]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Check for EVP_MD being NULL inside ssl.
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
15#define COOKIE_STATE_FORMAT_VERSION 0
16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
d0debc0a
MC		 20 * key_share present flag, 4 bytes for timestamp, 2 bytes for the hashlen,
21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
d0debc0a 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 4 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
61138358 41int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 42 X509 *x, size_t chainidx)
25670f3e
MC		 43{
44 unsigned int ilen;
45 const unsigned char *data;
46
47 /* Parse the length byte */
48 if (!PACKET_get_1(pkt, &ilen)
49 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 50 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 51 return 0;
52 }
53
54 /* Check that the extension matches */
555cbb32 55 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 56 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 57 return 0;
58 }
59
555cbb32
TS		 60 if (memcmp(data, s->s3.previous_client_finished,
61 s->s3.previous_client_finished_len)) {
c48ffbcc 62 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 63 return 0;
64 }
65
555cbb32 66 s->s3.send_connection_binding = 1;
25670f3e
MC		 67
68 return 1;
69}
70
1266eefd
MC		 71/*-
72 * The servername extension is treated as follows:
73 *
74 * - Only the hostname type is supported with a maximum length of 255.
75 * - The servername is rejected if too long or if it contains zeros,
76 * in which case an fatal alert is generated.
77 * - The servername field is maintained together with the session cache.
78 * - When a session is resumed, the servername call back invoked in order
79 * to allow the application to position itself to the right context.
80 * - The servername is acknowledged if it is new for a session or when
81 * it is identical to a previously used for the same session.
82 * Applications can control the behaviour. They can at any time
83 * set a 'desirable' servername for a new SSL object. This can be the
84 * case for example with HTTPS when a Host: header field is received and
85 * a renegotiation is requested. In this case, a possible servername
86 * presented in the new client hello is only acknowledged if it matches
87 * the value of the Host: field.
88 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
89 * if they provide for changing an explicit servername context for the
90 * session, i.e. when the session has been established with a servername
91 * extension.
92 * - On session reconnect, the servername extension may be absent.
93 */
61138358 94int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 95 X509 *x, size_t chainidx)
25670f3e
MC		 96{
97 unsigned int servname_type;
98 PACKET sni, hostname;
99
25670f3e
MC		 100 if (!PACKET_as_length_prefixed_2(pkt, &sni)
101 /* ServerNameList must be at least 1 byte long. */
102 || PACKET_remaining(&sni) == 0) {
c48ffbcc 103 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 104 return 0;
105 }
106
107 /*
44e69951
F		 108 * Although the intent was for server_name to be extensible, RFC 4366
109 * was not clear about it; and so OpenSSL among other implementations,
110 * always and only allows a 'host_name' name types.
25670f3e
MC		 111 * RFC 6066 corrected the mistake but adding new name types
112 * is nevertheless no longer feasible, so act as if no other
113 * SNI types can exist, to simplify parsing.
114 *
115 * Also note that the RFC permits only one SNI value per type,
116 * i.e., we can only have a single hostname.
117 */
118 if (!PACKET_get_1(&sni, &servname_type)
119 || servname_type != TLSEXT_NAMETYPE_host_name
120 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 121 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 122 return 0;
123 }
124
7955c1f1
MC		 125 /*
126 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
127 * we always use the SNI value from the handshake.
128 */
1c4aa31d 129 if (!s->hit || SSL_IS_TLS13(s)) {
25670f3e 130 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 131 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 132 return 0;
133 }
134
135 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 136 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 137 return 0;
138 }
139
1c4aa31d
BK		 140 /*
141 * Store the requested SNI in the SSL as temporary storage.
142 * If we accept it, it will get stored in the SSL_SESSION as well.
143 */
144 OPENSSL_free(s->ext.hostname);
145 s->ext.hostname = NULL;
146 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 148 return 0;
149 }
150
151 s->servername_done = 1;
7955c1f1
MC		 152 } else {
153 /*
154 * In TLSv1.2 and below we should check if the SNI is consistent between
155 * the initial handshake and the resumption. In TLSv1.3 SNI is not
156 * associated with the session.
157 */
1c4aa31d 158 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 159 && PACKET_equal(&hostname, s->session->ext.hostname,
160 strlen(s->session->ext.hostname));
25670f3e
MC		 161 }
162
163 return 1;
164}
165
cf72c757 166int tls_parse_ctos_maxfragmentlen(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 167 X509 *x, size_t chainidx)
cf72c757
F		 168{
169 unsigned int value;
170
171 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 172 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 173 return 0;
174 }
175
176 /* Received |value| should be a valid max-fragment-length code. */
177 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 178 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 179 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 180 return 0;
181 }
182
183 /*
184 * RFC 6066: The negotiated length applies for the duration of the session
185 * including session resumptions.
186 * We should receive the same code as in resumed session !
187 */
188 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 189 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 190 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 191 return 0;
192 }
193
194 /*
195 * Store it in session, so it'll become binding for us
196 * and we'll include it in a next Server Hello.
