Lines Matching +full:s +full:-

2  * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
16 EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_renegotiate() argument
20 if (!s->renegotiate) { in tls_construct_ctos_renegotiate()
27 if (!SSL_CONNECTION_IS_DTLS(s) in tls_construct_ctos_renegotiate()
28 && (s->min_proto_version >= TLS1_3_VERSION in tls_construct_ctos_renegotiate()
29 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) in tls_construct_ctos_renegotiate()
30 && s->min_proto_version <= TLS1_VERSION))) { in tls_construct_ctos_renegotiate()
43 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_renegotiate()
53 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished, in tls_construct_ctos_renegotiate()
54 s->s3.previous_client_finished_len) in tls_construct_ctos_renegotiate()
56 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_renegotiate()
63 EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_server_name() argument
67 if (s->ext.hostname == NULL) in tls_construct_ctos_server_name()
72 /* Sub-packet for server_name extension */ in tls_construct_ctos_server_name()
74 /* Sub-packet for servername list (always 1 hostname)*/ in tls_construct_ctos_server_name()
77 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname, in tls_construct_ctos_server_name()
78 strlen(s->ext.hostname)) in tls_construct_ctos_server_name()
81 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_server_name()
89 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_maxfragmentlen() argument
93 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED) in tls_construct_ctos_maxfragmentlen()
97 /*- in tls_construct_ctos_maxfragmentlen()
102 /* Sub-packet for Max Fragment Length extension (1 byte) */ in tls_construct_ctos_maxfragmentlen()
104 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode) in tls_construct_ctos_maxfragmentlen()
106 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_maxfragmentlen()
114 EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_srp() argument
119 if (s->srp_ctx.login == NULL) in tls_construct_ctos_srp()
123 /* Sub-packet for SRP extension */ in tls_construct_ctos_srp()
128 || !WPACKET_memcpy(pkt, s->srp_ctx.login, in tls_construct_ctos_srp()
129 strlen(s->srp_ctx.login)) in tls_construct_ctos_srp()
132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_srp()
140 static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version) in use_ecc() argument
147 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in use_ecc()
150 if (s->version == SSL3_VERSION) in use_ecc()
158 alg_k = c->algorithm_mkey; in use_ecc()
159 alg_a = c->algorithm_auth; in use_ecc()
162 || c->min_tls >= TLS1_3_VERSION) { in use_ecc()
172 tls1_get_supported_groups(s, &pgroups, &num_groups); in use_ecc()
176 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL) in use_ecc()
177 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) in use_ecc()
184 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_ec_pt_formats() argument
192 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); in tls_construct_ctos_ec_pt_formats()
194 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); in tls_construct_ctos_ec_pt_formats()
197 if (!use_ecc(s, min_version, max_version)) in tls_construct_ctos_ec_pt_formats()
201 tls1_get_formatlist(s, &pformats, &num_formats); in tls_construct_ctos_ec_pt_formats()
204 /* Sub-packet for formats extension */ in tls_construct_ctos_ec_pt_formats()
208 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_ec_pt_formats()
215 EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_supported_groups() argument
223 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); in tls_construct_ctos_supported_groups()
225 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); in tls_construct_ctos_supported_groups()
233 if (!use_ecc(s, min_version, max_version) in tls_construct_ctos_supported_groups()
234 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)) in tls_construct_ctos_supported_groups()
240 tls1_get_supported_groups(s, &pgroups, &num_groups); in tls_construct_ctos_supported_groups()
243 /* Sub-packet for supported_groups extension */ in tls_construct_ctos_supported_groups()
247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_supported_groups()
255 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13) in tls_construct_ctos_supported_groups()
256 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { in tls_construct_ctos_supported_groups()
258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_supported_groups()
268 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, in tls_construct_ctos_supported_groups()
271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_supported_groups()
276 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, in tls_construct_ctos_supported_groups()
284 EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_session_ticket() argument
290 if (!tls_use_ticket(s)) in tls_construct_ctos_session_ticket()
293 if (!s->new_session && s->session != NULL in tls_construct_ctos_session_ticket()
294 && s->session->ext.tick != NULL in tls_construct_ctos_session_ticket()
295 && s->session->ssl_version != TLS1_3_VERSION) { in tls_construct_ctos_session_ticket()
296 ticklen = s->session->ext.ticklen; in tls_construct_ctos_session_ticket()
297 } else if (s->session && s->ext.session_ticket != NULL in tls_construct_ctos_session_ticket()
298 && s->ext.session_ticket->data != NULL) { in tls_construct_ctos_session_ticket()
