]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SSL object refactoring using SSL_CONNECTION object
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
15#define COOKIE_STATE_FORMAT_VERSION 0
16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
d0debc0a
MC		 20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
d0debc0a 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
38b051a1
TM		 41int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
f63a17d6 43 X509 *x, size_t chainidx)
25670f3e
MC		 44{
45 unsigned int ilen;
46 const unsigned char *data;
47
48 /* Parse the length byte */
49 if (!PACKET_get_1(pkt, &ilen)
50 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 51 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 52 return 0;
53 }
54
55 /* Check that the extension matches */
555cbb32 56 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 58 return 0;
59 }
60
555cbb32
TS		 61 if (memcmp(data, s->s3.previous_client_finished,
62 s->s3.previous_client_finished_len)) {
c48ffbcc 63 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 64 return 0;
65 }
66
555cbb32 67 s->s3.send_connection_binding = 1;
25670f3e
MC		 68
69 return 1;
70}
71
1266eefd
MC		 72/*-
73 * The servername extension is treated as follows:
74 *
75 * - Only the hostname type is supported with a maximum length of 255.
76 * - The servername is rejected if too long or if it contains zeros,
77 * in which case an fatal alert is generated.
78 * - The servername field is maintained together with the session cache.
79 * - When a session is resumed, the servername call back invoked in order
80 * to allow the application to position itself to the right context.
81 * - The servername is acknowledged if it is new for a session or when
82 * it is identical to a previously used for the same session.
83 * Applications can control the behaviour. They can at any time
84 * set a 'desirable' servername for a new SSL object. This can be the
85 * case for example with HTTPS when a Host: header field is received and
86 * a renegotiation is requested. In this case, a possible servername
87 * presented in the new client hello is only acknowledged if it matches
88 * the value of the Host: field.
89 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
90 * if they provide for changing an explicit servername context for the
91 * session, i.e. when the session has been established with a servername
92 * extension.
93 * - On session reconnect, the servername extension may be absent.
94 */
38b051a1
TM		 95int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
96 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 97{
98 unsigned int servname_type;
99 PACKET sni, hostname;
100
25670f3e
MC		 101 if (!PACKET_as_length_prefixed_2(pkt, &sni)
102 /* ServerNameList must be at least 1 byte long. */
103 || PACKET_remaining(&sni) == 0) {
c48ffbcc 104 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 105 return 0;
106 }
107
108 /*
44e69951
F		 109 * Although the intent was for server_name to be extensible, RFC 4366
110 * was not clear about it; and so OpenSSL among other implementations,
111 * always and only allows a 'host_name' name types.
25670f3e
MC		 112 * RFC 6066 corrected the mistake but adding new name types
113 * is nevertheless no longer feasible, so act as if no other
114 * SNI types can exist, to simplify parsing.
115 *
116 * Also note that the RFC permits only one SNI value per type,
117 * i.e., we can only have a single hostname.
118 */
119 if (!PACKET_get_1(&sni, &servname_type)
120 || servname_type != TLSEXT_NAMETYPE_host_name
121 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 122 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 123 return 0;
124 }
125
7955c1f1
MC		 126 /*
127 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
128 * we always use the SNI value from the handshake.
129 */
38b051a1 130 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
25670f3e 131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 133 return 0;
134 }
135
136 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 137 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 138 return 0;
139 }
140
1c4aa31d
BK		 141 /*
142 * Store the requested SNI in the SSL as temporary storage.
143 * If we accept it, it will get stored in the SSL_SESSION as well.
144 */
145 OPENSSL_free(s->ext.hostname);
146 s->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 149 return 0;
150 }
151
152 s->servername_done = 1;
7955c1f1
MC		 153 } else {
154 /*
155 * In TLSv1.2 and below we should check if the SNI is consistent between
156 * the initial handshake and the resumption. In TLSv1.3 SNI is not
157 * associated with the session.
158 */
1c4aa31d 159 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
25670f3e
MC		 162 }
163
164 return 1;
165}
166
38b051a1
TM		 167int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
168 unsigned int context,
f63a17d6 169 X509 *x, size_t chainidx)
cf72c757
F		 170{
171 unsigned int value;
172
173 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 174 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 175 return 0;
176 }
177
178 /* Received |value| should be a valid max-fragment-length code. */
179 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 180 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 181 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 182 return 0;
183 }
184
185 /*
186 * RFC 6066: The negotiated length applies for the duration of the session
187 * including session resumptions.
188 * We should receive the same code as in resumed session !
189 */
190 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 191 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 192 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 193 return 0;
194 }
195
196 /*
197 * Store it in session, so it'll become binding for us
198 * and we'll include it in a next Server Hello.
199 */
200 s->session->ext.max_fragment_len_mode = value;
201 return 1;
202}
203
25670f3e 204#ifndef OPENSSL_NO_SRP
38b051a1
TM		 205int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
206 X509 *x, size_t chainidx)
25670f3e
MC		 207{
208 PACKET srp_I;
209
210 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
211 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 212 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 213 return 0;
214 }
215
25670f3e 216 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 218 return 0;
219 }
220
221 return 1;
222}
223#endif
224
38b051a1
TM		 225int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
226 unsigned int context,
f63a17d6 227 X509 *x, size_t chainidx)
25670f3e
MC		 228{
229 PACKET ec_point_format_list;
230
231 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
232 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 233 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 234 return 0;
235 }
236
237 if (!s->hit) {
238 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 239 &s->ext.peer_ecpointformats,
240 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 242 return 0;
243 }
244 }
245
246 return 1;
247}
25670f3e 248
38b051a1
TM		 249int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
250 unsigned int context,
f63a17d6 251 X509 *x, size_t chainidx)
25670f3e 252{
aff8c126 253 if (s->ext.session_ticket_cb &&
38b051a1
TM		 254 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
255 PACKET_data(pkt), PACKET_remaining(pkt),
256 s->ext.session_ticket_cb_arg)) {
c48ffbcc 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 258 return 0;
259 }
260
261 return 1;
262}
263
38b051a1 264int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 265 ossl_unused unsigned int context,
266 ossl_unused X509 *x,
267 ossl_unused size_t chainidx)
c589c34e
BK		 268{
269 PACKET supported_sig_algs;
270
271 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
272 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 273 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 274 return 0;
275 }
276
277 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 279 return 0;
280 }
281
282 return 1;
283}
284
38b051a1
TM		 285int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
286 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 287{
288 PACKET supported_sig_algs;
289
290 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 291 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 292 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 293 return 0;
294 }
295
c589c34e 296 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 297 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 298 return 0;
299 }
300
301 return 1;
302}
303
ab83e314 304#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 305int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
306 unsigned int context,
f63a17d6 307 X509 *x, size_t chainidx)
25670f3e 308{
1266eefd
MC		 309 PACKET responder_id_list, exts;
310
ded4a83d
MC		 311 /* We ignore this in a resumption handshake */
312 if (s->hit)
313 return 1;
314
e96e0f8e
MC		 315 /* Not defined if we get one of these in a client Certificate */
316 if (x != NULL)
317 return 1;
318
aff8c126 319 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 321 return 0;
322 }
ab83e314 323
aff8c126 324 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 325 /*
1266eefd 326 * We don't know what to do with any other type so ignore it.
