Lines Matching full:s
15 EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt,
20 if (!s->renegotiate)
25 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
26 s->s3.previous_client_finished_len)
28 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
35 EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt,
39 if (s->ext.hostname == NULL)
49 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
50 strlen(s->ext.hostname))
53 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
61 EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL *s, WPACKET *pkt,
65 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
76 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
78 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
86 EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context,
90 if (s->srp_ctx.login == NULL)
99 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
100 strlen(s->srp_ctx.login))
103 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
111 static int use_ecc(SSL *s, int min_version, int max_version)
120 if (s->version == SSL3_VERSION)
123 cipher_stack = SSL_get1_supported_ciphers(s);
142 tls1_get_supported_groups(s, &pgroups, &num_groups);
146 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
147 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
154 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
162 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
167 if (!use_ecc(s, min_version, max_version))
171 tls1_get_formatlist(s, &pformats, &num_formats);
178 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
185 EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
193 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
203 if (!use_ecc(s, min_version, max_version)
204 && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))
210 tls1_get_supported_groups(s, &pgroups, &num_groups);
217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
225 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
226 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
238 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
246 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
254 EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
260 if (!tls_use_ticket(s))
263 if (!s->new_session && s->session != NULL
264 && s->session->ext.tick != NULL
265 && s->session->ssl_version != TLS1_3_VERSION) {
266 ticklen = s->session->ext.ticklen;
267 } else if (s->session && s->ext.session_ticket != NULL
268 && s->ext.session_ticket->data != NULL) {
269 ticklen = s->ext.session_ticket->length;
270 s->session->ext.tick = OPENSSL_malloc(ticklen);
271 if (s->session->ext.tick == NULL) {
272 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
275 memcpy(s->session->ext.tick,
276 s->ext.session_ticket->data, ticklen);
277 s->session->ext.ticklen = ticklen;
282 if (ticklen == 0 && s->ext.session_ticket != NULL &&
283 s->ext.session_ticket->data == NULL)
287 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
295 EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
302 if (!SSL_CLIENT_USE_SIGALGS(s))
305 salglen = tls12_get_psigalgs(s, 1, &salg);
311 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
322 EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
332 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
341 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
344 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
346 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
359 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
362 if (s->ext.ocsp.exts) {
364 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
367 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
371 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
387 EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
390 if (s->ctx->ext.npn_select_cb == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
399 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
407 EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
410 s->s3.alpn_sent = 0;
412 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
419 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
421 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424 s->s3.alpn_sent = 1;
431 EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt,
435 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(s);
446 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
456 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
464 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
472 EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
475 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
480 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
488 EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
491 if (s->ct_validation_callback == NULL)
500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
508 EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
511 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
523 EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
529 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
531 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
545 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
551 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
566 EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
571 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
580 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
584 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
586 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
593 static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
599 if (s->s3.tmp.pkey != NULL) {
600 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
601 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
607 key_share_key = s->s3.tmp.pkey;
609 key_share_key = ssl_generate_pkey_group(s, curve_id);
620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
636 s->s3.tmp.pkey = key_share_key;
637 s->s3.group_id = curve_id;
642 if (s->s3.tmp.pkey == NULL)
649 EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
668 tls1_get_supported_groups(s, &pgroups, &num_groups);
674 if (s->s3.group_id != 0) {
675 curve_id = s->s3.group_id;
679 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
682 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
692 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
696 if (!add_key_share(s, pkt, curve_id)) {
702 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
711 EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
717 if (s->ext.tls13_cookie_len == 0)
723 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
724 s->ext.tls13_cookie_len)
726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
732 OPENSSL_free(s->ext.tls13_cookie);
733 s->ext.tls13_cookie = NULL;
734 s->ext.tls13_cookie_len = 0;
739 EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
752 if (s->hello_retry_request == SSL_HRR_PENDING)
753 handmd = ssl_handshake_md(s);
755 if (s->psk_use_session_cb != NULL
756 && (!s->psk_use_session_cb(s, handmd, &id, &idlen, &psksess)
760 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
765 if (psksess == NULL && s->psk_client_callback != NULL) {
770 psklen = s->psk_client_callback(s, NULL, identity, sizeof(identity) - 1,
774 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
791 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