197 */
198 s->session->ext.max_fragment_len_mode = value;
199 return 1;
200}
201
25670f3e 202#ifndef OPENSSL_NO_SRP
61138358 203int tls_parse_ctos_srp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 204 size_t chainidx)
25670f3e
MC		 205{
206 PACKET srp_I;
207
208 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
209 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 210 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 211 return 0;
212 }
213
25670f3e 214 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 216 return 0;
217 }
218
219 return 1;
220}
221#endif
222
61138358 223int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 224 X509 *x, size_t chainidx)
25670f3e
MC		 225{
226 PACKET ec_point_format_list;
227
228 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
229 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 230 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 231 return 0;
232 }
233
234 if (!s->hit) {
235 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 236 &s->ext.peer_ecpointformats,
237 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 238 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 239 return 0;
240 }
241 }
242
243 return 1;
244}
25670f3e 245
61138358 246int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 247 X509 *x, size_t chainidx)
25670f3e 248{
aff8c126
RS		 249 if (s->ext.session_ticket_cb &&
250 !s->ext.session_ticket_cb(s, PACKET_data(pkt),
251 PACKET_remaining(pkt),
252 s->ext.session_ticket_cb_arg)) {
c48ffbcc 253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 254 return 0;
255 }
256
257 return 1;
258}
259
a7e6a3d8
P		 260int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt,
261 ossl_unused unsigned int context,
262 ossl_unused X509 *x,
263 ossl_unused size_t chainidx)
c589c34e
BK		 264{
265 PACKET supported_sig_algs;
266
267 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
268 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 269 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 270 return 0;
271 }
272
273 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 274 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 275 return 0;
276 }
277
278 return 1;
279}
280
61138358 281int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 282 size_t chainidx)
25670f3e
MC		 283{
284 PACKET supported_sig_algs;
285
286 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 287 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 288 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 289 return 0;
290 }
291
c589c34e 292 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 293 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 294 return 0;
295 }
296
297 return 1;
298}
299
ab83e314 300#ifndef OPENSSL_NO_OCSP
61138358 301int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 302 X509 *x, size_t chainidx)
25670f3e 303{
1266eefd
MC		 304 PACKET responder_id_list, exts;
305
ded4a83d
MC		 306 /* We ignore this in a resumption handshake */
307 if (s->hit)
308 return 1;
309
e96e0f8e
MC		 310 /* Not defined if we get one of these in a client Certificate */
311 if (x != NULL)
312 return 1;
313
aff8c126 314 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 315 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 316 return 0;
317 }
ab83e314 318
aff8c126 319 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 320 /*
1266eefd 321 * We don't know what to do with any other type so ignore it.
25670f3e 322 */
aff8c126 323 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 324 return 1;
325 }
25670f3e 326
1266eefd 327 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 328 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 329 return 0;
330 }
25670f3e 331
1266eefd
MC		 332 /*
333 * We remove any OCSP_RESPIDs from a previous handshake
334 * to prevent unbounded memory growth - CVE-2016-6304
335 */
aff8c126 336 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 337 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 338 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
339 if (s->ext.ocsp.ids == NULL) {
c48ffbcc 340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 341 return 0;
342 }
343 } else {
aff8c126 344 s->ext.ocsp.ids = NULL;
1266eefd 345 }
25670f3e 346
1266eefd
MC		 347 while (PACKET_remaining(&responder_id_list) > 0) {
348 OCSP_RESPID *id;
349 PACKET responder_id;
350 const unsigned char *id_data;
25670f3e 351
1266eefd
MC		 352 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
353 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 354 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 355 return 0;
356 }
25670f3e 357
1266eefd 358 id_data = PACKET_data(&responder_id);
1266eefd
MC		 359 id = d2i_OCSP_RESPID(NULL, &id_data,
360 (int)PACKET_remaining(&responder_id));
361 if (id == NULL) {
c48ffbcc 362 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 363 return 0;
25670f3e
MC		 364 }
365
1266eefd
MC		 366 if (id_data != PACKET_end(&responder_id)) {
367 OCSP_RESPID_free(id);
c48ffbcc 368 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 369
25670f3e
MC		 370 return 0;
371 }
372
aff8c126 373 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 374 OCSP_RESPID_free(id);
c48ffbcc 375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 376
1266eefd
MC		 377 return 0;
378 }
379 }
380
381 /* Read in request_extensions */
382 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 384 return 0;
385 }
386
387 if (PACKET_remaining(&exts) > 0) {
388 const unsigned char *ext_data = PACKET_data(&exts);
389
aff8c126 390 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 391 X509_EXTENSION_free);
aff8c126 392 s->ext.ocsp.exts =
1266eefd 393 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 394 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 395 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 396 return 0;
25670f3e 397 }
25670f3e
MC		 398 }
399
400 return 1;
401}
ab83e314 402#endif
25670f3e
MC		 403
404#ifndef OPENSSL_NO_NEXTPROTONEG
61138358 405int tls_parse_ctos_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 406 size_t chainidx)
25670f3e 407{
1266eefd
MC		 408 /*
409 * We shouldn't accept this extension on a
410 * renegotiation.