25670f3e 327 */
aff8c126 328 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 329 return 1;
330 }
25670f3e 331
1266eefd 332 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 333 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 334 return 0;
335 }
25670f3e 336
1266eefd
MC		 337 /*
338 * We remove any OCSP_RESPIDs from a previous handshake
339 * to prevent unbounded memory growth - CVE-2016-6304
340 */
aff8c126 341 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 342 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 343 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
344 if (s->ext.ocsp.ids == NULL) {
c48ffbcc 345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 346 return 0;
347 }
348 } else {
aff8c126 349 s->ext.ocsp.ids = NULL;
1266eefd 350 }
25670f3e 351
1266eefd
MC		 352 while (PACKET_remaining(&responder_id_list) > 0) {
353 OCSP_RESPID *id;
354 PACKET responder_id;
355 const unsigned char *id_data;
25670f3e 356
1266eefd
MC		 357 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
358 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 360 return 0;
361 }
25670f3e 362
1266eefd 363 id_data = PACKET_data(&responder_id);
1266eefd
MC		 364 id = d2i_OCSP_RESPID(NULL, &id_data,
365 (int)PACKET_remaining(&responder_id));
366 if (id == NULL) {
c48ffbcc 367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 368 return 0;
25670f3e
MC		 369 }
370
1266eefd
MC		 371 if (id_data != PACKET_end(&responder_id)) {
372 OCSP_RESPID_free(id);
c48ffbcc 373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 374
25670f3e
MC		 375 return 0;
376 }
377
aff8c126 378 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 379 OCSP_RESPID_free(id);
c48ffbcc 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 381
1266eefd
MC		 382 return 0;
383 }
384 }
385
386 /* Read in request_extensions */
387 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 389 return 0;
390 }
391
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
394
aff8c126 395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 396 X509_EXTENSION_free);
aff8c126 397 s->ext.ocsp.exts =
1266eefd 398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 401 return 0;
25670f3e 402 }
25670f3e
MC		 403 }
404
405 return 1;
406}
ab83e314 407#endif
25670f3e
MC		 408
409#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 410int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
411 X509 *x, size_t chainidx)
25670f3e 412{
1266eefd
MC		 413 /*
414 * We shouldn't accept this extension on a
415 * renegotiation.
1266eefd 416 */
c7f47786 417 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 418 s->s3.npn_seen = 1;
25670f3e
MC		 419
420 return 1;
421}
422#endif
423
424/*
1266eefd 425 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 426 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 427 */
38b051a1
TM		 428int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
429 X509 *x, size_t chainidx)
25670f3e
MC		 430{
431 PACKET protocol_list, save_protocol_list, protocol;
432
c7f47786 433 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 434 return 1;
435
436 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
437 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 439 return 0;
440 }
441
442 save_protocol_list = protocol_list;
443 do {
444 /* Protocol names can't be empty. */
445 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
446 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 448 return 0;
449 }
450 } while (PACKET_remaining(&protocol_list) != 0);
451
555cbb32
TS		 452 OPENSSL_free(s->s3.alpn_proposed);
453 s->s3.alpn_proposed = NULL;
454 s->s3.alpn_proposed_len = 0;
25670f3e 455 if (!PACKET_memdup(&save_protocol_list,
555cbb32 456 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 458 return 0;
459 }
460
461 return 1;
462}
463
464#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 465int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
466 unsigned int context, X509 *x, size_t chainidx)
25670f3e 467{
25670f3e
MC		 468 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
469 unsigned int ct, mki_len, id;
470 int i, srtp_pref;
471 PACKET subpkt;
38b051a1 472 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
25670f3e
MC		 473
474 /* Ignore this if we have no SRTP profiles */
38b051a1 475 if (SSL_get_srtp_profiles(ssl) == NULL)
25670f3e
MC		 476 return 1;
477
478 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 479 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
480 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 482 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 483 return 0;
484 }
485
38b051a1 486 srvr = SSL_get_srtp_profiles(ssl);
25670f3e
MC		 487 s->srtp_profile = NULL;
488 /* Search all profiles for a match initially */
489 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
490
491 while (PACKET_remaining(&subpkt)) {
492 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 493 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 494 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 495 return 0;
496 }
497
498 /*
499 * Only look for match in profiles of higher preference than
500 * current match.
501 * If no profiles have been have been configured then this
502 * does nothing.
503 */
504 for (i = 0; i < srtp_pref; i++) {
d270de32 505 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 506 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
507
25670f3e
MC		 508 if (sprof->id == id) {
509 s->srtp_profile = sprof;
510 srtp_pref = i;
511 break;
512 }
513 }
514 }
515
1266eefd 516 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 517 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 518 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 519 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 520 return 0;
521 }
522
523 if (!PACKET_forward(pkt, mki_len)
524 || PACKET_remaining(pkt)) {
c48ffbcc 525 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 526 return 0;
527 }
528
529 return 1;
530}
531#endif
532
38b051a1
TM		 533int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
534 X509 *x, size_t chainidx)
25670f3e
MC		 535{
536 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 537 s->ext.use_etm = 1;
25670f3e
MC		 538
539 return 1;
540}
541
b2f7e8c0
MC		 542/*
543 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
544 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 545 */
38b051a1
TM		 546int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
547 unsigned int context,
f63a17d6 548 X509 *x, size_t chainidx)
b2f7e8c0
MC		 549{
550#ifndef OPENSSL_NO_TLS1_3
551 PACKET psk_kex_modes;
552 unsigned int mode;
553
554 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
555 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 557 return 0;
558 }
559
560 while (PACKET_get_1(&psk_kex_modes, &mode)) {
561 if (mode == TLSEXT_KEX_MODE_KE_DHE)
562 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 563 else if (mode == TLSEXT_KEX_MODE_KE
564 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 565 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
566 }
567#endif
568
569 return 1;
570}
571
25670f3e
MC		 572/*
573 * Process a key_share extension received in the ClientHello. |pkt| contains
574 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 575 */
38b051a1
TM		 576int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
577 unsigned int context, X509 *x, size_t chainidx)
25670f3e 578{
3cf96e88 579#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 580 unsigned int group_id;
581 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 582 const uint16_t *clntgroups, *srvrgroups;
583 size_t clnt_num_groups, srvr_num_groups;
43b95d73 584 int found = 0;
25670f3e 585
f4bbb37c 586 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 587 return 1;
588
589 /* Sanity check */
555cbb32 590 if (s->s3.peer_tmp != NULL) {
c48ffbcc 591 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 592 return 0;
593 }
594
595 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 597 return 0;
598 }
599
f48d826e
DSH		 600 /* Get our list of supported groups */
601 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
602 /* Get the clients list of supported groups. */
603 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
604 if (clnt_num_groups == 0) {
b6fdc12d
MC		 605 /*
606 * This can only happen if the supported_groups extension was not sent,
607 * because we verify that the length is non-zero when we process that
608 * extension.
