]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ssl/statem: Replace size_t with int and add the checks
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
3c95ef22 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
e8a557dc 15#define COOKIE_STATE_FORMAT_VERSION 1
43054d3d
MC		 16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
e8a557dc 20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
d0debc0a
MC		 21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
e8a557dc 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
38b051a1
TM		 41int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
f63a17d6 43 X509 *x, size_t chainidx)
25670f3e
MC		 44{
45 unsigned int ilen;
46 const unsigned char *data;
2b9e2afc 47 int ok;
25670f3e
MC		 48
49 /* Parse the length byte */
50 if (!PACKET_get_1(pkt, &ilen)
51 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 52 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 53 return 0;
54 }
55
56 /* Check that the extension matches */
555cbb32 57 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 58 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 59 return 0;
60 }
61
2b9e2afc
PA		 62 ok = memcmp(data, s->s3.previous_client_finished,
63 s->s3.previous_client_finished_len);
64#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
65 if (ok) {
1dbfd7fe 66 if ((data[0] ^ s->s3.previous_client_finished[0]) != 0xFF) {
2b9e2afc
PA		 67 ok = 0;
68 }
69 }
70#endif
71 if (ok) {
c48ffbcc 72 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 73 return 0;
74 }
75
555cbb32 76 s->s3.send_connection_binding = 1;
25670f3e
MC		 77
78 return 1;
79}
80
1266eefd
MC		 81/*-
82 * The servername extension is treated as follows:
83 *
84 * - Only the hostname type is supported with a maximum length of 255.
85 * - The servername is rejected if too long or if it contains zeros,
86 * in which case an fatal alert is generated.
87 * - The servername field is maintained together with the session cache.
88 * - When a session is resumed, the servername call back invoked in order
89 * to allow the application to position itself to the right context.
90 * - The servername is acknowledged if it is new for a session or when
91 * it is identical to a previously used for the same session.
92 * Applications can control the behaviour. They can at any time
93 * set a 'desirable' servername for a new SSL object. This can be the
94 * case for example with HTTPS when a Host: header field is received and
95 * a renegotiation is requested. In this case, a possible servername
96 * presented in the new client hello is only acknowledged if it matches
97 * the value of the Host: field.
98 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
99 * if they provide for changing an explicit servername context for the
100 * session, i.e. when the session has been established with a servername
101 * extension.
102 * - On session reconnect, the servername extension may be absent.
103 */
38b051a1
TM		 104int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
105 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 106{
107 unsigned int servname_type;
108 PACKET sni, hostname;
109
25670f3e
MC		 110 if (!PACKET_as_length_prefixed_2(pkt, &sni)
111 /* ServerNameList must be at least 1 byte long. */
112 || PACKET_remaining(&sni) == 0) {
c48ffbcc 113 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 114 return 0;
115 }
116
117 /*
44e69951
F		 118 * Although the intent was for server_name to be extensible, RFC 4366
119 * was not clear about it; and so OpenSSL among other implementations,
120 * always and only allows a 'host_name' name types.
25670f3e
MC		 121 * RFC 6066 corrected the mistake but adding new name types
122 * is nevertheless no longer feasible, so act as if no other
123 * SNI types can exist, to simplify parsing.
124 *
125 * Also note that the RFC permits only one SNI value per type,
126 * i.e., we can only have a single hostname.
127 */
128 if (!PACKET_get_1(&sni, &servname_type)
129 || servname_type != TLSEXT_NAMETYPE_host_name
130 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 131 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 132 return 0;
133 }
134
7955c1f1
MC		 135 /*
136 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
137 * we always use the SNI value from the handshake.
138 */
38b051a1 139 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
25670f3e 140 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 141 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 142 return 0;
143 }
144
145 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 146 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 147 return 0;
148 }
149
1c4aa31d
BK		 150 /*
151 * Store the requested SNI in the SSL as temporary storage.
152 * If we accept it, it will get stored in the SSL_SESSION as well.
153 */
154 OPENSSL_free(s->ext.hostname);
155 s->ext.hostname = NULL;
156 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 158 return 0;
159 }
160
161 s->servername_done = 1;
7955c1f1
MC		 162 } else {
163 /*
164 * In TLSv1.2 and below we should check if the SNI is consistent between
165 * the initial handshake and the resumption. In TLSv1.3 SNI is not
166 * associated with the session.
167 */
1c4aa31d 168 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 169 && PACKET_equal(&hostname, s->session->ext.hostname,
170 strlen(s->session->ext.hostname));
25670f3e
MC		 171 }
172
173 return 1;
174}
175
38b051a1
TM		 176int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
177 unsigned int context,
f63a17d6 178 X509 *x, size_t chainidx)
cf72c757
F		 179{
180 unsigned int value;
181
182 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 183 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 184 return 0;
185 }
186
187 /* Received |value| should be a valid max-fragment-length code. */
188 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 189 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 190 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 191 return 0;
192 }
193
194 /*
195 * RFC 6066: The negotiated length applies for the duration of the session
196 * including session resumptions.
197 * We should receive the same code as in resumed session !
198 */
199 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 200 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 201 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 202 return 0;
203 }
204
205 /*
206 * Store it in session, so it'll become binding for us
207 * and we'll include it in a next Server Hello.
208 */
209 s->session->ext.max_fragment_len_mode = value;
210 return 1;
211}
212
25670f3e 213#ifndef OPENSSL_NO_SRP
38b051a1
TM		 214int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
215 X509 *x, size_t chainidx)
25670f3e
MC		 216{
217 PACKET srp_I;
218
219 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
220 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 221 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 222 return 0;
223 }
224
25670f3e 225 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 227 return 0;
228 }
229
230 return 1;
231}
232#endif
233
38b051a1
TM		 234int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
235 unsigned int context,
f63a17d6 236 X509 *x, size_t chainidx)
25670f3e
MC		 237{
238 PACKET ec_point_format_list;
239
240 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
241 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 242 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 243 return 0;
244 }
245
246 if (!s->hit) {
247 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 248 &s->ext.peer_ecpointformats,
249 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 251 return 0;
252 }
253 }
254
255 return 1;
256}
25670f3e 257
38b051a1
TM		 258int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
259 unsigned int context,
f63a17d6 260 X509 *x, size_t chainidx)
25670f3e 261{
aff8c126 262 if (s->ext.session_ticket_cb &&
38b051a1
TM		 263 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
264 PACKET_data(pkt), PACKET_remaining(pkt),
265 s->ext.session_ticket_cb_arg)) {
c48ffbcc 266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 267 return 0;
268 }
269
270 return 1;
271}
272
38b051a1 273int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 274 ossl_unused unsigned int context,
275 ossl_unused X509 *x,
276 ossl_unused size_t chainidx)
c589c34e
BK		 277{
278 PACKET supported_sig_algs;
279
280 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
281 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 282 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 283 return 0;
284 }
285
286 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 287 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 288 return 0;
289 }
290
291 return 1;
292}
293
38b051a1
TM		 294int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
295 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 296{
297 PACKET supported_sig_algs;
298
299 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 300 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 301 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 302 return 0;
303 }
304
c589c34e 305 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 306 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 307 return 0;
308 }
309
310 return 1;
311}
312
ab83e314 313#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 314int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
315 unsigned int context,
f63a17d6 316 X509 *x, size_t chainidx)
25670f3e 317{
1266eefd
MC		 318 PACKET responder_id_list, exts;
319
ded4a83d
MC		 320 /* We ignore this in a resumption handshake */
321 if (s->hit)
322 return 1;
323
e96e0f8e
MC		 324 /* Not defined if we get one of these in a client Certificate */
325 if (x != NULL)
326 return 1;
327
aff8c126 328 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 329 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 330 return 0;
331 }
ab83e314 332
aff8c126 333 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 334 /*
1266eefd 335 * We don't know what to do with any other type so ignore it.