1266eefd 411 */
c7f47786 412 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 413 s->s3.npn_seen = 1;
25670f3e
MC		 414
415 return 1;
416}
417#endif
418
419/*
1266eefd 420 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 421 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 422 */
61138358 423int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 424 size_t chainidx)
25670f3e
MC		 425{
426 PACKET protocol_list, save_protocol_list, protocol;
427
c7f47786 428 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 429 return 1;
430
431 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
432 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 434 return 0;
435 }
436
437 save_protocol_list = protocol_list;
438 do {
439 /* Protocol names can't be empty. */
440 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
441 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 442 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 443 return 0;
444 }
445 } while (PACKET_remaining(&protocol_list) != 0);
446
555cbb32
TS		 447 OPENSSL_free(s->s3.alpn_proposed);
448 s->s3.alpn_proposed = NULL;
449 s->s3.alpn_proposed_len = 0;
25670f3e 450 if (!PACKET_memdup(&save_protocol_list,
555cbb32 451 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 453 return 0;
454 }
455
456 return 1;
457}
458
459#ifndef OPENSSL_NO_SRTP
61138358 460int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 461 size_t chainidx)
25670f3e 462{
25670f3e
MC		 463 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
464 unsigned int ct, mki_len, id;
465 int i, srtp_pref;
466 PACKET subpkt;
467
468 /* Ignore this if we have no SRTP profiles */
469 if (SSL_get_srtp_profiles(s) == NULL)
470 return 1;
471
472 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 473 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
474 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 475 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 476 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 477 return 0;
478 }
479
480 srvr = SSL_get_srtp_profiles(s);
481 s->srtp_profile = NULL;
482 /* Search all profiles for a match initially */
483 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
484
485 while (PACKET_remaining(&subpkt)) {
486 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 487 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 488 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 489 return 0;
490 }
491
492 /*
493 * Only look for match in profiles of higher preference than
494 * current match.
495 * If no profiles have been have been configured then this
496 * does nothing.
497 */
498 for (i = 0; i < srtp_pref; i++) {
d270de32 499 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 500 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
501
25670f3e
MC		 502 if (sprof->id == id) {
503 s->srtp_profile = sprof;
504 srtp_pref = i;
505 break;
506 }
507 }
508 }
509
1266eefd 510 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 511 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 512 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 513 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 514 return 0;
515 }
516
517 if (!PACKET_forward(pkt, mki_len)
518 || PACKET_remaining(pkt)) {
c48ffbcc 519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 520 return 0;
521 }
522
523 return 1;
524}
525#endif
526
61138358 527int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 528 size_t chainidx)
25670f3e
MC		 529{
530 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 531 s->ext.use_etm = 1;
25670f3e
MC		 532
533 return 1;
534}
535
b2f7e8c0
MC		 536/*
537 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
538 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 539 */
61138358 540int tls_parse_ctos_psk_kex_modes(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 541 X509 *x, size_t chainidx)
b2f7e8c0
MC		 542{
543#ifndef OPENSSL_NO_TLS1_3
544 PACKET psk_kex_modes;
545 unsigned int mode;
546
547 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
548 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 550 return 0;
551 }
552
553 while (PACKET_get_1(&psk_kex_modes, &mode)) {
554 if (mode == TLSEXT_KEX_MODE_KE_DHE)
555 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 556 else if (mode == TLSEXT_KEX_MODE_KE
557 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 558 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
559 }
560#endif
561
562 return 1;
563}
564
25670f3e
MC		 565/*
566 * Process a key_share extension received in the ClientHello. |pkt| contains
567 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 568 */
61138358 569int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 570 size_t chainidx)
25670f3e 571{
3cf96e88 572#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 573 unsigned int group_id;
574 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 575 const uint16_t *clntgroups, *srvrgroups;
576 size_t clnt_num_groups, srvr_num_groups;
43b95d73 577 int found = 0;
25670f3e 578
f4bbb37c 579 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 580 return 1;
581
582 /* Sanity check */
555cbb32 583 if (s->s3.peer_tmp != NULL) {
c48ffbcc 584 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 585 return 0;
586 }
587
588 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 589 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 590 return 0;
591 }
592
f48d826e
DSH		 593 /* Get our list of supported groups */
594 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
595 /* Get the clients list of supported groups. */
596 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
597 if (clnt_num_groups == 0) {
b6fdc12d
MC		 598 /*
599 * This can only happen if the supported_groups extension was not sent,
600 * because we verify that the length is non-zero when we process that
601 * extension.
602 */
c48ffbcc 603 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 604 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 605 return 0;
606 }
25670f3e 607
555cbb32 608 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 609 /*
610 * If we set a group_id already, then we must have sent an HRR
611 * requesting a new key_share. If we haven't got one then that is an
612 * error
613 */
c48ffbcc 614 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 615 return 0;
616 }
617
25670f3e
MC		 618 while (PACKET_remaining(&key_share_list) > 0) {
619 if (!PACKET_get_net_2(&key_share_list, &group_id)
620 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
621 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 622 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 623 return 0;
624 }
625
626 /*
627 * If we already found a suitable key_share we loop through the
628 * rest to verify the structure, but don't process them.
