Fail if we receive a response to an extension that we didn't request

We already did this on an ad-hoc per extension basis (for some extensions). This centralises it and makes sure we do it for all extensions. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3418)

Fail if we receive a response to an extension that we didn't request
We already did this on an ad-hoc per extension basis (for some extensions). This centralises it and makes sure we do it for all extensions. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3418)
b186a592 · Matt Caswell · 7a94f5b0 · b186a592 · b186a592 · b186a592
6 changed file
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -686,6 +686,38 @@ typedef struct {
    RAW_EXTENSION *pre_proc_exts;
 } CLIENTHELLO_MSG;
+/*
+ * Extension index values NOTE: Any updates to these defines should be mirrored
+ * with equivalent updates to ext_defs in extensions.c
+ */
+typedef enum tlsext_index_en {
+    TLSEXT_IDX_renegotiate,
+    TLSEXT_IDX_server_name,
+    TLSEXT_IDX_srp,
+    TLSEXT_IDX_ec_point_formats,
+    TLSEXT_IDX_supported_groups,
+    TLSEXT_IDX_session_ticket,
+    TLSEXT_IDX_signature_algorithms,
+    TLSEXT_IDX_status_request,
+    TLSEXT_IDX_next_proto_neg,
+    TLSEXT_IDX_application_layer_protocol_negotiation,
+    TLSEXT_IDX_use_srtp,
+    TLSEXT_IDX_encrypt_then_mac,
+    TLSEXT_IDX_signed_certificate_timestamp,
+    TLSEXT_IDX_extended_master_secret,
+    TLSEXT_IDX_supported_versions,
+    TLSEXT_IDX_psk_kex_modes,
+    TLSEXT_IDX_key_share,
+    TLSEXT_IDX_cookie,
+    TLSEXT_IDX_cryptopro_bug,
+    TLSEXT_IDX_early_data,
+    TLSEXT_IDX_certificate_authorities,
+    TLSEXT_IDX_padding,
+    TLSEXT_IDX_psk,
+    /* Dummy index - must always be the last entry */
+    TLSEXT_IDX_num_builtins
+} TLSEXT_INDEX;
 DEFINE_LHASH_OF(SSL_SESSION);
 /* Needed in ssl_cert.c */
 DEFINE_LHASH_OF(X509_NAME);
@@ -1153,6 +1185,8 @@ struct ssl_st {
    size_t max_pipelines;
    struct {
+        /* Built-in extension flags */
+        uint8_t extflags[TLSEXT_IDX_num_builtins];
        /* TLS extension debug callback */
        void (*debug_cb)(SSL *s, int client_server, int type,
                         const unsigned char *data, int len, void *arg);
@@ -1813,36 +1847,6 @@ typedef enum downgrade_en {
    DOWNGRADE_TO_1_1
 } DOWNGRADE;
-/*
- * Extension index values NOTE: Any updates to these defines should be mirrored
- * with equivalent updates to ext_defs in extensions.c
- */
-typedef enum tlsext_index_en {
-    TLSEXT_IDX_renegotiate,
-    TLSEXT_IDX_server_name,
-    TLSEXT_IDX_srp,
-    TLSEXT_IDX_ec_point_formats,
-    TLSEXT_IDX_supported_groups,
-    TLSEXT_IDX_session_ticket,
-    TLSEXT_IDX_signature_algorithms,
-    TLSEXT_IDX_status_request,
-    TLSEXT_IDX_next_proto_neg,
-    TLSEXT_IDX_application_layer_protocol_negotiation,
-    TLSEXT_IDX_use_srtp,
-    TLSEXT_IDX_encrypt_then_mac,
-    TLSEXT_IDX_signed_certificate_timestamp,
-    TLSEXT_IDX_extended_master_secret,
-    TLSEXT_IDX_supported_versions,
-    TLSEXT_IDX_psk_kex_modes,
-    TLSEXT_IDX_key_share,
-    TLSEXT_IDX_cookie,
-    TLSEXT_IDX_cryptopro_bug,
-    TLSEXT_IDX_early_data,
-    TLSEXT_IDX_certificate_authorities,
-    TLSEXT_IDX_padding,
-    TLSEXT_IDX_psk
-} TLSEXT_INDEX;
 /*
 * Dummy status type for the status_type extension. Indicates no status type
 * set

--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@@ -31,9 +31,11 @@ static int init_alpn(SSL *s, unsigned int context);
 static int final_alpn(SSL *s, unsigned int context, int sent, int *al);
 static int init_sig_algs(SSL *s, unsigned int context);
 static int init_certificate_authorities(SSL *s, unsigned int context);
-static int tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
+static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
-                                                 unsigned int context, X509 *x,
+                                                        unsigned int context,
-                                                 size_t chainidx, int *al);
+                                                        X509 *x,
+                                                        size_t chainidx,
+                                                        int *al);
 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,
                                             unsigned int context, X509 *x,
                                             size_t chainidx, int *al);
@@ -74,11 +76,11 @@ typedef struct extensions_definition_st {
    int (*parse_stoc)(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                      size_t chainidx, int *al);
    /* Construct extension sent from server to client */
-    int (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+    EXT_RETURN (*construct_stoc)(SSL *s, WPACKET *pkt, unsigned int context,
-                          size_t chainidx, int *al);
+                                 X509 *x, size_t chainidx, int *al);
    /* Construct extension sent from client to server */
-    int (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+    EXT_RETURN (*construct_ctos)(SSL *s, WPACKET *pkt, unsigned int context,
-                          size_t chainidx, int *al);
+                                 X509 *x, size_t chainidx, int *al);