299 ticklen = s->ext.session_ticket->length; in tls_construct_ctos_session_ticket()
300 s->session->ext.tick = OPENSSL_malloc(ticklen); in tls_construct_ctos_session_ticket()
301 if (s->session->ext.tick == NULL) { in tls_construct_ctos_session_ticket()
302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_session_ticket()
305 memcpy(s->session->ext.tick, in tls_construct_ctos_session_ticket()
306 s->ext.session_ticket->data, ticklen); in tls_construct_ctos_session_ticket()
307 s->session->ext.ticklen = ticklen; in tls_construct_ctos_session_ticket()
312 if (ticklen == 0 && s->ext.session_ticket != NULL && in tls_construct_ctos_session_ticket()
313 s->ext.session_ticket->data == NULL) in tls_construct_ctos_session_ticket()
317 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) { in tls_construct_ctos_session_ticket()
318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_session_ticket()
325 EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_sig_algs() argument
337 if (!SSL_CONNECTION_IS_DTLS(s)) { in tls_construct_ctos_sig_algs()
338 if (s->client_version < TLS1_2_VERSION in tls_construct_ctos_sig_algs()
339 || (s->ssl.method->version != TLS_ANY_VERSION in tls_construct_ctos_sig_algs()
340 && s->version < TLS1_2_VERSION)) in tls_construct_ctos_sig_algs()
343 if (DTLS_VERSION_LT(s->client_version, DTLS1_2_VERSION) in tls_construct_ctos_sig_algs()
344 || (s->ssl.method->version != DTLS_ANY_VERSION in tls_construct_ctos_sig_algs()
345 && DTLS_VERSION_LT(s->version, DTLS1_2_VERSION))) in tls_construct_ctos_sig_algs()
349 salglen = tls12_get_psigalgs(s, 1, &salg); in tls_construct_ctos_sig_algs()
351 /* Sub-packet for sig-algs extension */ in tls_construct_ctos_sig_algs()
353 /* Sub-packet for the actual list */ in tls_construct_ctos_sig_algs()
355 || !tls12_copy_sigalgs(s, pkt, salg, salglen) in tls_construct_ctos_sig_algs()
358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_sig_algs()
366 EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_status_request() argument
376 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) in tls_construct_ctos_status_request()
380 /* Sub-packet for status request extension */ in tls_construct_ctos_status_request()
383 /* Sub-packet for the ids */ in tls_construct_ctos_status_request()
385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_status_request()
388 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) { in tls_construct_ctos_status_request()
390 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i); in tls_construct_ctos_status_request()
394 /* Sub-packet for an individual id */ in tls_construct_ctos_status_request()
397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_status_request()
403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_status_request()
406 if (s->ext.ocsp.exts) { in tls_construct_ctos_status_request()
408 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL); in tls_construct_ctos_status_request()
411 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_status_request()
415 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes) in tls_construct_ctos_status_request()
417 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_status_request()
422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_status_request()
431 EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_npn() argument
435 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL in tls_construct_ctos_npn()
436 || !SSL_IS_FIRST_HANDSHAKE(s)) in tls_construct_ctos_npn()
445 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_npn()
453 EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_alpn() argument
457 s->s3.alpn_sent = 0; in tls_construct_ctos_alpn()
459 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s)) in tls_construct_ctos_alpn()
464 /* Sub-packet ALPN extension */ in tls_construct_ctos_alpn()
466 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len) in tls_construct_ctos_alpn()
468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_alpn()
471 s->s3.alpn_sent = 1; in tls_construct_ctos_alpn()
478 EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_use_srtp() argument
482 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_construct_ctos_use_srtp()
490 /* Sub-packet for SRTP extension */ in tls_construct_ctos_use_srtp()
492 /* Sub-packet for the protection profile list */ in tls_construct_ctos_use_srtp()
494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_use_srtp()
503 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) { in tls_construct_ctos_use_srtp()
504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_use_srtp()
512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_use_srtp()
520 EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_etm() argument
524 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) in tls_construct_ctos_etm()
529 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_etm()
537 EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_sct() argument
541 if (s->ct_validation_callback == NULL) in tls_construct_ctos_sct()
550 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_sct()
558 EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_ems() argument
562 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) in tls_construct_ctos_ems()
567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_ems()
574 EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_supported_versions() argument
580 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); in tls_construct_ctos_supported_versions()
