]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Partial revert and reimplement "Enable brainpool curves for TLS1.3"
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
e8a557dc 15#define COOKIE_STATE_FORMAT_VERSION 1
43054d3d
MC		 16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
e8a557dc 20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
d0debc0a
MC		 21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
e8a557dc 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
38b051a1
TM		 41int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
f63a17d6 43 X509 *x, size_t chainidx)
25670f3e
MC		 44{
45 unsigned int ilen;
46 const unsigned char *data;
47
48 /* Parse the length byte */
49 if (!PACKET_get_1(pkt, &ilen)
50 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 51 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 52 return 0;
53 }
54
55 /* Check that the extension matches */
555cbb32 56 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 58 return 0;
59 }
60
555cbb32
TS		 61 if (memcmp(data, s->s3.previous_client_finished,
62 s->s3.previous_client_finished_len)) {
c48ffbcc 63 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 64 return 0;
65 }
66
555cbb32 67 s->s3.send_connection_binding = 1;
25670f3e
MC		 68
69 return 1;
70}
71
1266eefd
MC		 72/*-
73 * The servername extension is treated as follows:
74 *
75 * - Only the hostname type is supported with a maximum length of 255.
76 * - The servername is rejected if too long or if it contains zeros,
77 * in which case an fatal alert is generated.
78 * - The servername field is maintained together with the session cache.
79 * - When a session is resumed, the servername call back invoked in order
80 * to allow the application to position itself to the right context.
81 * - The servername is acknowledged if it is new for a session or when
82 * it is identical to a previously used for the same session.
83 * Applications can control the behaviour. They can at any time
84 * set a 'desirable' servername for a new SSL object. This can be the
85 * case for example with HTTPS when a Host: header field is received and
86 * a renegotiation is requested. In this case, a possible servername
87 * presented in the new client hello is only acknowledged if it matches
88 * the value of the Host: field.
89 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
90 * if they provide for changing an explicit servername context for the
91 * session, i.e. when the session has been established with a servername
92 * extension.
93 * - On session reconnect, the servername extension may be absent.
94 */
38b051a1
TM		 95int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
96 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 97{
98 unsigned int servname_type;
99 PACKET sni, hostname;
100
25670f3e
MC		 101 if (!PACKET_as_length_prefixed_2(pkt, &sni)
102 /* ServerNameList must be at least 1 byte long. */
103 || PACKET_remaining(&sni) == 0) {
c48ffbcc 104 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 105 return 0;
106 }
107
108 /*
44e69951
F		 109 * Although the intent was for server_name to be extensible, RFC 4366
110 * was not clear about it; and so OpenSSL among other implementations,
111 * always and only allows a 'host_name' name types.
25670f3e
MC		 112 * RFC 6066 corrected the mistake but adding new name types
113 * is nevertheless no longer feasible, so act as if no other
114 * SNI types can exist, to simplify parsing.
115 *
116 * Also note that the RFC permits only one SNI value per type,
117 * i.e., we can only have a single hostname.
118 */
119 if (!PACKET_get_1(&sni, &servname_type)
120 || servname_type != TLSEXT_NAMETYPE_host_name
121 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 122 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 123 return 0;
124 }
125
7955c1f1
MC		 126 /*
127 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
128 * we always use the SNI value from the handshake.
129 */
38b051a1 130 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
25670f3e 131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 133 return 0;
134 }
135
136 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 137 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 138 return 0;
139 }
140
1c4aa31d
BK		 141 /*
142 * Store the requested SNI in the SSL as temporary storage.
143 * If we accept it, it will get stored in the SSL_SESSION as well.
144 */
145 OPENSSL_free(s->ext.hostname);
146 s->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 149 return 0;
150 }
151
152 s->servername_done = 1;
7955c1f1
MC		 153 } else {
154 /*
155 * In TLSv1.2 and below we should check if the SNI is consistent between
156 * the initial handshake and the resumption. In TLSv1.3 SNI is not
157 * associated with the session.
158 */
1c4aa31d 159 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
25670f3e
MC		 162 }
163
164 return 1;
165}
166
38b051a1
TM		 167int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
168 unsigned int context,
f63a17d6 169 X509 *x, size_t chainidx)
cf72c757
F		 170{
171 unsigned int value;
172
173 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 174 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 175 return 0;
176 }
177
178 /* Received |value| should be a valid max-fragment-length code. */
179 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 180 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 181 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 182 return 0;
183 }
184
185 /*
186 * RFC 6066: The negotiated length applies for the duration of the session
187 * including session resumptions.
188 * We should receive the same code as in resumed session !
189 */
190 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 191 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 192 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 193 return 0;
194 }
195
196 /*
197 * Store it in session, so it'll become binding for us
198 * and we'll include it in a next Server Hello.
199 */
200 s->session->ext.max_fragment_len_mode = value;
201 return 1;
202}
203
25670f3e 204#ifndef OPENSSL_NO_SRP
38b051a1
TM		 205int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
206 X509 *x, size_t chainidx)
25670f3e
MC		 207{
208 PACKET srp_I;
209
210 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
211 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 212 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 213 return 0;
214 }
215
25670f3e 216 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 218 return 0;
219 }
220
221 return 1;
222}
223#endif
224
38b051a1
TM		 225int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
226 unsigned int context,
f63a17d6 227 X509 *x, size_t chainidx)
25670f3e
MC		 228{
229 PACKET ec_point_format_list;
230
231 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
232 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 233 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 234 return 0;
235 }
236
237 if (!s->hit) {
238 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 239 &s->ext.peer_ecpointformats,
240 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 242 return 0;
243 }
244 }
245
246 return 1;
247}
25670f3e 248
38b051a1
TM		 249int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
250 unsigned int context,
f63a17d6 251 X509 *x, size_t chainidx)
25670f3e 252{
aff8c126 253 if (s->ext.session_ticket_cb &&
38b051a1
TM		 254 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
255 PACKET_data(pkt), PACKET_remaining(pkt),
256 s->ext.session_ticket_cb_arg)) {
c48ffbcc 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 258 return 0;
259 }
260
261 return 1;
262}
263
38b051a1 264int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 265 ossl_unused unsigned int context,
266 ossl_unused X509 *x,
267 ossl_unused size_t chainidx)
c589c34e
BK		 268{
269 PACKET supported_sig_algs;
270
271 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
272 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 273 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 274 return 0;
275 }
276
277 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 279 return 0;
280 }
281
282 return 1;
283}
284
38b051a1
TM		 285int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
286 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 287{
288 PACKET supported_sig_algs;
289
290 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 291 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 292 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 293 return 0;
294 }
295
c589c34e 296 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 297 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 298 return 0;
299 }
300
301 return 1;
302}
303
ab83e314 304#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 305int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
306 unsigned int context,
f63a17d6 307 X509 *x, size_t chainidx)
25670f3e 308{
1266eefd
MC		 309 PACKET responder_id_list, exts;
310
ded4a83d
MC		 311 /* We ignore this in a resumption handshake */
312 if (s->hit)
313 return 1;
314
e96e0f8e
MC		 315 /* Not defined if we get one of these in a client Certificate */
316 if (x != NULL)
317 return 1;
318
aff8c126 319 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 321 return 0;
322 }
ab83e314 323
aff8c126 324 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 325 /*
1266eefd 326 * We don't know what to do with any other type so ignore it.