    /*
     * Finalise extension after parsing. Always called where an extensions was
     * initialised even if the extension was not present. |sent| is set to 1 if
@@ -461,7 +463,7 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
    }
    while (PACKET_remaining(&extensions) > 0) {
-        unsigned int type;
+        unsigned int type, idx;
        PACKET extension;
        RAW_EXTENSION *thisex;
@@ -485,6 +487,33 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
            *al = SSL_AD_ILLEGAL_PARAMETER;
            goto err;
        }
+        idx = thisex - raw_extensions;
+        /*-
+         * Check that we requested this extension (if appropriate). Requests can
+         * be sent in the ClientHello and CertificateRequest. Unsolicited
+         * extensions can be sent in the NewSessionTicket. We only do this for
+         * the built-in extensions. Custom extensions have a different but
+         * similar check elsewhere.
+         * Special cases:
+         * - The HRR cookie extension is unsolicited
+         * - The renegotiate extension is unsolicited (the client signals
+         *   support via an SCSV)
+         * - The signed_certificate_timestamp extension can be provided by a
+         * custom extension or by the built-in version. We let the extension
+         * itself handle unsolicited response checks.
+         */
+        if (idx < OSSL_NELEM(ext_defs)
+                && (context & (SSL_EXT_CLIENT_HELLO
+                               | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+                               | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) == 0
+                && type != TLSEXT_TYPE_cookie
+                && type != TLSEXT_TYPE_renegotiate
+                && type != TLSEXT_TYPE_signed_certificate_timestamp
+                && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
+            SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
+            *al = SSL_AD_UNSUPPORTED_EXTENSION;
+            goto err;
+        }
        if (thisex != NULL) {
            thisex->data = extension;
            thisex->present = 1;
@@ -699,8 +728,9 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
    }
    for (i = 0, thisexd = ext_defs; i < OSSL_NELEM(ext_defs); i++, thisexd++) {
-        int (*construct)(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+        EXT_RETURN (*construct)(SSL *s, WPACKET *pkt, unsigned int context,
-                         size_t chainidx, int *al);
+                                X509 *x, size_t chainidx, int *al);
+        EXT_RETURN ret;
        /* Skip if not relevant for our context */
        if (!should_add_extension(s, thisexd->context, context, max_version))
@@ -712,8 +742,14 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
        if (construct == NULL)
            continue;
-        if (!construct(s, pkt, context, x, chainidx, &tmpal))
+        ret = construct(s, pkt, context, x, chainidx, &tmpal);
+        if (ret == EXT_RETURN_FAIL)
            goto err;
+        if (ret == EXT_RETURN_SENT
+                && (context & (SSL_EXT_CLIENT_HELLO
+                               | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST
+                               | SSL_EXT_TLS1_3_NEW_SESSION_TICKET)) != 0)
+            s->ext.extflags[i] |= SSL_EXT_FLAG_SENT;
    }
    if (!WPACKET_close(pkt)) {
@@ -997,14 +1033,16 @@ static int init_certificate_authorities(SSL *s, unsigned int context)
    return 1;
 }
-static int tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
+static EXT_RETURN tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
-                                                 unsigned int context, X509 *x,
+                                                        unsigned int context,
-                                                 size_t chainidx, int *al)
+                                                        X509 *x,
+                                                        size_t chainidx,
+                                                        int *al)
 {
    const STACK_OF(X509_NAME) *ca_sk = SSL_get0_CA_list(s);
    if (ca_sk == NULL || sk_X509_NAME_num(ca_sk) == 0)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_certificate_authorities)
        || !WPACKET_start_sub_packet_u16(pkt)
@@ -1012,10 +1050,10 @@ static int tls_construct_certificate_authorities(SSL *s, WPACKET *pkt,
        || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_AUTHORITIES,
               ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 static int tls_parse_certificate_authorities(SSL *s, PACKET *pkt,

--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
 /*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@@ -810,11 +810,12 @@ err:
 /*
 * Add the server's renegotiation binding
 */
-int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
-                                   X509 *x, size_t chainidx, int *al)
+                                          unsigned int context, X509 *x,
+                                          size_t chainidx, int *al)
 {
    if (!s->s3->send_connection_binding)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
            || !WPACKET_start_sub_packet_u16(pkt)
