]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Change curves to groups where relevant
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ocsp.h>
11 #include "../ssl_locl.h"
12 #include "statem_locl.h"
13
14 /*
15 * Parse the client's renegotiation binding and abort if it's not right
16 */
17 int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
18 X509 *x, size_t chainidx, int *al)
19 {
20 unsigned int ilen;
21 const unsigned char *data;
22
23 /* Parse the length byte */
24 if (!PACKET_get_1(pkt, &ilen)
25 || !PACKET_get_bytes(pkt, &data, ilen)) {
26 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
27 SSL_R_RENEGOTIATION_ENCODING_ERR);
28 *al = SSL_AD_DECODE_ERROR;
29 return 0;
30 }
31
32 /* Check that the extension matches */
33 if (ilen != s->s3->previous_client_finished_len) {
34 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
35 SSL_R_RENEGOTIATION_MISMATCH);
36 *al = SSL_AD_HANDSHAKE_FAILURE;
37 return 0;
38 }
39
40 if (memcmp(data, s->s3->previous_client_finished,
41 s->s3->previous_client_finished_len)) {
42 SSLerr(SSL_F_TLS_PARSE_CTOS_RENEGOTIATE,
43 SSL_R_RENEGOTIATION_MISMATCH);
44 *al = SSL_AD_HANDSHAKE_FAILURE;
45 return 0;
46 }
47
48 s->s3->send_connection_binding = 1;
49
50 return 1;
51 }
52
53 /*-
54 * The servername extension is treated as follows:
55 *
56 * - Only the hostname type is supported with a maximum length of 255.
57 * - The servername is rejected if too long or if it contains zeros,
58 * in which case an fatal alert is generated.
59 * - The servername field is maintained together with the session cache.
60 * - When a session is resumed, the servername call back invoked in order
61 * to allow the application to position itself to the right context.
62 * - The servername is acknowledged if it is new for a session or when
63 * it is identical to a previously used for the same session.
64 * Applications can control the behaviour. They can at any time
65 * set a 'desirable' servername for a new SSL object. This can be the
66 * case for example with HTTPS when a Host: header field is received and
67 * a renegotiation is requested. In this case, a possible servername
68 * presented in the new client hello is only acknowledged if it matches
69 * the value of the Host: field.
70 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
71 * if they provide for changing an explicit servername context for the
72 * session, i.e. when the session has been established with a servername
73 * extension.
74 * - On session reconnect, the servername extension may be absent.
75 */
76 int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
77 X509 *x, size_t chainidx, int *al)
78 {
79 unsigned int servname_type;
80 PACKET sni, hostname;
81
82 if (!PACKET_as_length_prefixed_2(pkt, &sni)
83 /* ServerNameList must be at least 1 byte long. */
84 || PACKET_remaining(&sni) == 0) {
85 *al = SSL_AD_DECODE_ERROR;
86 return 0;
87 }
88
89 /*
90 * Although the intent was for server_name to be extensible, RFC 4366
91 * was not clear about it; and so OpenSSL among other implementations,
92 * always and only allows a 'host_name' name types.
93 * RFC 6066 corrected the mistake but adding new name types
94 * is nevertheless no longer feasible, so act as if no other
95 * SNI types can exist, to simplify parsing.
96 *
97 * Also note that the RFC permits only one SNI value per type,
98 * i.e., we can only have a single hostname.
99 */
100 if (!PACKET_get_1(&sni, &servname_type)
101 || servname_type != TLSEXT_NAMETYPE_host_name
102 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
103 *al = SSL_AD_DECODE_ERROR;
104 return 0;
105 }
106
107 if (!s->hit) {
108 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
109 *al = TLS1_AD_UNRECOGNIZED_NAME;
110 return 0;
111 }
112
113 if (PACKET_contains_zero_byte(&hostname)) {
114 *al = TLS1_AD_UNRECOGNIZED_NAME;
115 return 0;
116 }
117
118 OPENSSL_free(s->session->ext.hostname);
119 s->session->ext.hostname = NULL;
120 if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
121 *al = TLS1_AD_INTERNAL_ERROR;
122 return 0;
123 }
124
125 s->servername_done = 1;
126 } else {
127 /*
128 * TODO(openssl-team): if the SNI doesn't match, we MUST
129 * fall back to a full handshake.