629 */
630 if (found)
631 continue;
632
43054d3d
MC		 633 /*
634 * If we sent an HRR then the key_share sent back MUST be for the group
635 * we requested, and must be the only key_share sent.
636 */
555cbb32 637 if (s->s3.group_id != 0
0a10825a 638 && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
43054d3d 639 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 640 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 641 return 0;
642 }
643
25670f3e 644 /* Check if this share is in supported_groups sent from client */
f48d826e 645 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 646 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 647 return 0;
648 }
649
650 /* Check if this share is for a group we can use */
f48d826e 651 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 652 /* Share not suitable */
653 continue;
654 }
655
0a10825a
BE		 656 s->s3.group_id = group_id;
657 /* Cache the selected group ID in the SSL_SESSION */
658 s->session->kex_group = group_id;
659
660 group_id = ssl_group_id_tls13_to_internal(group_id);
661
ada66e78 662 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 663 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 664 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
665 return 0;
666 }
667
d5530efa
TM		 668 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
669 PACKET_data(&encoded_pt),
670 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 671 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 672 return 0;
673 }
674
675 found = 1;
676 }
3cf96e88 677#endif
25670f3e
MC		 678
679 return 1;
680}
681
43054d3d
MC		 682int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
683 size_t chainidx)
684{
1aac20f5 685#ifndef OPENSSL_NO_TLS1_3
dd77962e 686 unsigned int format, version, key_share, group_id;
43054d3d
MC		 687 EVP_MD_CTX *hctx;
688 EVP_PKEY *pkey;
689 PACKET cookie, raw, chhash, appcookie;
690 WPACKET hrrpkt;
691 const unsigned char *data, *mdin, *ciphdata;
692 unsigned char hmac[SHA256_DIGEST_LENGTH];
693 unsigned char hrr[MAX_HRR_SIZE];
694 size_t rawlen, hmaclen, hrrlen, ciphlen;
d0debc0a 695 unsigned long tm, now;
43054d3d
MC		 696
697 /* Ignore any cookie if we're not set up to verify it */
3fa2812f 698 if (s->ctx->verify_stateless_cookie_cb == NULL
555cbb32 699 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 700 return 1;
701
702 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 703 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 704 return 0;
705 }
706
707 raw = cookie;
708 data = PACKET_data(&raw);
709 rawlen = PACKET_remaining(&raw);
710 if (rawlen < SHA256_DIGEST_LENGTH
711 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 712 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 713 return 0;
714 }
715 mdin = PACKET_data(&raw);
716
717 /* Verify the HMAC of the cookie */
718 hctx = EVP_MD_CTX_create();
d8652be0
MC		 719 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
720 s->ctx->propq,
721 s->session_ctx->ext.cookie_hmac_key,
722 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 723 if (hctx == NULL || pkey == NULL) {
724 EVP_MD_CTX_free(hctx);
725 EVP_PKEY_free(pkey);
c48ffbcc 726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 727 return 0;
728 }
729
97ea1e7f 730 hmaclen = SHA256_DIGEST_LENGTH;
d8652be0 731 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
d38b6ae9 732 s->ctx->propq, pkey, NULL) <= 0
97ea1e7f
MC		 733 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
734 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 735 || hmaclen != SHA256_DIGEST_LENGTH) {
736 EVP_MD_CTX_free(hctx);
737 EVP_PKEY_free(pkey);
c48ffbcc 738 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 739 return 0;
740 }
741
742 EVP_MD_CTX_free(hctx);
743 EVP_PKEY_free(pkey);
744
745 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 746 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 747 return 0;
748 }
749
750 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 751 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 752 return 0;
753 }
754 /* Check the cookie format is something we recognise. Ignore it if not */
755 if (format != COOKIE_STATE_FORMAT_VERSION)
756 return 1;
757
758 /*
759 * The rest of these checks really shouldn't fail since we have verified the
760 * HMAC above.
761 */
762
763 /* Check the version number is sane */
764 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 765 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 766 return 0;
767 }
768 if (version != TLS1_3_VERSION) {
c48ffbcc 769 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 770 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
771 return 0;
772 }
773
dd77962e 774 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 775 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 776 return 0;
777 }
dd77962e 778
43054d3d
MC		 779 ciphdata = PACKET_data(&cookie);
780 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 781 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 782 return 0;
783 }
555cbb32
TS		 784 if (group_id != s->s3.group_id
785 || s->s3.tmp.new_cipher
dd77962e
MC		 786 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
787 /*
788 * We chose a different cipher or group id this time around to what is
789 * in the cookie. Something must have changed.