@@ -826,31 +827,33 @@ int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_RENEGOTIATE, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
-int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
-                                   X509 *x, size_t chainidx, int *al)
+                                          unsigned int context, X509 *x,
+                                          size_t chainidx, int *al)
 {
    if (s->hit || s->servername_done != 1
            || s->session->ext.hostname == NULL)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SERVER_NAME, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #ifndef OPENSSL_NO_EC
-int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
-                                     X509 *x, size_t chainidx, int *al)
+                                            unsigned int context, X509 *x,
+                                            size_t chainidx, int *al)
 {
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -860,7 +863,7 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
    size_t plistlen;
    if (!using_ecc)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    tls1_get_formatlist(s, &plist, &plistlen);
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
@@ -868,29 +871,29 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
            || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EC_PT_FORMATS, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #endif
 #ifndef OPENSSL_NO_EC
-int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
-                                        unsigned int context, X509 *x,
+                                               unsigned int context, X509 *x,
-                                        size_t chainidx, int *al)
+                                               size_t chainidx, int *al)
 {
    const unsigned char *groups;
    size_t numgroups, i, first = 1;
    /* s->s3->group_id is non zero if we accepted a key_share */
    if (s->s3->group_id == 0)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    /* Get our list of supported groups */
    if (!tls1_get_curvelist(s, 0, &groups, &numgroups) || numgroups == 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
    /* Copy group ID if supported */
@@ -902,7 +905,7 @@ int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
                 * so we don't need to add this extension
                 */
                if (s->s3->group_id == GET_GROUP_ID(groups, 0))
-                    return 1;
+                    return EXT_RETURN_NOT_SENT;
                /* Add extension header */
                if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
@@ -911,7 +914,7 @@ int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
                        || !WPACKET_start_sub_packet_u16(pkt)) {
                    SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
                           ERR_R_INTERNAL_ERROR);
-                    return 0;
+                    return EXT_RETURN_FAIL;
                }
                first = 0;
@@ -919,53 +922,53 @@ int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
            if (!WPACKET_put_bytes_u16(pkt, GET_GROUP_ID(groups, 0))) {
                    SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS,
                           ERR_R_INTERNAL_ERROR);
-                    return 0;
+                    return EXT_RETURN_FAIL;
                }
        }
    }
    if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SUPPORTED_GROUPS, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #endif
-int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al)
+                                             size_t chainidx, int *al)
 {
    if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
        s->ext.ticket_expected = 0;
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    }
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #ifndef OPENSSL_NO_OCSP
-int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al)
+                                             size_t chainidx, int *al)
 {
    if (!s->ext.status_expected)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (SSL_IS_TLS13(s) && chainidx != 0)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
            || !WPACKET_start_sub_packet_u16(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
    /*
@@ -976,17 +979,17 @@ int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
    if ((SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt))
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
-int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al)
+                                             size_t chainidx, int *al)
 {
    const unsigned char *npa;
    unsigned int npalen;
@@ -995,7 +998,7 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
    s->s3->npn_seen = 0;
    if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
                                        s->ctx->ext.npn_advertised_cb_arg);
@@ -1004,20 +1007,20 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
                || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_STOC_NEXT_PROTO_NEG,
                   ERR_R_INTERNAL_ERROR);
-            return 0;
+            return EXT_RETURN_FAIL;
        }
