/*
- * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
/*
* 2 bytes for packet length, 2 bytes for format version, 2 bytes for
* protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
- * key_share present flag, 2 bytes for the hashlen, EVP_MAX_MD_SIZE for
- * transcript hash, 1 byte for app cookie length, app cookie length bytes,
- * SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
+ * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
+ * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
+ * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
*/
-#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 2 + EVP_MAX_MD_SIZE + 1 \
+#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
+ SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
/*
* Message header + 2 bytes for protocol version + number of random bytes +
- * + number of bytes in legacy session id + 2 bytes for ciphersuite
- * + 1 byte for legacy compression + 2 bytes for extension block length
- * + 6 bytes for key_share extension + 4 bytes for cookie extension header
- * + the number of bytes in the cookie
+ * + 1 byte for legacy session id length + number of bytes in legacy session id
+ * + 2 bytes for ciphersuite + 1 byte for legacy compression
+ * + 2 bytes for extension block length + 6 bytes for key_share extension
+ * + 4 bytes for cookie extension header + the number of bytes in the cookie
*/
-#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE \
+#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
+ SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
+ MAX_COOKIE_SIZE)
return 0;
}
- if (!s->hit) {
+ if (!s->hit || SSL_IS_TLS13(s)) {
if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME,
SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
return 0;
}
- OPENSSL_free(s->session->ext.hostname);
- s->session->ext.hostname = NULL;
- if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
+ /*
+ * Store the requested SNI in the SSL as temporary storage.
+ * If we accept it, it will get stored in the SSL_SESSION as well.
+ */
+ OPENSSL_free(s->ext.hostname);
+ s->ext.hostname = NULL;
+ if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_SERVER_NAME,
ERR_R_INTERNAL_ERROR);
return 0;
}
s->servername_done = 1;
- } else {
+ }
+ if (s->hit) {
/*
* TODO(openssl-team): if the SNI doesn't match, we MUST
* fall back to a full handshake.
*/
- s->servername_done = s->session->ext.hostname
+ s->servername_done = (s->session->ext.hostname != NULL)
&& PACKET_equal(&hostname, s->session->ext.hostname,
strlen(s->session->ext.hostname));
return 1;
}
+int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ PACKET supported_sig_algs;
+
+ if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
+ || PACKET_remaining(&supported_sig_algs) == 0) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR,
+ SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
+ if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR,
+ SSL_F_TLS_PARSE_CTOS_SIG_ALGS_CERT, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
+ return 1;
+}
+
int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
return 0;
}
- if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
+ if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
SSLfatal(s, SSL_AD_DECODE_ERROR,
SSL_F_TLS_PARSE_CTOS_SIG_ALGS, SSL_R_BAD_EXTENSION);
return 0;
{
PACKET responder_id_list, exts;
+ /* We ignore this in a resumption handshake */
+ if (s->hit)
+ return 1;
+
/* Not defined if we get one of these in a client Certificate */
if (x != NULL)
return 1;
int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
- unsigned int format, version, key_share;
+#ifndef OPENSSL_NO_TLS1_3
+ unsigned int format, version, key_share, group_id;
EVP_MD_CTX *hctx;
EVP_PKEY *pkey;
PACKET cookie, raw, chhash, appcookie;
unsigned char hmac[SHA256_DIGEST_LENGTH];
unsigned char hrr[MAX_HRR_SIZE];