790 */
c48ffbcc 791 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 792 return 0;
793 }
794
795 if (!PACKET_get_1(&cookie, &key_share)
d0debc0a 796 || !PACKET_get_net_4(&cookie, &tm)
43054d3d
MC		 797 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
798 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
799 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 800 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 801 return 0;
802 }
803
d0debc0a
MC		 804 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
805 now = (unsigned long)time(NULL);
806 if (tm > now || (now - tm) > 600) {
807 /* Cookie is stale. Ignore it */
808 return 1;
809 }
810
43054d3d 811 /* Verify the app cookie */
3fa2812f 812 if (s->ctx->verify_stateless_cookie_cb(s, PACKET_data(&appcookie),
43054d3d 813 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 814 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 815 return 0;
816 }
817
818 /*
819 * Reconstruct the HRR that we would have sent in response to the original
820 * ClientHello so we can add it to the transcript hash.
821 * Note: This won't work with custom HRR extensions
822 */
823 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 824 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 825 return 0;
826 }
827 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
828 || !WPACKET_start_sub_packet_u24(&hrrpkt)
829 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
830 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
831 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
832 s->tmp_session_id_len)
555cbb32 833 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
43054d3d
MC		 834 &ciphlen)
835 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
836 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
837 WPACKET_cleanup(&hrrpkt);
c48ffbcc 838 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 839 return 0;
840 }
841 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
842 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 843 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 844 || !WPACKET_close(&hrrpkt)) {
845 WPACKET_cleanup(&hrrpkt);
c48ffbcc 846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 847 return 0;
848 }
849 if (key_share) {
850 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
851 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 852 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 853 || !WPACKET_close(&hrrpkt)) {
854 WPACKET_cleanup(&hrrpkt);
c48ffbcc 855 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 856 return 0;
857 }
858 }
859 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
860 || !WPACKET_start_sub_packet_u16(&hrrpkt)
861 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
862 || !WPACKET_close(&hrrpkt) /* cookie extension */
863 || !WPACKET_close(&hrrpkt) /* extension block */
864 || !WPACKET_close(&hrrpkt) /* message */
865 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
866 || !WPACKET_finish(&hrrpkt)) {
867 WPACKET_cleanup(&hrrpkt);
c48ffbcc 868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 869 return 0;
870 }
871
872 /* Reconstruct the transcript hash */
873 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
874 PACKET_remaining(&chhash), hrr,
875 hrrlen)) {
876 /* SSLfatal() already called */
877 return 0;
878 }
879
880 /* Act as if this ClientHello came after a HelloRetryRequest */
881 s->hello_retry_request = 1;
882
c36001c3 883 s->ext.cookieok = 1;
1aac20f5 884#endif
c36001c3 885
43054d3d
MC		 886 return 1;
887}
888
61138358 889int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 890 X509 *x, size_t chainidx)
25670f3e
MC		 891{
892 PACKET supported_groups_list;
893
894 /* Each group is 2 bytes and we must have at least 1. */
895 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
896 || PACKET_remaining(&supported_groups_list) == 0
897 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 898 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 899 return 0;
900 }
901
e3743355 902 if (!s->hit || SSL_IS_TLS13(s)) {
45436e61
MC		 903 OPENSSL_free(s->ext.peer_supportedgroups);
904 s->ext.peer_supportedgroups = NULL;
905 s->ext.peer_supportedgroups_len = 0;
9e84a42d 906 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 907 &s->ext.peer_supportedgroups,
908 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 909 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 910 return 0;
911 }
25670f3e
MC		 912 }
913
914 return 1;
915}
25670f3e 916
61138358 917int tls_parse_ctos_ems(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 918 size_t chainidx)
25670f3e
MC		 919{
920 /* The extension must always be empty */
921 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 922 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 923 return 0;
924 }
925
088dfa13
TS		 926 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
927 return 1;
928
555cbb32 929 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 930
931 return 1;
932}
7da160b0 933
38df5a45
MC		 934
935int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context,
f63a17d6 936 X509 *x, size_t chainidx)
38df5a45
MC		 937{
938 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 939 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 940 return 0;
941 }
942
fc7129dc 943 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 944 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 945 return 0;
946 }
947
38df5a45
MC		 948 return 1;
949}
950
6cc0b3c2
MC		 951static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL *s, PACKET *tick,
952 SSL_SESSION **sess)
953{
954 SSL_SESSION *tmpsess = NULL;
955
5f26ddff
MC		 956 s->ext.ticket_expected = 1;
957
6cc0b3c2
MC		 958 switch (PACKET_remaining(tick)) {
959 case 0:
960 return SSL_TICKET_EMPTY;
961
