 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
844 || !WPACKET_put_bytes_u8(pkt, 0)
845 || !WPACKET_close(pkt)) {
846 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
854 int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
857 if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
861 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
862 * for other cases too.
864 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
865 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
866 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
867 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
868 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
872 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
873 || !WPACKET_put_bytes_u16(pkt, 0)) {
874 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
881 int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
884 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
887 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
888 || !WPACKET_put_bytes_u16(pkt, 0)) {
889 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
896 int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
899 #ifndef OPENSSL_NO_TLS1_3
900 unsigned char *encodedPoint;
901 size_t encoded_pt_len = 0;
902 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
908 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
912 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
913 || !WPACKET_start_sub_packet_u16(pkt)
914 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
915 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
919 skey = ssl_generate_pkey(ckey);
921 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
925 /* Generate encoding of server key */
926 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
927 if (encoded_pt_len == 0) {
928 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
933 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
934 || !WPACKET_close(pkt)) {
935 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
937 OPENSSL_free(encodedPoint);
940 OPENSSL_free(encodedPoint);
942 /* This causes the crypto state to be updated based on the derived keys */
943 s->s3->tmp.pkey = skey;
944 if (ssl_derive(s, skey, ckey, 1) == 0) {
945 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
953 int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, X509 *x,
954 size_t chainidx, int *al)
956 const unsigned char cryptopro_ext[36] = {
957 0xfd, 0xe8, /* 65000 */
958 0x00, 0x20, /* 32 bytes length */
959 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
960 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
961 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
962 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
965 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
966 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
967 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
970 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
971 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);