25670f3e 327 */
aff8c126 328 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 329 return 1;
330 }
25670f3e 331
1266eefd 332 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 333 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 334 return 0;
335 }
25670f3e 336
1266eefd
MC		 337 /*
338 * We remove any OCSP_RESPIDs from a previous handshake
339 * to prevent unbounded memory growth - CVE-2016-6304
340 */
aff8c126 341 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 342 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 343 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
344 if (s->ext.ocsp.ids == NULL) {
e077455e 345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1266eefd
MC		 346 return 0;
347 }
348 } else {
aff8c126 349 s->ext.ocsp.ids = NULL;
1266eefd 350 }
25670f3e 351
1266eefd
MC		 352 while (PACKET_remaining(&responder_id_list) > 0) {
353 OCSP_RESPID *id;
354 PACKET responder_id;
355 const unsigned char *id_data;
25670f3e 356
1266eefd
MC		 357 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
358 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 360 return 0;
361 }
25670f3e 362
1266eefd 363 id_data = PACKET_data(&responder_id);
1266eefd
MC		 364 id = d2i_OCSP_RESPID(NULL, &id_data,
365 (int)PACKET_remaining(&responder_id));
366 if (id == NULL) {
c48ffbcc 367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 368 return 0;
25670f3e
MC		 369 }
370
1266eefd
MC		 371 if (id_data != PACKET_end(&responder_id)) {
372 OCSP_RESPID_free(id);
c48ffbcc 373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 374
25670f3e
MC		 375 return 0;
376 }
377
aff8c126 378 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 379 OCSP_RESPID_free(id);
c48ffbcc 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 381
1266eefd
MC		 382 return 0;
383 }
384 }
385
386 /* Read in request_extensions */
387 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 389 return 0;
390 }
391
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
394
aff8c126 395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 396 X509_EXTENSION_free);
aff8c126 397 s->ext.ocsp.exts =
1266eefd 398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 401 return 0;
25670f3e 402 }
25670f3e
MC		 403 }
404
405 return 1;
406}
ab83e314 407#endif
25670f3e
MC		 408
409#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 410int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
411 X509 *x, size_t chainidx)
25670f3e 412{
1266eefd
MC		 413 /*
414 * We shouldn't accept this extension on a
415 * renegotiation.
1266eefd 416 */
c7f47786 417 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 418 s->s3.npn_seen = 1;
25670f3e
MC		 419
420 return 1;
421}
422#endif
423
424/*
1266eefd 425 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 426 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 427 */
38b051a1
TM		 428int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
429 X509 *x, size_t chainidx)
25670f3e
MC		 430{
431 PACKET protocol_list, save_protocol_list, protocol;
432
c7f47786 433 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 434 return 1;
435
436 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
437 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 439 return 0;
440 }
441
442 save_protocol_list = protocol_list;
443 do {
444 /* Protocol names can't be empty. */
445 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
446 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 448 return 0;
449 }
450 } while (PACKET_remaining(&protocol_list) != 0);
451
555cbb32
TS		 452 OPENSSL_free(s->s3.alpn_proposed);
453 s->s3.alpn_proposed = NULL;
454 s->s3.alpn_proposed_len = 0;
25670f3e 455 if (!PACKET_memdup(&save_protocol_list,
555cbb32 456 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 458 return 0;
459 }
460
461 return 1;
462}
463
464#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 465int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
466 unsigned int context, X509 *x, size_t chainidx)
25670f3e 467{
25670f3e
MC		 468 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
469 unsigned int ct, mki_len, id;
470 int i, srtp_pref;
471 PACKET subpkt;
38b051a1 472 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
25670f3e
MC		 473
474 /* Ignore this if we have no SRTP profiles */
38b051a1 475 if (SSL_get_srtp_profiles(ssl) == NULL)
25670f3e
MC		 476 return 1;
477
478 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 479 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
480 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 482 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 483 return 0;
484 }
485
38b051a1 486 srvr = SSL_get_srtp_profiles(ssl);
25670f3e
MC		 487 s->srtp_profile = NULL;
488 /* Search all profiles for a match initially */
489 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
490
491 while (PACKET_remaining(&subpkt)) {
492 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 493 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 494 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 495 return 0;
496 }
497
498 /*
499 * Only look for match in profiles of higher preference than
500 * current match.
501 * If no profiles have been have been configured then this
502 * does nothing.
503 */
504 for (i = 0; i < srtp_pref; i++) {
d270de32 505 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 506 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
507
25670f3e
MC		 508 if (sprof->id == id) {
509 s->srtp_profile = sprof;
510 srtp_pref = i;
511 break;
512 }
513 }
514 }
515
1266eefd 516 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 517 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 518 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 519 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 520 return 0;
521 }
522
523 if (!PACKET_forward(pkt, mki_len)
524 || PACKET_remaining(pkt)) {
c48ffbcc 525 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 526 return 0;
527 }
528
529 return 1;
530}
531#endif
532
38b051a1
TM		 533int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
534 X509 *x, size_t chainidx)
25670f3e
MC		 535{
536 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 537 s->ext.use_etm = 1;
25670f3e
MC		 538
539 return 1;
540}
541
b2f7e8c0
MC		 542/*
543 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
544 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 545 */
38b051a1
TM		 546int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
547 unsigned int context,
f63a17d6 548 X509 *x, size_t chainidx)
b2f7e8c0
MC		 549{
550#ifndef OPENSSL_NO_TLS1_3
551 PACKET psk_kex_modes;
552 unsigned int mode;
553
554 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
555 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 557 return 0;
558 }
559
560 while (PACKET_get_1(&psk_kex_modes, &mode)) {
561 if (mode == TLSEXT_KEX_MODE_KE_DHE)
562 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 563 else if (mode == TLSEXT_KEX_MODE_KE
564 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 565 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
566 }
567#endif
568
569 return 1;
570}
571
25670f3e
MC		 572/*
573 * Process a key_share extension received in the ClientHello. |pkt| contains
574 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 575 */
38b051a1
TM		 576int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
577 unsigned int context, X509 *x, size_t chainidx)
25670f3e 578{
3cf96e88 579#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 580 unsigned int group_id;
581 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 582 const uint16_t *clntgroups, *srvrgroups;
583 size_t clnt_num_groups, srvr_num_groups;
43b95d73 584 int found = 0;
25670f3e 585
f4bbb37c 586 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 587 return 1;
588
589 /* Sanity check */
555cbb32 590 if (s->s3.peer_tmp != NULL) {
c48ffbcc 591 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 592 return 0;
593 }
594
595 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 597 return 0;
598 }
599
f48d826e
DSH		 600 /* Get our list of supported groups */
601 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
602 /* Get the clients list of supported groups. */
603 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
604 if (clnt_num_groups == 0) {
b6fdc12d
MC		 605 /*
606 * This can only happen if the supported_groups extension was not sent,
607 * because we verify that the length is non-zero when we process that
608 * extension.