size_t rawlen, hmaclen, hrrlen, ciphlen;
+ unsigned long tm, now;
/* Ignore any cookie if we're not set up to verify it */
- if (s->ctx->app_verify_cookie_cb == NULL
+ if (s->ctx->verify_stateless_cookie_cb == NULL
|| (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
return 1;
/* Verify the HMAC of the cookie */
hctx = EVP_MD_CTX_create();
- pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
- s->session_ctx->ext.cookie_hmac_key,
- sizeof(s->session_ctx->ext.cookie_hmac_key));
+ pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+ s->session_ctx->ext.cookie_hmac_key,
+ sizeof(s->session_ctx->ext
+ .cookie_hmac_key));
if (hctx == NULL || pkey == NULL) {
EVP_MD_CTX_free(hctx);
EVP_PKEY_free(pkey);
return 0;
}
- hmaclen = sizeof(s->session_ctx->ext.cookie_hmac_key);
+ hmaclen = SHA256_DIGEST_LENGTH;
if (EVP_DigestSignInit(hctx, NULL, EVP_sha256(), NULL, pkey) <= 0
- || EVP_DigestSignUpdate(hctx, data,
- rawlen - SHA256_DIGEST_LENGTH) <= 0
- || EVP_DigestSignFinal(hctx, hmac, &hmaclen) <= 0
+ || EVP_DigestSign(hctx, hmac, &hmaclen, data,
+ rawlen - SHA256_DIGEST_LENGTH) <= 0
|| hmaclen != SHA256_DIGEST_LENGTH) {
EVP_MD_CTX_free(hctx);
EVP_PKEY_free(pkey);
return 0;
}
- if (!PACKET_get_net_2(&cookie, &s->s3->group_id)) {
+ if (!PACKET_get_net_2(&cookie, &group_id)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
SSL_R_LENGTH_MISMATCH);
return 0;
}
+
ciphdata = PACKET_data(&cookie);
if (!PACKET_forward(&cookie, 2)) {
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
SSL_R_LENGTH_MISMATCH);
return 0;
}
- s->s3->tmp.new_cipher = ssl_get_cipher_by_char(s, ciphdata, 0);
- if (s->s3->tmp.new_cipher == NULL) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
- ERR_R_INTERNAL_ERROR);
+ if (group_id != s->s3->group_id
+ || s->s3->tmp.new_cipher
+ != ssl_get_cipher_by_char(s, ciphdata, 0)) {
+ /*
+ * We chose a different cipher or group id this time around to what is
+ * in the cookie. Something must have changed.
+ */
+ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
+ SSL_R_BAD_CIPHER);
return 0;
}
if (!PACKET_get_1(&cookie, &key_share)
+ || !PACKET_get_net_4(&cookie, &tm)
|| !PACKET_get_length_prefixed_2(&cookie, &chhash)
|| !PACKET_get_length_prefixed_1(&cookie, &appcookie)
|| PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
return 0;
}
+ /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
+ now = (unsigned long)time(NULL);
+ if (tm > now || (now - tm) > 600) {
+ /* Cookie is stale. Ignore it */
+ return 1;
+ }
+
/* Verify the app cookie */
- if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&appcookie),
+ if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
PACKET_remaining(&appcookie)) == 0) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_CTOS_COOKIE,
SSL_R_COOKIE_MISMATCH);
}
if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
|| !WPACKET_start_sub_packet_u16(&hrrpkt)
- /* TODO(TLS1.3): Fix this before release */
- || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_3_VERSION_DRAFT)
+ || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
|| !WPACKET_close(&hrrpkt)) {
WPACKET_cleanup(&hrrpkt);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_COOKIE,
s->hello_retry_request = 1;
s->ext.cookieok = 1;
+#endif
return 1;
}
return 1;
}
+static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
+ SSL_SESSION **sess)
+{
+ SSL_SESSION *tmpsess = NULL;
+
+ s->ext.ticket_expected = 1;
+
+ switch (PACKET_remaining(tick)) {
+ case 0:
+ return SSL_TICKET_EMPTY;
+
+ case SSL_MAX_SSL_SESSION_ID_LENGTH:
+ break;
+
+ default:
+ return SSL_TICKET_NO_DECRYPT;
+ }
+
+ tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
+ SSL_MAX_SSL_SESSION_ID_LENGTH);
+
+ if (tmpsess == NULL)
+ return SSL_TICKET_NO_DECRYPT;
+
+ *sess = tmpsess;
+ return SSL_TICKET_SUCCESS;
+}
+
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
return 0;
}