130 */
131 s->servername_done = s->session->ext.hostname
132 && PACKET_equal(&hostname, s->session->ext.hostname,
133 strlen(s->session->ext.hostname));
134
135 if (!s->servername_done && s->session->ext.hostname != NULL)
136 s->ext.early_data_ok = 0;
137 }
138
139 return 1;
140 }
141
142 #ifndef OPENSSL_NO_SRP
143 int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
144 size_t chainidx, int *al)
145 {
146 PACKET srp_I;
147
148 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
149 || PACKET_contains_zero_byte(&srp_I)) {
150 *al = SSL_AD_DECODE_ERROR;
151 return 0;
152 }
153
154 /*
155 * TODO(openssl-team): currently, we re-authenticate the user
156 * upon resumption. Instead, we MUST ignore the login.
157 */
158 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
159 *al = SSL_AD_INTERNAL_ERROR;
160 return 0;
161 }
162
163 return 1;
164 }
165 #endif
166
167 #ifndef OPENSSL_NO_EC
168 int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
169 X509 *x, size_t chainidx, int *al)
170 {
171 PACKET ec_point_format_list;
172
173 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
174 || PACKET_remaining(&ec_point_format_list) == 0) {
175 *al = SSL_AD_DECODE_ERROR;
176 return 0;
177 }
178
179 if (!s->hit) {
180 if (!PACKET_memdup(&ec_point_format_list,
181 &s->session->ext.ecpointformats,
182 &s->session->ext.ecpointformats_len)) {
183 *al = SSL_AD_INTERNAL_ERROR;
184 return 0;
185 }
186 }
187
188 return 1;
189 }
190 #endif /* OPENSSL_NO_EC */
191
192 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
193 X509 *x, size_t chainidx, int *al)
194 {
195 if (s->ext.session_ticket_cb &&
196 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
197 PACKET_remaining(pkt),
198 s->ext.session_ticket_cb_arg)) {
199 *al = SSL_AD_INTERNAL_ERROR;
200 return 0;
201 }
202
203 return 1;
204 }
205
206 int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
207 size_t chainidx, int *al)
208 {
209 PACKET supported_sig_algs;
210
211 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
212 || PACKET_remaining(&supported_sig_algs) == 0) {
213 *al = SSL_AD_DECODE_ERROR;
214 return 0;
215 }
216
217 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs)) {
218 *al = SSL_AD_DECODE_ERROR;
219 return 0;
220 }
221
222 return 1;
223 }
224
225 #ifndef OPENSSL_NO_OCSP
226 int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
227 X509 *x, size_t chainidx, int *al)
228 {
229 PACKET responder_id_list, exts;
230
231 /* Not defined if we get one of these in a client Certificate */
232 if (x != NULL)
233 return 1;
234
235 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
236 *al = SSL_AD_DECODE_ERROR;
237 return 0;
238 }
239
240 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
241 /*
242 * We don't know what to do with any other type so ignore it.
243 */
244 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
245 return 1;
246 }
247
248 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
249 *al = SSL_AD_DECODE_ERROR;
250 return 0;
251 }
252
253 /*
254 * We remove any OCSP_RESPIDs from a previous handshake
255 * to prevent unbounded memory growth - CVE-2016-6304
256 */
257 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
258 if (PACKET_remaining(&responder_id_list) > 0) {
259 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
260 if (s->ext.ocsp.ids == NULL) {
261 *al = SSL_AD_INTERNAL_ERROR;
262 return 0;
263 }
264 } else {
265 s->ext.ocsp.ids = NULL;
266 }
267
268 while (PACKET_remaining(&responder_id_list) > 0) {
269 OCSP_RESPID *id;
270 PACKET responder_id;
271 const unsigned char *id_data;
272
273 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
274 || PACKET_remaining(&responder_id) == 0) {
275 *al = SSL_AD_DECODE_ERROR;
276 return 0;
277 }
278
279 id_data = PACKET_data(&responder_id);
280 /* TODO(size_t): Convert d2i_* to size_t */
281 id = d2i_OCSP_RESPID(NULL, &id_data,
282 (int)PACKET_remaining(&responder_id));
283 if (id == NULL) {
284 *al = SSL_AD_DECODE_ERROR;
285 return 0;
286 }
287
288 if (id_data != PACKET_end(&responder_id)) {
289 OCSP_RESPID_free(id);
290 *al = SSL_AD_DECODE_ERROR;
291 return 0;
292 }
293
294 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
295 OCSP_RESPID_free(id);
296 *al = SSL_AD_INTERNAL_ERROR;
297 return 0;
298 }
299 }
300
301 /* Read in request_extensions */
302 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
303 *al = SSL_AD_DECODE_ERROR;
304 return 0;
305 }
306
307 if (PACKET_remaining(&exts) > 0) {
308 const unsigned char *ext_data = PACKET_data(&exts);
309
310 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
311 X509_EXTENSION_free);
312 s->ext.ocsp.exts =
313 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
314 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
315 *al = SSL_AD_DECODE_ERROR;
316 return 0;
317 }
318 }
319
320 return 1;
321 }
322 #endif
323
324 #ifndef OPENSSL_NO_NEXTPROTONEG
325 int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
326 size_t chainidx, int *al)
327 {
328 /*
329 * We shouldn't accept this extension on a
330 * renegotiation.