        s->s3->npn_seen = 1;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #endif
-int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
-                            size_t chainidx, int *al)
+                                   X509 *x, size_t chainidx, int *al)
 {
    if (s->s3->alpn_selected == NULL)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt,
                TLSEXT_TYPE_application_layer_protocol_negotiation)
@@ -1028,18 +1031,19 @@ int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ALPN, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #ifndef OPENSSL_NO_SRTP
-int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
-                                X509 *x, size_t chainidx, int *al)
+                                       unsigned int context, X509 *x,
+                                       size_t chainidx, int *al)
 {
    if (s->srtp_profile == NULL)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
            || !WPACKET_start_sub_packet_u16(pkt)
@@ -1048,18 +1052,18 @@ int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
            || !WPACKET_put_bytes_u8(pkt, 0)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_USE_SRTP, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
 #endif
-int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al)
+                                  X509 *x, size_t chainidx, int *al)
 {
    if (!s->ext.use_etm)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    /*
     * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
@@ -1070,35 +1074,36 @@ int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
        || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
        || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
        s->ext.use_etm = 0;
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    }
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_ETM, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
-int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al)
+                                  X509 *x, size_t chainidx, int *al)
 {
    if ((s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
            || !WPACKET_put_bytes_u16(pkt, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EMS, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
-int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
-                                 X509 *x, size_t chainidx, int *al)
+                                        unsigned int context, X509 *x,
+                                        size_t chainidx, int *al)
 {
 #ifndef OPENSSL_NO_TLS1_3
    unsigned char *encodedPoint;
@@ -1114,32 +1119,32 @@ int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
                    || !WPACKET_close(pkt)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE,
                       ERR_R_INTERNAL_ERROR);
-                return 0;
+                return EXT_RETURN_FAIL;
            }
-            return 1;
+            return EXT_RETURN_SENT;
        }
        /* Must be resuming. */
        if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
            *al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
-            return 0;
+            return EXT_RETURN_FAIL;
        }
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    }
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
    skey = ssl_generate_pkey(ckey);
    if (skey == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
    /* Generate encoding of server key */
@@ -1147,7 +1152,7 @@ int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
    if (encoded_pt_len == 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB);
        EVP_PKEY_free(skey);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
    if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
@@ -1155,7 +1160,7 @@ int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
        EVP_PKEY_free(skey);
        OPENSSL_free(encodedPoint);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
    OPENSSL_free(encodedPoint);
@@ -1163,15 +1168,16 @@ int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
    s->s3->tmp.pkey = skey;
    if (ssl_derive(s, skey, ckey, 1) == 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
 #endif
-    return 1;
+    return EXT_RETURN_SENT;
 }
-int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
-                                     X509 *x, size_t chainidx, int *al)
+                                            unsigned int context, X509 *x,
+                                            size_t chainidx, int *al)
 {
    const unsigned char cryptopro_ext[36] = {
        0xfd, 0xe8,         /* 65000 */
@@ -1185,60 +1191,61 @@ int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
    if (((s->s3->tmp.new_cipher->id & 0xFFFF) != 0x80
         && (s->s3->tmp.new_cipher->id & 0xFFFF) != 0x81)
            || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_CRYPTOPRO_BUG, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
-int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
-                                  X509 *x, size_t chainidx, int *al)
+                                         unsigned int context, X509 *x,
+                                         size_t chainidx, int *al)
 {
    if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