609 */
c48ffbcc 610 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 611 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 612 return 0;
613 }
25670f3e 614
555cbb32 615 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 616 /*
617 * If we set a group_id already, then we must have sent an HRR
618 * requesting a new key_share. If we haven't got one then that is an
619 * error
620 */
c48ffbcc 621 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 622 return 0;
623 }
624
25670f3e
MC		 625 while (PACKET_remaining(&key_share_list) > 0) {
626 if (!PACKET_get_net_2(&key_share_list, &group_id)
627 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
628 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 629 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 630 return 0;
631 }
632
633 /*
634 * If we already found a suitable key_share we loop through the
635 * rest to verify the structure, but don't process them.
636 */
637 if (found)
638 continue;
639
43054d3d
MC		 640 /*
641 * If we sent an HRR then the key_share sent back MUST be for the group
642 * we requested, and must be the only key_share sent.
643 */
555cbb32 644 if (s->s3.group_id != 0
16f0e91c 645 && (group_id != s->s3.group_id
43054d3d 646 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 647 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 648 return 0;
649 }
650
25670f3e 651 /* Check if this share is in supported_groups sent from client */
f48d826e 652 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 653 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 654 return 0;
655 }
656
657 /* Check if this share is for a group we can use */
f48d826e 658 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 659 /* Share not suitable */
660 continue;
661 }
662
0a10825a
BE		 663 s->s3.group_id = group_id;
664 /* Cache the selected group ID in the SSL_SESSION */
665 s->session->kex_group = group_id;
666
ada66e78 667 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 668 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 669 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
670 return 0;
671 }
672
d5530efa
TM		 673 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
674 PACKET_data(&encoded_pt),
675 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 677 return 0;
678 }
679
680 found = 1;
681 }
3cf96e88 682#endif
25670f3e
MC		 683
684 return 1;
685}
686
38b051a1
TM		 687int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
688 X509 *x, size_t chainidx)
43054d3d 689{
1aac20f5 690#ifndef OPENSSL_NO_TLS1_3
dd77962e 691 unsigned int format, version, key_share, group_id;
43054d3d
MC		 692 EVP_MD_CTX *hctx;
693 EVP_PKEY *pkey;
694 PACKET cookie, raw, chhash, appcookie;
695 WPACKET hrrpkt;
696 const unsigned char *data, *mdin, *ciphdata;
697 unsigned char hmac[SHA256_DIGEST_LENGTH];
698 unsigned char hrr[MAX_HRR_SIZE];
699 size_t rawlen, hmaclen, hrrlen, ciphlen;
e8a557dc 700 uint64_t tm, now;
38b051a1
TM		 701 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
702 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
43054d3d
MC		 703
704 /* Ignore any cookie if we're not set up to verify it */
38b051a1 705 if (sctx->verify_stateless_cookie_cb == NULL
555cbb32 706 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 707 return 1;
708
709 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 710 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 711 return 0;
712 }
713
714 raw = cookie;
715 data = PACKET_data(&raw);
716 rawlen = PACKET_remaining(&raw);
717 if (rawlen < SHA256_DIGEST_LENGTH
718 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 719 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 720 return 0;
721 }
722 mdin = PACKET_data(&raw);
723
724 /* Verify the HMAC of the cookie */
725 hctx = EVP_MD_CTX_create();
38b051a1
TM		 726 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
727 sctx->propq,
d8652be0
MC		 728 s->session_ctx->ext.cookie_hmac_key,
729 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 730 if (hctx == NULL || pkey == NULL) {
731 EVP_MD_CTX_free(hctx);
732 EVP_PKEY_free(pkey);
e077455e 733 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
43054d3d
MC		 734 return 0;
735 }
736
97ea1e7f 737 hmaclen = SHA256_DIGEST_LENGTH;
38b051a1
TM		 738 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
739 sctx->propq, pkey, NULL) <= 0
97ea1e7f
MC		 740 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
741 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 742 || hmaclen != SHA256_DIGEST_LENGTH) {
743 EVP_MD_CTX_free(hctx);
744 EVP_PKEY_free(pkey);
c48ffbcc 745 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 746 return 0;
747 }
748
749 EVP_MD_CTX_free(hctx);
750 EVP_PKEY_free(pkey);
751
752 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 753 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 754 return 0;
755 }
756
757 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 758 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 759 return 0;
760 }
761 /* Check the cookie format is something we recognise. Ignore it if not */
762 if (format != COOKIE_STATE_FORMAT_VERSION)
763 return 1;
764
765 /*
766 * The rest of these checks really shouldn't fail since we have verified the
767 * HMAC above.
768 */
769
770 /* Check the version number is sane */
771 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 772 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 773 return 0;
774 }
775 if (version != TLS1_3_VERSION) {
c48ffbcc 776 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 777 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
778 return 0;
779 }
780
dd77962e 781 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 782 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 783 return 0;
784 }
dd77962e 785
43054d3d
MC		 786 ciphdata = PACKET_data(&cookie);
787 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 788 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 789 return 0;
790 }
555cbb32
TS		 791 if (group_id != s->s3.group_id
792 || s->s3.tmp.new_cipher
dd77962e
MC		 793 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
794 /*
795 * We chose a different cipher or group id this time around to what is
796 * in the cookie. Something must have changed.
797 */
c48ffbcc 798 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 799 return 0;
800 }
801
802 if (!PACKET_get_1(&cookie, &key_share)
e8a557dc 803 || !PACKET_get_net_8(&cookie, &tm)
43054d3d
MC		 804 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
805 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
806 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 807 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 808 return 0;
809 }
810
d0debc0a 811 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
e8a557dc 812 now = time(NULL);
d0debc0a
MC		 813 if (tm > now || (now - tm) > 600) {
814 /* Cookie is stale. Ignore it */
815 return 1;
816 }
817
43054d3d 818 /* Verify the app cookie */
38b051a1
TM		 819 if (sctx->verify_stateless_cookie_cb(ssl,
820 PACKET_data(&appcookie),
821 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 822 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 823 return 0;
824 }
825
826 /*
827 * Reconstruct the HRR that we would have sent in response to the original
828 * ClientHello so we can add it to the transcript hash.