609 */
c48ffbcc 610 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 611 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 612 return 0;
613 }
25670f3e 614
555cbb32 615 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 616 /*
617 * If we set a group_id already, then we must have sent an HRR
618 * requesting a new key_share. If we haven't got one then that is an
619 * error
620 */
c48ffbcc 621 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 622 return 0;
623 }
624
25670f3e
MC		 625 while (PACKET_remaining(&key_share_list) > 0) {
626 if (!PACKET_get_net_2(&key_share_list, &group_id)
627 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
628 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 629 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 630 return 0;
631 }
632
633 /*
634 * If we already found a suitable key_share we loop through the
635 * rest to verify the structure, but don't process them.
636 */
637 if (found)
638 continue;
639
43054d3d
MC		 640 /*
641 * If we sent an HRR then the key_share sent back MUST be for the group
642 * we requested, and must be the only key_share sent.
643 */
555cbb32 644 if (s->s3.group_id != 0
0a10825a 645 && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
43054d3d 646 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 647 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 648 return 0;
649 }
650
25670f3e 651 /* Check if this share is in supported_groups sent from client */
f48d826e 652 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 653 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 654 return 0;
655 }
656
657 /* Check if this share is for a group we can use */
f48d826e 658 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 659 /* Share not suitable */
660 continue;
661 }
662
0a10825a
BE		 663 s->s3.group_id = group_id;
664 /* Cache the selected group ID in the SSL_SESSION */
665 s->session->kex_group = group_id;
666
667 group_id = ssl_group_id_tls13_to_internal(group_id);
668
ada66e78 669 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 670 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 671 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
672 return 0;
673 }
674
d5530efa
TM		 675 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
676 PACKET_data(&encoded_pt),
677 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 678 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 679 return 0;
680 }
681
682 found = 1;
683 }
3cf96e88 684#endif
25670f3e
MC		 685
686 return 1;
687}
688
38b051a1
TM		 689int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
690 X509 *x, size_t chainidx)
43054d3d 691{
1aac20f5 692#ifndef OPENSSL_NO_TLS1_3
dd77962e 693 unsigned int format, version, key_share, group_id;
43054d3d
MC		 694 EVP_MD_CTX *hctx;
695 EVP_PKEY *pkey;
696 PACKET cookie, raw, chhash, appcookie;
697 WPACKET hrrpkt;
698 const unsigned char *data, *mdin, *ciphdata;
699 unsigned char hmac[SHA256_DIGEST_LENGTH];
700 unsigned char hrr[MAX_HRR_SIZE];
701 size_t rawlen, hmaclen, hrrlen, ciphlen;
d0debc0a 702 unsigned long tm, now;
38b051a1
TM		 703 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
704 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
43054d3d
MC		 705
706 /* Ignore any cookie if we're not set up to verify it */
38b051a1 707 if (sctx->verify_stateless_cookie_cb == NULL
555cbb32 708 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 709 return 1;
710
711 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 712 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 713 return 0;
714 }
715
716 raw = cookie;
717 data = PACKET_data(&raw);
718 rawlen = PACKET_remaining(&raw);
719 if (rawlen < SHA256_DIGEST_LENGTH
720 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 721 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 722 return 0;
723 }
724 mdin = PACKET_data(&raw);
725
726 /* Verify the HMAC of the cookie */
727 hctx = EVP_MD_CTX_create();
38b051a1
TM		 728 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
729 sctx->propq,
d8652be0
MC		 730 s->session_ctx->ext.cookie_hmac_key,
731 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 732 if (hctx == NULL || pkey == NULL) {
733 EVP_MD_CTX_free(hctx);
734 EVP_PKEY_free(pkey);
c48ffbcc 735 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 736 return 0;
737 }
738
97ea1e7f 739 hmaclen = SHA256_DIGEST_LENGTH;
38b051a1
TM		 740 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
741 sctx->propq, pkey, NULL) <= 0
97ea1e7f
MC		 742 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
743 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 744 || hmaclen != SHA256_DIGEST_LENGTH) {
745 EVP_MD_CTX_free(hctx);
746 EVP_PKEY_free(pkey);
c48ffbcc 747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 748 return 0;
749 }
750
751 EVP_MD_CTX_free(hctx);
752 EVP_PKEY_free(pkey);
753
754 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 755 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 756 return 0;
757 }
758
759 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 760 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 761 return 0;
762 }
763 /* Check the cookie format is something we recognise. Ignore it if not */
764 if (format != COOKIE_STATE_FORMAT_VERSION)
765 return 1;
766
767 /*
768 * The rest of these checks really shouldn't fail since we have verified the
769 * HMAC above.
770 */
771
772 /* Check the version number is sane */
773 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 774 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 775 return 0;
776 }
777 if (version != TLS1_3_VERSION) {
c48ffbcc 778 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 779 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
780 return 0;
781 }
782
dd77962e 783 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 784 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 785 return 0;
786 }
dd77962e 787
43054d3d
MC		 788 ciphdata = PACKET_data(&cookie);
789 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 790 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 791 return 0;
792 }
555cbb32
TS		 793 if (group_id != s->s3.group_id
794 || s->s3.tmp.new_cipher
dd77962e
MC		 795 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
796 /*
797 * We chose a different cipher or group id this time around to what is
798 * in the cookie. Something must have changed.
799 */
c48ffbcc 800 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 801 return 0;
802 }
803
804 if (!PACKET_get_1(&cookie, &key_share)
d0debc0a 805 || !PACKET_get_net_4(&cookie, &tm)
43054d3d
MC		 806 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
807 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
808 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 809 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 810 return 0;
811 }
812
d0debc0a
MC		 813 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
814 now = (unsigned long)time(NULL);
815 if (tm > now || (now - tm) > 600) {
816 /* Cookie is stale. Ignore it */
817 return 1;
818 }
819
43054d3d 820 /* Verify the app cookie */
38b051a1
TM		 821 if (sctx->verify_stateless_cookie_cb(ssl,
822 PACKET_data(&appcookie),
823 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 824 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 825 return 0;
826 }
827
828 /*
829 * Reconstruct the HRR that we would have sent in response to the original
830 * ClientHello so we can add it to the transcript hash.