962 case SSL_MAX_SSL_SESSION_ID_LENGTH:
963 break;
964
965 default:
966 return SSL_TICKET_NO_DECRYPT;
967 }
968
969 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
970 SSL_MAX_SSL_SESSION_ID_LENGTH);
971
972 if (tmpsess == NULL)
973 return SSL_TICKET_NO_DECRYPT;
974
6cc0b3c2
MC		 975 *sess = tmpsess;
976 return SSL_TICKET_SUCCESS;
977}
978
61138358 979int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
f63a17d6 980 size_t chainidx)
1053a6e2
MC		 981{
982 PACKET identities, binders, binder;
983 size_t binderoffset, hashsize;
984 SSL_SESSION *sess = NULL;
3a7c56b2 985 unsigned int id, i, ext = 0;
1053a6e2
MC		 986 const EVP_MD *md = NULL;
987
1a9f457c
MC		 988 /*
989 * If we have no PSK kex mode that we recognise then we can't resume so
990 * ignore this extension
991 */
992 if ((s->ext.psk_kex_mode
993 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
994 return 1;
995
1053a6e2 996 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 997 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 998 return 0;
999 }
1000
61fb5923 1001 s->ext.ticket_expected = 0;
1053a6e2
MC		 1002 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1003 PACKET identity;
2c604cb9 1004 unsigned long ticket_agel;
f3d40db1 1005 size_t idlen;
1053a6e2
MC		 1006
1007 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1008 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1009 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1010 return 0;
1011 }
1012
f3d40db1 1013 idlen = PACKET_remaining(&identity);
3a7c56b2 1014 if (s->psk_find_session_cb != NULL
f3d40db1 1015 && !s->psk_find_session_cb(s, PACKET_data(&identity), idlen,
011d768a 1016 &sess)) {
c48ffbcc 1017 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1018 return 0;
1019 }
1020
c2b290c3 1021#ifndef OPENSSL_NO_PSK
1287dabd 1022 if (sess == NULL
f3d40db1
MC		 1023 && s->psk_server_callback != NULL
1024 && idlen <= PSK_MAX_IDENTITY_LEN) {
1025 char *pskid = NULL;
1026 unsigned char pskdata[PSK_MAX_PSK_LEN];
1027 unsigned int pskdatalen;
1028
1029 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1031 return 0;
1032 }
1033 pskdatalen = s->psk_server_callback(s, pskid, pskdata,
1034 sizeof(pskdata));
1035 OPENSSL_free(pskid);
1036 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1037 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1038 return 0;
1039 } else if (pskdatalen > 0) {
1040 const SSL_CIPHER *cipher;
1041 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1042
1043 /*
1044 * We found a PSK using an old style callback. We don't know
1045 * the digest so we default to SHA256 as per the TLSv1.3 spec
1046 */
1047 cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
1048 if (cipher == NULL) {
1049 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1051 return 0;
1052 }
1053
1054 sess = SSL_SESSION_new();
1055 if (sess == NULL
1056 || !SSL_SESSION_set1_master_key(sess, pskdata,
1057 pskdatalen)
1058 || !SSL_SESSION_set_cipher(sess, cipher)
1059 || !SSL_SESSION_set_protocol_version(sess,
1060 TLS1_3_VERSION)) {
1061 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1062 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1063 goto err;
1064 }
1065 OPENSSL_cleanse(pskdata, pskdatalen);
1066 }
1067 }
c2b290c3 1068#endif /* OPENSSL_NO_PSK */
f3d40db1 1069
011d768a
MC		 1070 if (sess != NULL) {
1071 /* We found a PSK */
3a7c56b2 1072 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1073
3a7c56b2 1074 if (sesstmp == NULL) {
c48ffbcc 1075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1076 return 0;
1077 }
1078 SSL_SESSION_free(sess);
1079 sess = sesstmp;
1080
1081 /*
1082 * We've just been told to use this session for this context so
1083 * make sure the sid_ctx matches up.
1084 */
1085 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1086 sess->sid_ctx_length = s->sid_ctx_length;
1087 ext = 1;
630369d9
MC		 1088 if (id == 0)
1089 s->ext.early_data_ok = 1;
51256b34 1090 s->ext.ticket_expected = 1;
3a7c56b2
MC		 1091 } else {
1092 uint32_t ticket_age = 0, now, agesec, agems;
61fb5923
MC		 1093 int ret;
1094
e880d4e5
MC		 1095 /*
1096 * If we are using anti-replay protection then we behave as if
1097 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1098 * is no point in using full stateless tickets.
1099 */
1100 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1101 || (s->max_early_data > 0
1102 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1103 ret = tls_get_stateful_ticket(s, &identity, &sess);
1104 else
1105 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1106 PACKET_remaining(&identity), NULL, 0,
1107 &sess);
61fb5923
MC		 1108
1109 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1110 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1111 return 0;
1112 }
3a7c56b2 1113
df0fed9a
TS		 1114 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1115 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1117 return 0;
1118 }
61fb5923 1119 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1120 continue;
1121
66d7de16
MC		 1122 /* Check for replay */
1123 if (s->max_early_data > 0
5d263fb7 1124 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1125 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1126 SSL_SESSION_free(sess);
1127 sess = NULL;
1128 continue;
1129 }
1130
3a7c56b2
MC		 1131 ticket_age = (uint32_t)ticket_agel;
1132 now = (uint32_t)time(NULL);
1133 agesec = now - (uint32_t)sess->time;
1134 agems = agesec * (uint32_t)1000;
1135 ticket_age -= sess->ext.tick_age_add;
1136
1137 /*
1138 * For simplicity we do our age calculations in seconds. If the
1139 * client does it in ms then it could appear that their ticket age
1140 * is longer than ours (our ticket age calculation should always be
1141 * slightly longer than the client's due to the network latency).