331 */
332 if (SSL_IS_FIRST_HANDSHAKE(s))
333 s->s3->npn_seen = 1;
334
335 return 1;
336 }
337 #endif
338
339 /*
340 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
341 * extension, not including type and length. |al| is a pointer to the alert
342 * value to send in the event of a failure. Returns: 1 on success, 0 on error.
343 */
344 int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
345 size_t chainidx, int *al)
346 {
347 PACKET protocol_list, save_protocol_list, protocol;
348
349 if (!SSL_IS_FIRST_HANDSHAKE(s))
350 return 1;
351
352 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
353 || PACKET_remaining(&protocol_list) < 2) {
354 *al = SSL_AD_DECODE_ERROR;
355 return 0;
356 }
357
358 save_protocol_list = protocol_list;
359 do {
360 /* Protocol names can't be empty. */
361 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
362 || PACKET_remaining(&protocol) == 0) {
363 *al = SSL_AD_DECODE_ERROR;
364 return 0;
365 }
366 } while (PACKET_remaining(&protocol_list) != 0);
367
368 OPENSSL_free(s->s3->alpn_proposed);
369 s->s3->alpn_proposed = NULL;
370 s->s3->alpn_proposed_len = 0;
371 if (!PACKET_memdup(&save_protocol_list,
372 &s->s3->alpn_proposed, &s->s3->alpn_proposed_len)) {
373 *al = SSL_AD_INTERNAL_ERROR;
374 return 0;
375 }
376
377 return 1;
378 }
379
380 #ifndef OPENSSL_NO_SRTP
381 int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
382 size_t chainidx, int *al)
383 {
384 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
385 unsigned int ct, mki_len, id;
386 int i, srtp_pref;
387 PACKET subpkt;
388
389 /* Ignore this if we have no SRTP profiles */
390 if (SSL_get_srtp_profiles(s) == NULL)
391 return 1;
392
393 /* Pull off the length of the cipher suite list and check it is even */
394 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
395 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
396 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
397 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
398 *al = SSL_AD_DECODE_ERROR;
399 return 0;
400 }
401
402 srvr = SSL_get_srtp_profiles(s);
403 s->srtp_profile = NULL;
404 /* Search all profiles for a match initially */
405 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
406
407 while (PACKET_remaining(&subpkt)) {
408 if (!PACKET_get_net_2(&subpkt, &id)) {
409 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
410 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
411 *al = SSL_AD_DECODE_ERROR;
412 return 0;
413 }
414
415 /*
416 * Only look for match in profiles of higher preference than
417 * current match.
418 * If no profiles have been have been configured then this
419 * does nothing.
420 */
421 for (i = 0; i < srtp_pref; i++) {
422 SRTP_PROTECTION_PROFILE *sprof =
423 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
424
425 if (sprof->id == id) {
426 s->srtp_profile = sprof;
427 srtp_pref = i;
428 break;
429 }
430 }
431 }
432
433 /* Now extract the MKI value as a sanity check, but discard it for now */
434 if (!PACKET_get_1(pkt, &mki_len)) {
435 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP,
436 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
437 *al = SSL_AD_DECODE_ERROR;
438 return 0;
439 }
440
441 if (!PACKET_forward(pkt, mki_len)
442 || PACKET_remaining(pkt)) {
443 SSLerr(SSL_F_TLS_PARSE_CTOS_USE_SRTP, SSL_R_BAD_SRTP_MKI_VALUE);
444 *al = SSL_AD_DECODE_ERROR;
445 return 0;
446 }
447
448 return 1;
449 }
450 #endif
451
452 int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
453 size_t chainidx, int *al)
454 {
455 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
456 s->ext.use_etm = 1;
457
458 return 1;
459 }
460
461 /*
462 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
463 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
464 * If a failure occurs then |*al| is set to an appropriate alert value.