582 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason); in tls_construct_ctos_supported_versions()
596 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_supported_versions()
600 for (currv = max_version; currv >= min_version; currv--) { in tls_construct_ctos_supported_versions()
602 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_supported_versions()
607 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_supported_versions()
617 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_psk_kex_modes() argument
622 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; in tls_construct_ctos_psk_kex_modes()
631 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_psk_kex_modes()
635 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE; in tls_construct_ctos_psk_kex_modes()
637 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE; in tls_construct_ctos_psk_kex_modes()
644 static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int group_id, size_t loop_num) in add_key_share() argument
650 if (loop_num < s->s3.tmp.num_ks_pkey) { in add_key_share()
651 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING) in add_key_share()
652 || !ossl_assert(s->s3.tmp.ks_pkey[loop_num] != NULL)) { in add_key_share()
653 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in add_key_share()
659 key_share_key = s->s3.tmp.ks_pkey[loop_num]; in add_key_share()
661 key_share_key = ssl_generate_pkey_group(s, group_id); in add_key_share()
672 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in add_key_share()
679 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in add_key_share()
685 s->s3.tmp.pkey = key_share_key; in add_key_share()
686 s->s3.group_id = group_id; in add_key_share()
689 s->s3.tmp.ks_pkey[loop_num] = key_share_key; in add_key_share()
690 s->s3.tmp.ks_group_id[loop_num] = group_id; in add_key_share()
691 if (loop_num >= s->s3.tmp.num_ks_pkey) in add_key_share()
692 s->s3.tmp.num_ks_pkey++; in add_key_share()
698 if (key_share_key != s->s3.tmp.ks_pkey[loop_num]) in add_key_share()
705 EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_key_share() argument
718 /* Extension data sub-packet */ in tls_construct_ctos_key_share()
720 /* KeyShare list sub-packet */ in tls_construct_ctos_key_share()
722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_key_share()
726 tls1_get_requested_keyshare_groups(s, &pgroups, &num_groups); in tls_construct_ctos_key_share()
728 tls1_get_supported_groups(s, &pgroups, &num_groups); in tls_construct_ctos_key_share()
732 /* If neither the default nor the keyshares have any entry --> fatal */ in tls_construct_ctos_key_share()
734 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); in tls_construct_ctos_key_share()
740 if (s->s3.group_id != 0 && s->s3.tmp.pkey == NULL) { in tls_construct_ctos_key_share()
742 group_id = s->s3.group_id; in tls_construct_ctos_key_share()
743 s->s3.tmp.num_ks_pkey = 0; in tls_construct_ctos_key_share()
744 if (!add_key_share(s, pkt, group_id, 0)) { in tls_construct_ctos_key_share()
750 if (s->ext.supportedgroups == NULL) /* use default */ in tls_construct_ctos_key_share()
754 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) in tls_construct_ctos_key_share()
756 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, in tls_construct_ctos_key_share()
763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); in tls_construct_ctos_key_share()
766 if (!add_key_share(s, pkt, group_id, valid_keyshare)) { in tls_construct_ctos_key_share()
778 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE); in tls_construct_ctos_key_share()
783 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_key_share()
792 EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_cookie() argument
799 if (s->ext.tls13_cookie_len == 0) in tls_construct_ctos_cookie()
803 /* Extension data sub-packet */ in tls_construct_ctos_cookie()
805 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie, in tls_construct_ctos_cookie()
806 s->ext.tls13_cookie_len) in tls_construct_ctos_cookie()
808 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_cookie()
814 OPENSSL_free(s->ext.tls13_cookie); in tls_construct_ctos_cookie()
815 s->ext.tls13_cookie = NULL; in tls_construct_ctos_cookie()
816 s->ext.tls13_cookie_len = 0; in tls_construct_ctos_cookie()
821 EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_early_data() argument
833 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); in tls_construct_ctos_early_data()
835 if (s->hello_retry_request == SSL_HRR_PENDING) in tls_construct_ctos_early_data()
836 handmd = ssl_handshake_md(s); in tls_construct_ctos_early_data()
838 if (s->psk_use_session_cb != NULL in tls_construct_ctos_early_data()
839 && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess) in tls_construct_ctos_early_data()
841 && psksess->ssl_version != TLS1_3_VERSION))) { in tls_construct_ctos_early_data()
843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); in tls_construct_ctos_early_data()
848 if (psksess == NULL && s->psk_client_callback != NULL) { in tls_construct_ctos_early_data()
853 psklen = s->psk_client_callback(ussl, NULL, in tls_construct_ctos_early_data()
854 identity, sizeof(identity) - 1, in tls_construct_ctos_early_data()
858 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
866 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
875 cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), in tls_construct_ctos_early_data()
878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
896 SSL_SESSION_free(s->psksession); in tls_construct_ctos_early_data()