1142 * Therefore we add 1000ms to our age calculation to adjust for
1143 * rounding errors.
1144 */
630369d9
MC		 1145 if (id == 0
1146 && sess->timeout >= (long)agesec
3a7c56b2
MC		 1147 && agems / (uint32_t)1000 == agesec
1148 && ticket_age <= agems + 1000
1149 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
1150 /*
1151 * Ticket age is within tolerance and not expired. We allow it
1152 * for early data
1153 */
1154 s->ext.early_data_ok = 1;
1155 }
1053a6e2 1156 }
1053a6e2 1157
c8f6c28a 1158 md = ssl_md(s->ctx, sess->cipher->algorithm2);
b740012f 1159 if (md == NULL) {
1160 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1161 goto err;
1162 }
c8f6c28a 1163 if (!EVP_MD_is_a(md,
ed576acd
TM		 1164 EVP_MD_get0_name(ssl_md(s->ctx,
1165 s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1166 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1167 SSL_SESSION_free(sess);
1168 sess = NULL;
630369d9 1169 s->ext.early_data_ok = 0;
51256b34 1170 s->ext.ticket_expected = 0;
1053a6e2
MC		 1171 continue;
1172 }
1053a6e2
MC		 1173 break;
1174 }
1175
1176 if (sess == NULL)
1177 return 1;
1178
1179 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
ed576acd 1180 hashsize = EVP_MD_get_size(md);
1053a6e2
MC		 1181
1182 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1183 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1184 goto err;
1185 }
1186
1187 for (i = 0; i <= id; i++) {
1188 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1189 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1190 goto err;
1191 }
1192 }
1193
2894e9cb 1194 if (PACKET_remaining(&binder) != hashsize) {
c48ffbcc 1195 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1196 goto err;
1197 }
1198 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1199 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1200 ext) != 1) {
635c8f77 1201 /* SSLfatal() already called */
1053a6e2
MC		 1202 goto err;
1203 }
1204
c96ce52c 1205 s->ext.tick_identity = id;
2c604cb9 1206
1053a6e2
MC		 1207 SSL_SESSION_free(s->session);
1208 s->session = sess;
1053a6e2
MC		 1209 return 1;
1210err:
312e9387 1211 SSL_SESSION_free(sess);
1053a6e2
MC		 1212 return 0;
1213}
1214
a7e6a3d8
P		 1215int tls_parse_ctos_post_handshake_auth(SSL *s, PACKET *pkt,
1216 ossl_unused unsigned int context,
1217 ossl_unused X509 *x,
1218 ossl_unused size_t chainidx)
9d75dce3
TS		 1219{
1220 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1221 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1222 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1223 return 0;
1224 }
1225
1226 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1227
1228 return 1;
1229}
1230
1266eefd
MC		 1231/*
1232 * Add the server's renegotiation binding
1233 */
b186a592
MC		 1234EXT_RETURN tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt,
1235 unsigned int context, X509 *x,
f63a17d6 1236 size_t chainidx)
7da160b0 1237{
555cbb32 1238 if (!s->s3.send_connection_binding)
b186a592 1239 return EXT_RETURN_NOT_SENT;
7da160b0 1240
db0f35dd 1241 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1242 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1243 || !WPACKET_start_sub_packet_u16(pkt)
1244 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1245 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1246 s->s3.previous_client_finished_len)
1247 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1248 s->s3.previous_server_finished_len)
7da160b0
MC		 1249 || !WPACKET_close(pkt)
1250 || !WPACKET_close(pkt)) {
c48ffbcc 1251 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1252 return EXT_RETURN_FAIL;
7da160b0
MC		 1253 }
1254
b186a592 1255 return EXT_RETURN_SENT;
7da160b0
MC		 1256}
1257
b186a592
MC		 1258EXT_RETURN tls_construct_stoc_server_name(SSL *s, WPACKET *pkt,
1259 unsigned int context, X509 *x,
f63a17d6 1260 size_t chainidx)
7da160b0 1261{
7955c1f1
MC		 1262 if (s->servername_done != 1)
1263 return EXT_RETURN_NOT_SENT;
1264
1265 /*
1266 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1267 * We just use the servername from the initial handshake.
1268 */
1269 if (s->hit && !SSL_IS_TLS13(s))
b186a592 1270 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1271
1272 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1273 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1274 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1275 return EXT_RETURN_FAIL;
7da160b0
MC		 1276 }
1277
b186a592 1278 return EXT_RETURN_SENT;
7da160b0
MC		 1279}
1280
cf72c757
F		 1281/* Add/include the server's max fragment len extension into ServerHello */
1282EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL *s, WPACKET *pkt,
1283 unsigned int context, X509 *x,
f63a17d6 1284 size_t chainidx)
cf72c757
F		 1285{
1286 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1287 return EXT_RETURN_NOT_SENT;
1288
1289 /*-
1290 * 4 bytes for this extension type and extension length
1291 * 1 byte for the Max Fragment Length code value.