25670f3e 336 */
aff8c126 337 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 338 return 1;
339 }
25670f3e 340
1266eefd 341 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 342 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 343 return 0;
344 }
25670f3e 345
1266eefd
MC		 346 /*
347 * We remove any OCSP_RESPIDs from a previous handshake
348 * to prevent unbounded memory growth - CVE-2016-6304
349 */
aff8c126 350 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 351 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 352 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
353 if (s->ext.ocsp.ids == NULL) {
e077455e 354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
1266eefd
MC		 355 return 0;
356 }
357 } else {
aff8c126 358 s->ext.ocsp.ids = NULL;
1266eefd 359 }
25670f3e 360
1266eefd
MC		 361 while (PACKET_remaining(&responder_id_list) > 0) {
362 OCSP_RESPID *id;
363 PACKET responder_id;
364 const unsigned char *id_data;
25670f3e 365
1266eefd
MC		 366 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
367 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 368 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 369 return 0;
370 }
25670f3e 371
1266eefd 372 id_data = PACKET_data(&responder_id);
1266eefd
MC		 373 id = d2i_OCSP_RESPID(NULL, &id_data,
374 (int)PACKET_remaining(&responder_id));
375 if (id == NULL) {
c48ffbcc 376 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 377 return 0;
25670f3e
MC		 378 }
379
1266eefd
MC		 380 if (id_data != PACKET_end(&responder_id)) {
381 OCSP_RESPID_free(id);
c48ffbcc 382 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 383
25670f3e
MC		 384 return 0;
385 }
386
aff8c126 387 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 388 OCSP_RESPID_free(id);
c48ffbcc 389 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 390
1266eefd
MC		 391 return 0;
392 }
393 }
394
395 /* Read in request_extensions */
396 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 397 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 398 return 0;
399 }
400
401 if (PACKET_remaining(&exts) > 0) {
402 const unsigned char *ext_data = PACKET_data(&exts);
403
aff8c126 404 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 405 X509_EXTENSION_free);
aff8c126 406 s->ext.ocsp.exts =
1266eefd 407 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 408 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 409 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 410 return 0;
25670f3e 411 }
25670f3e
MC		 412 }
413
414 return 1;
415}
ab83e314 416#endif
25670f3e
MC		 417
418#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 419int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
420 X509 *x, size_t chainidx)
25670f3e 421{
1266eefd
MC		 422 /*
423 * We shouldn't accept this extension on a
424 * renegotiation.
1266eefd 425 */
c7f47786 426 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 427 s->s3.npn_seen = 1;
25670f3e
MC		 428
429 return 1;
430}
431#endif
432
433/*
1266eefd 434 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 435 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 436 */
38b051a1
TM		 437int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
438 X509 *x, size_t chainidx)
25670f3e
MC		 439{
440 PACKET protocol_list, save_protocol_list, protocol;
441
c7f47786 442 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 443 return 1;
444
445 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
446 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 448 return 0;
449 }
450
451 save_protocol_list = protocol_list;
452 do {
453 /* Protocol names can't be empty. */
454 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
455 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 456 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 457 return 0;
458 }
459 } while (PACKET_remaining(&protocol_list) != 0);
460
555cbb32
TS		 461 OPENSSL_free(s->s3.alpn_proposed);
462 s->s3.alpn_proposed = NULL;
463 s->s3.alpn_proposed_len = 0;
25670f3e 464 if (!PACKET_memdup(&save_protocol_list,
555cbb32 465 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 467 return 0;
468 }
469
470 return 1;
471}
472
473#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 474int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
475 unsigned int context, X509 *x, size_t chainidx)
25670f3e 476{
25670f3e
MC		 477 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
478 unsigned int ct, mki_len, id;
479 int i, srtp_pref;
480 PACKET subpkt;
38b051a1 481 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
25670f3e
MC		 482
483 /* Ignore this if we have no SRTP profiles */
38b051a1 484 if (SSL_get_srtp_profiles(ssl) == NULL)
25670f3e
MC		 485 return 1;
486
487 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 488 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
489 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 490 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 491 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 492 return 0;
493 }
494
38b051a1 495 srvr = SSL_get_srtp_profiles(ssl);
25670f3e
MC		 496 s->srtp_profile = NULL;
497 /* Search all profiles for a match initially */
498 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
499
500 while (PACKET_remaining(&subpkt)) {
501 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 502 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 503 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 504 return 0;
505 }
506
507 /*
508 * Only look for match in profiles of higher preference than
509 * current match.
510 * If no profiles have been have been configured then this
511 * does nothing.
512 */
513 for (i = 0; i < srtp_pref; i++) {
d270de32 514 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 515 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
516
25670f3e
MC		 517 if (sprof->id == id) {
518 s->srtp_profile = sprof;
519 srtp_pref = i;
520 break;
521 }
522 }
523 }
524
1266eefd 525 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 526 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 527 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 528 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 529 return 0;
530 }
531
532 if (!PACKET_forward(pkt, mki_len)
533 || PACKET_remaining(pkt)) {
c48ffbcc 534 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 535 return 0;
536 }
537
538 return 1;
539}
540#endif
541
38b051a1
TM		 542int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
543 X509 *x, size_t chainidx)
25670f3e
MC		 544{
545 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 546 s->ext.use_etm = 1;
25670f3e
MC		 547
548 return 1;
549}
550
b2f7e8c0
MC		 551/*
552 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
553 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 554 */
38b051a1
TM		 555int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
556 unsigned int context,
f63a17d6 557 X509 *x, size_t chainidx)
b2f7e8c0
MC		 558{
559#ifndef OPENSSL_NO_TLS1_3
560 PACKET psk_kex_modes;
561 unsigned int mode;
562
563 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
564 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 565 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 566 return 0;
567 }
568
569 while (PACKET_get_1(&psk_kex_modes, &mode)) {
570 if (mode == TLSEXT_KEX_MODE_KE_DHE)
571 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 572 else if (mode == TLSEXT_KEX_MODE_KE
573 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 574 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
575 }
f2906631
MM		 576
577 if (((s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) != 0)
578 && (s->options & SSL_OP_PREFER_NO_DHE_KEX) != 0) {
579
580 /*
581 * If NO_DHE is supported and preferred, then we only remember this
582 * mode. DHE PSK will not be used for sure, because in any case where
583 * it would be supported (i.e. if a key share is present), NO_DHE would
584 * be supported as well. As the latter is preferred it would be
164a541b 585 * chosen. By removing DHE PSK here, we don't have to deal with the
f2906631
MM		 586 * SSL_OP_PREFER_NO_DHE_KEX option in any other place.
587 */
588 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE;
589 }
590
b2f7e8c0
MC		 591#endif
592
593 return 1;
594}
595
25670f3e
MC		 596/*
597 * Process a key_share extension received in the ClientHello. |pkt| contains
598 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 599 */
38b051a1
TM		 600int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
601 unsigned int context, X509 *x, size_t chainidx)
25670f3e 602{
3cf96e88 603#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 604 unsigned int group_id;
605 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 606 const uint16_t *clntgroups, *srvrgroups;
607 size_t clnt_num_groups, srvr_num_groups;
43b95d73 608 int found = 0;
25670f3e 609
f4bbb37c 610 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 611 return 1;
612
613 /* Sanity check */
555cbb32 614 if (s->s3.peer_tmp != NULL) {
c48ffbcc 615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 616 return 0;
617 }
618
619 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 620 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 621 return 0;
622 }
623
f48d826e
DSH		 624 /* Get our list of supported groups */
625 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
626 /* Get the clients list of supported groups. */
627 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
628 if (clnt_num_groups == 0) {
b6fdc12d
MC		 629 /*
630 * This can only happen if the supported_groups extension was not sent,
631 * because we verify that the length is non-zero when we process that
632 * extension.