829 * Note: This won't work with custom HRR extensions
830 */
831 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 833 return 0;
834 }
835 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
836 || !WPACKET_start_sub_packet_u24(&hrrpkt)
837 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
838 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
839 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
840 s->tmp_session_id_len)
38b051a1
TM		 841 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
842 &ciphlen)
43054d3d
MC		 843 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
844 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
845 WPACKET_cleanup(&hrrpkt);
c48ffbcc 846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 847 return 0;
848 }
849 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
850 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 851 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 852 || !WPACKET_close(&hrrpkt)) {
853 WPACKET_cleanup(&hrrpkt);
c48ffbcc 854 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 855 return 0;
856 }
857 if (key_share) {
858 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
859 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 860 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 861 || !WPACKET_close(&hrrpkt)) {
862 WPACKET_cleanup(&hrrpkt);
c48ffbcc 863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 864 return 0;
865 }
866 }
867 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
868 || !WPACKET_start_sub_packet_u16(&hrrpkt)
869 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
870 || !WPACKET_close(&hrrpkt) /* cookie extension */
871 || !WPACKET_close(&hrrpkt) /* extension block */
872 || !WPACKET_close(&hrrpkt) /* message */
873 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
874 || !WPACKET_finish(&hrrpkt)) {
875 WPACKET_cleanup(&hrrpkt);
c48ffbcc 876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 877 return 0;
878 }
879
880 /* Reconstruct the transcript hash */
881 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
882 PACKET_remaining(&chhash), hrr,
883 hrrlen)) {
884 /* SSLfatal() already called */
885 return 0;
886 }
887
888 /* Act as if this ClientHello came after a HelloRetryRequest */
889 s->hello_retry_request = 1;
890
c36001c3 891 s->ext.cookieok = 1;
1aac20f5 892#endif
c36001c3 893
43054d3d
MC		 894 return 1;
895}
896
38b051a1
TM		 897int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
898 unsigned int context,
f63a17d6 899 X509 *x, size_t chainidx)
25670f3e
MC		 900{
901 PACKET supported_groups_list;
902
903 /* Each group is 2 bytes and we must have at least 1. */
904 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
905 || PACKET_remaining(&supported_groups_list) == 0
906 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 907 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 908 return 0;
909 }
910
38b051a1 911 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
45436e61
MC		 912 OPENSSL_free(s->ext.peer_supportedgroups);
913 s->ext.peer_supportedgroups = NULL;
914 s->ext.peer_supportedgroups_len = 0;
9e84a42d 915 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 916 &s->ext.peer_supportedgroups,
917 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 918 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 919 return 0;
920 }
25670f3e
MC		 921 }
922
923 return 1;
924}
25670f3e 925
38b051a1
TM		 926int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
927 X509 *x, size_t chainidx)
25670f3e
MC		 928{
929 /* The extension must always be empty */
930 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 931 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 932 return 0;
933 }
934
088dfa13
TS		 935 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
936 return 1;
937
555cbb32 938 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 939
940 return 1;
941}
7da160b0 942
38df5a45 943
38b051a1 944int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
f63a17d6 945 X509 *x, size_t chainidx)
38df5a45
MC		 946{
947 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 948 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 949 return 0;
950 }
951
fc7129dc 952 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 953 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 954 return 0;
955 }
956
38df5a45
MC		 957 return 1;
958}
959
38b051a1 960static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
6cc0b3c2
MC		 961 SSL_SESSION **sess)
962{
963 SSL_SESSION *tmpsess = NULL;
964
5f26ddff
MC		 965 s->ext.ticket_expected = 1;
966
6cc0b3c2
MC		 967 switch (PACKET_remaining(tick)) {
968 case 0:
969 return SSL_TICKET_EMPTY;
970
971 case SSL_MAX_SSL_SESSION_ID_LENGTH:
972 break;
973
974 default:
975 return SSL_TICKET_NO_DECRYPT;
976 }
977
978 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
979 SSL_MAX_SSL_SESSION_ID_LENGTH);
980
981 if (tmpsess == NULL)
982 return SSL_TICKET_NO_DECRYPT;
983
6cc0b3c2
MC		 984 *sess = tmpsess;
985 return SSL_TICKET_SUCCESS;
986}
987
38b051a1
TM		 988int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
989 X509 *x, size_t chainidx)
1053a6e2
MC		 990{
991 PACKET identities, binders, binder;
992 size_t binderoffset, hashsize;
993 SSL_SESSION *sess = NULL;
3a7c56b2 994 unsigned int id, i, ext = 0;
1053a6e2 995 const EVP_MD *md = NULL;
38b051a1
TM		 996 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
997 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1053a6e2 998
1a9f457c
MC		 999 /*
1000 * If we have no PSK kex mode that we recognise then we can't resume so
1001 * ignore this extension
1002 */
1003 if ((s->ext.psk_kex_mode
1004 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1005 return 1;
1006
1053a6e2 1007 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 1008 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1009 return 0;
1010 }
1011
61fb5923 1012 s->ext.ticket_expected = 0;
1053a6e2
MC		 1013 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1014 PACKET identity;
2c604cb9 1015 unsigned long ticket_agel;
f3d40db1 1016 size_t idlen;
1053a6e2
MC		 1017
1018 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1019 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1020 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1021 return 0;
1022 }
1023
f3d40db1 1024 idlen = PACKET_remaining(&identity);
3a7c56b2 1025 if (s->psk_find_session_cb != NULL
38b051a1 1026 && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
011d768a 1027 &sess)) {
c48ffbcc 1028 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1029 return 0;
1030 }
1031
c2b290c3 1032#ifndef OPENSSL_NO_PSK
1287dabd 1033 if (sess == NULL
f3d40db1
MC		 1034 && s->psk_server_callback != NULL
1035 && idlen <= PSK_MAX_IDENTITY_LEN) {
1036 char *pskid = NULL;
1037 unsigned char pskdata[PSK_MAX_PSK_LEN];
1038 unsigned int pskdatalen;
1039
1040 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1041 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1042 return 0;
1043 }
38b051a1 1044 pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
f3d40db1
MC		 1045 sizeof(pskdata));
1046 OPENSSL_free(pskid);
1047 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1049 return 0;
1050 } else if (pskdatalen > 0) {
1051 const SSL_CIPHER *cipher;
1052 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1053
1054 /*
1055 * We found a PSK using an old style callback. We don't know
1056 * the digest so we default to SHA256 as per the TLSv1.3 spec
1057 */
38b051a1 1058 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1
MC		 1059 if (cipher == NULL) {
1060 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1061 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1062 return 0;
1063 }
1064
1065 sess = SSL_SESSION_new();
1066 if (sess == NULL
1067 || !SSL_SESSION_set1_master_key(sess, pskdata,
1068 pskdatalen)
1069 || !SSL_SESSION_set_cipher(sess, cipher)
1070 || !SSL_SESSION_set_protocol_version(sess,
1071 TLS1_3_VERSION)) {
1072 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1074 goto err;
1075 }
1076 OPENSSL_cleanse(pskdata, pskdatalen);
1077 }
1078 }
c2b290c3 1079#endif /* OPENSSL_NO_PSK */
f3d40db1 1080
011d768a
MC		 1081 if (sess != NULL) {
1082 /* We found a PSK */
3a7c56b2 1083 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1084
3a7c56b2 1085 if (sesstmp == NULL) {
c48ffbcc 1086 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1087 return 0;
1088 }
1089 SSL_SESSION_free(sess);
1090 sess = sesstmp;
1091
1092 /*
1093 * We've just been told to use this session for this context so
1094 * make sure the sid_ctx matches up.