831 * Note: This won't work with custom HRR extensions
832 */
833 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 835 return 0;
836 }
837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838 || !WPACKET_start_sub_packet_u24(&hrrpkt)
839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842 s->tmp_session_id_len)
38b051a1
TM		 843 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
844 &ciphlen)
43054d3d
MC		 845 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847 WPACKET_cleanup(&hrrpkt);
c48ffbcc 848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 849 return 0;
850 }
851 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
852 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 853 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 854 || !WPACKET_close(&hrrpkt)) {
855 WPACKET_cleanup(&hrrpkt);
c48ffbcc 856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 857 return 0;
858 }
859 if (key_share) {
860 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
861 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 862 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 863 || !WPACKET_close(&hrrpkt)) {
864 WPACKET_cleanup(&hrrpkt);
c48ffbcc 865 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 866 return 0;
867 }
868 }
869 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
870 || !WPACKET_start_sub_packet_u16(&hrrpkt)
871 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
872 || !WPACKET_close(&hrrpkt) /* cookie extension */
873 || !WPACKET_close(&hrrpkt) /* extension block */
874 || !WPACKET_close(&hrrpkt) /* message */
875 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
876 || !WPACKET_finish(&hrrpkt)) {
877 WPACKET_cleanup(&hrrpkt);
c48ffbcc 878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 879 return 0;
880 }
881
882 /* Reconstruct the transcript hash */
883 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
884 PACKET_remaining(&chhash), hrr,
885 hrrlen)) {
886 /* SSLfatal() already called */
887 return 0;
888 }
889
890 /* Act as if this ClientHello came after a HelloRetryRequest */
891 s->hello_retry_request = 1;
892
c36001c3 893 s->ext.cookieok = 1;
1aac20f5 894#endif
c36001c3 895
43054d3d
MC		 896 return 1;
897}
898
38b051a1
TM		 899int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
900 unsigned int context,
f63a17d6 901 X509 *x, size_t chainidx)
25670f3e
MC		 902{
903 PACKET supported_groups_list;
904
905 /* Each group is 2 bytes and we must have at least 1. */
906 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
907 || PACKET_remaining(&supported_groups_list) == 0
908 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 909 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 910 return 0;
911 }
912
38b051a1 913 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
45436e61
MC		 914 OPENSSL_free(s->ext.peer_supportedgroups);
915 s->ext.peer_supportedgroups = NULL;
916 s->ext.peer_supportedgroups_len = 0;
9e84a42d 917 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 918 &s->ext.peer_supportedgroups,
919 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 920 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 921 return 0;
922 }
25670f3e
MC		 923 }
924
925 return 1;
926}
25670f3e 927
38b051a1
TM		 928int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
929 X509 *x, size_t chainidx)
25670f3e
MC		 930{
931 /* The extension must always be empty */
932 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 933 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 934 return 0;
935 }
936
088dfa13
TS		 937 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
938 return 1;
939
555cbb32 940 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 941
942 return 1;
943}
7da160b0 944
38df5a45 945
38b051a1 946int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
f63a17d6 947 X509 *x, size_t chainidx)
38df5a45
MC		 948{
949 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 950 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 951 return 0;
952 }
953
fc7129dc 954 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 955 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 956 return 0;
957 }
958
38df5a45
MC		 959 return 1;
960}
961
38b051a1 962static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
6cc0b3c2
MC		 963 SSL_SESSION **sess)
964{
965 SSL_SESSION *tmpsess = NULL;
966
5f26ddff
MC		 967 s->ext.ticket_expected = 1;
968
6cc0b3c2
MC		 969 switch (PACKET_remaining(tick)) {
970 case 0:
971 return SSL_TICKET_EMPTY;
972
973 case SSL_MAX_SSL_SESSION_ID_LENGTH:
974 break;
975
976 default:
977 return SSL_TICKET_NO_DECRYPT;
978 }
979
980 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
981 SSL_MAX_SSL_SESSION_ID_LENGTH);
982
983 if (tmpsess == NULL)
984 return SSL_TICKET_NO_DECRYPT;
985
6cc0b3c2
MC		 986 *sess = tmpsess;
987 return SSL_TICKET_SUCCESS;
988}
989
38b051a1
TM		 990int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
991 X509 *x, size_t chainidx)
1053a6e2
MC		 992{
993 PACKET identities, binders, binder;
994 size_t binderoffset, hashsize;
995 SSL_SESSION *sess = NULL;
3a7c56b2 996 unsigned int id, i, ext = 0;
1053a6e2 997 const EVP_MD *md = NULL;
38b051a1
TM		 998 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
999 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1053a6e2 1000
1a9f457c
MC		 1001 /*
1002 * If we have no PSK kex mode that we recognise then we can't resume so
1003 * ignore this extension
1004 */
1005 if ((s->ext.psk_kex_mode
1006 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1007 return 1;
1008
1053a6e2 1009 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 1010 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1011 return 0;
1012 }
1013
61fb5923 1014 s->ext.ticket_expected = 0;
1053a6e2
MC		 1015 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1016 PACKET identity;
2c604cb9 1017 unsigned long ticket_agel;
f3d40db1 1018 size_t idlen;
1053a6e2
MC		 1019
1020 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1021 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1022 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1023 return 0;
1024 }
1025
f3d40db1 1026 idlen = PACKET_remaining(&identity);
3a7c56b2 1027 if (s->psk_find_session_cb != NULL
38b051a1 1028 && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
011d768a 1029 &sess)) {
c48ffbcc 1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1031 return 0;
1032 }
1033
c2b290c3 1034#ifndef OPENSSL_NO_PSK
1287dabd 1035 if (sess == NULL
f3d40db1
MC		 1036 && s->psk_server_callback != NULL
1037 && idlen <= PSK_MAX_IDENTITY_LEN) {
1038 char *pskid = NULL;
1039 unsigned char pskdata[PSK_MAX_PSK_LEN];
1040 unsigned int pskdatalen;
1041
1042 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1043 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1044 return 0;
1045 }
38b051a1 1046 pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
f3d40db1
MC		 1047 sizeof(pskdata));
1048 OPENSSL_free(pskid);
1049 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1051 return 0;
1052 } else if (pskdatalen > 0) {
1053 const SSL_CIPHER *cipher;
1054 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1055
1056 /*
1057 * We found a PSK using an old style callback. We don't know
1058 * the digest so we default to SHA256 as per the TLSv1.3 spec
1059 */
38b051a1 1060 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1
MC		 1061 if (cipher == NULL) {
1062 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1063 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1064 return 0;
1065 }
1066
1067 sess = SSL_SESSION_new();
1068 if (sess == NULL
1069 || !SSL_SESSION_set1_master_key(sess, pskdata,
1070 pskdatalen)
1071 || !SSL_SESSION_set_cipher(sess, cipher)
1072 || !SSL_SESSION_set_protocol_version(sess,
1073 TLS1_3_VERSION)) {
1074 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1076 goto err;
1077 }
1078 OPENSSL_cleanse(pskdata, pskdatalen);
1079 }
1080 }
c2b290c3 1081#endif /* OPENSSL_NO_PSK */
f3d40db1 1082
011d768a
MC		 1083 if (sess != NULL) {
1084 /* We found a PSK */
3a7c56b2 1085 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1086
3a7c56b2 1087 if (sesstmp == NULL) {
c48ffbcc 1088 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1089 return 0;
1090 }
1091 SSL_SESSION_free(sess);
1092 sess = sesstmp;
1093
1094 /*
1095 * We've just been told to use this session for this context so
1096 * make sure the sid_ctx matches up.