633 */
c48ffbcc 634 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 635 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 636 return 0;
637 }
25670f3e 638
555cbb32 639 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 640 /*
641 * If we set a group_id already, then we must have sent an HRR
642 * requesting a new key_share. If we haven't got one then that is an
643 * error
644 */
c48ffbcc 645 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 646 return 0;
647 }
648
25670f3e
MC		 649 while (PACKET_remaining(&key_share_list) > 0) {
650 if (!PACKET_get_net_2(&key_share_list, &group_id)
651 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
652 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 653 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 654 return 0;
655 }
656
657 /*
658 * If we already found a suitable key_share we loop through the
659 * rest to verify the structure, but don't process them.
660 */
661 if (found)
662 continue;
663
43054d3d
MC		 664 /*
665 * If we sent an HRR then the key_share sent back MUST be for the group
666 * we requested, and must be the only key_share sent.
667 */
555cbb32 668 if (s->s3.group_id != 0
16f0e91c 669 && (group_id != s->s3.group_id
43054d3d 670 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 671 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 672 return 0;
673 }
674
25670f3e 675 /* Check if this share is in supported_groups sent from client */
f48d826e 676 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 677 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 678 return 0;
679 }
680
681 /* Check if this share is for a group we can use */
247b8e52
MC		 682 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
683 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
684 /*
685 * We tolerate but ignore a group id that we don't think is
686 * suitable for TLSv1.3
687 */
688 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
689 0, NULL)) {
25670f3e
MC		 690 /* Share not suitable */
691 continue;
692 }
693
0a10825a
BE		 694 s->s3.group_id = group_id;
695 /* Cache the selected group ID in the SSL_SESSION */
696 s->session->kex_group = group_id;
697
ada66e78 698 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 699 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 700 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
701 return 0;
702 }
703
d5530efa
TM		 704 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
705 PACKET_data(&encoded_pt),
706 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 707 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 708 return 0;
709 }
710
711 found = 1;
712 }
3cf96e88 713#endif
25670f3e
MC		 714
715 return 1;
716}
717
38b051a1
TM		 718int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
719 X509 *x, size_t chainidx)
43054d3d 720{
1aac20f5 721#ifndef OPENSSL_NO_TLS1_3
dd77962e 722 unsigned int format, version, key_share, group_id;
43054d3d
MC		 723 EVP_MD_CTX *hctx;
724 EVP_PKEY *pkey;
725 PACKET cookie, raw, chhash, appcookie;
726 WPACKET hrrpkt;
727 const unsigned char *data, *mdin, *ciphdata;
728 unsigned char hmac[SHA256_DIGEST_LENGTH];
729 unsigned char hrr[MAX_HRR_SIZE];
730 size_t rawlen, hmaclen, hrrlen, ciphlen;
e8a557dc 731 uint64_t tm, now;
38b051a1
TM		 732 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
733 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
43054d3d
MC		 734
735 /* Ignore any cookie if we're not set up to verify it */
38b051a1 736 if (sctx->verify_stateless_cookie_cb == NULL
555cbb32 737 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 738 return 1;
739
740 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 741 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 742 return 0;
743 }
744
745 raw = cookie;
746 data = PACKET_data(&raw);
747 rawlen = PACKET_remaining(&raw);
748 if (rawlen < SHA256_DIGEST_LENGTH
749 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 750 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 751 return 0;
752 }
753 mdin = PACKET_data(&raw);
754
755 /* Verify the HMAC of the cookie */
756 hctx = EVP_MD_CTX_create();
38b051a1
TM		 757 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
758 sctx->propq,
d8652be0
MC		 759 s->session_ctx->ext.cookie_hmac_key,
760 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 761 if (hctx == NULL || pkey == NULL) {
762 EVP_MD_CTX_free(hctx);
763 EVP_PKEY_free(pkey);
e077455e 764 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
43054d3d
MC		 765 return 0;
766 }
767
97ea1e7f 768 hmaclen = SHA256_DIGEST_LENGTH;
38b051a1
TM		 769 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
770 sctx->propq, pkey, NULL) <= 0
97ea1e7f
MC		 771 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
772 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 773 || hmaclen != SHA256_DIGEST_LENGTH) {
774 EVP_MD_CTX_free(hctx);
775 EVP_PKEY_free(pkey);
c48ffbcc 776 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 777 return 0;
778 }
779
780 EVP_MD_CTX_free(hctx);
781 EVP_PKEY_free(pkey);
782
783 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 784 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 785 return 0;
786 }
787
788 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 789 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 790 return 0;
791 }
792 /* Check the cookie format is something we recognise. Ignore it if not */
793 if (format != COOKIE_STATE_FORMAT_VERSION)
794 return 1;
795
796 /*
797 * The rest of these checks really shouldn't fail since we have verified the
798 * HMAC above.
799 */
800
801 /* Check the version number is sane */
802 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 803 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 804 return 0;
805 }
806 if (version != TLS1_3_VERSION) {
c48ffbcc 807 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 808 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
809 return 0;
810 }
811
dd77962e 812 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 813 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 814 return 0;
815 }
dd77962e 816
43054d3d
MC		 817 ciphdata = PACKET_data(&cookie);
818 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 819 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 820 return 0;
821 }
555cbb32
TS		 822 if (group_id != s->s3.group_id
823 || s->s3.tmp.new_cipher
dd77962e
MC		 824 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
825 /*
826 * We chose a different cipher or group id this time around to what is
827 * in the cookie. Something must have changed.
828 */
c48ffbcc 829 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 830 return 0;
831 }
832
833 if (!PACKET_get_1(&cookie, &key_share)
e8a557dc 834 || !PACKET_get_net_8(&cookie, &tm)
43054d3d
MC		 835 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
836 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
837 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 838 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 839 return 0;
840 }
841
d0debc0a 842 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
e8a557dc 843 now = time(NULL);
d0debc0a
MC		 844 if (tm > now || (now - tm) > 600) {
845 /* Cookie is stale. Ignore it */
846 return 1;
847 }
848
43054d3d 849 /* Verify the app cookie */
38b051a1
TM		 850 if (sctx->verify_stateless_cookie_cb(ssl,
851 PACKET_data(&appcookie),
852 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 853 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 854 return 0;
855 }
856
857 /*
858 * Reconstruct the HRR that we would have sent in response to the original
859 * ClientHello so we can add it to the transcript hash.