465 */
466 int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
467 X509 *x, size_t chainidx, int *al)
468 {
469 #ifndef OPENSSL_NO_TLS1_3
470 PACKET psk_kex_modes;
471 unsigned int mode;
472
473 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
474 || PACKET_remaining(&psk_kex_modes) == 0) {
475 *al = SSL_AD_DECODE_ERROR;
476 return 0;
477 }
478
479 while (PACKET_get_1(&psk_kex_modes, &mode)) {
480 if (mode == TLSEXT_KEX_MODE_KE_DHE)
481 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
482 else if (mode == TLSEXT_KEX_MODE_KE
483 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
484 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
485 }
486 #endif
487
488 return 1;
489 }
490
491 /*
492 * Process a key_share extension received in the ClientHello. |pkt| contains
493 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
494 * If a failure occurs then |*al| is set to an appropriate alert value.
495 */
496 int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
497 size_t chainidx, int *al)
498 {
499 #ifndef OPENSSL_NO_TLS1_3
500 unsigned int group_id;
501 PACKET key_share_list, encoded_pt;
502 const uint16_t *clntgroups, *srvrgroups;
503 size_t clnt_num_groups, srvr_num_groups;
504 int found = 0;
505
506 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
507 return 1;
508
509 /* Sanity check */
510 if (s->s3->peer_tmp != NULL) {
511 *al = SSL_AD_INTERNAL_ERROR;
512 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
513 return 0;
514 }
515
516 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
517 *al = SSL_AD_DECODE_ERROR;
518 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
519 return 0;
520 }
521
522 /* Get our list of supported groups */
523 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
524 /* Get the clients list of supported groups. */
525 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
526 if (clnt_num_groups == 0) {
527 /*
528 * This can only happen if the supported_groups extension was not sent,
529 * because we verify that the length is non-zero when we process that
530 * extension.
531 */
532 *al = SSL_AD_MISSING_EXTENSION;
533 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
534 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
535 return 0;
536 }
537
538 while (PACKET_remaining(&key_share_list) > 0) {
539 if (!PACKET_get_net_2(&key_share_list, &group_id)
540 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
541 || PACKET_remaining(&encoded_pt) == 0) {
542 *al = SSL_AD_DECODE_ERROR;
543 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
544 SSL_R_LENGTH_MISMATCH);
545 return 0;
546 }
547
548 /*
549 * If we already found a suitable key_share we loop through the
550 * rest to verify the structure, but don't process them.
551 */
552 if (found)
553 continue;
554
555 /* Check if this share is in supported_groups sent from client */
556 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
557 *al = SSL_AD_ILLEGAL_PARAMETER;
558 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
559 return 0;
560 }
561
562 /* Check if this share is for a group we can use */
563 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
564 /* Share not suitable */
565 continue;
566 }
567
568 if ((s->s3->peer_tmp = ssl_generate_param_group(group_id)) == NULL) {
569 *al = SSL_AD_INTERNAL_ERROR;
570 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
571 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
572 return 0;
573 }
574
575 s->s3->group_id = group_id;
576
577 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
578 PACKET_data(&encoded_pt),
579 PACKET_remaining(&encoded_pt))) {
580 *al = SSL_AD_ILLEGAL_PARAMETER;
581 SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_ECPOINT);
582 return 0;
583 }
584
585 found = 1;
586 }
587 #endif
588
589 return 1;
590 }
591
592 #ifndef OPENSSL_NO_EC
593 int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
594 X509 *x, size_t chainidx, int *al)
595 {