1097 */
1098 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1099 sess->sid_ctx_length = s->sid_ctx_length;
1100 ext = 1;
630369d9
MC		 1101 if (id == 0)
1102 s->ext.early_data_ok = 1;
51256b34 1103 s->ext.ticket_expected = 1;
3a7c56b2
MC		 1104 } else {
1105 uint32_t ticket_age = 0, now, agesec, agems;
61fb5923
MC		 1106 int ret;
1107
e880d4e5
MC		 1108 /*
1109 * If we are using anti-replay protection then we behave as if
1110 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1111 * is no point in using full stateless tickets.
1112 */
1113 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1114 || (s->max_early_data > 0
1115 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1116 ret = tls_get_stateful_ticket(s, &identity, &sess);
1117 else
1118 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1119 PACKET_remaining(&identity), NULL, 0,
1120 &sess);
61fb5923
MC		 1121
1122 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1123 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1124 return 0;
1125 }
3a7c56b2 1126
df0fed9a
TS		 1127 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1128 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1130 return 0;
1131 }
61fb5923 1132 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1133 continue;
1134
66d7de16
MC		 1135 /* Check for replay */
1136 if (s->max_early_data > 0
5d263fb7 1137 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1138 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1139 SSL_SESSION_free(sess);
1140 sess = NULL;
1141 continue;
1142 }
1143
3a7c56b2
MC		 1144 ticket_age = (uint32_t)ticket_agel;
1145 now = (uint32_t)time(NULL);
1146 agesec = now - (uint32_t)sess->time;
1147 agems = agesec * (uint32_t)1000;
1148 ticket_age -= sess->ext.tick_age_add;
1149
1150 /*
1151 * For simplicity we do our age calculations in seconds. If the
1152 * client does it in ms then it could appear that their ticket age
1153 * is longer than ours (our ticket age calculation should always be
1154 * slightly longer than the client's due to the network latency).
1155 * Therefore we add 1000ms to our age calculation to adjust for
1156 * rounding errors.
1157 */
630369d9
MC		 1158 if (id == 0
1159 && sess->timeout >= (long)agesec
3a7c56b2
MC		 1160 && agems / (uint32_t)1000 == agesec
1161 && ticket_age <= agems + 1000
1162 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1163 /*
1164 * Ticket age is within tolerance and not expired. We allow it
1165 * for early data
1166 */
1167 s->ext.early_data_ok = 1;
1168 }
1053a6e2 1169 }
1053a6e2 1170
38b051a1 1171 md = ssl_md(sctx, sess->cipher->algorithm2);
b740012f 1172 if (md == NULL) {
1173 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1174 goto err;
1175 }
c8f6c28a 1176 if (!EVP_MD_is_a(md,
38b051a1 1177 EVP_MD_get0_name(ssl_md(sctx,
ed576acd 1178 s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1179 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1180 SSL_SESSION_free(sess);
1181 sess = NULL;
630369d9 1182 s->ext.early_data_ok = 0;
51256b34 1183 s->ext.ticket_expected = 0;
1053a6e2
MC		 1184 continue;
1185 }
1053a6e2
MC		 1186 break;
1187 }
1188
1189 if (sess == NULL)
1190 return 1;
1191
1192 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
ed576acd 1193 hashsize = EVP_MD_get_size(md);
1053a6e2
MC		 1194
1195 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1196 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1197 goto err;
1198 }
1199
1200 for (i = 0; i <= id; i++) {
1201 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1202 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1203 goto err;
1204 }
1205 }
1206
2894e9cb 1207 if (PACKET_remaining(&binder) != hashsize) {
c48ffbcc 1208 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1209 goto err;
1210 }
1211 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1212 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1213 ext) != 1) {
635c8f77 1214 /* SSLfatal() already called */
1053a6e2
MC		 1215 goto err;
1216 }
1217
c96ce52c 1218 s->ext.tick_identity = id;
2c604cb9 1219
1053a6e2
MC		 1220 SSL_SESSION_free(s->session);
1221 s->session = sess;
1053a6e2
MC		 1222 return 1;
1223err:
312e9387 1224 SSL_SESSION_free(sess);
1053a6e2
MC		 1225 return 0;
1226}
1227
38b051a1 1228int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 1229 ossl_unused unsigned int context,
1230 ossl_unused X509 *x,
1231 ossl_unused size_t chainidx)
9d75dce3
TS		 1232{
1233 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1234 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1235 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1236 return 0;
1237 }
1238
1239 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1240
1241 return 1;
1242}
1243
1266eefd
MC		 1244/*
1245 * Add the server's renegotiation binding
1246 */
38b051a1 1247EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1248 unsigned int context, X509 *x,
f63a17d6 1249 size_t chainidx)
7da160b0 1250{
555cbb32 1251 if (!s->s3.send_connection_binding)
b186a592 1252 return EXT_RETURN_NOT_SENT;
7da160b0 1253
db0f35dd 1254 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1255 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1256 || !WPACKET_start_sub_packet_u16(pkt)
1257 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1258 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1259 s->s3.previous_client_finished_len)
1260 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1261 s->s3.previous_server_finished_len)
7da160b0
MC		 1262 || !WPACKET_close(pkt)
1263 || !WPACKET_close(pkt)) {
c48ffbcc 1264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1265 return EXT_RETURN_FAIL;
7da160b0
MC		 1266 }
1267
b186a592 1268 return EXT_RETURN_SENT;
7da160b0
MC		 1269}
1270
38b051a1 1271EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1272 unsigned int context, X509 *x,
f63a17d6 1273 size_t chainidx)
7da160b0 1274{
7955c1f1
MC		 1275 if (s->servername_done != 1)
1276 return EXT_RETURN_NOT_SENT;
1277
1278 /*
1279 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1280 * We just use the servername from the initial handshake.