860 * Note: This won't work with custom HRR extensions
861 */
862 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 864 return 0;
865 }
866 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
867 || !WPACKET_start_sub_packet_u24(&hrrpkt)
868 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
869 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
870 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
871 s->tmp_session_id_len)
38b051a1
TM		 872 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
873 &ciphlen)
43054d3d
MC		 874 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
875 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
876 WPACKET_cleanup(&hrrpkt);
c48ffbcc 877 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 878 return 0;
879 }
880 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
881 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 882 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 883 || !WPACKET_close(&hrrpkt)) {
884 WPACKET_cleanup(&hrrpkt);
c48ffbcc 885 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 886 return 0;
887 }
888 if (key_share) {
889 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
890 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 891 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 892 || !WPACKET_close(&hrrpkt)) {
893 WPACKET_cleanup(&hrrpkt);
c48ffbcc 894 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 895 return 0;
896 }
897 }
898 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
899 || !WPACKET_start_sub_packet_u16(&hrrpkt)
900 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
901 || !WPACKET_close(&hrrpkt) /* cookie extension */
902 || !WPACKET_close(&hrrpkt) /* extension block */
903 || !WPACKET_close(&hrrpkt) /* message */
904 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
905 || !WPACKET_finish(&hrrpkt)) {
906 WPACKET_cleanup(&hrrpkt);
c48ffbcc 907 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 908 return 0;
909 }
910
911 /* Reconstruct the transcript hash */
912 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
913 PACKET_remaining(&chhash), hrr,
914 hrrlen)) {
915 /* SSLfatal() already called */
916 return 0;
917 }
918
919 /* Act as if this ClientHello came after a HelloRetryRequest */
5ac7ee4d 920 s->hello_retry_request = SSL_HRR_PENDING;
43054d3d 921
c36001c3 922 s->ext.cookieok = 1;
1aac20f5 923#endif
c36001c3 924
43054d3d
MC		 925 return 1;
926}
927
38b051a1
TM		 928int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
929 unsigned int context,
f63a17d6 930 X509 *x, size_t chainidx)
25670f3e
MC		 931{
932 PACKET supported_groups_list;
933
934 /* Each group is 2 bytes and we must have at least 1. */
935 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
936 || PACKET_remaining(&supported_groups_list) == 0
937 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 938 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 939 return 0;
940 }
941
38b051a1 942 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
45436e61
MC		 943 OPENSSL_free(s->ext.peer_supportedgroups);
944 s->ext.peer_supportedgroups = NULL;
945 s->ext.peer_supportedgroups_len = 0;
9e84a42d 946 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 947 &s->ext.peer_supportedgroups,
948 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 950 return 0;
951 }
25670f3e
MC		 952 }
953
954 return 1;
955}
25670f3e 956
38b051a1
TM		 957int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
958 X509 *x, size_t chainidx)
25670f3e
MC		 959{
960 /* The extension must always be empty */
961 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 962 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 963 return 0;
964 }
965
088dfa13
TS		 966 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
967 return 1;
968
555cbb32 969 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 970
971 return 1;
972}
7da160b0 973
38df5a45 974
38b051a1 975int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
f63a17d6 976 X509 *x, size_t chainidx)
38df5a45
MC		 977{
978 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 979 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 980 return 0;
981 }
982
fc7129dc 983 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 984 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 985 return 0;
986 }
987
38df5a45
MC		 988 return 1;
989}
990
38b051a1 991static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
6cc0b3c2
MC		 992 SSL_SESSION **sess)
993{
994 SSL_SESSION *tmpsess = NULL;
995
5f26ddff
MC		 996 s->ext.ticket_expected = 1;
997
6cc0b3c2
MC		 998 switch (PACKET_remaining(tick)) {
999 case 0:
1000 return SSL_TICKET_EMPTY;
1001
1002 case SSL_MAX_SSL_SESSION_ID_LENGTH:
1003 break;
1004
1005 default:
1006 return SSL_TICKET_NO_DECRYPT;
1007 }
1008
1009 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
1010 SSL_MAX_SSL_SESSION_ID_LENGTH);
1011
1012 if (tmpsess == NULL)
1013 return SSL_TICKET_NO_DECRYPT;
1014
6cc0b3c2
MC		 1015 *sess = tmpsess;
1016 return SSL_TICKET_SUCCESS;
1017}
1018
38b051a1
TM		 1019int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1020 X509 *x, size_t chainidx)
1053a6e2
MC		 1021{
1022 PACKET identities, binders, binder;
48e3cf25
JJ		 1023 size_t binderoffset;
1024 int hashsize;
1053a6e2 1025 SSL_SESSION *sess = NULL;
3a7c56b2 1026 unsigned int id, i, ext = 0;
1053a6e2 1027 const EVP_MD *md = NULL;
38b051a1
TM		 1028 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1029 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1053a6e2 1030
1a9f457c
MC		 1031 /*
1032 * If we have no PSK kex mode that we recognise then we can't resume so
1033 * ignore this extension
1034 */
1035 if ((s->ext.psk_kex_mode
1036 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1037 return 1;
1038
1053a6e2 1039 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 1040 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1041 return 0;
1042 }
1043
61fb5923 1044 s->ext.ticket_expected = 0;
1053a6e2
MC		 1045 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1046 PACKET identity;
2c604cb9 1047 unsigned long ticket_agel;
f3d40db1 1048 size_t idlen;
1053a6e2
MC		 1049
1050 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1051 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1052 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1053 return 0;
1054 }
1055
f3d40db1 1056 idlen = PACKET_remaining(&identity);
3a7c56b2 1057 if (s->psk_find_session_cb != NULL
38b051a1 1058 && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
011d768a 1059 &sess)) {
c48ffbcc 1060 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1061 return 0;
1062 }
1063
c2b290c3 1064#ifndef OPENSSL_NO_PSK
1287dabd 1065 if (sess == NULL
f3d40db1
MC		 1066 && s->psk_server_callback != NULL
1067 && idlen <= PSK_MAX_IDENTITY_LEN) {
1068 char *pskid = NULL;
1069 unsigned char pskdata[PSK_MAX_PSK_LEN];
1070 unsigned int pskdatalen;
1071
1072 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1074 return 0;
1075 }
38b051a1 1076 pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
f3d40db1
MC		 1077 sizeof(pskdata));
1078 OPENSSL_free(pskid);
1079 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1081 return 0;
1082 } else if (pskdatalen > 0) {
1083 const SSL_CIPHER *cipher;
1084 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1085
1086 /*
1087 * We found a PSK using an old style callback. We don't know
1088 * the digest so we default to SHA256 as per the TLSv1.3 spec
1089 */
38b051a1 1090 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1
MC		 1091 if (cipher == NULL) {
1092 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1093 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1094 return 0;
1095 }
1096
1097 sess = SSL_SESSION_new();
1098 if (sess == NULL
1099 || !SSL_SESSION_set1_master_key(sess, pskdata,
1100 pskdatalen)
1101 || !SSL_SESSION_set_cipher(sess, cipher)
1102 || !SSL_SESSION_set_protocol_version(sess,
1103 TLS1_3_VERSION)) {
1104 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1106 goto err;
1107 }
1108 OPENSSL_cleanse(pskdata, pskdatalen);
1109 }
1110 }
c2b290c3 1111#endif /* OPENSSL_NO_PSK */
f3d40db1 1112
011d768a
MC		 1113 if (sess != NULL) {
1114 /* We found a PSK */
3a7c56b2 1115 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1116
3a7c56b2 1117 if (sesstmp == NULL) {
c48ffbcc 1118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1119 return 0;
1120 }
1121 SSL_SESSION_free(sess);
1122 sess = sesstmp;
1123
1124 /*
1125 * We've just been told to use this session for this context so
1126 * make sure the sid_ctx matches up.
1127 */
1128 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1129 sess->sid_ctx_length = s->sid_ctx_length;
1130 ext = 1;
630369d9
MC		 1131 if (id == 0)
1132 s->ext.early_data_ok = 1;
51256b34 1133 s->ext.ticket_expected = 1;
3a7c56b2 1134 } else {
f0131dc0 1135 OSSL_TIME t, age, expire;
61fb5923
MC		 1136 int ret;
1137
e880d4e5
MC		 1138 /*
1139 * If we are using anti-replay protection then we behave as if
1140 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1141 * is no point in using full stateless tickets.