1095 */
1096 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1097 sess->sid_ctx_length = s->sid_ctx_length;
1098 ext = 1;
630369d9
MC		 1099 if (id == 0)
1100 s->ext.early_data_ok = 1;
51256b34 1101 s->ext.ticket_expected = 1;
3a7c56b2 1102 } else {
f0131dc0 1103 OSSL_TIME t, age, expire;
61fb5923
MC		 1104 int ret;
1105
e880d4e5
MC		 1106 /*
1107 * If we are using anti-replay protection then we behave as if
1108 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1109 * is no point in using full stateless tickets.
1110 */
1111 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1112 || (s->max_early_data > 0
1113 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1114 ret = tls_get_stateful_ticket(s, &identity, &sess);
1115 else
1116 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1117 PACKET_remaining(&identity), NULL, 0,
1118 &sess);
61fb5923
MC		 1119
1120 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1122 return 0;
1123 }
3a7c56b2 1124
df0fed9a
TS		 1125 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1126 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1127 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1128 return 0;
1129 }
61fb5923 1130 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1131 continue;
1132
66d7de16
MC		 1133 /* Check for replay */
1134 if (s->max_early_data > 0
5d263fb7 1135 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1136 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1137 SSL_SESSION_free(sess);
1138 sess = NULL;
1139 continue;
1140 }
1141
f0131dc0
P		 1142 age = ossl_time_subtract(ossl_seconds2time(ticket_agel),
1143 ossl_seconds2time(sess->ext.tick_age_add));
1144 t = ossl_time_subtract(ossl_time_now(), sess->time);
3a7c56b2
MC		 1145
1146 /*
f0131dc0
P		 1147 * Beause we use second granuality, it could appear that
1148 * the client's ticket age is longer than ours (our ticket
1149 * age calculation should always be slightly longer than the
1150 * client's due to the network latency). Therefore we add
1151 * 1000ms to our age calculation to adjust for rounding errors.
3a7c56b2 1152 */
f0131dc0
P		 1153 expire = ossl_time_add(t, ossl_ms2time(1000));
1154
630369d9 1155 if (id == 0
f0131dc0
P		 1156 && ossl_time_compare(sess->timeout, t) >= 0
1157 && ossl_time_compare(age, expire) <= 0
1158 && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1159 expire) >= 0) {
3a7c56b2
MC		 1160 /*
1161 * Ticket age is within tolerance and not expired. We allow it
1162 * for early data
1163 */
1164 s->ext.early_data_ok = 1;
1165 }
1053a6e2 1166 }
1053a6e2 1167
38b051a1 1168 md = ssl_md(sctx, sess->cipher->algorithm2);
b740012f 1169 if (md == NULL) {
1170 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1171 goto err;
1172 }
c8f6c28a 1173 if (!EVP_MD_is_a(md,
38b051a1 1174 EVP_MD_get0_name(ssl_md(sctx,
ed576acd 1175 s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1176 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1177 SSL_SESSION_free(sess);
1178 sess = NULL;
630369d9 1179 s->ext.early_data_ok = 0;
51256b34 1180 s->ext.ticket_expected = 0;
1053a6e2
MC		 1181 continue;
1182 }
1053a6e2
MC		 1183 break;
1184 }
1185
1186 if (sess == NULL)
1187 return 1;
1188
1189 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
ed576acd 1190 hashsize = EVP_MD_get_size(md);
1053a6e2
MC		 1191
1192 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1193 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1194 goto err;
1195 }
1196
1197 for (i = 0; i <= id; i++) {
1198 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1199 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1200 goto err;
1201 }
1202 }
1203
2894e9cb 1204 if (PACKET_remaining(&binder) != hashsize) {
c48ffbcc 1205 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1206 goto err;
1207 }
1208 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1209 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1210 ext) != 1) {
635c8f77 1211 /* SSLfatal() already called */
1053a6e2
MC		 1212 goto err;
1213 }
1214
c96ce52c 1215 s->ext.tick_identity = id;
2c604cb9 1216
1053a6e2
MC		 1217 SSL_SESSION_free(s->session);
1218 s->session = sess;
1053a6e2
MC		 1219 return 1;
1220err:
312e9387 1221 SSL_SESSION_free(sess);
1053a6e2
MC		 1222 return 0;
1223}
1224
38b051a1 1225int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 1226 ossl_unused unsigned int context,
1227 ossl_unused X509 *x,
1228 ossl_unused size_t chainidx)
9d75dce3
TS		 1229{
1230 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1231 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1232 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1233 return 0;
1234 }
1235
1236 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1237
1238 return 1;
1239}
1240
1266eefd
MC		 1241/*
1242 * Add the server's renegotiation binding
1243 */
38b051a1 1244EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1245 unsigned int context, X509 *x,
f63a17d6 1246 size_t chainidx)
7da160b0 1247{
555cbb32 1248 if (!s->s3.send_connection_binding)
b186a592 1249 return EXT_RETURN_NOT_SENT;
7da160b0 1250
db0f35dd 1251 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1252 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1253 || !WPACKET_start_sub_packet_u16(pkt)
1254 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1255 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1256 s->s3.previous_client_finished_len)
1257 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1258 s->s3.previous_server_finished_len)
7da160b0
MC		 1259 || !WPACKET_close(pkt)
1260 || !WPACKET_close(pkt)) {
c48ffbcc 1261 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1262 return EXT_RETURN_FAIL;
7da160b0
MC		 1263 }
1264
b186a592 1265 return EXT_RETURN_SENT;
7da160b0
MC		 1266}
1267
38b051a1 1268EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1269 unsigned int context, X509 *x,
f63a17d6 1270 size_t chainidx)
7da160b0 1271{
7955c1f1
MC		 1272 if (s->servername_done != 1)
1273 return EXT_RETURN_NOT_SENT;
1274
1275 /*
1276 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1277 * We just use the servername from the initial handshake.