+ s->ext.ticket_expected = 0;
for (id = 0; PACKET_remaining(&identities) != 0; id++) {
PACKET identity;
unsigned long ticket_agel;
+ size_t idlen;
if (!PACKET_get_length_prefixed_2(&identities, &identity)
|| !PACKET_get_net_4(&identities, &ticket_agel)) {
return 0;
}
+ idlen = PACKET_remaining(&identity);
if (s->psk_find_session_cb != NULL
- && !s->psk_find_session_cb(s, PACKET_data(&identity),
- PACKET_remaining(&identity),
+ && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
&sess)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, SSL_R_BAD_EXTENSION);
return 0;
}
+#ifndef OPENSSL_NO_PSK
+ if(sess == NULL
+ && s->psk_server_callback != NULL
+ && idlen <= PSK_MAX_IDENTITY_LEN) {
+ char *pskid = NULL;
+ unsigned char pskdata[PSK_MAX_PSK_LEN];
+ unsigned int pskdatalen;
+
+ if (!PACKET_strndup(&identity, &pskid)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ pskdatalen = s->psk_server_callback(s, pskid, pskdata,
+ sizeof(pskdata));
+ OPENSSL_free(pskid);
+ if (pskdatalen > PSK_MAX_PSK_LEN) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ } else if (pskdatalen > 0) {
+ const SSL_CIPHER *cipher;
+ const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
+
+ /*
+ * We found a PSK using an old style callback. We don't know
+ * the digest so we default to SHA256 as per the TLSv1.3 spec
+ */
+ cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
+ if (cipher == NULL) {
+ OPENSSL_cleanse(pskdata, pskdatalen);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ sess = SSL_SESSION_new();
+ if (sess == NULL
+ || !SSL_SESSION_set1_master_key(sess, pskdata,
+ pskdatalen)
+ || !SSL_SESSION_set_cipher(sess, cipher)
+ || !SSL_SESSION_set_protocol_version(sess,
+ TLS1_3_VERSION)) {
+ OPENSSL_cleanse(pskdata, pskdatalen);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ OPENSSL_cleanse(pskdata, pskdatalen);
+ }
+ }
+#endif /* OPENSSL_NO_PSK */
+
if (sess != NULL) {
/* We found a PSK */
SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
ext = 1;
if (id == 0)
s->ext.early_data_ok = 1;
+ s->ext.ticket_expected = 1;
} else {
uint32_t ticket_age = 0, now, agesec, agems;
- int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
+ int ret;
+
+ /*
+ * If we are using anti-replay protection then we behave as if
+ * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
+ * is no point in using full stateless tickets.
+ */
+ if ((s->options & SSL_OP_NO_TICKET) != 0
+ || (s->max_early_data > 0
+ && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
+ ret = tls_get_stateful_ticket(s, &identity, &sess);
+ else
+ ret = tls_decrypt_ticket(s, PACKET_data(&identity),
PACKET_remaining(&identity), NULL, 0,
&sess);
- if (ret == TICKET_FATAL_ERR_MALLOC
- || ret == TICKET_FATAL_ERR_OTHER) {
+ if (ret == SSL_TICKET_EMPTY) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_PSK,
+ SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
+ if (ret == SSL_TICKET_FATAL_ERR_MALLOC
+ || ret == SSL_TICKET_FATAL_ERR_OTHER) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
return 0;
}
- if (ret == TICKET_NO_DECRYPT)
+ if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
continue;
+ /* Check for replay */
+ if (s->max_early_data > 0
+ && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
+ && !SSL_CTX_remove_session(s->session_ctx, sess)) {
+ SSL_SESSION_free(sess);
+ sess = NULL;
+ continue;
+ }
+
ticket_age = (uint32_t)ticket_agel;
now = (uint32_t)time(NULL);
agesec = now - (uint32_t)sess->time;
SSL_SESSION_free(sess);
sess = NULL;
s->ext.early_data_ok = 0;
+ s->ext.ticket_expected = 0;
continue;
}
break;
return 0;
}
+int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt, unsigned int context,
+ X509 *x, size_t chainidx)
+{
+ if (PACKET_remaining(pkt) != 0) {
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_CTOS_POST_HANDSHAKE_AUTH,
+ SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