1142 */
1143 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1144 || (s->max_early_data > 0
1145 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1146 ret = tls_get_stateful_ticket(s, &identity, &sess);
1147 else
1148 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1149 PACKET_remaining(&identity), NULL, 0,
1150 &sess);
61fb5923
MC		 1151
1152 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1153 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1154 return 0;
1155 }
3a7c56b2 1156
df0fed9a
TS		 1157 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1158 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1159 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1160 return 0;
1161 }
61fb5923 1162 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1163 continue;
1164
66d7de16
MC		 1165 /* Check for replay */
1166 if (s->max_early_data > 0
5d263fb7 1167 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1168 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1169 SSL_SESSION_free(sess);
1170 sess = NULL;
1171 continue;
1172 }
1173
0513a383
MC		 1174 age = ossl_time_subtract(ossl_ms2time(ticket_agel),
1175 ossl_ms2time(sess->ext.tick_age_add));
f0131dc0 1176 t = ossl_time_subtract(ossl_time_now(), sess->time);
3a7c56b2
MC		 1177
1178 /*
0513a383
MC		 1179 * Although internally we use OSS_TIME which has ns granularity,
1180 * when SSL_SESSION structures are serialised/deserialised we use
1181 * second granularity for the sess->time field. Therefore it could
1182 * appear that the client's ticket age is longer than ours (our
1183 * ticket age calculation should always be slightly longer than the
1184 * client's due to the network latency). Therefore we add 1000ms to
1185 * our age calculation to adjust for rounding errors.
3a7c56b2 1186 */
f0131dc0
P		 1187 expire = ossl_time_add(t, ossl_ms2time(1000));
1188
630369d9 1189 if (id == 0
f0131dc0
P		 1190 && ossl_time_compare(sess->timeout, t) >= 0
1191 && ossl_time_compare(age, expire) <= 0
1192 && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1193 expire) >= 0) {
3a7c56b2
MC		 1194 /*
1195 * Ticket age is within tolerance and not expired. We allow it
1196 * for early data
1197 */
1198 s->ext.early_data_ok = 1;
1199 }
1053a6e2 1200 }
1053a6e2 1201
38b051a1 1202 md = ssl_md(sctx, sess->cipher->algorithm2);
b740012f 1203 if (md == NULL) {
1204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1205 goto err;
1206 }
c8f6c28a 1207 if (!EVP_MD_is_a(md,
38b051a1 1208 EVP_MD_get0_name(ssl_md(sctx,
ed576acd 1209 s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1210 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1211 SSL_SESSION_free(sess);
1212 sess = NULL;
630369d9 1213 s->ext.early_data_ok = 0;
51256b34 1214 s->ext.ticket_expected = 0;
1053a6e2
MC		 1215 continue;
1216 }
1053a6e2
MC		 1217 break;
1218 }
1219
1220 if (sess == NULL)
1221 return 1;
1222
1223 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
ed576acd 1224 hashsize = EVP_MD_get_size(md);
48e3cf25
JJ		 1225 if (hashsize <= 0)
1226 goto err;
1053a6e2
MC		 1227
1228 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1229 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1230 goto err;
1231 }
1232
1233 for (i = 0; i <= id; i++) {
1234 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1235 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1236 goto err;
1237 }
1238 }
1239
48e3cf25 1240 if (PACKET_remaining(&binder) != (size_t)hashsize) {
c48ffbcc 1241 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1242 goto err;
1243 }
1244 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1245 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1246 ext) != 1) {
635c8f77 1247 /* SSLfatal() already called */
1053a6e2
MC		 1248 goto err;
1249 }
1250
c96ce52c 1251 s->ext.tick_identity = id;
2c604cb9 1252
1053a6e2
MC		 1253 SSL_SESSION_free(s->session);
1254 s->session = sess;
1053a6e2
MC		 1255 return 1;
1256err:
312e9387 1257 SSL_SESSION_free(sess);
1053a6e2
MC		 1258 return 0;
1259}
1260
38b051a1 1261int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 1262 ossl_unused unsigned int context,
1263 ossl_unused X509 *x,
1264 ossl_unused size_t chainidx)
9d75dce3
TS		 1265{
1266 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1267 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1268 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1269 return 0;
1270 }
1271
1272 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1273
1274 return 1;
1275}
1276
1266eefd
MC		 1277/*
1278 * Add the server's renegotiation binding
1279 */
38b051a1 1280EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1281 unsigned int context, X509 *x,
f63a17d6 1282 size_t chainidx)
7da160b0 1283{
555cbb32 1284 if (!s->s3.send_connection_binding)
b186a592 1285 return EXT_RETURN_NOT_SENT;
7da160b0 1286
db0f35dd 1287 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1288 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1289 || !WPACKET_start_sub_packet_u16(pkt)
1290 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1291 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1292 s->s3.previous_client_finished_len)
1293 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1294 s->s3.previous_server_finished_len)
7da160b0
MC		 1295 || !WPACKET_close(pkt)
1296 || !WPACKET_close(pkt)) {
c48ffbcc 1297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1298 return EXT_RETURN_FAIL;
7da160b0
MC		 1299 }
1300
b186a592 1301 return EXT_RETURN_SENT;
7da160b0
MC		 1302}
1303
38b051a1 1304EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1305 unsigned int context, X509 *x,
f63a17d6 1306 size_t chainidx)
7da160b0 1307{
7955c1f1
MC		 1308 if (s->servername_done != 1)
1309 return EXT_RETURN_NOT_SENT;
1310
1311 /*
1312 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1313 * We just use the servername from the initial handshake.
1314 */
38b051a1 1315 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
b186a592 1316 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1317
1318 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1319 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1320 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1321 return EXT_RETURN_FAIL;
7da160b0
MC		 1322 }
1323
b186a592 1324 return EXT_RETURN_SENT;
7da160b0
MC		 1325}
1326
cf72c757 1327/* Add/include the server's max fragment len extension into ServerHello */
38b051a1 1328EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 1329 unsigned int context, X509 *x,
f63a17d6 1330 size_t chainidx)
cf72c757
F		 1331{
1332 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1333 return EXT_RETURN_NOT_SENT;
1334
1335 /*-
1336 * 4 bytes for this extension type and extension length
1337 * 1 byte for the Max Fragment Length code value.