596 PACKET supported_groups_list;
597
598 /* Each group is 2 bytes and we must have at least 1. */
599 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
600 || PACKET_remaining(&supported_groups_list) == 0
601 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
602 *al = SSL_AD_DECODE_ERROR;
603 return 0;
604 }
605
606 if (!s->hit || SSL_IS_TLS13(s)) {
607 OPENSSL_free(s->session->ext.supportedgroups);
608 s->session->ext.supportedgroups = NULL;
609 s->session->ext.supportedgroups_len = 0;
610 if (!tls1_save_u16(&supported_groups_list,
611 &s->session->ext.supportedgroups,
612 &s->session->ext.supportedgroups_len)) {
613 *al = SSL_AD_INTERNAL_ERROR;
614 return 0;
615 }
616 }
617
618 return 1;
619 }
620 #endif
621
622 int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
623 size_t chainidx, int *al)
624 {
625 /* The extension must always be empty */
626 if (PACKET_remaining(pkt) != 0) {
627 *al = SSL_AD_DECODE_ERROR;
628 return 0;
629 }
630
631 s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS;
632
633 return 1;
634 }
635
636
637 int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
638 X509 *x, size_t chainidx, int *al)
639 {
640 if (PACKET_remaining(pkt) != 0) {
641 *al = SSL_AD_DECODE_ERROR;
642 return 0;
643 }
644
645 if (s->hello_retry_request) {
646 *al = SSL_AD_ILLEGAL_PARAMETER;
647 return 0;
648 }
649
650 return 1;
651 }
652
653 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
654 size_t chainidx, int *al)
655 {
656 PACKET identities, binders, binder;
657 size_t binderoffset, hashsize;
658 SSL_SESSION *sess = NULL;
659 unsigned int id, i, ext = 0;
660 const EVP_MD *md = NULL;
661
662 /*
663 * If we have no PSK kex mode that we recognise then we can't resume so
664 * ignore this extension
665 */
666 if ((s->ext.psk_kex_mode
667 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
668 return 1;
669
670 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
671 *al = SSL_AD_DECODE_ERROR;
672 return 0;
673 }
674
675 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
676 PACKET identity;
677 unsigned long ticket_agel;
678
679 if (!PACKET_get_length_prefixed_2(&identities, &identity)
680 || !PACKET_get_net_4(&identities, &ticket_agel)) {
681 *al = SSL_AD_DECODE_ERROR;
682 return 0;
683 }
684
685 if (s->psk_find_session_cb != NULL
686 && !s->psk_find_session_cb(s, PACKET_data(&identity),
687 PACKET_remaining(&identity),
688 &sess)) {
689 *al = SSL_AD_INTERNAL_ERROR;
690 return 0;
691 }
692
693 if (sess != NULL) {
694 /* We found a PSK */
695 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
696
697 if (sesstmp == NULL) {
698 *al = SSL_AD_INTERNAL_ERROR;
699 return 0;
700 }
701 SSL_SESSION_free(sess);
702 sess = sesstmp;
703
704 /*
705 * We've just been told to use this session for this context so
706 * make sure the sid_ctx matches up.
707 */
708 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
709 sess->sid_ctx_length = s->sid_ctx_length;
710 ext = 1;
711 if (id == 0)
712 s->ext.early_data_ok = 1;
713 } else {
714 uint32_t ticket_age = 0, now, agesec, agems;
715 int ret = tls_decrypt_ticket(s, PACKET_data(&identity),
716 PACKET_remaining(&identity), NULL, 0,
717 &sess);
718
719 if (ret == TICKET_FATAL_ERR_MALLOC
720 || ret == TICKET_FATAL_ERR_OTHER) {
721 *al = SSL_AD_INTERNAL_ERROR;
722 return 0;
723 }
724 if (ret == TICKET_NO_DECRYPT)
725 continue;
726
727 ticket_age = (uint32_t)ticket_agel;
728 now = (uint32_t)time(NULL);
729 agesec = now - (uint32_t)sess->time;
730 agems = agesec * (uint32_t)1000;
731 ticket_age -= sess->ext.tick_age_add;
732
733 /*
734 * For simplicity we do our age calculations in seconds. If the
735 * client does it in ms then it could appear that their ticket age
736 * is longer than ours (our ticket age calculation should always be
737 * slightly longer than the client's due to the network latency).
738 * Therefore we add 1000ms to our age calculation to adjust for
739 * rounding errors.