1281 */
38b051a1 1282 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
b186a592 1283 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1284
1285 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1286 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1288 return EXT_RETURN_FAIL;
7da160b0
MC		 1289 }
1290
b186a592 1291 return EXT_RETURN_SENT;
7da160b0
MC		 1292}
1293
cf72c757 1294/* Add/include the server's max fragment len extension into ServerHello */
38b051a1 1295EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 1296 unsigned int context, X509 *x,
f63a17d6 1297 size_t chainidx)
cf72c757
F		 1298{
1299 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1300 return EXT_RETURN_NOT_SENT;
1301
1302 /*-
1303 * 4 bytes for this extension type and extension length
1304 * 1 byte for the Max Fragment Length code value.
1305 */
1306 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1307 || !WPACKET_start_sub_packet_u16(pkt)
1308 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1309 || !WPACKET_close(pkt)) {
c48ffbcc 1310 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1311 return EXT_RETURN_FAIL;
1312 }
1313
1314 return EXT_RETURN_SENT;
1315}
1316
38b051a1 1317EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1318 unsigned int context, X509 *x,
f63a17d6 1319 size_t chainidx)
7da160b0 1320{
555cbb32
TS		 1321 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1322 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1323 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1324 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1325 const unsigned char *plist;
1326 size_t plistlen;
1327
1328 if (!using_ecc)
b186a592 1329 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1330
1331 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1332 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1333 || !WPACKET_start_sub_packet_u16(pkt)
1334 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1335 || !WPACKET_close(pkt)) {
c48ffbcc 1336 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1337 return EXT_RETURN_FAIL;
7da160b0
MC		 1338 }
1339
b186a592 1340 return EXT_RETURN_SENT;
7da160b0 1341}
7da160b0 1342
38b051a1 1343EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1344 unsigned int context, X509 *x,
f63a17d6 1345 size_t chainidx)
6af87546 1346{
9e84a42d 1347 const uint16_t *groups;
6af87546 1348 size_t numgroups, i, first = 1;
9d2d857f 1349 int version;
6af87546 1350
555cbb32
TS		 1351 /* s->s3.group_id is non zero if we accepted a key_share */
1352 if (s->s3.group_id == 0)
b186a592 1353 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1354
1355 /* Get our list of supported groups */
ff6d20a6 1356 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1357 if (numgroups == 0) {
c48ffbcc 1358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1359 return EXT_RETURN_FAIL;
6af87546
MC		 1360 }
1361
1362 /* Copy group ID if supported */
38b051a1 1363 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
9e84a42d
DSH		 1364 for (i = 0; i < numgroups; i++) {
1365 uint16_t group = groups[i];
1366
8b1db5d3 1367 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1368 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1369 if (first) {
1370 /*
1371 * Check if the client is already using our preferred group. If
1372 * so we don't need to add this extension
1373 */
555cbb32 1374 if (s->s3.group_id == group)
b186a592 1375 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1376
1377 /* Add extension header */
1378 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1379 /* Sub-packet for supported_groups extension */
1380 || !WPACKET_start_sub_packet_u16(pkt)
1381 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1383 return EXT_RETURN_FAIL;
6af87546
MC		 1384 }
1385
1386 first = 0;
1387 }
9e84a42d 1388 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1389 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1390 return EXT_RETURN_FAIL;
6af87546
MC		 1391 }
1392 }
1393 }
1394
1395 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1397 return EXT_RETURN_FAIL;
6af87546
MC		 1398 }
1399
b186a592 1400 return EXT_RETURN_SENT;
6af87546
MC		 1401}
1402
38b051a1 1403EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1404 unsigned int context, X509 *x,
f63a17d6 1405 size_t chainidx)
7da160b0 1406{
aff8c126
RS		 1407 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1408 s->ext.ticket_expected = 0;
b186a592 1409 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1410 }
1411
1412 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1413 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1415 return EXT_RETURN_FAIL;
7da160b0
MC		 1416 }
1417
b186a592 1418 return EXT_RETURN_SENT;
7da160b0
MC		 1419}
1420
ab83e314 1421#ifndef OPENSSL_NO_OCSP
38b051a1 1422EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1423 unsigned int context, X509 *x,
f63a17d6 1424 size_t chainidx)
7da160b0 1425{
debb64a0
MC		 1426 /* We don't currently support this extension inside a CertificateRequest */
1427 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1428 return EXT_RETURN_NOT_SENT;
1429
aff8c126 1430 if (!s->ext.status_expected)
b186a592 1431 return EXT_RETURN_NOT_SENT;
7da160b0 1432
38b051a1 1433 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
b186a592 1434 return EXT_RETURN_NOT_SENT;
e96e0f8e 1435
7da160b0 1436 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1437 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1438 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1439 return EXT_RETURN_FAIL;
f63e4288
MC		 1440 }
1441
1442 /*
1443 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1444 * send back an empty extension, with the certificate status appearing as a
1445 * separate message
1446 */
38b051a1 1447 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
3ec8d113 1448 /* SSLfatal() already called */
56d36288 1449 return EXT_RETURN_FAIL;
3ec8d113
MC		 1450 }
1451 if (!WPACKET_close(pkt)) {
c48ffbcc 1452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1453 return EXT_RETURN_FAIL;
7da160b0
MC		 1454 }
1455
b186a592 1456 return EXT_RETURN_SENT;
7da160b0 1457}
ab83e314 1458#endif
7da160b0 1459
7da160b0 1460#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1 1461EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1462 unsigned int context, X509 *x,
f63a17d6 1463 size_t chainidx)
7da160b0
MC		 1464{
1465 const unsigned char *npa;
1466 unsigned int npalen;
1467 int ret;
555cbb32 1468 int npn_seen = s->s3.npn_seen;
38b051a1 1469 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
7da160b0 1470
555cbb32 1471 s->s3.npn_seen = 0;
38b051a1 1472 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
b186a592 1473 return EXT_RETURN_NOT_SENT;
7da160b0 1474
38b051a1
TM		 1475 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1476 sctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1477 if (ret == SSL_TLSEXT_ERR_OK) {
1478 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1479 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1480 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1481 return EXT_RETURN_FAIL;
7da160b0 1482 }
555cbb32 1483 s->s3.npn_seen = 1;
7da160b0
MC		 1484 }
1485
b186a592 1486 return EXT_RETURN_SENT;
7da160b0
MC		 1487}
1488#endif
1489
38b051a1 1490EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
f63a17d6 1491 X509 *x, size_t chainidx)
7da160b0 1492{
555cbb32 1493 if (s->s3.alpn_selected == NULL)
b186a592 1494 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1495
1496 if (!WPACKET_put_bytes_u16(pkt,
1497 TLSEXT_TYPE_application_layer_protocol_negotiation)
1498 || !WPACKET_start_sub_packet_u16(pkt)
1499 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1500 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1501 s->s3.alpn_selected_len)
7da160b0
MC		 1502 || !WPACKET_close(pkt)
1503 || !WPACKET_close(pkt)) {
c48ffbcc 1504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1505 return EXT_RETURN_FAIL;
7da160b0
MC		 1506 }
1507
b186a592 1508 return EXT_RETURN_SENT;
7da160b0
MC		 1509}
1510
1511#ifndef OPENSSL_NO_SRTP
38b051a1 1512EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1513 unsigned int context, X509 *x,
f63a17d6 1514 size_t chainidx)
7da160b0
MC		 1515{
1516 if (s->srtp_profile == NULL)
b186a592 1517 return EXT_RETURN_NOT_SENT;
a1448c26 1518
7da160b0
MC		 1519 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1520 || !WPACKET_start_sub_packet_u16(pkt)
1521 || !WPACKET_put_bytes_u16(pkt, 2)
1522 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1523 || !WPACKET_put_bytes_u8(pkt, 0)
1524 || !WPACKET_close(pkt)) {
c48ffbcc 1525 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1526 return EXT_RETURN_FAIL;
7da160b0
MC		 1527 }
1528
b186a592 1529 return EXT_RETURN_SENT;
7da160b0
MC		 1530}
1531#endif
1532
38b051a1
TM		 1533EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1534 unsigned int context,
f63a17d6 1535 X509 *x, size_t chainidx)
7da160b0 1536{
28a31a0a 1537 if (!s->ext.use_etm)
b186a592 1538 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1539
1540 /*
1541 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1542 * for other cases too.