1338 */
1339 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1340 || !WPACKET_start_sub_packet_u16(pkt)
1341 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1342 || !WPACKET_close(pkt)) {
c48ffbcc 1343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1344 return EXT_RETURN_FAIL;
1345 }
1346
1347 return EXT_RETURN_SENT;
1348}
1349
38b051a1 1350EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1351 unsigned int context, X509 *x,
f63a17d6 1352 size_t chainidx)
7da160b0 1353{
555cbb32
TS		 1354 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1355 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1356 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1357 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1358 const unsigned char *plist;
1359 size_t plistlen;
1360
1361 if (!using_ecc)
b186a592 1362 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1363
1364 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1365 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1366 || !WPACKET_start_sub_packet_u16(pkt)
1367 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1368 || !WPACKET_close(pkt)) {
c48ffbcc 1369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1370 return EXT_RETURN_FAIL;
7da160b0
MC		 1371 }
1372
b186a592 1373 return EXT_RETURN_SENT;
7da160b0 1374}
7da160b0 1375
38b051a1 1376EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1377 unsigned int context, X509 *x,
f63a17d6 1378 size_t chainidx)
6af87546 1379{
9e84a42d 1380 const uint16_t *groups;
6af87546 1381 size_t numgroups, i, first = 1;
9d2d857f 1382 int version;
6af87546 1383
555cbb32
TS		 1384 /* s->s3.group_id is non zero if we accepted a key_share */
1385 if (s->s3.group_id == 0)
b186a592 1386 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1387
1388 /* Get our list of supported groups */
ff6d20a6 1389 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1390 if (numgroups == 0) {
c48ffbcc 1391 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1392 return EXT_RETURN_FAIL;
6af87546
MC		 1393 }
1394
1395 /* Copy group ID if supported */
38b051a1 1396 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
9e84a42d
DSH		 1397 for (i = 0; i < numgroups; i++) {
1398 uint16_t group = groups[i];
1399
8b1db5d3 1400 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1401 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1402 if (first) {
1403 /*
1404 * Check if the client is already using our preferred group. If
1405 * so we don't need to add this extension
1406 */
555cbb32 1407 if (s->s3.group_id == group)
b186a592 1408 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1409
1410 /* Add extension header */
1411 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1412 /* Sub-packet for supported_groups extension */
1413 || !WPACKET_start_sub_packet_u16(pkt)
1414 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1416 return EXT_RETURN_FAIL;
6af87546
MC		 1417 }
1418
1419 first = 0;
1420 }
9e84a42d 1421 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1423 return EXT_RETURN_FAIL;
6af87546
MC		 1424 }
1425 }
1426 }
1427
1428 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1429 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1430 return EXT_RETURN_FAIL;
6af87546
MC		 1431 }
1432
b186a592 1433 return EXT_RETURN_SENT;
6af87546
MC		 1434}
1435
38b051a1 1436EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1437 unsigned int context, X509 *x,
f63a17d6 1438 size_t chainidx)
7da160b0 1439{
aff8c126
RS		 1440 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1441 s->ext.ticket_expected = 0;
b186a592 1442 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1443 }
1444
1445 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1446 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1447 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1448 return EXT_RETURN_FAIL;
7da160b0
MC		 1449 }
1450
b186a592 1451 return EXT_RETURN_SENT;
7da160b0
MC		 1452}
1453
ab83e314 1454#ifndef OPENSSL_NO_OCSP
38b051a1 1455EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1456 unsigned int context, X509 *x,
f63a17d6 1457 size_t chainidx)
7da160b0 1458{
debb64a0
MC		 1459 /* We don't currently support this extension inside a CertificateRequest */
1460 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1461 return EXT_RETURN_NOT_SENT;
1462
aff8c126 1463 if (!s->ext.status_expected)
b186a592 1464 return EXT_RETURN_NOT_SENT;
7da160b0 1465
38b051a1 1466 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
b186a592 1467 return EXT_RETURN_NOT_SENT;
e96e0f8e 1468
7da160b0 1469 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1470 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1471 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1472 return EXT_RETURN_FAIL;
f63e4288
MC		 1473 }
1474
1475 /*
1476 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1477 * send back an empty extension, with the certificate status appearing as a
1478 * separate message
1479 */
38b051a1 1480 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
3ec8d113 1481 /* SSLfatal() already called */
56d36288 1482 return EXT_RETURN_FAIL;
3ec8d113
MC		 1483 }
1484 if (!WPACKET_close(pkt)) {
c48ffbcc 1485 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1486 return EXT_RETURN_FAIL;
7da160b0
MC		 1487 }
1488
b186a592 1489 return EXT_RETURN_SENT;
7da160b0 1490}
ab83e314 1491#endif
7da160b0 1492
7da160b0 1493#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1 1494EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1495 unsigned int context, X509 *x,
f63a17d6 1496 size_t chainidx)
7da160b0
MC		 1497{
1498 const unsigned char *npa;
1499 unsigned int npalen;
1500 int ret;
555cbb32 1501 int npn_seen = s->s3.npn_seen;
38b051a1 1502 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
7da160b0 1503
555cbb32 1504 s->s3.npn_seen = 0;
38b051a1 1505 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
b186a592 1506 return EXT_RETURN_NOT_SENT;
7da160b0 1507
38b051a1
TM		 1508 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1509 sctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1510 if (ret == SSL_TLSEXT_ERR_OK) {
1511 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1512 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1513 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1514 return EXT_RETURN_FAIL;
7da160b0 1515 }
555cbb32 1516 s->s3.npn_seen = 1;
7da160b0
MC		 1517 }
1518
b186a592 1519 return EXT_RETURN_SENT;
7da160b0
MC		 1520}
1521#endif
1522
38b051a1 1523EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
f63a17d6 1524 X509 *x, size_t chainidx)
7da160b0 1525{
555cbb32 1526 if (s->s3.alpn_selected == NULL)
b186a592 1527 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1528
1529 if (!WPACKET_put_bytes_u16(pkt,
1530 TLSEXT_TYPE_application_layer_protocol_negotiation)
1531 || !WPACKET_start_sub_packet_u16(pkt)
1532 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1533 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1534 s->s3.alpn_selected_len)
7da160b0
MC		 1535 || !WPACKET_close(pkt)
1536 || !WPACKET_close(pkt)) {
c48ffbcc 1537 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1538 return EXT_RETURN_FAIL;
7da160b0
MC		 1539 }
1540
b186a592 1541 return EXT_RETURN_SENT;
7da160b0
MC		 1542}
1543
1544#ifndef OPENSSL_NO_SRTP
38b051a1 1545EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1546 unsigned int context, X509 *x,
f63a17d6 1547 size_t chainidx)
7da160b0
MC		 1548{
1549 if (s->srtp_profile == NULL)
b186a592 1550 return EXT_RETURN_NOT_SENT;
a1448c26 1551
7da160b0
MC		 1552 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1553 || !WPACKET_start_sub_packet_u16(pkt)
1554 || !WPACKET_put_bytes_u16(pkt, 2)
1555 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1556 || !WPACKET_put_bytes_u8(pkt, 0)
1557 || !WPACKET_close(pkt)) {
c48ffbcc 1558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1559 return EXT_RETURN_FAIL;
7da160b0
MC		 1560 }
1561
b186a592 1562 return EXT_RETURN_SENT;
7da160b0
MC		 1563}
1564#endif
1565
38b051a1
TM		 1566EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1567 unsigned int context,
f63a17d6 1568 X509 *x, size_t chainidx)
7da160b0 1569{
28a31a0a 1570 if (!s->ext.use_etm)
b186a592 1571 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1572
1573 /*
1574 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1575 * for other cases too.
1576 */
555cbb32
TS		 1577 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1578 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1579 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1580 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1581 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1582 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1583 s->ext.use_etm = 0;
b186a592 1584 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1585 }
1586
1587 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1588 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1589 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1590 return EXT_RETURN_FAIL;
7da160b0
MC		 1591 }
1592
b186a592 1593 return EXT_RETURN_SENT;
7da160b0
MC		 1594}
1595
38b051a1
TM		 1596EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1597 unsigned int context,
f63a17d6 1598 X509 *x, size_t chainidx)
7da160b0 1599{
555cbb32 1600 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1601 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1602
1603 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1604 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1605 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1606 return EXT_RETURN_FAIL;
7da160b0
MC		 1607 }
1608
b186a592 1609 return EXT_RETURN_SENT;
7da160b0
MC		 1610}
1611
38b051a1 1612EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
88050dd1
MC		 1613 unsigned int context, X509 *x,
1614 size_t chainidx)
1615{
38b051a1 1616 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
c48ffbcc 1617 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1618 return EXT_RETURN_FAIL;
1619 }
88050dd1
MC		 1620
1621 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1622 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1623 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1624 || !WPACKET_close(pkt)) {
c48ffbcc 1625 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1626 return EXT_RETURN_FAIL;
1627 }
1628
1629 return EXT_RETURN_SENT;
1630}
1631
38b051a1 1632EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1633 unsigned int context, X509 *x,
f63a17d6 1634 size_t chainidx)
7da160b0 1635{
3cf96e88 1636#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1637 unsigned char *encodedPoint;
1638 size_t encoded_pt_len = 0;
555cbb32 1639 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1640 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1641
dd77962e
MC		 1642 if (s->hello_retry_request == SSL_HRR_PENDING) {
1643 if (ckey != NULL) {
1644 /* Original key_share was acceptable so don't ask for another one */
1645 return EXT_RETURN_NOT_SENT;
1646 }
1647 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1648 || !WPACKET_start_sub_packet_u16(pkt)
16f0e91c 1649 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
dd77962e 1650 || !WPACKET_close(pkt)) {
c48ffbcc 1651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1652 return EXT_RETURN_FAIL;
7d061fce
MC		 1653 }
1654
dd77962e
MC		 1655 return EXT_RETURN_SENT;
1656 }
1657
1658 if (ckey == NULL) {
1659 /* No key_share received from client - must be resuming */
0247086d 1660 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1661 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1662 return EXT_RETURN_FAIL;
0247086d 1663 }
b186a592 1664 return EXT_RETURN_NOT_SENT;
7da160b0 1665 }
b8590b2f 1666
f2906631 1667 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
e776858b 1668 /*
f2906631
MM		 1669 * PSK ('hit') and explicitly not doing DHE. If the client sent the
1670 * DHE option, we take it by default, except if non-DHE would be
1671 * preferred by config, but this case would have been handled in
1672 * tls_parse_ctos_psk_kex_modes().