897 s->psksession = psksess; in tls_construct_ctos_early_data()
899 OPENSSL_free(s->psksession_id); in tls_construct_ctos_early_data()
900 s->psksession_id = OPENSSL_memdup(id, idlen); in tls_construct_ctos_early_data()
901 if (s->psksession_id == NULL) { in tls_construct_ctos_early_data()
902 s->psksession_id_len = 0; in tls_construct_ctos_early_data()
903 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
906 s->psksession_id_len = idlen; in tls_construct_ctos_early_data()
909 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING in tls_construct_ctos_early_data()
910 || (s->session->ext.max_early_data == 0 in tls_construct_ctos_early_data()
911 && (psksess == NULL || psksess->ext.max_early_data == 0))) { in tls_construct_ctos_early_data()
912 s->max_early_data = 0; in tls_construct_ctos_early_data()
915 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess; in tls_construct_ctos_early_data()
916 s->max_early_data = edsess->ext.max_early_data; in tls_construct_ctos_early_data()
918 if (edsess->ext.hostname != NULL) { in tls_construct_ctos_early_data()
919 if (s->ext.hostname == NULL in tls_construct_ctos_early_data()
920 || (s->ext.hostname != NULL in tls_construct_ctos_early_data()
921 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) { in tls_construct_ctos_early_data()
922 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_construct_ctos_early_data()
928 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) { in tls_construct_ctos_early_data()
929 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN); in tls_construct_ctos_early_data()
937 if (edsess->ext.alpn_selected != NULL) { in tls_construct_ctos_early_data()
941 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) { in tls_construct_ctos_early_data()
942 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
946 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected, in tls_construct_ctos_early_data()
947 edsess->ext.alpn_selected_len)) { in tls_construct_ctos_early_data()
953 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_construct_ctos_early_data()
962 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_early_data()
970 s->ext.early_data = SSL_EARLY_DATA_REJECTED; in tls_construct_ctos_early_data()
971 s->ext.early_data_ok = 1; in tls_construct_ctos_early_data()
993 EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_padding() argument
1000 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0) in tls_construct_ctos_padding()
1010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_padding()
1018 if (s->session->ssl_version == TLS1_3_VERSION in tls_construct_ctos_padding()
1019 && s->session->ext.ticklen != 0 in tls_construct_ctos_padding()
1020 && s->session->cipher != NULL) { in tls_construct_ctos_padding()
1021 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), in tls_construct_ctos_padding()
1022 s->session->cipher->algorithm2); in tls_construct_ctos_padding()
1033 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen in tls_construct_ctos_padding()
1040 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen; in tls_construct_ctos_padding()
1049 hlen -= 4; in tls_construct_ctos_padding()
1055 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_padding()
1067 EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_psk() argument
1078 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_ctos_psk()
1081 s->ext.tick_identity = 0; in tls_construct_ctos_psk()
1093 if (s->session->ssl_version != TLS1_3_VERSION in tls_construct_ctos_psk()
1094 || (s->session->ext.ticklen == 0 && s->psksession == NULL)) in tls_construct_ctos_psk()
1097 if (s->hello_retry_request == SSL_HRR_PENDING) in tls_construct_ctos_psk()
1098 handmd = ssl_handshake_md(s); in tls_construct_ctos_psk()
1100 if (s->session->ext.ticklen != 0) { in tls_construct_ctos_psk()
1102 if (s->session->cipher == NULL) { in tls_construct_ctos_psk()
1103 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_psk()
1106 mdres = ssl_md(sctx, s->session->cipher->algorithm2); in tls_construct_ctos_psk()
1115 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) { in tls_construct_ctos_psk()
1131 t = ossl_time_subtract(ossl_time_now(), s->session->time); in tls_construct_ctos_psk()
1135 * rounding errors we could overestimate the age by up to 1s. It is in tls_construct_ctos_psk()
1138 * bigger than the age calculated on the server - which should never in tls_construct_ctos_psk()
1142 agesec--; in tls_construct_ctos_psk()
1144 if (s->session->ext.tick_lifetime_hint < agesec) { in tls_construct_ctos_psk()
1167 agems += s->session->ext.tick_age_add; in tls_construct_ctos_psk()
1172 s->ext.tick_identity++; in tls_construct_ctos_psk()
1177 if (!dores && s->psksession == NULL) in tls_construct_ctos_psk()
1180 if (s->psksession != NULL) { in tls_construct_ctos_psk()
1181 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2); in tls_construct_ctos_psk()
1185 * If this happens it's an application bug. in tls_construct_ctos_psk()
1187 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); in tls_construct_ctos_psk()
1191 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) { in tls_construct_ctos_psk()
1196 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); in tls_construct_ctos_psk()
1202 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); in tls_construct_ctos_psk()
1211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_psk()
1216 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, in tls_construct_ctos_psk()