1543 */
555cbb32
TS		 1544 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1545 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1546 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1547 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1548 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1549 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1550 s->ext.use_etm = 0;
b186a592 1551 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1552 }
1553
1554 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1555 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1557 return EXT_RETURN_FAIL;
7da160b0
MC		 1558 }
1559
b186a592 1560 return EXT_RETURN_SENT;
7da160b0
MC		 1561}
1562
38b051a1
TM		 1563EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1564 unsigned int context,
f63a17d6 1565 X509 *x, size_t chainidx)
7da160b0 1566{
555cbb32 1567 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1568 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1569
1570 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1571 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1572 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1573 return EXT_RETURN_FAIL;
7da160b0
MC		 1574 }
1575
b186a592 1576 return EXT_RETURN_SENT;
7da160b0
MC		 1577}
1578
38b051a1 1579EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
88050dd1
MC		 1580 unsigned int context, X509 *x,
1581 size_t chainidx)
1582{
38b051a1 1583 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
c48ffbcc 1584 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1585 return EXT_RETURN_FAIL;
1586 }
88050dd1
MC		 1587
1588 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1589 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1590 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1591 || !WPACKET_close(pkt)) {
c48ffbcc 1592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1593 return EXT_RETURN_FAIL;
1594 }
1595
1596 return EXT_RETURN_SENT;
1597}
1598
38b051a1 1599EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1600 unsigned int context, X509 *x,
f63a17d6 1601 size_t chainidx)
7da160b0 1602{
3cf96e88 1603#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1604 unsigned char *encodedPoint;
1605 size_t encoded_pt_len = 0;
555cbb32 1606 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1607 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1608
dd77962e
MC		 1609 if (s->hello_retry_request == SSL_HRR_PENDING) {
1610 if (ckey != NULL) {
1611 /* Original key_share was acceptable so don't ask for another one */
1612 return EXT_RETURN_NOT_SENT;
1613 }
1614 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1615 || !WPACKET_start_sub_packet_u16(pkt)
0a10825a
BE		 1616 || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
1617 s->s3.group_id))
dd77962e 1618 || !WPACKET_close(pkt)) {
c48ffbcc 1619 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1620 return EXT_RETURN_FAIL;
7d061fce
MC		 1621 }
1622
dd77962e
MC		 1623 return EXT_RETURN_SENT;
1624 }
1625
1626 if (ckey == NULL) {
1627 /* No key_share received from client - must be resuming */
0247086d 1628 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1630 return EXT_RETURN_FAIL;
0247086d 1631 }
b186a592 1632 return EXT_RETURN_NOT_SENT;
7da160b0 1633 }
e776858b
BK		 1634 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1635 /*
1636 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1637 * DHE option we always take it); don't send key share.
1638 */
1639 return EXT_RETURN_NOT_SENT;
1640 }
7da160b0
MC		 1641
1642 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1643 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1644 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1645 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1646 return EXT_RETURN_FAIL;
7da160b0
MC		 1647 }
1648
38b051a1
TM		 1649 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1650 s->s3.group_id)) == NULL) {
c48ffbcc 1651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1652 return EXT_RETURN_FAIL;
7da160b0
MC		 1653 }
1654
8b17fbaf
NT		 1655 if (!ginf->is_kem) {
1656 /* Regular KEX */
1657 skey = ssl_generate_pkey(s, ckey);
1658 if (skey == NULL) {
c48ffbcc 1659 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
8b17fbaf
NT		 1660 return EXT_RETURN_FAIL;
1661 }
7da160b0 1662
8b17fbaf 1663 /* Generate encoding of server key */
5ac8fb58 1664 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1665 if (encoded_pt_len == 0) {
c48ffbcc 1666 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1667 EVP_PKEY_free(skey);
1668 return EXT_RETURN_FAIL;
1669 }
1670
1671 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1672 || !WPACKET_close(pkt)) {
c48ffbcc 1673 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1674 EVP_PKEY_free(skey);
1675 OPENSSL_free(encodedPoint);
1676 return EXT_RETURN_FAIL;
1677 }
7da160b0 1678 OPENSSL_free(encodedPoint);
7da160b0 1679
8b17fbaf
NT		 1680 /*
1681 * This causes the crypto state to be updated based on the derived keys
1682 */
1683 s->s3.tmp.pkey = skey;
1684 if (ssl_derive(s, skey, ckey, 1) == 0) {
1685 /* SSLfatal() already called */
1686 return EXT_RETURN_FAIL;
1687 }
1688 } else {
1689 /* KEM mode */
1690 unsigned char *ct = NULL;
1691 size_t ctlen = 0;
1692
1693 /*
1694 * This does not update the crypto state.
1695 *
1696 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1697 * ssl_gensecret().
