Move the extensions context codes into the public API

                                         STACK_OF(SSL_CIPHER) *peer_ciphers,

                                         const SSL_CIPHER **cipher, void *arg);

/* Extension context codes */

/* This extension is only allowed in TLS */

#define SSL_EXT_TLS_ONLY                        0x0001

/* This extension is only allowed in DTLS */

#define SSL_EXT_DTLS_ONLY                       0x0002

/* Some extensions may be allowed in DTLS but we don't implement them for it */

#define SSL_EXT_TLS_IMPLEMENTATION_ONLY         0x0004

/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */

#define SSL_EXT_SSL3_ALLOWED                    0x0008

/* Extension is only defined for TLS1.2 and above */

#define SSL_EXT_TLS1_2_AND_BELOW_ONLY           0x0010

/* Extension is only defined for TLS1.3 and above */

#define SSL_EXT_TLS1_3_ONLY                     0x0020

#define SSL_EXT_CLIENT_HELLO                    0x0040

/* Really means TLS1.2 or below */

#define SSL_EXT_TLS1_2_SERVER_HELLO             0x0080

#define SSL_EXT_TLS1_3_SERVER_HELLO             0x0100

#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS     0x0200

#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST      0x0400

#define SSL_EXT_TLS1_3_CERTIFICATE              0x0800

#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET       0x1000

#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST      0x2000

/* Typedefs for handling custom extensions */

typedef int (*custom_ext_add_cb) (SSL *s, unsigned int ext_type,

    TICKET_RETURN r;

    if (SSL_IS_TLS13(s)) {

        if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes, EXT_CLIENT_HELLO,

                                 hello->pre_proc_exts, NULL, 0, al)

                || !tls_parse_extension(s, TLSEXT_IDX_psk, EXT_CLIENT_HELLO,

        if (!tls_parse_extension(s, TLSEXT_IDX_psk_kex_modes,

                                 SSL_EXT_CLIENT_HELLO, hello->pre_proc_exts,

                                 NULL, 0, al)

                || !tls_parse_extension(s, TLSEXT_IDX_psk, SSL_EXT_CLIENT_HELLO,

                                        hello->pre_proc_exts, NULL, 0, al))

            return -1;

static const EXTENSION_DEFINITION ext_defs[] = {

    {

        TLSEXT_TYPE_renegotiate,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_SSL3_ALLOWED

        | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_SSL3_ALLOWED | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        NULL, tls_parse_ctos_renegotiate, tls_parse_stoc_renegotiate,

        tls_construct_stoc_renegotiate, tls_construct_ctos_renegotiate,

        final_renegotiate

    },

    {

        TLSEXT_TYPE_server_name,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO

        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,

        init_server_name,

        tls_parse_ctos_server_name, tls_parse_stoc_server_name,

        tls_construct_stoc_server_name, tls_construct_ctos_server_name,

#ifndef OPENSSL_NO_SRP

    {

        TLSEXT_TYPE_srp,

        EXT_CLIENT_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        init_srp, tls_parse_ctos_srp, NULL, NULL, tls_construct_ctos_srp, NULL

    },

#else

#ifndef OPENSSL_NO_EC

    {

        TLSEXT_TYPE_ec_point_formats,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,

        tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,

        final_ec_pt_formats

    },

    {

        TLSEXT_TYPE_supported_groups,

        EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,

        NULL, tls_parse_ctos_supported_groups, NULL,

        NULL /* TODO(TLS1.3): Need to add this */,

        tls_construct_ctos_supported_groups, NULL

#endif

    {

        TLSEXT_TYPE_session_ticket,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        init_session_ticket, tls_parse_ctos_session_ticket,

        tls_parse_stoc_session_ticket, tls_construct_stoc_session_ticket,

        tls_construct_ctos_session_ticket, NULL

    },

    {

        TLSEXT_TYPE_signature_algorithms,

        EXT_CLIENT_HELLO | EXT_TLS1_3_CERTIFICATE_REQUEST,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,

        init_sig_algs, tls_parse_ctos_sig_algs,

        tls_parse_ctos_sig_algs, tls_construct_ctos_sig_algs,

        tls_construct_ctos_sig_algs, final_sig_algs

#ifndef OPENSSL_NO_OCSP

    {

        TLSEXT_TYPE_status_request,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO

        | EXT_TLS1_3_CERTIFICATE,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_3_CERTIFICATE,

        init_status_request, tls_parse_ctos_status_request,

        tls_parse_stoc_status_request, tls_construct_stoc_status_request,

        tls_construct_ctos_status_request, NULL

#ifndef OPENSSL_NO_NEXTPROTONEG

    {

        TLSEXT_TYPE_next_proto_neg,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        init_npn, tls_parse_ctos_npn, tls_parse_stoc_npn,

        tls_construct_stoc_next_proto_neg, tls_construct_ctos_npn, NULL

    },

         * happens after server_name callbacks

         */

        TLSEXT_TYPE_application_layer_protocol_negotiation,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO

        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,

        init_alpn, tls_parse_ctos_alpn, tls_parse_stoc_alpn,

        tls_construct_stoc_alpn, tls_construct_ctos_alpn, final_alpn

    },

#ifndef OPENSSL_NO_SRTP

    {

        TLSEXT_TYPE_use_srtp,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO

        | EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_DTLS_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_DTLS_ONLY,

        init_srtp, tls_parse_ctos_use_srtp, tls_parse_stoc_use_srtp,

        tls_construct_stoc_use_srtp, tls_construct_ctos_use_srtp, NULL

    },

#endif

    {

        TLSEXT_TYPE_encrypt_then_mac,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY | EXT_SSL3_ALLOWED,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,

        tls_construct_stoc_etm, tls_construct_ctos_etm, NULL

    },

#ifndef OPENSSL_NO_CT

    {

        TLSEXT_TYPE_signed_certificate_timestamp,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO

        | EXT_TLS1_3_CERTIFICATE,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_3_CERTIFICATE,

        NULL,

        /*

         * No server side support for this, but can be provided by a custom

#endif

    {

        TLSEXT_TYPE_extended_master_secret,

        EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO

        | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        init_ems, tls_parse_ctos_ems, tls_parse_stoc_ems,

        tls_construct_stoc_ems, tls_construct_ctos_ems, final_ems

    },

    {

        TLSEXT_TYPE_supported_versions,

        EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY

        | SSL_EXT_TLS1_3_ONLY,

        NULL,

        /* Processed inline as part of version selection */

        NULL, NULL, NULL, tls_construct_ctos_supported_versions, NULL

    },

    {

        TLSEXT_TYPE_psk_kex_modes,

        EXT_CLIENT_HELLO | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY

        | SSL_EXT_TLS1_3_ONLY,

        init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL,

        tls_construct_ctos_psk_kex_modes, NULL

    },

         * been parsed before we do this one.

         */

        TLSEXT_TYPE_key_share,

        EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO

        | EXT_TLS1_3_HELLO_RETRY_REQUEST | EXT_TLS_IMPLEMENTATION_ONLY

        | EXT_TLS1_3_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO

        | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY

        | SSL_EXT_TLS1_3_ONLY,

        NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share,

        tls_construct_stoc_key_share, tls_construct_ctos_key_share,

        final_key_share

#endif

    {

        TLSEXT_TYPE_cookie,

        EXT_CLIENT_HELLO | EXT_TLS1_3_HELLO_RETRY_REQUEST

        | EXT_TLS_IMPLEMENTATION_ONLY | EXT_TLS1_3_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST

        | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,

        NULL, NULL, tls_parse_stoc_cookie, NULL, tls_construct_ctos_cookie,

        NULL

    },

         * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set

         */

        TLSEXT_TYPE_cryptopro_bug,

        EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,

        SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,

        NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL

    },

    {

        TLSEXT_TYPE_early_data,

        EXT_CLIENT_HELLO | EXT_TLS1_3_ENCRYPTED_EXTENSIONS

        | EXT_TLS1_3_NEW_SESSION_TICKET,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS

        | SSL_EXT_TLS1_3_NEW_SESSION_TICKET,

        NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data,

        tls_construct_stoc_early_data, tls_construct_ctos_early_data,

        final_early_data

    },

    {

        TLSEXT_TYPE_certificate_authorities,

        EXT_CLIENT_HELLO | EXT_TLS1_3_CERTIFICATE_REQUEST | EXT_TLS1_3_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST

        | SSL_EXT_TLS1_3_ONLY,

        init_certificate_authorities,

        tls_parse_certificate_authorities, tls_parse_certificate_authorities,

        tls_construct_certificate_authorities,

    {

        /* Must be immediately before pre_shared_key */

        TLSEXT_TYPE_padding,

        EXT_CLIENT_HELLO,

        SSL_EXT_CLIENT_HELLO,

        NULL,

        /* We send this, but don't read it */

        NULL, NULL, NULL, tls_construct_ctos_padding, NULL

    {

        /* Required by the TLSv1.3 spec to always be the last extension */

        TLSEXT_TYPE_psk,

        EXT_CLIENT_HELLO | EXT_TLS1_3_SERVER_HELLO | EXT_TLS_IMPLEMENTATION_ONLY

        | EXT_TLS1_3_ONLY,

        SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO

        | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY,

        NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk,

        tls_construct_ctos_psk, NULL

    }

                return 0;

            if (SSL_IS_DTLS(s)) {

                if ((thisext->context & EXT_TLS_ONLY) != 0)

                if ((thisext->context & SSL_EXT_TLS_ONLY) != 0)

                    return 0;

            } else if ((thisext->context & EXT_DTLS_ONLY) != 0) {

            } else if ((thisext->context & SSL_EXT_DTLS_ONLY) != 0) {

                    return 0;

            }

        }

    }

    if ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) == 0) {

    if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) == 0) {

        /*

         * Custom extensions only apply to <=TLS1.2. This extension is unknown

         * in this context - we allow it

                                 unsigned int thisctx)

{

    if ((SSL_IS_DTLS(s)

                && (extctx & EXT_TLS_IMPLEMENTATION_ONLY) != 0)

                && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0)

            || (s->version == SSL3_VERSION

                    && (extctx & EXT_SSL3_ALLOWED) == 0)

                    && (extctx & SSL_EXT_SSL3_ALLOWED) == 0)

            || (SSL_IS_TLS13(s)

                && (extctx & EXT_TLS1_2_AND_BELOW_ONLY) != 0)

            || (!SSL_IS_TLS13(s) && (extctx & EXT_TLS1_3_ONLY) != 0))

                && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0)

            || (!SSL_IS_TLS13(s) && (extctx & SSL_EXT_TLS1_3_ONLY) != 0))

        return 0;

    return 1;

     * Initialise server side custom extensions. Client side is done during

     * construction of extensions for the ClientHello.