1217 s->session->ext.ticklen) in tls_construct_ctos_psk()
1219 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_psk()
1224 if (s->psksession != NULL) { in tls_construct_ctos_psk()
1225 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id, in tls_construct_ctos_psk()
1226 s->psksession_id_len) in tls_construct_ctos_psk()
1228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_psk()
1231 s->ext.tick_identity++; in tls_construct_ctos_psk()
1239 || (s->psksession != NULL in tls_construct_ctos_psk()
1245 * We need to fill in all the sub-packet lengths now so we can in tls_construct_ctos_psk()
1249 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_psk()
1253 msgstart = WPACKET_get_curr(pkt) - msglen; in tls_construct_ctos_psk()
1256 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL, in tls_construct_ctos_psk()
1257 resbinder, s->session, 1, 0) != 1) { in tls_construct_ctos_psk()
1262 if (s->psksession != NULL in tls_construct_ctos_psk()
1263 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL, in tls_construct_ctos_psk()
1264 pskbinder, s->psksession, 1, 1) != 1) { in tls_construct_ctos_psk()
1275 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt, in tls_construct_ctos_post_handshake_auth() argument
1281 if (!s->pha_enabled) in tls_construct_ctos_post_handshake_auth()
1284 /* construct extension - 0 length, no contents */ in tls_construct_ctos_post_handshake_auth()
1288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_ctos_post_handshake_auth()
1292 s->post_handshake_auth = SSL_PHA_EXT_SENT; in tls_construct_ctos_post_handshake_auth()
1302 * Parse the server's renegotiation binding and abort if it's not right
1304 int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_renegotiate() argument
1308 size_t expected_len = s->s3.previous_client_finished_len in tls_parse_stoc_renegotiate()
1309 + s->s3.previous_server_finished_len; in tls_parse_stoc_renegotiate()
1315 || s->s3.previous_client_finished_len != 0) in tls_parse_stoc_renegotiate()
1317 || s->s3.previous_server_finished_len != 0)) { in tls_parse_stoc_renegotiate()
1318 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_renegotiate()
1324 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); in tls_parse_stoc_renegotiate()
1330 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR); in tls_parse_stoc_renegotiate()
1336 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); in tls_parse_stoc_renegotiate()
1340 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len) in tls_parse_stoc_renegotiate()
1341 || memcmp(data, s->s3.previous_client_finished, in tls_parse_stoc_renegotiate()
1342 s->s3.previous_client_finished_len) != 0) { in tls_parse_stoc_renegotiate()
1343 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); in tls_parse_stoc_renegotiate()
1347 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len) in tls_parse_stoc_renegotiate()
1348 || memcmp(data, s->s3.previous_server_finished, in tls_parse_stoc_renegotiate()
1349 s->s3.previous_server_finished_len) != 0) { in tls_parse_stoc_renegotiate()
1350 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH); in tls_parse_stoc_renegotiate()
1353 s->s3.send_connection_binding = 1; in tls_parse_stoc_renegotiate()
1358 /* Parse the server's max fragment len extension packet */
1359 int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_maxfragmentlen() argument
1366 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_maxfragmentlen()
1370 /* |value| should contain a valid max-fragment-length code. */ in tls_parse_stoc_maxfragmentlen()
1372 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_parse_stoc_maxfragmentlen()
1377 /* Must be the same value as the client-configured one that was sent to the server */ in tls_parse_stoc_maxfragmentlen()
1378 /*- in tls_parse_stoc_maxfragmentlen()
1383 if (value != s->ext.max_fragment_len_mode) { in tls_parse_stoc_maxfragmentlen()
1384 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_parse_stoc_maxfragmentlen()
1393 s->session->ext.max_fragment_len_mode = value; in tls_parse_stoc_maxfragmentlen()
1398 int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_server_name() argument
1402 if (s->ext.hostname == NULL) { in tls_parse_stoc_server_name()
1403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_server_name()
1408 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_server_name()
1412 if (!s->hit) { in tls_parse_stoc_server_name()
1413 if (s->session->ext.hostname != NULL) { in tls_parse_stoc_server_name()
1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_server_name()
1417 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname); in tls_parse_stoc_server_name()
1418 if (s->session->ext.hostname == NULL) { in tls_parse_stoc_server_name()
1419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_server_name()
1427 int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_ec_pt_formats() argument
1435 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_ec_pt_formats()
1438 if (!s->hit) { in tls_parse_stoc_ec_pt_formats()
1441 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_parse_stoc_ec_pt_formats()
1445 s->ext.peer_ecpointformats_len = 0; in tls_parse_stoc_ec_pt_formats()
1446 OPENSSL_free(s->ext.peer_ecpointformats); in tls_parse_stoc_ec_pt_formats()
1447 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len); in tls_parse_stoc_ec_pt_formats()
1448 if (s->ext.peer_ecpointformats == NULL) { in tls_parse_stoc_ec_pt_formats()
1449 s->ext.peer_ecpointformats_len = 0; in tls_parse_stoc_ec_pt_formats()