+ return 0;
+ }
+
+ s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
+
+ return 1;
+}
+
/*
* Add the server's renegotiation binding
*/
size_t chainidx)
{
if (s->hit || s->servername_done != 1
- || s->session->ext.hostname == NULL)
+ || s->ext.hostname == NULL)
return EXT_RETURN_NOT_SENT;
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
unsigned int context, X509 *x,
size_t chainidx)
{
- if (!SSL_IS_TLS13(s))
- return EXT_RETURN_NOT_SENT;
+ if (!ossl_assert(SSL_IS_TLS13(s))) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
+ ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
+ }
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
|| !WPACKET_start_sub_packet_u16(pkt)
- /* TODO(TLS1.3): Update to remove the TLSv1.3 draft indicator */
- || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
+ || !WPACKET_put_bytes_u16(pkt, s->version)
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_VERSIONS,
size_t encoded_pt_len = 0;
EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
- if (ckey == NULL) {
- /* No key_share received from client */
- if (s->hello_retry_request == SSL_HRR_PENDING) {
- if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
- || !WPACKET_start_sub_packet_u16(pkt)
- || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
- || !WPACKET_close(pkt)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
- ERR_R_INTERNAL_ERROR);
- return EXT_RETURN_FAIL;
- }
-
- return EXT_RETURN_SENT;
+ if (s->hello_retry_request == SSL_HRR_PENDING) {
+ if (ckey != NULL) {
+ /* Original key_share was acceptable so don't ask for another one */
+ return EXT_RETURN_NOT_SENT;
+ }
+ if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
+ || !WPACKET_close(pkt)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
+ ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
}
- /* Must be resuming. */
+ return EXT_RETURN_SENT;
+ }
+
+ if (ckey == NULL) {
+ /* No key_share received from client - must be resuming */
if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
-#endif
-
return EXT_RETURN_SENT;
+#else
+ return EXT_RETURN_FAIL;
+#endif
}
EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
X509 *x, size_t chainidx)
{
+#ifndef OPENSSL_NO_TLS1_3
unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
unsigned char *hmac, *hmac2;
- size_t startlen, ciphlen, totcookielen, hashlen, hmaclen;
- unsigned int appcookielen;
+ size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
EVP_MD_CTX *hctx;
EVP_PKEY *pkey;
int ret = EXT_RETURN_FAIL;
- if (s->ctx->app_gen_cookie_cb == NULL
- || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
+ if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
return EXT_RETURN_NOT_SENT;
+ if (s->ctx->gen_stateless_cookie_cb == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
+ SSL_R_NO_COOKIE_CALLBACK_SET);
+ return EXT_RETURN_FAIL;
+ }
+
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)
&ciphlen)
/* Is there a key_share extension present in this HRR? */
|| !WPACKET_put_bytes_u8(pkt, s->s3->peer_tmp == NULL)
+ || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
}
/* Generate the application cookie */
- if (s->ctx->app_gen_cookie_cb(s, appcookie1, &appcookielen) == 0) {
+ if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
return EXT_RETURN_FAIL;
/* HMAC the cookie */
hctx = EVP_MD_CTX_create();
- pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
- s->session_ctx->ext.cookie_hmac_key,
- sizeof(s->session_ctx->ext.cookie_hmac_key));
+ pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+ s->session_ctx->ext.cookie_hmac_key,
+ sizeof(s->session_ctx->ext
+ .cookie_hmac_key));
if (hctx == NULL || pkey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
ERR_R_MALLOC_FAILURE);
EVP_MD_CTX_free(hctx);
EVP_PKEY_free(pkey);
return ret;
+#else
+ return EXT_RETURN_FAIL;
+#endif
}
EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,