     */

    if ((context & EXT_CLIENT_HELLO) != 0) {

    if ((context & SSL_EXT_CLIENT_HELLO) != 0) {

        exts = &s->cert->srv_ext;

        custom_ext_init(&s->cert->srv_ext);

    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {

    } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {

        exts = &s->cert->cli_ext;

    }

        if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)

                || (thisex != NULL && thisex->present == 1)

                || (type == TLSEXT_TYPE_psk

                    && (context & EXT_CLIENT_HELLO) != 0

                    && (context & SSL_EXT_CLIENT_HELLO) != 0

                    && PACKET_remaining(&extensions) != 0)) {

            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);

            *al = SSL_AD_ILLEGAL_PARAMETER;

     */

    if ((!s->hit || !s->server)

            && (context

                & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0

                & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0

            && custom_ext_parse(s, s->server, currext->type,

                                PACKET_data(&currext->data),

                                PACKET_remaining(&currext->data),

    const EXTENSION_DEFINITION *thisexd;

    /* Calculate the number of extensions in the extensions list */

    if ((context & EXT_CLIENT_HELLO) != 0) {

    if ((context & SSL_EXT_CLIENT_HELLO) != 0) {

        numexts += s->cert->srv_ext.meths_count;

    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {

    } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {

        numexts += s->cert->cli_ext.meths_count;

    }

                * If extensions are of zero length then we don't even add the

                * extensions length bytes to a ClientHello/ServerHello in SSLv3

                */

            || ((context & (EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO)) != 0

            || ((context &

                 (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0

                && s->version == SSL3_VERSION

                && !WPACKET_set_flags(pkt,

                                     WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH))) {

        goto err;

    }

    if ((context & EXT_CLIENT_HELLO) != 0) {

    if ((context & SSL_EXT_CLIENT_HELLO) != 0) {

        reason = ssl_get_client_min_max_version(s, &min_version, &max_version);

        if (reason != 0) {

            SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);

    }

    /* Add custom extensions first */

    if ((context & EXT_CLIENT_HELLO) != 0) {

    if ((context & SSL_EXT_CLIENT_HELLO) != 0) {

        custom_ext_init(&s->cert->cli_ext);

        addcustom = 1;

    } else if ((context & EXT_TLS1_2_SERVER_HELLO) != 0) {

    } else if ((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0) {

        /*

         * We already initialised the custom extensions during ClientHello

         * parsing.

        /* Check if this extension is defined for our protocol. If not, skip */

        if ((SSL_IS_DTLS(s)

                    && (thisexd->context & EXT_TLS_IMPLEMENTATION_ONLY)

                    && (thisexd->context & SSL_EXT_TLS_IMPLEMENTATION_ONLY)

                       != 0)

                || (s->version == SSL3_VERSION

                        && (thisexd->context & EXT_SSL3_ALLOWED) == 0)

                        && (thisexd->context & SSL_EXT_SSL3_ALLOWED) == 0)

                || (SSL_IS_TLS13(s)

                    && (thisexd->context & EXT_TLS1_2_AND_BELOW_ONLY)

                    && (thisexd->context & SSL_EXT_TLS1_2_AND_BELOW_ONLY)

                       != 0)

                || (!SSL_IS_TLS13(s)

                    && (thisexd->context & EXT_TLS1_3_ONLY) != 0

                    && (context & EXT_CLIENT_HELLO) == 0)

                || ((thisexd->context & EXT_TLS1_3_ONLY) != 0

                    && (context & EXT_CLIENT_HELLO) != 0

                    && (thisexd->context & SSL_EXT_TLS1_3_ONLY) != 0

                    && (context & SSL_EXT_CLIENT_HELLO) == 0)

                || ((thisexd->context & SSL_EXT_TLS1_3_ONLY) != 0

                    && (context & SSL_EXT_CLIENT_HELLO) != 0

                    && (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION))

                || construct == NULL)

            continue;

        return 0;

    }

    if ((context & EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {

    if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {

        unsigned const char *pcurves = NULL;

        size_t i, num_curves;

int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,

                              X509 *x, size_t chainidx, int *al)

{

    if (context == EXT_TLS1_3_NEW_SESSION_TICKET) {

    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {

        unsigned long max_early_data;

        if (!PACKET_get_net_4(pkt, &max_early_data)

int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,

                                  X509 *x, size_t chainidx, int *al)

{

    if (context == EXT_TLS1_3_NEW_SESSION_TICKET) {

    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {

        if (s->max_early_data == 0)

            return 1;