1450 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_ec_pt_formats()
1454 s->ext.peer_ecpointformats_len = ecpointformats_len; in tls_parse_stoc_ec_pt_formats()
1457 s->ext.peer_ecpointformats, in tls_parse_stoc_ec_pt_formats()
1459 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_ec_pt_formats()
1467 int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_session_ticket() argument
1471 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); in tls_parse_stoc_session_ticket()
1473 if (s->ext.session_ticket_cb != NULL && in tls_parse_stoc_session_ticket()
1474 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), in tls_parse_stoc_session_ticket()
1476 s->ext.session_ticket_cb_arg)) { in tls_parse_stoc_session_ticket()
1477 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); in tls_parse_stoc_session_ticket()
1481 if (!tls_use_ticket(s)) { in tls_parse_stoc_session_ticket()
1482 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); in tls_parse_stoc_session_ticket()
1486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_session_ticket()
1490 s->ext.ticket_expected = 1; in tls_parse_stoc_session_ticket()
1496 int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_status_request() argument
1509 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { in tls_parse_stoc_status_request()
1510 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); in tls_parse_stoc_status_request()
1513 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { in tls_parse_stoc_status_request()
1514 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_status_request()
1518 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_parse_stoc_status_request()
1519 /* We only know how to handle this if it's for the first Certificate in in tls_parse_stoc_status_request()
1526 return tls_process_cert_status_body(s, pkt); in tls_parse_stoc_status_request()
1530 s->ext.status_expected = 1; in tls_parse_stoc_status_request()
1538 int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, in tls_parse_stoc_sct() argument
1547 * Only take it if we asked for it - i.e if there is no CT validation in tls_parse_stoc_sct()
1551 if (s->ct_validation_callback != NULL) { in tls_parse_stoc_sct()
1555 OPENSSL_free(s->ext.scts); in tls_parse_stoc_sct()
1556 s->ext.scts = NULL; in tls_parse_stoc_sct()
1558 s->ext.scts_len = (uint16_t)size; in tls_parse_stoc_sct()
1560 s->ext.scts = OPENSSL_malloc(size); in tls_parse_stoc_sct()
1561 if (s->ext.scts == NULL) { in tls_parse_stoc_sct()
1562 s->ext.scts_len = 0; in tls_parse_stoc_sct()
1563 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_parse_stoc_sct()
1566 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) { in tls_parse_stoc_sct()
1567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_sct()
1579 if (custom_ext_find(&s->cert->custext, role, in tls_parse_stoc_sct()
1582 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); in tls_parse_stoc_sct()
1586 if (!custom_ext_parse(s, context, in tls_parse_stoc_sct()
1606 static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt) in ssl_next_proto_validate() argument
1613 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in ssl_next_proto_validate()
1621 int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, in tls_parse_stoc_npn() argument
1627 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_parse_stoc_npn()
1630 if (!SSL_IS_FIRST_HANDSHAKE(s)) in tls_parse_stoc_npn()
1634 if (sctx->ext.npn_select_cb == NULL) { in tls_parse_stoc_npn()
1635 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); in tls_parse_stoc_npn()
1641 if (!ssl_next_proto_validate(s, &tmppkt)) { in tls_parse_stoc_npn()
1645 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_parse_stoc_npn()
1648 sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK in tls_parse_stoc_npn()
1650 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); in tls_parse_stoc_npn()
1655 * Could be non-NULL if server has sent multiple NPN extensions in in tls_parse_stoc_npn()
1658 OPENSSL_free(s->ext.npn); in tls_parse_stoc_npn()
1659 s->ext.npn = OPENSSL_malloc(selected_len); in tls_parse_stoc_npn()
1660 if (s->ext.npn == NULL) { in tls_parse_stoc_npn()
1661 s->ext.npn_len = 0; in tls_parse_stoc_npn()
1662 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_npn()
1666 memcpy(s->ext.npn, selected, selected_len); in tls_parse_stoc_npn()
1667 s->ext.npn_len = selected_len; in tls_parse_stoc_npn()
1668 s->s3.npn_seen = 1; in tls_parse_stoc_npn()
1674 int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, in tls_parse_stoc_alpn() argument
1682 if (!s->s3.alpn_sent) { in tls_parse_stoc_alpn()
1683 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); in tls_parse_stoc_alpn()
1686 /*- in tls_parse_stoc_alpn()
1695 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_alpn()
1700 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { in tls_parse_stoc_alpn()
1701 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_alpn()
1716 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_alpn()
1720 OPENSSL_free(s->s3.alpn_selected); in tls_parse_stoc_alpn()
1721 s->s3.alpn_selected = OPENSSL_malloc(len); in tls_parse_stoc_alpn()
1722 if (s->s3.alpn_selected == NULL) { in tls_parse_stoc_alpn()
1723 s->s3.alpn_selected_len = 0; in tls_parse_stoc_alpn()
1724 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_alpn()
1727 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) { in tls_parse_stoc_alpn()
1728 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_alpn()