1278 */
38b051a1 1279 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
b186a592 1280 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1281
1282 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1283 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1284 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1285 return EXT_RETURN_FAIL;
7da160b0
MC		 1286 }
1287
b186a592 1288 return EXT_RETURN_SENT;
7da160b0
MC		 1289}
1290
cf72c757 1291/* Add/include the server's max fragment len extension into ServerHello */
38b051a1 1292EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 1293 unsigned int context, X509 *x,
f63a17d6 1294 size_t chainidx)
cf72c757
F		 1295{
1296 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1297 return EXT_RETURN_NOT_SENT;
1298
1299 /*-
1300 * 4 bytes for this extension type and extension length
1301 * 1 byte for the Max Fragment Length code value.
1302 */
1303 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1304 || !WPACKET_start_sub_packet_u16(pkt)
1305 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1306 || !WPACKET_close(pkt)) {
c48ffbcc 1307 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1308 return EXT_RETURN_FAIL;
1309 }
1310
1311 return EXT_RETURN_SENT;
1312}
1313
38b051a1 1314EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1315 unsigned int context, X509 *x,
f63a17d6 1316 size_t chainidx)
7da160b0 1317{
555cbb32
TS		 1318 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1319 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1320 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1321 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1322 const unsigned char *plist;
1323 size_t plistlen;
1324
1325 if (!using_ecc)
b186a592 1326 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1327
1328 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1329 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1330 || !WPACKET_start_sub_packet_u16(pkt)
1331 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1332 || !WPACKET_close(pkt)) {
c48ffbcc 1333 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1334 return EXT_RETURN_FAIL;
7da160b0
MC		 1335 }
1336
b186a592 1337 return EXT_RETURN_SENT;
7da160b0 1338}
7da160b0 1339
38b051a1 1340EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1341 unsigned int context, X509 *x,
f63a17d6 1342 size_t chainidx)
6af87546 1343{
9e84a42d 1344 const uint16_t *groups;
6af87546 1345 size_t numgroups, i, first = 1;
9d2d857f 1346 int version;
6af87546 1347
555cbb32
TS		 1348 /* s->s3.group_id is non zero if we accepted a key_share */
1349 if (s->s3.group_id == 0)
b186a592 1350 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1351
1352 /* Get our list of supported groups */
ff6d20a6 1353 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1354 if (numgroups == 0) {
c48ffbcc 1355 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1356 return EXT_RETURN_FAIL;
6af87546
MC		 1357 }
1358
1359 /* Copy group ID if supported */
38b051a1 1360 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
9e84a42d
DSH		 1361 for (i = 0; i < numgroups; i++) {
1362 uint16_t group = groups[i];
1363
8b1db5d3 1364 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1365 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1366 if (first) {
1367 /*
1368 * Check if the client is already using our preferred group. If
1369 * so we don't need to add this extension
1370 */
555cbb32 1371 if (s->s3.group_id == group)
b186a592 1372 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1373
1374 /* Add extension header */
1375 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1376 /* Sub-packet for supported_groups extension */
1377 || !WPACKET_start_sub_packet_u16(pkt)
1378 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1379 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1380 return EXT_RETURN_FAIL;
6af87546
MC		 1381 }
1382
1383 first = 0;
1384 }
9e84a42d 1385 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1386 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1387 return EXT_RETURN_FAIL;
6af87546
MC		 1388 }
1389 }
1390 }
1391
1392 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1393 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1394 return EXT_RETURN_FAIL;
6af87546
MC		 1395 }
1396
b186a592 1397 return EXT_RETURN_SENT;
6af87546
MC		 1398}
1399
38b051a1 1400EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1401 unsigned int context, X509 *x,
f63a17d6 1402 size_t chainidx)
7da160b0 1403{
aff8c126
RS		 1404 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1405 s->ext.ticket_expected = 0;
b186a592 1406 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1407 }
1408
1409 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1410 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1411 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1412 return EXT_RETURN_FAIL;
7da160b0
MC		 1413 }
1414
b186a592 1415 return EXT_RETURN_SENT;
7da160b0
MC		 1416}
1417
ab83e314 1418#ifndef OPENSSL_NO_OCSP
38b051a1 1419EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1420 unsigned int context, X509 *x,
f63a17d6 1421 size_t chainidx)
7da160b0 1422{
debb64a0
MC		 1423 /* We don't currently support this extension inside a CertificateRequest */
1424 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1425 return EXT_RETURN_NOT_SENT;
1426
aff8c126 1427 if (!s->ext.status_expected)
b186a592 1428 return EXT_RETURN_NOT_SENT;
7da160b0 1429
38b051a1 1430 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
b186a592 1431 return EXT_RETURN_NOT_SENT;
e96e0f8e 1432
7da160b0 1433 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1434 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1435 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1436 return EXT_RETURN_FAIL;
f63e4288
MC		 1437 }
1438
1439 /*
1440 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1441 * send back an empty extension, with the certificate status appearing as a
1442 * separate message
1443 */
38b051a1 1444 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
3ec8d113 1445 /* SSLfatal() already called */
56d36288 1446 return EXT_RETURN_FAIL;
3ec8d113
MC		 1447 }
1448 if (!WPACKET_close(pkt)) {
c48ffbcc 1449 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1450 return EXT_RETURN_FAIL;
7da160b0
MC		 1451 }
1452
b186a592 1453 return EXT_RETURN_SENT;
7da160b0 1454}
ab83e314 1455#endif
7da160b0 1456
7da160b0 1457#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1 1458EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1459 unsigned int context, X509 *x,
f63a17d6 1460 size_t chainidx)
7da160b0
MC		 1461{
1462 const unsigned char *npa;
1463 unsigned int npalen;
1464 int ret;
555cbb32 1465 int npn_seen = s->s3.npn_seen;
38b051a1 1466 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
7da160b0 1467
555cbb32 1468 s->s3.npn_seen = 0;
38b051a1 1469 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
b186a592 1470 return EXT_RETURN_NOT_SENT;
7da160b0 1471
38b051a1
TM		 1472 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1473 sctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1474 if (ret == SSL_TLSEXT_ERR_OK) {
1475 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1476 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1477 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1478 return EXT_RETURN_FAIL;
7da160b0 1479 }
555cbb32 1480 s->s3.npn_seen = 1;
7da160b0
MC		 1481 }
1482
b186a592 1483 return EXT_RETURN_SENT;
7da160b0
MC		 1484}
1485#endif
1486
38b051a1 1487EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
f63a17d6 1488 X509 *x, size_t chainidx)
7da160b0 1489{
555cbb32 1490 if (s->s3.alpn_selected == NULL)
b186a592 1491 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1492
1493 if (!WPACKET_put_bytes_u16(pkt,
1494 TLSEXT_TYPE_application_layer_protocol_negotiation)
1495 || !WPACKET_start_sub_packet_u16(pkt)
1496 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1497 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1498 s->s3.alpn_selected_len)
7da160b0
MC		 1499 || !WPACKET_close(pkt)
1500 || !WPACKET_close(pkt)) {
c48ffbcc 1501 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1502 return EXT_RETURN_FAIL;
7da160b0
MC		 1503 }
1504
b186a592 1505 return EXT_RETURN_SENT;
7da160b0
MC		 1506}
1507
1508#ifndef OPENSSL_NO_SRTP
38b051a1 1509EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1510 unsigned int context, X509 *x,
f63a17d6 1511 size_t chainidx)
7da160b0
MC		 1512{
1513 if (s->srtp_profile == NULL)
b186a592 1514 return EXT_RETURN_NOT_SENT;
a1448c26 1515
7da160b0
MC		 1516 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1517 || !WPACKET_start_sub_packet_u16(pkt)
1518 || !WPACKET_put_bytes_u16(pkt, 2)
1519 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1520 || !WPACKET_put_bytes_u8(pkt, 0)
1521 || !WPACKET_close(pkt)) {
c48ffbcc 1522 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1523 return EXT_RETURN_FAIL;
7da160b0
MC		 1524 }
1525
b186a592 1526 return EXT_RETURN_SENT;
7da160b0
MC		 1527}
1528#endif
1529
38b051a1
TM		 1530EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1531 unsigned int context,
f63a17d6 1532 X509 *x, size_t chainidx)
7da160b0 1533{
28a31a0a 1534 if (!s->ext.use_etm)
b186a592 1535 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1536
1537 /*
1538 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1539 * for other cases too.