740 */
741 if (id == 0
742 && sess->timeout >= (long)agesec
743 && agems / (uint32_t)1000 == agesec
744 && ticket_age <= agems + 1000
745 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
746 /*
747 * Ticket age is within tolerance and not expired. We allow it
748 * for early data
749 */
750 s->ext.early_data_ok = 1;
751 }
752 }
753
754 md = ssl_md(sess->cipher->algorithm2);
755 if (md != ssl_md(s->s3->tmp.new_cipher->algorithm2)) {
756 /* The ciphersuite is not compatible with this session. */
757 SSL_SESSION_free(sess);
758 sess = NULL;
759 s->ext.early_data_ok = 0;
760 continue;
761 }
762 break;
763 }
764
765 if (sess == NULL)
766 return 1;
767
768 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
769 hashsize = EVP_MD_size(md);
770
771 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
772 *al = SSL_AD_DECODE_ERROR;
773 goto err;
774 }
775
776 for (i = 0; i <= id; i++) {
777 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
778 *al = SSL_AD_DECODE_ERROR;
779 goto err;
780 }
781 }
782
783 if (PACKET_remaining(&binder) != hashsize
784 || tls_psk_do_binder(s, md,
785 (const unsigned char *)s->init_buf->data,
786 binderoffset, PACKET_data(&binder), NULL,
787 sess, 0, ext) != 1) {
788 *al = SSL_AD_DECODE_ERROR;
789 SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
790 goto err;
791 }
792
793 sess->ext.tick_identity = id;
794
795 SSL_SESSION_free(s->session);
796 s->session = sess;
797 return 1;
798 err:
799 SSL_SESSION_free(sess);
800 return 0;
801 }
802
803 /*
804 * Add the server's renegotiation binding
805 */
806 EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
807 unsigned int context, X509 *x,
808 size_t chainidx, int *al)
809 {
810 if (!s->s3->send_connection_binding)
811 return EXT_RETURN_NOT_SENT;
812
813 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
814 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
815 || !WPACKET_start_sub_packet_u16(pkt)
816 || !WPACKET_start_sub_packet_u8(pkt)
817 || !WPACKET_memcpy(pkt, s->s3->previous_client_finished,
818 s->s3->previous_client_finished_len)
819 || !WPACKET_memcpy(pkt, s->s3->previous_server_finished,
820 s->s3->previous_server_finished_len)
821 || !WPACKET_close(pkt)
822 || !WPACKET_close(pkt)) {
823 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
824 return EXT_RETURN_FAIL;
825 }
826
827 return EXT_RETURN_SENT;
828 }
829
830 EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
831 unsigned int context, X509 *x,
832 size_t chainidx, int *al)
833 {
834 if (s->hit || s->servername_done != 1
835 || s->session->ext.hostname == NULL)
836 return EXT_RETURN_NOT_SENT;
837
838 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
839 || !WPACKET_put_bytes_u16(pkt, 0)) {
840 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
841 return EXT_RETURN_FAIL;
842 }
843
844 return EXT_RETURN_SENT;
845 }
846
847 #ifndef OPENSSL_NO_EC
848 EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
849 unsigned int context, X509 *x,
850 size_t chainidx, int *al)
851 {
852 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
853 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
854 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
855 && (s->session->ext.ecpointformats != NULL);
856 const unsigned char *plist;
857 size_t plistlen;
858
859 if (!using_ecc)
860 return EXT_RETURN_NOT_SENT;
861
862 tls1_get_formatlist(s, &plist, &plistlen);
863 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
864 || !WPACKET_start_sub_packet_u16(pkt)
865 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
866 || !WPACKET_close(pkt)) {
867 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
868 return EXT_RETURN_FAIL;
869 }
870
871 return EXT_RETURN_SENT;
872 }
873 #endif
874
875 #ifndef OPENSSL_NO_EC
876 EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
877 unsigned int context, X509 *x,
878 size_t chainidx, int *al)
879 {
880 const uint16_t *groups;
881 size_t numgroups, i, first = 1;
882
883 /* s->s3->group_id is non zero if we accepted a key_share */
884 if (s->s3->group_id == 0)
885 return EXT_RETURN_NOT_SENT;
886
887 /* Get our list of supported groups */
888 tls1_get_supported_groups(s, &groups, &numgroups);
889 if (numgroups == 0) {
890 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
891 return EXT_RETURN_FAIL;
892 }
893
894 /* Copy group ID if supported */
895 for (i = 0; i < numgroups; i++) {
896 uint16_t group = groups[i];
897
898 if (tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
899 if (first) {
900 /*
901 * Check if the client is already using our preferred group. If
902 * so we don't need to add this extension
903 */
904 if (s->s3->group_id == group)