        if (s->max_early_data == 0)
-            return 1;
+            return EXT_RETURN_NOT_SENT;
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
                || !WPACKET_start_sub_packet_u16(pkt)
                || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
                || !WPACKET_close(pkt)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
-            return 0;
+            return EXT_RETURN_FAIL;
        }
-        return 1;
+        return EXT_RETURN_SENT;
    }
    if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_EARLY_DATA, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
-int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al)
+                                  X509 *x, size_t chainidx, int *al)
 {
    if (!s->hit)
-        return 1;
+        return EXT_RETURN_NOT_SENT;
    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u16(pkt, s->session->ext.tick_identity)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_STOC_PSK, ERR_R_INTERNAL_ERROR);
-        return 0;
+        return EXT_RETURN_FAIL;
    }
-    return 1;
+    return EXT_RETURN_SENT;
 }
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -77,6 +77,9 @@ int tls_setup_handshake(SSL *s)
    if (!ssl3_init_finished_mac(s))
        return 0;
+    /* Reset any extension flags */
+    memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
    if (s->server) {
        STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
        int i, ver_min, ver_max, ok = 0;

--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -156,6 +156,12 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt);
 /* Extension processing */
+typedef enum {
+    EXT_RETURN_FAIL,
+    EXT_RETURN_SENT,
+    EXT_RETURN_NOT_SENT
+} EXT_RETURN;
 __owur int extension_is_relevant(SSL *s, unsigned int extctx,
                                 unsigned int thisctx);
 __owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
@@ -223,113 +229,125 @@ int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
 int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                       size_t chainidx, int *al);
-int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
-                                   X509 *x, size_t chainidx, int *al);
+                                          unsigned int context, X509 *x,
-int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, unsigned int context,
+                                          size_t chainidx, int *al);
-                                   X509 *x, size_t chainidx, int *al);
+EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
-int tls_construct_stoc_early_data(SSL *s, WPACKET *pkt, unsigned int context,
+                                          unsigned int context, X509 *x,
-                                  X509 *x, size_t chainidx, int *al);
+                                          size_t chainidx, int *al);
+EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
+                                         unsigned int context, X509 *x,
+                                         size_t chainidx, int *al);
 #ifndef OPENSSL_NO_EC
-int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
-                                     X509 *x, size_t chainidx, int *al);
+                                            unsigned int context, X509 *x,
+                                            size_t chainidx, int *al);
 #endif
-int tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
-                                        unsigned int context, X509 *x,
+                                               unsigned int context, X509 *x,
-                                        size_t chainidx, int *al);
+                                               size_t chainidx, int *al);
-int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al);
+                                             size_t chainidx, int *al);
 #ifndef OPENSSL_NO_OCSP
-int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al);
+                                             size_t chainidx, int *al);
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
-int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al);
+                                             size_t chainidx, int *al);
 #endif
-int tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
-                            size_t chainidx, int *al);
+                                   X509 *x, size_t chainidx, int *al);
 #ifndef OPENSSL_NO_SRTP
-int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
                                X509 *x, size_t chainidx, int *al);
 #endif
-int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al);
+                                  X509 *x, size_t chainidx, int *al);
-int tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al);
+                                  X509 *x, size_t chainidx, int *al);
-int tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
-                                 X509 *x, size_t chainidx, int *al);
+                                        unsigned int context, X509 *x,
+                                        size_t chainidx, int *al);
 /*
 * Not in public headers as this is not an official extension. Only used when
 * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set.