e776858b 1673 */
f2906631 1674 return EXT_RETURN_NOT_SENT;
e776858b 1675 }
7da160b0
MC		 1676
1677 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1678 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1679 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1680 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1681 return EXT_RETURN_FAIL;
7da160b0
MC		 1682 }
1683
38b051a1
TM		 1684 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1685 s->s3.group_id)) == NULL) {
c48ffbcc 1686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1687 return EXT_RETURN_FAIL;
7da160b0
MC		 1688 }
1689
8b17fbaf
NT		 1690 if (!ginf->is_kem) {
1691 /* Regular KEX */
1692 skey = ssl_generate_pkey(s, ckey);
1693 if (skey == NULL) {
e077455e 1694 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
8b17fbaf
NT		 1695 return EXT_RETURN_FAIL;
1696 }
7da160b0 1697
8b17fbaf 1698 /* Generate encoding of server key */
5ac8fb58 1699 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1700 if (encoded_pt_len == 0) {
c48ffbcc 1701 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1702 EVP_PKEY_free(skey);
1703 return EXT_RETURN_FAIL;
1704 }
1705
1706 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1707 || !WPACKET_close(pkt)) {
c48ffbcc 1708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1709 EVP_PKEY_free(skey);
1710 OPENSSL_free(encodedPoint);
1711 return EXT_RETURN_FAIL;
1712 }
7da160b0 1713 OPENSSL_free(encodedPoint);
7da160b0 1714
8b17fbaf
NT		 1715 /*
1716 * This causes the crypto state to be updated based on the derived keys
1717 */
1718 s->s3.tmp.pkey = skey;
1719 if (ssl_derive(s, skey, ckey, 1) == 0) {
1720 /* SSLfatal() already called */
1721 return EXT_RETURN_FAIL;
1722 }
1723 } else {
1724 /* KEM mode */
1725 unsigned char *ct = NULL;
1726 size_t ctlen = 0;
1727
1728 /*
1729 * This does not update the crypto state.
1730 *
1731 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1732 * ssl_gensecret().
1733 */
1734 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1735 /* SSLfatal() already called */
1736 return EXT_RETURN_FAIL;
1737 }
1738
1739 if (ctlen == 0) {
c48ffbcc 1740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1741 OPENSSL_free(ct);
1742 return EXT_RETURN_FAIL;
1743 }
1744
1745 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1746 || !WPACKET_close(pkt)) {
c48ffbcc 1747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1748 OPENSSL_free(ct);
1749 return EXT_RETURN_FAIL;
1750 }
1751 OPENSSL_free(ct);
1752
1753 /*
1754 * This causes the crypto state to be updated based on the generated pms
1755 */
1756 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1757 /* SSLfatal() already called */
1758 return EXT_RETURN_FAIL;
1759 }
7da160b0 1760 }
aa6bd216 1761 s->s3.did_kex = 1;
b186a592 1762 return EXT_RETURN_SENT;
1aac20f5
MC		 1763#else
1764 return EXT_RETURN_FAIL;
1765#endif
7da160b0
MC		 1766}
1767
38b051a1
TM		 1768EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1769 unsigned int context,
43054d3d
MC		 1770 X509 *x, size_t chainidx)
1771{
1aac20f5 1772#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1773 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1774 unsigned char *hmac, *hmac2;
3fa2812f 1775 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1776 EVP_MD_CTX *hctx;
1777 EVP_PKEY *pkey;
1778 int ret = EXT_RETURN_FAIL;
38b051a1
TM		 1779 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1780 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
43054d3d 1781
555cbb32 1782 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1783 return EXT_RETURN_NOT_SENT;
1784
38b051a1 1785 if (sctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1786 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1787 return EXT_RETURN_FAIL;
1788 }
1789
43054d3d
MC		 1790 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1791 || !WPACKET_start_sub_packet_u16(pkt)
1792 || !WPACKET_start_sub_packet_u16(pkt)
1793 || !WPACKET_get_total_written(pkt, &startlen)
1794 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1795 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1796 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32 1797 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
38b051a1
TM		 1798 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1799 &ciphlen)
43054d3d 1800 /* Is there a key_share extension present in this HRR? */
555cbb32 1801 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
e8a557dc 1802 || !WPACKET_put_bytes_u64(pkt, time(NULL))
43054d3d
MC		 1803 || !WPACKET_start_sub_packet_u16(pkt)
1804 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1806 return EXT_RETURN_FAIL;
1807 }
1808
1809 /*
1810 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1811 * on raw buffers, so we first reserve sufficient bytes (above) and then
1812 * subsequently allocate them (below)
1813 */
1814 if (!ssl3_digest_cached_records(s, 0)
1815 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1816 /* SSLfatal() already called */
1817 return EXT_RETURN_FAIL;
1818 }
1819
1820 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1821 || !ossl_assert(hashval1 == hashval2)
1822 || !WPACKET_close(pkt)
1823 || !WPACKET_start_sub_packet_u8(pkt)
1824 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1825 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1826 return EXT_RETURN_FAIL;
1827 }
1828
1829 /* Generate the application cookie */
38b051a1
TM		 1830 if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1831 &appcookielen) == 0) {
c48ffbcc 1832 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1833 return EXT_RETURN_FAIL;
1834 }
1835
1836 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1837 || !ossl_assert(appcookie1 == appcookie2)
1838 || !WPACKET_close(pkt)
1839 || !WPACKET_get_total_written(pkt, &totcookielen)
1840 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1842 return EXT_RETURN_FAIL;
1843 }
1844 hmaclen = SHA256_DIGEST_LENGTH;
1845
1846 totcookielen -= startlen;
1847 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1849 return EXT_RETURN_FAIL;
1850 }
1851
1852 /* HMAC the cookie */
1853 hctx = EVP_MD_CTX_create();
38b051a1
TM		 1854 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1855 sctx->propq,
d8652be0
MC		 1856 s->session_ctx->ext.cookie_hmac_key,
1857 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1858 if (hctx == NULL || pkey == NULL) {
e077455e 1859 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
43054d3d
MC		 1860 goto err;
1861 }
1862
38b051a1
TM		 1863 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1864 sctx->propq, pkey, NULL) <= 0
43054d3d
MC		 1865 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1866 totcookielen) <= 0) {
c48ffbcc 1867 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1868 goto err;
1869 }
1870
1871 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1872 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1873 goto err;
1874 }
1875
1876 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1877 || !ossl_assert(hmac == hmac2)
1878 || !ossl_assert(cookie == hmac - totcookielen)
1879 || !WPACKET_close(pkt)
1880 || !WPACKET_close(pkt)) {
c48ffbcc 1881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1882 goto err;
1883 }
1884
1885 ret = EXT_RETURN_SENT;
1886
1887 err:
1888 EVP_MD_CTX_free(hctx);
1889 EVP_PKEY_free(pkey);
1890 return ret;
1aac20f5
MC		 1891#else
1892 return EXT_RETURN_FAIL;
1893#endif
43054d3d
MC		 1894}
1895
38b051a1 1896EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1897 unsigned int context, X509 *x,
f63a17d6 1898 size_t chainidx)
7da160b0
MC		 1899{
1900 const unsigned char cryptopro_ext[36] = {
1901 0xfd, 0xe8, /* 65000 */
1902 0x00, 0x20, /* 32 bytes length */
1903 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1904 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1905 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1906 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1907 };
1908
555cbb32