793 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
811 SSL_SESSION_free(s->psksession);
812 s->psksession = psksess;
814 OPENSSL_free(s->psksession_id);
815 s->psksession_id = OPENSSL_memdup(id, idlen);
816 if (s->psksession_id == NULL) {
817 s->psksession_id_len = 0;
818 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
821 s->psksession_id_len = idlen;
824 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
825 || (s->session->ext.max_early_data == 0
827 s->max_early_data = 0;
830 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
831 s->max_early_data = edsess->ext.max_early_data;
834 if (s->ext.hostname == NULL
835 || (s->ext.hostname != NULL
836 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
837 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
843 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
844 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
856 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
857 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
868 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
877 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
885 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
886 s->ext.early_data_ok = 1;
908 EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
915 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
925 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
933 if (s->session->ssl_version == TLS1_3_VERSION
934 && s->session->ext.ticklen != 0
935 && s->session->cipher != NULL) {
936 const EVP_MD *md = ssl_md(s->ctx, s->session->cipher->algorithm2);
943 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
965 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
977 EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
987 s->ext.tick_identity = 0;
999 if (s->session->ssl_version != TLS1_3_VERSION
1000 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
1003 if (s->hello_retry_request == SSL_HRR_PENDING)
1004 handmd = ssl_handshake_md(s);
1006 if (s->session->ext.ticklen != 0) {
1008 if (s->session->cipher == NULL) {
1009 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1012 mdres = ssl_md(s->ctx, s->session->cipher->algorithm2);
1021 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
1037 agesec = (uint32_t)(time(NULL) - s->session->time);
1040 * rounding errors we could overestimate the age by up to 1s. It is
1049 if (s->session->ext.tick_lifetime_hint < agesec) {
1072 agems += s->session->ext.tick_age_add;
1075 s->ext.tick_identity++;
1080 if (!dores && s->psksession == NULL)
1083 if (s->psksession != NULL) {
1084 mdpsk = ssl_md(s->ctx, s->psksession->cipher->algorithm2);
1088 * If this happens it's an application bug.
1090 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1094 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
1099 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
1110 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1115 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1116 s->session->ext.ticklen)
1118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1123 if (s->psksession != NULL) {
1124 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1125 s->psksession_id_len)
1127 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1130 s->ext.tick_identity++;
1138 || (s->psksession != NULL
1148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1155 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1156 resbinder, s->session, 1, 0) != 1) {
1161 if (s->psksession != NULL
1162 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
1163 pskbinder, s->psksession, 1, 1) != 1) {
1174 EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
1180 if (!s->pha_enabled)
1187 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1191 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1201 * Parse the server's renegotiation binding and abort if it's not right
1203 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
1206 size_t expected_len = s->s3.previous_client_finished_len
1207 + s->s3.previous_server_finished_len;
1213 || s->s3.previous_client_finished_len != 0)
1215 || s->s3.previous_server_finished_len != 0)) {
1216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1222 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1228 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
1234 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1238 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1239 || memcmp(data, s->s3.previous_client_finished,
1240 s->s3.previous_client_finished_len) != 0) {
1241 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1245 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1246 || memcmp(data, s->s3.previous_server_finished,
1247 s->s3.previous_server_finished_len) != 0) {
1248 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
1251 s->s3.send_connection_binding = 1;
1256 /* Parse the server's max fragment len extension packet */
1257 int tls_parse_stoc_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
1263 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1269 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1280 if (value != s->ext.max_fragment_len_mode) {
1281 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1290 s->session->ext.max_fragment_len_mode = value;
1295 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,
1298 if (s->ext.hostname == NULL) {
1299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1304 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1308 if (!s->hit) {
1309 if (s->session->ext.hostname != NULL) {
1310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1313 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1314 if (s->session->ext.hostname == NULL) {
1315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1323 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
1330 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1333 if (!s->hit) {
1336 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1340 s->ext.peer_ecpointformats_len = 0;
1341 OPENSSL_free(s->ext.peer_ecpointformats);
1342 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1343 if (s->ext.peer_ecpointformats == NULL) {
1344 s->ext.peer_ecpointformats_len = 0;
1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1349 s->ext.peer_ecpointformats_len = ecpointformats_len;
1352 s->ext.peer_ecpointformats,
1354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1362 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
1365 if (s->ext.session_ticket_cb != NULL &&
1366 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
1368 s->ext.session_ticket_cb_arg)) {
1369 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1373 if (!tls_use_ticket(s)) {
1374 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1378 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1382 s->ext.ticket_expected = 1;
1388 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
1400 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
1401 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1404 if (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
1405 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1409 if (SSL_IS_TLS13(s)) {
1410 /* We only know how to handle this if it's for the first Certificate in
1417 return tls_process_cert_status_body(s, pkt);
1421 s->ext.status_expected = 1;
1429 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1442 if (s->ct_validation_callback != NULL) {