1731 s->s3.alpn_selected_len = len; in tls_parse_stoc_alpn()
1733 if (s->session->ext.alpn_selected == NULL in tls_parse_stoc_alpn()
1734 || s->session->ext.alpn_selected_len != len in tls_parse_stoc_alpn()
1735 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len) in tls_parse_stoc_alpn()
1738 s->ext.early_data_ok = 0; in tls_parse_stoc_alpn()
1740 if (!s->hit) { in tls_parse_stoc_alpn()
1745 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { in tls_parse_stoc_alpn()
1746 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_alpn()
1749 s->session->ext.alpn_selected = in tls_parse_stoc_alpn()
1750 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); in tls_parse_stoc_alpn()
1751 if (s->session->ext.alpn_selected == NULL) { in tls_parse_stoc_alpn()
1752 s->session->ext.alpn_selected_len = 0; in tls_parse_stoc_alpn()
1753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_alpn()
1756 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; in tls_parse_stoc_alpn()
1763 int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_use_srtp() argument
1775 SSLfatal(s, SSL_AD_DECODE_ERROR, in tls_parse_stoc_use_srtp()
1782 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE); in tls_parse_stoc_use_srtp()
1787 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s)); in tls_parse_stoc_use_srtp()
1789 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES); in tls_parse_stoc_use_srtp()
1800 if (prof->id == id) { in tls_parse_stoc_use_srtp()
1801 s->srtp_profile = prof; in tls_parse_stoc_use_srtp()
1806 SSLfatal(s, SSL_AD_DECODE_ERROR, in tls_parse_stoc_use_srtp()
1812 int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, in tls_parse_stoc_etm() argument
1816 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) in tls_parse_stoc_etm()
1817 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD in tls_parse_stoc_etm()
1818 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4 in tls_parse_stoc_etm()
1819 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT in tls_parse_stoc_etm()
1820 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12 in tls_parse_stoc_etm()
1821 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA in tls_parse_stoc_etm()
1822 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK) in tls_parse_stoc_etm()
1823 s->ext.use_etm = 1; in tls_parse_stoc_etm()
1828 int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, in tls_parse_stoc_ems() argument
1831 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET) in tls_parse_stoc_ems()
1833 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS; in tls_parse_stoc_ems()
1834 if (!s->hit) in tls_parse_stoc_ems()
1835 s->session->flags |= SSL_SESS_FLAG_EXTMS; in tls_parse_stoc_ems()
1840 int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_supported_versions() argument
1848 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_parse_stoc_supported_versions()
1857 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_parse_stoc_supported_versions()
1867 s->version = version; in tls_parse_stoc_supported_versions()
1868 if (!ssl_set_record_protocol_version(s, version)) { in tls_parse_stoc_supported_versions()
1869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_supported_versions()
1876 int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_key_share() argument
1883 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; in tls_parse_stoc_key_share()
1889 if (ckey == NULL || s->s3.peer_tmp != NULL) { in tls_parse_stoc_key_share()
1890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_key_share()
1894 /* Which group ID does the server want -> group_id */ in tls_parse_stoc_key_share()
1896 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_parse_stoc_key_share()
1905 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_parse_stoc_key_share()
1913 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { in tls_parse_stoc_key_share()
1914 if (s->s3.tmp.ks_group_id[i] == group_id) { in tls_parse_stoc_key_share()
1915 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_parse_stoc_key_share()
1921 tls1_get_supported_groups(s, &pgroups, &num_groups); in tls_parse_stoc_key_share()
1927 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) in tls_parse_stoc_key_share()
1928 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, in tls_parse_stoc_key_share()
1930 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_parse_stoc_key_share()
1935 s->s3.group_id = group_id; in tls_parse_stoc_key_share()
1938 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { in tls_parse_stoc_key_share()
1939 if (s->s3.tmp.ks_pkey[i] != NULL) { in tls_parse_stoc_key_share()
1940 EVP_PKEY_free(s->s3.tmp.ks_pkey[i]); in tls_parse_stoc_key_share()
1941 s->s3.tmp.ks_pkey[i] = NULL; in tls_parse_stoc_key_share()
1944 s->s3.tmp.num_ks_pkey = 0; in tls_parse_stoc_key_share()
1945 s->s3.tmp.pkey = NULL; in tls_parse_stoc_key_share()
1954 for (i = 0; i < s->s3.tmp.num_ks_pkey; i++) { in tls_parse_stoc_key_share()
1955 if (s->s3.tmp.ks_group_id[i] == group_id) { in tls_parse_stoc_key_share()
1957 ckey = s->s3.tmp.ks_pkey[i]; in tls_parse_stoc_key_share()
1958 s->s3.group_id = group_id; in tls_parse_stoc_key_share()
1959 s->s3.tmp.pkey = ckey; in tls_parse_stoc_key_share()
1968 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_parse_stoc_key_share()
1972 if (!s->hit) { in tls_parse_stoc_key_share()
1973 s->session->kex_group = group_id; in tls_parse_stoc_key_share()
1974 } else if (group_id != s->session->kex_group) { in tls_parse_stoc_key_share()