905 return EXT_RETURN_NOT_SENT;
906
907 /* Add extension header */
908 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
909 /* Sub-packet for supported_groups extension */
910 || !WPACKET_start_sub_packet_u16(pkt)
911 || !WPACKET_start_sub_packet_u16(pkt)) {
912 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
913 ERR_R_INTERNAL_ERROR);
914 return EXT_RETURN_FAIL;
915 }
916
917 first = 0;
918 }
919 if (!WPACKET_put_bytes_u16(pkt, group)) {
920 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
921 ERR_R_INTERNAL_ERROR);
922 return EXT_RETURN_FAIL;
923 }
924 }
925 }
926
927 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
928 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
929 return EXT_RETURN_FAIL;
930 }
931
932 return EXT_RETURN_SENT;
933 }
934 #endif
935
936 EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
937 unsigned int context, X509 *x,
938 size_t chainidx, int *al)
939 {
940 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
941 s->ext.ticket_expected = 0;
942 return EXT_RETURN_NOT_SENT;
943 }
944
945 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
946 || !WPACKET_put_bytes_u16(pkt, 0)) {
947 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
948 return EXT_RETURN_FAIL;
949 }
950
951 return EXT_RETURN_SENT;
952 }
953
954 #ifndef OPENSSL_NO_OCSP
955 EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
956 unsigned int context, X509 *x,
957 size_t chainidx, int *al)
958 {
959 if (!s->ext.status_expected)
960 return EXT_RETURN_NOT_SENT;
961
962 if (SSL_IS_TLS13(s) && chainidx != 0)
963 return EXT_RETURN_NOT_SENT;
964
965 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
966 || !WPACKET_start_sub_packet_u16(pkt)) {
967 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
968 return EXT_RETURN_FAIL;
969 }
970
971 /*
972 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
973 * send back an empty extension, with the certificate status appearing as a
974 * separate message
975 */
976 if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
977 || !WPACKET_close(pkt)) {
978 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
979 return EXT_RETURN_FAIL;
980 }
981
982 return EXT_RETURN_SENT;
983 }
984 #endif
985
986 #ifndef OPENSSL_NO_NEXTPROTONEG
987 EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
988 unsigned int context, X509 *x,
989 size_t chainidx, int *al)
990 {
991 const unsigned char *npa;
992 unsigned int npalen;
993 int ret;
994 int npn_seen = s->s3->npn_seen;
995
996 s->s3->npn_seen = 0;
997 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
998 return EXT_RETURN_NOT_SENT;
999
1000 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1001 s->ctx->ext.npn_advertised_cb_arg);
1002 if (ret == SSL_TLSEXT_ERR_OK) {
1003 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1004 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
1005 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
1006 ERR_R_INTERNAL_ERROR);
1007 return EXT_RETURN_FAIL;
1008 }
1009 s->s3->npn_seen = 1;
1010 }
1011
1012 return EXT_RETURN_SENT;
1013 }
1014 #endif
1015
1016 EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
1017 X509 *x, size_t chainidx, int *al)
1018 {
1019 if (s->s3->alpn_selected == NULL)
1020 return EXT_RETURN_NOT_SENT;
1021
1022 if (!WPACKET_put_bytes_u16(pkt,
1023 TLSEXT_TYPE_application_layer_protocol_negotiation)
1024 || !WPACKET_start_sub_packet_u16(pkt)
1025 || !WPACKET_start_sub_packet_u16(pkt)
1026 || !WPACKET_sub_memcpy_u8(pkt, s->s3->alpn_selected,
1027 s->s3->alpn_selected_len)
1028 || !WPACKET_close(pkt)
1029 || !WPACKET_close(pkt)) {
1030 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
1031 return EXT_RETURN_FAIL;
1032 }
1033
1034 return EXT_RETURN_SENT;
1035 }
1036
1037 #ifndef OPENSSL_NO_SRTP
1038 EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1039 unsigned int context, X509 *x,
1040 size_t chainidx, int *al)
1041 {
1042 if (s->srtp_profile == NULL)
1043 return EXT_RETURN_NOT_SENT;
1044
1045 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1046 || !WPACKET_start_sub_packet_u16(pkt)
1047 || !WPACKET_put_bytes_u16(pkt, 2)
1048 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1049 || !WPACKET_put_bytes_u8(pkt, 0)
1050 || !WPACKET_close(pkt)) {
1051 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
1052 return EXT_RETURN_FAIL;
1053 }
1054
1055 return EXT_RETURN_SENT;
1056 }
1057 #endif
1058
1059 EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
1060 X509 *x, size_t chainidx, int *al)
1061 {
1062 if (!s->ext.use_etm)
1063 return EXT_RETURN_NOT_SENT;
1064
1065 /*
1066 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1067 * for other cases too.