1446 OPENSSL_free(s->ext.scts);
1447 s->ext.scts = NULL;
1449 s->ext.scts_len = (uint16_t)size;
1451 s->ext.scts = OPENSSL_malloc(size);
1452 if (s->ext.scts == NULL) {
1453 s->ext.scts_len = 0;
1454 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1457 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
1458 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1470 if (custom_ext_find(&s->cert->custext, role,
1473 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1477 if (!custom_ext_parse(s, context,
1497 static int ssl_next_proto_validate(SSL *s, PACKET *pkt)
1504 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1512 int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1520 if (!SSL_IS_FIRST_HANDSHAKE(s))
1524 if (s->ctx->ext.npn_select_cb == NULL) {
1525 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1531 if (!ssl_next_proto_validate(s, &tmppkt)) {
1535 if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
1538 s->ctx->ext.npn_select_cb_arg) !=
1541 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
1549 OPENSSL_free(s->ext.npn);
1550 s->ext.npn = OPENSSL_malloc(selected_len);
1551 if (s->ext.npn == NULL) {
1552 s->ext.npn_len = 0;
1553 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1557 memcpy(s->ext.npn, selected, selected_len);
1558 s->ext.npn_len = selected_len;
1559 s->s3.npn_seen = 1;
1565 int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1573 if (!s->s3.alpn_sent) {
1574 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
1586 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1591 if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
1592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1607 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1611 OPENSSL_free(s->s3.alpn_selected);
1612 s->s3.alpn_selected = OPENSSL_malloc(len);
1613 if (s->s3.alpn_selected == NULL) {
1614 s->s3.alpn_selected_len = 0;
1615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1618 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
1619 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1622 s->s3.alpn_selected_len = len;
1624 if (s->session->ext.alpn_selected == NULL
1625 || s->session->ext.alpn_selected_len != len
1626 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
1629 s->ext.early_data_ok = 0;
1631 if (!s->hit) {
1636 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
1637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1640 s->session->ext.alpn_selected =
1641 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
1642 if (s->session->ext.alpn_selected == NULL) {
1643 s->session->ext.alpn_selected_len = 0;
1644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1647 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
1654 int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1666 SSLfatal(s, SSL_AD_DECODE_ERROR,
1673 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
1678 clnt = SSL_get_srtp_profiles(s);
1680 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
1692 s->srtp_profile = prof;
1697 SSLfatal(s, SSL_AD_DECODE_ERROR,
1703 int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1707 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
1708 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
1709 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1710 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1711 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1712 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1713 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
1714 s->ext.use_etm = 1;
1719 int tls_parse_stoc_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1722 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1724 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
1725 if (!s->hit)
1726 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1731 int tls_parse_stoc_supported_versions(SSL *s, PACKET *pkt, unsigned int context,
1738 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1747 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1757 s->version = version;
1762 int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1768 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
1772 if (ckey == NULL || s->s3.peer_tmp != NULL) {
1773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1778 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1787 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1795 if (group_id == s->s3.group_id) {
1796 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1801 tls1_get_supported_groups(s, &pgroups, &num_groups);
1807 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
1808 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
1810 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1814 s->s3.group_id = group_id;
1815 EVP_PKEY_free(s->s3.tmp.pkey);
1816 s->s3.tmp.pkey = NULL;
1820 if (group_id != s->s3.group_id) {
1825 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1829 if (!s->hit) {
1830 s->session->kex_group = group_id;
1831 } else if (group_id != s->session->kex_group) {
1836 * a copy of the session to record the new information so that it's
1842 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
1843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1846 SSL_SESSION_free(s->session);
1847 s->session = new_sess;
1848 s->session->kex_group = group_id;
1851 if ((ginf = tls1_group_id_lookup(s->ctx, group_id)) == NULL) {
1852 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
1858 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1866 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
1873 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
1878 if (ssl_derive(s, ckey, skey, 1) == 0) {
1883 s->s3.peer_tmp = skey;
1889 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1894 s->s3.did_kex = 1;
1900 int tls_parse_stoc_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1906 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1907 &s->ext.tls13_cookie_len)) {
1908 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1915 int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
1923 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
1927 s->session->ext.max_early_data = max_early_data;
1933 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1937 if (!s->ext.early_data_ok
1938 || !s->hit) {
1944 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
1948 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
1953 int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
1960 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1964 if (identity >= (unsigned int)s->ext.tick_identity) {
1965 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
1974 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
1975 s->hit = 1;
1976 SSL_SESSION_free(s->psksession);
1977 s->psksession = NULL;
1981 if (s->psksession == NULL) {
1983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1988 * If we used the external PSK for sending early_data then s->early_secret
1992 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
1993 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
1994 || s->session->ext.max_early_data > 0
1995 || s->psksession->ext.max_early_data == 0)
1996 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
1998 SSL_SESSION_free(s->session);
1999 s->session = s->psksession;
2000 s->psksession = NULL;
2001 s->hit = 1;
2004 s->ext.early_data_ok = 0;