TS		 1909 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1910 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
38b051a1
TM		 1911 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1912 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1913 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1914
1915 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1916 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1917 return EXT_RETURN_FAIL;
7da160b0
MC		 1918 }
1919
b186a592 1920 return EXT_RETURN_SENT;
7da160b0 1921}
0247086d 1922
38b051a1 1923EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1924 unsigned int context, X509 *x,
f63a17d6 1925 size_t chainidx)
38df5a45 1926{
fe874d27 1927 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1928 if (s->max_early_data == 0)
b186a592 1929 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1930
1931 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1932 || !WPACKET_start_sub_packet_u16(pkt)
1933 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1934 || !WPACKET_close(pkt)) {
c48ffbcc 1935 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1936 return EXT_RETURN_FAIL;
6594189f
MC		 1937 }
1938
b186a592 1939 return EXT_RETURN_SENT;
6594189f
MC		 1940 }
1941
38df5a45 1942 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1943 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1944
1945 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1946 || !WPACKET_start_sub_packet_u16(pkt)
1947 || !WPACKET_close(pkt)) {
c48ffbcc 1948 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1949 return EXT_RETURN_FAIL;
38df5a45
MC		 1950 }
1951
b186a592 1952 return EXT_RETURN_SENT;
38df5a45
MC		 1953}
1954
38b051a1
TM		 1955EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1956 unsigned int context,
f63a17d6 1957 X509 *x, size_t chainidx)
0247086d
MC		 1958{
1959 if (!s->hit)
b186a592 1960 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1961
1962 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1963 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1964 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1965 || !WPACKET_close(pkt)) {
c48ffbcc 1966 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1967 return EXT_RETURN_FAIL;
0247086d
MC		 1968 }
1969
b186a592 1970 return EXT_RETURN_SENT;
0247086d 1971}
3c95ef22
TS		 1972
1973EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
1974 unsigned int context,
1975 X509 *x, size_t chainidx)
1976{
1977 if (sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_ERROR
1978 && (send_certificate_request(sc)
1979 || sc->post_handshake_auth == SSL_PHA_EXT_RECEIVED)) {
1980 /* Did not receive an acceptable cert type - and doing client auth */
1981 SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
1982 return EXT_RETURN_FAIL;
1983 }
1984
1985 if (sc->ext.client_cert_type == TLSEXT_cert_type_x509) {
1986 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1987 return EXT_RETURN_NOT_SENT;
1988 }
1989
1990 /*
1991 * Note: only supposed to send this if we are going to do a cert request,
1992 * but TLSv1.3 could do a PHA request if the client supports it
1993 */
1994 if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED)
1995 || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
1996 || sc->client_cert_type == NULL) {
1997 /* if we don't send it, reset to TLSEXT_cert_type_x509 */
1998 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
1999 sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2000 return EXT_RETURN_NOT_SENT;
2001 }
2002
2003 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2004 || !WPACKET_start_sub_packet_u16(pkt)
2005 || !WPACKET_put_bytes_u8(pkt, sc->ext.client_cert_type)
2006 || !WPACKET_close(pkt)) {
2007 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2008 return EXT_RETURN_FAIL;
2009 }
2010 return EXT_RETURN_SENT;
2011}
2012
2013/* One of |pref|, |other| is configured and the values are sanitized */
2014static int reconcile_cert_type(const unsigned char *pref, size_t pref_len,
2015 const unsigned char *other, size_t other_len,
2016 uint8_t *chosen_cert_type)
2017{
2018 size_t i;
2019
2020 for (i = 0; i < pref_len; i++) {
2021 if (memchr(other, pref[i], other_len) != NULL) {
2022 *chosen_cert_type = pref[i];
2023 return OSSL_CERT_TYPE_CTOS_GOOD;
2024 }
2025 }
2026 return OSSL_CERT_TYPE_CTOS_ERROR;
2027}
2028
2029int tls_parse_ctos_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2030 unsigned int context,
2031 X509 *x, size_t chainidx)
2032{
2033 PACKET supported_cert_types;
2034 const unsigned char *data;
2035 size_t len;
2036
2037 /* Ignore the extension */
2038 if (sc->client_cert_type == NULL) {
2039 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2040 sc->ext.client_cert_type = TLSEXT_cert_type_x509;
2041 return 1;
2042 }
2043
2044 if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2045 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2046 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2047 return 0;
2048 }
2049 if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2050 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2051 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2052 return 0;
2053 }
2054 if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2055 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_ERROR;
2056 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2057 return 0;
2058 }
2059 /* client_cert_type: client (peer) has priority */
2060 sc->ext.client_cert_type_ctos = reconcile_cert_type(data, len,
2061 sc->client_cert_type, sc->client_cert_type_len,
2062 &sc->ext.client_cert_type);
2063
2064 /* Ignore the error until sending - so we can check cert auth*/
2065 return 1;
2066}
2067
2068EXT_RETURN tls_construct_stoc_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2069 unsigned int context,
2070 X509 *x, size_t chainidx)
2071{
2072 if (sc->ext.server_cert_type == TLSEXT_cert_type_x509) {
2073 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2074 return EXT_RETURN_NOT_SENT;
2075 }
2076 if (sc->ext.server_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD
2077 || sc->server_cert_type == NULL) {
2078 /* if we don't send it, reset to TLSEXT_cert_type_x509 */
2079 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2080 sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2081 return EXT_RETURN_NOT_SENT;
2082 }
2083
2084 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2085 || !WPACKET_start_sub_packet_u16(pkt)
2086 || !WPACKET_put_bytes_u8(pkt, sc->ext.server_cert_type)
2087 || !WPACKET_close(pkt)) {
2088 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2089 return EXT_RETURN_FAIL;
2090 }
2091 return EXT_RETURN_SENT;
2092}
2093
2094int tls_parse_ctos_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2095 unsigned int context,
2096 X509 *x, size_t chainidx)
2097{
2098 PACKET supported_cert_types;
2099 const unsigned char *data;
2100 size_t len;
2101
2102 /* Ignore the extension */
2103 if (sc->server_cert_type == NULL) {
2104 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2105 sc->ext.server_cert_type = TLSEXT_cert_type_x509;
2106 return 1;
2107 }
2108
2109 if (!PACKET_as_length_prefixed_1(pkt, &supported_cert_types)) {
2110 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2111 return 0;
2112 }
2113
2114 if ((len = PACKET_remaining(&supported_cert_types)) == 0) {
2115 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2116 return 0;
2117 }
2118 if (!PACKET_get_bytes(&supported_cert_types, &data, len)) {
2119 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2120 return 0;
2121 }
2122 /* server_cert_type: server (this) has priority */
2123 sc->ext.server_cert_type_ctos = reconcile_cert_type(sc->server_cert_type, sc->server_cert_type_len,
2124 data, len,
2125 &sc->ext.server_cert_type);
2126 if (sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)
2127 return 1;
2128
2129 /* Did not receive an acceptable cert type */
2130 SSLfatal(sc, SSL_AD_UNSUPPORTED_CERTIFICATE, SSL_R_BAD_EXTENSION);
2131 return 0;
2132}
A mirror of the official openssl repository