1068 */
1069 if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
1070 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
1071 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
1072 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
1073 s->ext.use_etm = 0;
1074 return EXT_RETURN_NOT_SENT;
1075 }
1076
1077 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1078 || !WPACKET_put_bytes_u16(pkt, 0)) {
1079 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
1080 return EXT_RETURN_FAIL;
1081 }
1082
1083 return EXT_RETURN_SENT;
1084 }
1085
1086 EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
1087 X509 *x, size_t chainidx, int *al)
1088 {
1089 if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
1090 return EXT_RETURN_NOT_SENT;
1091
1092 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1093 || !WPACKET_put_bytes_u16(pkt, 0)) {
1094 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
1095 return EXT_RETURN_FAIL;
1096 }
1097
1098 return EXT_RETURN_SENT;
1099 }
1100
1101 EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1102 unsigned int context, X509 *x,
1103 size_t chainidx, int *al)
1104 {
1105 #ifndef OPENSSL_NO_TLS1_3
1106 unsigned char *encodedPoint;
1107 size_t encoded_pt_len = 0;
1108 EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL;
1109
1110 if (ckey == NULL) {
1111 /* No key_share received from client */
1112 if (s->hello_retry_request) {
1113 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1114 || !WPACKET_start_sub_packet_u16(pkt)
1115 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)
1116 || !WPACKET_close(pkt)) {
1117 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
1118 ERR_R_INTERNAL_ERROR);
1119 return EXT_RETURN_FAIL;
1120 }
1121
1122 return EXT_RETURN_SENT;
1123 }
1124
1125 /* Must be resuming. */
1126 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
1127 *al = SSL_AD_INTERNAL_ERROR;
1128 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1129 return EXT_RETURN_FAIL;
1130 }
1131 return EXT_RETURN_NOT_SENT;
1132 }
1133
1134 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1135 || !WPACKET_start_sub_packet_u16(pkt)
1136 || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
1137 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1138 return EXT_RETURN_FAIL;
1139 }
1140
1141 skey = ssl_generate_pkey(ckey);
1142 if (skey == NULL) {
1143 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
1144 return EXT_RETURN_FAIL;
1145 }
1146
1147 /* Generate encoding of server key */
1148 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
1149 if (encoded_pt_len == 0) {
1150 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
1151 EVP_PKEY_free(skey);
1152 return EXT_RETURN_FAIL;
1153 }
1154
1155 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1156 || !WPACKET_close(pkt)) {
1157 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1158 EVP_PKEY_free(skey);
1159 OPENSSL_free(encodedPoint);
1160 return EXT_RETURN_FAIL;
1161 }
1162 OPENSSL_free(encodedPoint);
1163
1164 /* This causes the crypto state to be updated based on the derived keys */
1165 s->s3->tmp.pkey = skey;
1166 if (ssl_derive(s, skey, ckey, 1) == 0) {
1167 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
1168 return EXT_RETURN_FAIL;
1169 }
1170 #endif
1171
1172 return EXT_RETURN_SENT;
1173 }
1174
1175 EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1176 unsigned int context, X509 *x,
1177 size_t chainidx, int *al)
1178 {
1179 const unsigned char cryptopro_ext[36] = {
1180 0xfd, 0xe8, /* 65000 */
1181 0x00, 0x20, /* 32 bytes length */
1182 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1183 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1184 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1185 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1186 };
1187
1188 if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
1189 && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
1190 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
1191 return EXT_RETURN_NOT_SENT;
1192
1193 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
1194 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
1195 return EXT_RETURN_FAIL;
1196 }
1197
1198 return EXT_RETURN_SENT;
1199 }
1200
1201 EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1202 unsigned int context, X509 *x,
1203 size_t chainidx, int *al)
1204 {
1205 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
1206 if (s->max_early_data == 0)
1207 return EXT_RETURN_NOT_SENT;
1208
1209 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1210 || !WPACKET_start_sub_packet_u16(pkt)
1211 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1212 || !WPACKET_close(pkt)) {
1213 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1214 return EXT_RETURN_FAIL;
1215 }
1216
1217 return EXT_RETURN_SENT;
1218 }
1219
1220 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
1221 return EXT_RETURN_NOT_SENT;
1222
1223 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1224 || !WPACKET_start_sub_packet_u16(pkt)
1225 || !WPACKET_close(pkt)) {
1226 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
1227 return EXT_RETURN_FAIL;
1228 }
1229
1230 return EXT_RETURN_SENT;
1231 }
1232
1233 EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
1234 X509 *x, size_t chainidx, int *al)
1235 {
1236 if (!s->hit)
1237 return EXT_RETURN_NOT_SENT;
1238
1239 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1240 || !WPACKET_start_sub_packet_u16(pkt)
1241 || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
1242 || !WPACKET_close(pkt)) {
1243 SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
1244 return EXT_RETURN_FAIL;
1245 }
1246
1247 return EXT_RETURN_SENT;
1248 }
A mirror of the official openssl repository