1540 */
555cbb32
TS		 1541 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1542 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1543 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1544 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1545 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1546 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1547 s->ext.use_etm = 0;
b186a592 1548 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1549 }
1550
1551 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1552 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1553 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1554 return EXT_RETURN_FAIL;
7da160b0
MC		 1555 }
1556
b186a592 1557 return EXT_RETURN_SENT;
7da160b0
MC		 1558}
1559
38b051a1
TM		 1560EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1561 unsigned int context,
f63a17d6 1562 X509 *x, size_t chainidx)
7da160b0 1563{
555cbb32 1564 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1565 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1566
1567 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1568 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1569 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1570 return EXT_RETURN_FAIL;
7da160b0
MC		 1571 }
1572
b186a592 1573 return EXT_RETURN_SENT;
7da160b0
MC		 1574}
1575
38b051a1 1576EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
88050dd1
MC		 1577 unsigned int context, X509 *x,
1578 size_t chainidx)
1579{
38b051a1 1580 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
c48ffbcc 1581 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1582 return EXT_RETURN_FAIL;
1583 }
88050dd1
MC		 1584
1585 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1586 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1587 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1588 || !WPACKET_close(pkt)) {
c48ffbcc 1589 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1590 return EXT_RETURN_FAIL;
1591 }
1592
1593 return EXT_RETURN_SENT;
1594}
1595
38b051a1 1596EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1597 unsigned int context, X509 *x,
f63a17d6 1598 size_t chainidx)
7da160b0 1599{
3cf96e88 1600#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1601 unsigned char *encodedPoint;
1602 size_t encoded_pt_len = 0;
555cbb32 1603 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1604 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1605
dd77962e
MC		 1606 if (s->hello_retry_request == SSL_HRR_PENDING) {
1607 if (ckey != NULL) {
1608 /* Original key_share was acceptable so don't ask for another one */
1609 return EXT_RETURN_NOT_SENT;
1610 }
1611 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1612 || !WPACKET_start_sub_packet_u16(pkt)
16f0e91c 1613 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
dd77962e 1614 || !WPACKET_close(pkt)) {
c48ffbcc 1615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1616 return EXT_RETURN_FAIL;
7d061fce
MC		 1617 }
1618
dd77962e
MC		 1619 return EXT_RETURN_SENT;
1620 }
1621
1622 if (ckey == NULL) {
1623 /* No key_share received from client - must be resuming */
0247086d 1624 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1625 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1626 return EXT_RETURN_FAIL;
0247086d 1627 }
b186a592 1628 return EXT_RETURN_NOT_SENT;
7da160b0 1629 }
e776858b
BK		 1630 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1631 /*
1632 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1633 * DHE option we always take it); don't send key share.
1634 */
1635 return EXT_RETURN_NOT_SENT;
1636 }
7da160b0
MC		 1637
1638 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1639 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1640 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1641 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1642 return EXT_RETURN_FAIL;
7da160b0
MC		 1643 }
1644
38b051a1
TM		 1645 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1646 s->s3.group_id)) == NULL) {
c48ffbcc 1647 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1648 return EXT_RETURN_FAIL;
7da160b0
MC		 1649 }
1650
8b17fbaf
NT		 1651 if (!ginf->is_kem) {
1652 /* Regular KEX */
1653 skey = ssl_generate_pkey(s, ckey);
1654 if (skey == NULL) {
e077455e 1655 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
8b17fbaf
NT		 1656 return EXT_RETURN_FAIL;
1657 }
7da160b0 1658
8b17fbaf 1659 /* Generate encoding of server key */
5ac8fb58 1660 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1661 if (encoded_pt_len == 0) {
c48ffbcc 1662 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1663 EVP_PKEY_free(skey);
1664 return EXT_RETURN_FAIL;
1665 }
1666
1667 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1668 || !WPACKET_close(pkt)) {
c48ffbcc 1669 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1670 EVP_PKEY_free(skey);
1671 OPENSSL_free(encodedPoint);
1672 return EXT_RETURN_FAIL;
1673 }
7da160b0 1674 OPENSSL_free(encodedPoint);
7da160b0 1675
8b17fbaf
NT		 1676 /*
1677 * This causes the crypto state to be updated based on the derived keys
1678 */
1679 s->s3.tmp.pkey = skey;
1680 if (ssl_derive(s, skey, ckey, 1) == 0) {
1681 /* SSLfatal() already called */
1682 return EXT_RETURN_FAIL;
1683 }
1684 } else {
1685 /* KEM mode */
1686 unsigned char *ct = NULL;
1687 size_t ctlen = 0;
1688
1689 /*
1690 * This does not update the crypto state.
1691 *
1692 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1693 * ssl_gensecret().