1979 * a copy of the session to record the new information so that it's in tls_parse_stoc_key_share()
1985 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) { in tls_parse_stoc_key_share()
1986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_parse_stoc_key_share()
1989 SSL_SESSION_free(s->session); in tls_parse_stoc_key_share()
1990 s->session = new_sess; in tls_parse_stoc_key_share()
1991 s->session->kex_group = group_id; in tls_parse_stoc_key_share()
1994 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s), in tls_parse_stoc_key_share()
1996 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_parse_stoc_key_share()
2002 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_parse_stoc_key_share()
2006 if (!ginf->is_kem) { in tls_parse_stoc_key_share()
2010 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); in tls_parse_stoc_key_share()
2017 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); in tls_parse_stoc_key_share()
2022 if (ssl_derive(s, ckey, skey, 1) == 0) { in tls_parse_stoc_key_share()
2027 s->s3.peer_tmp = skey; in tls_parse_stoc_key_share()
2033 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) { in tls_parse_stoc_key_share()
2038 s->s3.did_kex = 1; in tls_parse_stoc_key_share()
2044 int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, in tls_parse_stoc_cookie() argument
2050 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie, in tls_parse_stoc_cookie()
2051 &s->ext.tls13_cookie_len)) { in tls_parse_stoc_cookie()
2052 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_parse_stoc_cookie()
2059 int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_early_data() argument
2068 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA); in tls_parse_stoc_early_data()
2072 s->session->ext.max_early_data = max_early_data; in tls_parse_stoc_early_data()
2074 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) { in tls_parse_stoc_early_data()
2082 * value in the same (non-zero) way. Otherwise we would have to in tls_parse_stoc_early_data()
2085 s->session->ext.max_early_data = 1; in tls_parse_stoc_early_data()
2086 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA); in tls_parse_stoc_early_data()
2094 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); in tls_parse_stoc_early_data()
2098 if (!s->ext.early_data_ok in tls_parse_stoc_early_data()
2099 || !s->hit) { in tls_parse_stoc_early_data()
2105 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); in tls_parse_stoc_early_data()
2109 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED; in tls_parse_stoc_early_data()
2114 int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt, in tls_parse_stoc_psk() argument
2122 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_parse_stoc_psk()
2126 if (identity >= (unsigned int)s->ext.tick_identity) { in tls_parse_stoc_psk()
2127 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY); in tls_parse_stoc_psk()
2136 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) { in tls_parse_stoc_psk()
2137 s->hit = 1; in tls_parse_stoc_psk()
2138 SSL_SESSION_free(s->psksession); in tls_parse_stoc_psk()
2139 s->psksession = NULL; in tls_parse_stoc_psk()
2143 if (s->psksession == NULL) { in tls_parse_stoc_psk()
2145 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_parse_stoc_psk()
2150 * If we used the external PSK for sending early_data then s->early_secret in tls_parse_stoc_psk()
2154 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY in tls_parse_stoc_psk()
2155 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) in tls_parse_stoc_psk()
2156 || s->session->ext.max_early_data > 0 in tls_parse_stoc_psk()
2157 || s->psksession->ext.max_early_data == 0) in tls_parse_stoc_psk()
2158 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE); in tls_parse_stoc_psk()
2160 SSL_SESSION_free(s->session); in tls_parse_stoc_psk()
2161 s->session = s->psksession; in tls_parse_stoc_psk()
2162 s->psksession = NULL; in tls_parse_stoc_psk()
2163 s->hit = 1; in tls_parse_stoc_psk()
2166 s->ext.early_data_ok = 0; in tls_parse_stoc_psk()
2176 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; in tls_construct_ctos_client_cert_type()
2177 if (sc->client_cert_type == NULL) in tls_construct_ctos_client_cert_type()
2182 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len) in tls_construct_ctos_client_cert_type()
2187 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; in tls_construct_ctos_client_cert_type()
2206 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { in tls_parse_stoc_client_cert_type()
2211 if (sc->client_cert_type == NULL) { in tls_parse_stoc_client_cert_type()
2216 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) { in tls_parse_stoc_client_cert_type()
2220 sc->ext.client_cert_type = type; in tls_parse_stoc_client_cert_type()
2228 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE; in tls_construct_ctos_server_cert_type()
2229 if (sc->server_cert_type == NULL) in tls_construct_ctos_server_cert_type()
2234 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len) in tls_construct_ctos_server_cert_type()
2239 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD; in tls_construct_ctos_server_cert_type()
2258 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) { in tls_parse_stoc_server_cert_type()
2263 if (sc->server_cert_type == NULL) { in tls_parse_stoc_server_cert_type()
2268 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) { in tls_parse_stoc_server_cert_type()
2272 sc->ext.server_cert_type = type; in tls_parse_stoc_server_cert_type()