 */
 #define TLSEXT_TYPE_cryptopro_bug      0xfde8
-int tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
-                                     X509 *x, size_t chainidx, int *al);
+                                            unsigned int context, X509 *x,
-int tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+                                            size_t chainidx, int *al);
-                           size_t chainidx, int *al);
+EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
+                                  X509 *x, size_t chainidx, int *al);
 /* Client Extension processing */
-int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx, int *al);
-int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx, int *al);
 #ifndef OPENSSL_NO_SRP
-int tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
                           size_t chainidx, int *al);
 #endif
 #ifndef OPENSSL_NO_EC
-int tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
-                                     X509 *x, size_t chainidx, int *al);
+                                            unsigned int context, X509 *x,
-int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
+                                            size_t chainidx, int *al);
-                                        unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
-                                        size_t chainidx, int *al);
+                                               unsigned int context, X509 *x,
+                                               size_t chainidx, int *al);
 #endif
-int tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt,
-                                  X509 *x, size_t chainidx, int *al);
+                                         unsigned int context, X509 *x,
-int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
+                                         size_t chainidx, int *al);
-                                      unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt,
-                                      size_t chainidx, int *al);
+                                             unsigned int context, X509 *x,
-int tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt, unsigned int context,
+                                             size_t chainidx, int *al);
-                                X509 *x, size_t chainidx, int *al);
+EXT_RETURN tls_construct_ctos_sig_algs(SSL *s, WPACKET *pkt,
+                                       unsigned int context, X509 *x,
+                                       size_t chainidx, int *al);
 #ifndef OPENSSL_NO_OCSP
-int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_ctos_status_request(SSL *s, WPACKET *pkt,
-                                      unsigned int context, X509 *x,
+                                             unsigned int context, X509 *x,
-                                      size_t chainidx, int *al);
+                                             size_t chainidx, int *al);
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
-int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_npn(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al);
+                                  X509 *x, size_t chainidx, int *al);
 #endif
-int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, unsigned int context,
-                            size_t chainidx, int *al);
+                                   X509 *x, size_t chainidx, int *al);
 #ifndef OPENSSL_NO_SRTP
-int tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
-                                X509 *x, size_t chainidx, int *al);
+                                       X509 *x, size_t chainidx, int *al);
 #endif
-int tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_etm(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al);
+                                  X509 *x, size_t chainidx, int *al);
 #ifndef OPENSSL_NO_CT
-int tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_sct(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al);
+                                  X509 *x, size_t chainidx, int *al);
 #endif
-int tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+EXT_RETURN tls_construct_ctos_ems(SSL *s, WPACKET *pkt, unsigned int context,
-                           size_t chainidx, int *al);
+                                  X509 *x, size_t chainidx, int *al);
-int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
+EXT_RETURN tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
-                                          unsigned int context, X509 *x,
+                                                 unsigned int context, X509 *x,
-                                          size_t chainidx, int *al);
+                                                 size_t chainidx, int *al);
-int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
-                                 X509 *x, size_t chainidx, int *al);
+                                        unsigned int context, X509 *x,
-int tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt, unsigned int context,
+                                        size_t chainidx, int *al);
+EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL *s, WPACKET *pkt,
+                                            unsigned int context, X509 *x,
+                                            size_t chainidx, int *al);
+EXT_RETURN tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
                                     X509 *x, size_t chainidx, int *al);
-int tls_construct_ctos_cookie(SSL *s, WPACKET *pkt, unsigned int context,
+EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
-                              X509 *x, size_t chainidx, int *al);
+                                      unsigned int context, X509 *x,
-int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, unsigned int context,
+                                      size_t chainidx, int *al);
-                               X509 *x, size_t chainidx, int *al);
+EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
-int tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
+                                  X509 *x, size_t chainidx, int *al);
-                           size_t chainidx, int *al);
 int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
                               X509 *x, size_t chainidx, int *al);
 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, unsigned int context,