1698 */
1699 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1700 /* SSLfatal() already called */
1701 return EXT_RETURN_FAIL;
1702 }
1703
1704 if (ctlen == 0) {
c48ffbcc 1705 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1706 OPENSSL_free(ct);
1707 return EXT_RETURN_FAIL;
1708 }
1709
1710 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1711 || !WPACKET_close(pkt)) {
c48ffbcc 1712 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1713 OPENSSL_free(ct);
1714 return EXT_RETURN_FAIL;
1715 }
1716 OPENSSL_free(ct);
1717
1718 /*
1719 * This causes the crypto state to be updated based on the generated pms
1720 */
1721 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1722 /* SSLfatal() already called */
1723 return EXT_RETURN_FAIL;
1724 }
7da160b0 1725 }
aa6bd216 1726 s->s3.did_kex = 1;
b186a592 1727 return EXT_RETURN_SENT;
1aac20f5
MC		 1728#else
1729 return EXT_RETURN_FAIL;
1730#endif
7da160b0
MC		 1731}
1732
38b051a1
TM		 1733EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1734 unsigned int context,
43054d3d
MC		 1735 X509 *x, size_t chainidx)
1736{
1aac20f5 1737#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1738 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1739 unsigned char *hmac, *hmac2;
3fa2812f 1740 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1741 EVP_MD_CTX *hctx;
1742 EVP_PKEY *pkey;
1743 int ret = EXT_RETURN_FAIL;
38b051a1
TM		 1744 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1745 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
43054d3d 1746
555cbb32 1747 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1748 return EXT_RETURN_NOT_SENT;
1749
38b051a1 1750 if (sctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1751 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1752 return EXT_RETURN_FAIL;
1753 }
1754
43054d3d
MC		 1755 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1756 || !WPACKET_start_sub_packet_u16(pkt)
1757 || !WPACKET_start_sub_packet_u16(pkt)
1758 || !WPACKET_get_total_written(pkt, &startlen)
1759 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1760 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1761 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32 1762 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
38b051a1
TM		 1763 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1764 &ciphlen)
43054d3d 1765 /* Is there a key_share extension present in this HRR? */
555cbb32 1766 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
d0debc0a 1767 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
43054d3d
MC		 1768 || !WPACKET_start_sub_packet_u16(pkt)
1769 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1771 return EXT_RETURN_FAIL;
1772 }
1773
1774 /*
1775 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1776 * on raw buffers, so we first reserve sufficient bytes (above) and then
1777 * subsequently allocate them (below)
1778 */
1779 if (!ssl3_digest_cached_records(s, 0)
1780 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1781 /* SSLfatal() already called */
1782 return EXT_RETURN_FAIL;
1783 }
1784
1785 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1786 || !ossl_assert(hashval1 == hashval2)
1787 || !WPACKET_close(pkt)
1788 || !WPACKET_start_sub_packet_u8(pkt)
1789 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1790 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1791 return EXT_RETURN_FAIL;
1792 }
1793
1794 /* Generate the application cookie */
38b051a1
TM		 1795 if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1796 &appcookielen) == 0) {
c48ffbcc 1797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1798 return EXT_RETURN_FAIL;
1799 }
1800
1801 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1802 || !ossl_assert(appcookie1 == appcookie2)
1803 || !WPACKET_close(pkt)
1804 || !WPACKET_get_total_written(pkt, &totcookielen)
1805 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1807 return EXT_RETURN_FAIL;
1808 }
1809 hmaclen = SHA256_DIGEST_LENGTH;
1810
1811 totcookielen -= startlen;
1812 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1813 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1814 return EXT_RETURN_FAIL;
1815 }
1816
1817 /* HMAC the cookie */
1818 hctx = EVP_MD_CTX_create();
38b051a1
TM		 1819 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1820 sctx->propq,
d8652be0
MC		 1821 s->session_ctx->ext.cookie_hmac_key,
1822 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1823 if (hctx == NULL || pkey == NULL) {
c48ffbcc 1824 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 1825 goto err;
1826 }
1827
38b051a1
TM		 1828 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1829 sctx->propq, pkey, NULL) <= 0
43054d3d
MC		 1830 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1831 totcookielen) <= 0) {
c48ffbcc 1832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1833 goto err;
1834 }
1835
1836 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1837 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1838 goto err;
1839 }
1840
1841 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1842 || !ossl_assert(hmac == hmac2)
1843 || !ossl_assert(cookie == hmac - totcookielen)
1844 || !WPACKET_close(pkt)
1845 || !WPACKET_close(pkt)) {
c48ffbcc 1846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1847 goto err;
1848 }
1849
1850 ret = EXT_RETURN_SENT;
1851
1852 err:
1853 EVP_MD_CTX_free(hctx);
1854 EVP_PKEY_free(pkey);
1855 return ret;
1aac20f5
MC		 1856#else
1857 return EXT_RETURN_FAIL;
1858#endif
43054d3d
MC		 1859}
1860
38b051a1 1861EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1862 unsigned int context, X509 *x,
f63a17d6 1863 size_t chainidx)
7da160b0
MC		 1864{
1865 const unsigned char cryptopro_ext[36] = {
1866 0xfd, 0xe8, /* 65000 */
1867 0x00, 0x20, /* 32 bytes length */
1868 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1869 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1870 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1871 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1872 };
1873
555cbb32
TS		 1874 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1875 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
38b051a1
TM		 1876 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1877 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1878 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1879
1880 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1882 return EXT_RETURN_FAIL;
7da160b0
MC		 1883 }
1884
b186a592 1885 return EXT_RETURN_SENT;
7da160b0 1886}
0247086d 1887
38b051a1 1888EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1889 unsigned int context, X509 *x,
f63a17d6 1890 size_t chainidx)
38df5a45 1891{
fe874d27 1892 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1893 if (s->max_early_data == 0)
b186a592 1894 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1895
1896 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1897 || !WPACKET_start_sub_packet_u16(pkt)
1898 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1899 || !WPACKET_close(pkt)) {
c48ffbcc 1900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1901 return EXT_RETURN_FAIL;
6594189f
MC		 1902 }
1903
b186a592 1904 return EXT_RETURN_SENT;
6594189f
MC		 1905 }
1906
38df5a45 1907 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1908 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1909
1910 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1911 || !WPACKET_start_sub_packet_u16(pkt)
1912 || !WPACKET_close(pkt)) {
c48ffbcc 1913 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1914 return EXT_RETURN_FAIL;
38df5a45
MC		 1915 }
1916
b186a592 1917 return EXT_RETURN_SENT;
38df5a45
MC		 1918}
1919
38b051a1
TM		 1920EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1921 unsigned int context,
f63a17d6 1922 X509 *x, size_t chainidx)
0247086d
MC		 1923{
1924 if (!s->hit)
b186a592 1925 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1926
1927 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1928 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1929 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1930 || !WPACKET_close(pkt)) {
c48ffbcc 1931 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1932 return EXT_RETURN_FAIL;
0247086d
MC		 1933 }
1934
b186a592 1935 return EXT_RETURN_SENT;
0247086d 1936}
A mirror of the official openssl repository