1694 */
1695 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1696 /* SSLfatal() already called */
1697 return EXT_RETURN_FAIL;
1698 }
1699
1700 if (ctlen == 0) {
c48ffbcc 1701 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1702 OPENSSL_free(ct);
1703 return EXT_RETURN_FAIL;
1704 }
1705
1706 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1707 || !WPACKET_close(pkt)) {
c48ffbcc 1708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1709 OPENSSL_free(ct);
1710 return EXT_RETURN_FAIL;
1711 }
1712 OPENSSL_free(ct);
1713
1714 /*
1715 * This causes the crypto state to be updated based on the generated pms
1716 */
1717 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1718 /* SSLfatal() already called */
1719 return EXT_RETURN_FAIL;
1720 }
7da160b0 1721 }
aa6bd216 1722 s->s3.did_kex = 1;
b186a592 1723 return EXT_RETURN_SENT;
1aac20f5
MC		 1724#else
1725 return EXT_RETURN_FAIL;
1726#endif
7da160b0
MC		 1727}
1728
38b051a1
TM		 1729EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1730 unsigned int context,
43054d3d
MC		 1731 X509 *x, size_t chainidx)
1732{
1aac20f5 1733#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1734 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1735 unsigned char *hmac, *hmac2;
3fa2812f 1736 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1737 EVP_MD_CTX *hctx;
1738 EVP_PKEY *pkey;
1739 int ret = EXT_RETURN_FAIL;
38b051a1
TM		 1740 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1741 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
43054d3d 1742
555cbb32 1743 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1744 return EXT_RETURN_NOT_SENT;
1745
38b051a1 1746 if (sctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1748 return EXT_RETURN_FAIL;
1749 }
1750
43054d3d
MC		 1751 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1752 || !WPACKET_start_sub_packet_u16(pkt)
1753 || !WPACKET_start_sub_packet_u16(pkt)
1754 || !WPACKET_get_total_written(pkt, &startlen)
1755 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1756 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1757 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32 1758 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
38b051a1
TM		 1759 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1760 &ciphlen)
43054d3d 1761 /* Is there a key_share extension present in this HRR? */
555cbb32 1762 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
e8a557dc 1763 || !WPACKET_put_bytes_u64(pkt, time(NULL))
43054d3d
MC		 1764 || !WPACKET_start_sub_packet_u16(pkt)
1765 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1766 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1767 return EXT_RETURN_FAIL;
1768 }
1769
1770 /*
1771 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1772 * on raw buffers, so we first reserve sufficient bytes (above) and then
1773 * subsequently allocate them (below)
1774 */
1775 if (!ssl3_digest_cached_records(s, 0)
1776 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1777 /* SSLfatal() already called */
1778 return EXT_RETURN_FAIL;
1779 }
1780
1781 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1782 || !ossl_assert(hashval1 == hashval2)
1783 || !WPACKET_close(pkt)
1784 || !WPACKET_start_sub_packet_u8(pkt)
1785 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1786 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1787 return EXT_RETURN_FAIL;
1788 }
1789
1790 /* Generate the application cookie */
38b051a1
TM		 1791 if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1792 &appcookielen) == 0) {
c48ffbcc 1793 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1794 return EXT_RETURN_FAIL;
1795 }
1796
1797 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1798 || !ossl_assert(appcookie1 == appcookie2)
1799 || !WPACKET_close(pkt)
1800 || !WPACKET_get_total_written(pkt, &totcookielen)
1801 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1803 return EXT_RETURN_FAIL;
1804 }
1805 hmaclen = SHA256_DIGEST_LENGTH;
1806
1807 totcookielen -= startlen;
1808 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1809 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1810 return EXT_RETURN_FAIL;
1811 }
1812
1813 /* HMAC the cookie */
1814 hctx = EVP_MD_CTX_create();
38b051a1
TM		 1815 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1816 sctx->propq,
d8652be0
MC		 1817 s->session_ctx->ext.cookie_hmac_key,
1818 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1819 if (hctx == NULL || pkey == NULL) {
e077455e 1820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
43054d3d
MC		 1821 goto err;
1822 }
1823
38b051a1
TM		 1824 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1825 sctx->propq, pkey, NULL) <= 0
43054d3d
MC		 1826 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1827 totcookielen) <= 0) {
c48ffbcc 1828 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1829 goto err;
1830 }
1831
1832 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1833 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1834 goto err;
1835 }
1836
1837 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1838 || !ossl_assert(hmac == hmac2)
1839 || !ossl_assert(cookie == hmac - totcookielen)
1840 || !WPACKET_close(pkt)
1841 || !WPACKET_close(pkt)) {
c48ffbcc 1842 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1843 goto err;
1844 }
1845
1846 ret = EXT_RETURN_SENT;
1847
1848 err:
1849 EVP_MD_CTX_free(hctx);
1850 EVP_PKEY_free(pkey);
1851 return ret;
1aac20f5
MC		 1852#else
1853 return EXT_RETURN_FAIL;
1854#endif
43054d3d
MC		 1855}
1856
38b051a1 1857EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1858 unsigned int context, X509 *x,
f63a17d6 1859 size_t chainidx)
7da160b0
MC		 1860{
1861 const unsigned char cryptopro_ext[36] = {
1862 0xfd, 0xe8, /* 65000 */
1863 0x00, 0x20, /* 32 bytes length */
1864 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1865 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1866 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1867 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1868 };
1869
555cbb32
TS		 1870 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1871 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
38b051a1
TM		 1872 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1873 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1874 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1875
1876 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1877 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1878 return EXT_RETURN_FAIL;
7da160b0
MC		 1879 }
1880
b186a592 1881 return EXT_RETURN_SENT;
7da160b0 1882}
0247086d 1883
38b051a1 1884EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1885 unsigned int context, X509 *x,
f63a17d6 1886 size_t chainidx)
38df5a45 1887{
fe874d27 1888 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1889 if (s->max_early_data == 0)
b186a592 1890 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1891
1892 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1893 || !WPACKET_start_sub_packet_u16(pkt)
1894 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1895 || !WPACKET_close(pkt)) {
c48ffbcc 1896 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1897 return EXT_RETURN_FAIL;
6594189f
MC		 1898 }
1899
b186a592 1900 return EXT_RETURN_SENT;
6594189f
MC		 1901 }
1902
38df5a45 1903 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1904 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1905
1906 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1907 || !WPACKET_start_sub_packet_u16(pkt)
1908 || !WPACKET_close(pkt)) {
c48ffbcc 1909 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1910 return EXT_RETURN_FAIL;
38df5a45
MC		 1911 }
1912
b186a592 1913 return EXT_RETURN_SENT;
38df5a45
MC		 1914}
1915
38b051a1
TM		 1916EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1917 unsigned int context,
f63a17d6 1918 X509 *x, size_t chainidx)
0247086d
MC		 1919{
1920 if (!s->hit)
b186a592 1921 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1922
1923 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1924 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1925 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1926 || !WPACKET_close(pkt)) {
c48ffbcc 1927 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1928 return EXT_RETURN_FAIL;
0247086d
MC		 1929 }
1930
b186a592 1931 return EXT_RETURN_SENT;
0247086d 1932}
A mirror of the official openssl repository