1292 */
1293 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1294 || !WPACKET_start_sub_packet_u16(pkt)
1295 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1296 || !WPACKET_close(pkt)) {
c48ffbcc 1297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1298 return EXT_RETURN_FAIL;
1299 }
1300
1301 return EXT_RETURN_SENT;
1302}
1303
b186a592
MC		 1304EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt,
1305 unsigned int context, X509 *x,
f63a17d6 1306 size_t chainidx)
7da160b0 1307{
555cbb32
TS		 1308 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1309 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1310 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1311 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1312 const unsigned char *plist;
1313 size_t plistlen;
1314
1315 if (!using_ecc)
b186a592 1316 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1317
1318 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1319 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1320 || !WPACKET_start_sub_packet_u16(pkt)
1321 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1322 || !WPACKET_close(pkt)) {
c48ffbcc 1323 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1324 return EXT_RETURN_FAIL;
7da160b0
MC		 1325 }
1326
b186a592 1327 return EXT_RETURN_SENT;
7da160b0 1328}
7da160b0 1329
b186a592
MC		 1330EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt,
1331 unsigned int context, X509 *x,
f63a17d6 1332 size_t chainidx)
6af87546 1333{
9e84a42d 1334 const uint16_t *groups;
6af87546 1335 size_t numgroups, i, first = 1;
9d2d857f 1336 int version;
6af87546 1337
555cbb32
TS		 1338 /* s->s3.group_id is non zero if we accepted a key_share */
1339 if (s->s3.group_id == 0)
b186a592 1340 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1341
1342 /* Get our list of supported groups */
ff6d20a6 1343 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1344 if (numgroups == 0) {
c48ffbcc 1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1346 return EXT_RETURN_FAIL;
6af87546
MC		 1347 }
1348
1349 /* Copy group ID if supported */
9d2d857f 1350 version = SSL_version(s);
9e84a42d
DSH		 1351 for (i = 0; i < numgroups; i++) {
1352 uint16_t group = groups[i];
1353
8b1db5d3 1354 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1355 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1356 if (first) {
1357 /*
1358 * Check if the client is already using our preferred group. If
1359 * so we don't need to add this extension
1360 */
555cbb32 1361 if (s->s3.group_id == group)
b186a592 1362 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1363
1364 /* Add extension header */
1365 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1366 /* Sub-packet for supported_groups extension */
1367 || !WPACKET_start_sub_packet_u16(pkt)
1368 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1370 return EXT_RETURN_FAIL;
6af87546
MC		 1371 }
1372
1373 first = 0;
1374 }
9e84a42d 1375 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1376 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1377 return EXT_RETURN_FAIL;
6af87546
MC		 1378 }
1379 }
1380 }
1381
1382 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1384 return EXT_RETURN_FAIL;
6af87546
MC		 1385 }
1386
b186a592 1387 return EXT_RETURN_SENT;
6af87546
MC		 1388}
1389
b186a592
MC		 1390EXT_RETURN tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt,
1391 unsigned int context, X509 *x,
f63a17d6 1392 size_t chainidx)
7da160b0 1393{
aff8c126
RS		 1394 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1395 s->ext.ticket_expected = 0;
b186a592 1396 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1397 }
1398
1399 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1400 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1402 return EXT_RETURN_FAIL;
7da160b0
MC		 1403 }
1404
b186a592 1405 return EXT_RETURN_SENT;
7da160b0
MC		 1406}
1407
ab83e314 1408#ifndef OPENSSL_NO_OCSP
b186a592
MC		 1409EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
1410 unsigned int context, X509 *x,
f63a17d6 1411 size_t chainidx)
7da160b0 1412{
debb64a0
MC		 1413 /* We don't currently support this extension inside a CertificateRequest */
1414 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1415 return EXT_RETURN_NOT_SENT;
1416
aff8c126 1417 if (!s->ext.status_expected)
b186a592 1418 return EXT_RETURN_NOT_SENT;
7da160b0 1419
8521ced6 1420 if (SSL_IS_TLS13(s) && chainidx != 0)
b186a592 1421 return EXT_RETURN_NOT_SENT;
e96e0f8e 1422
7da160b0 1423 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1424 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1426 return EXT_RETURN_FAIL;
f63e4288
MC		 1427 }
1428
1429 /*
1430 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1431 * send back an empty extension, with the certificate status appearing as a
1432 * separate message
1433 */
3ec8d113
MC		 1434 if (SSL_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
1435 /* SSLfatal() already called */
56d36288 1436 return EXT_RETURN_FAIL;
3ec8d113
MC		 1437 }
1438 if (!WPACKET_close(pkt)) {
c48ffbcc 1439 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1440 return EXT_RETURN_FAIL;
7da160b0
MC		 1441 }
1442
b186a592 1443 return EXT_RETURN_SENT;
7da160b0 1444}
ab83e314 1445#endif
7da160b0 1446
7da160b0 1447#ifndef OPENSSL_NO_NEXTPROTONEG
b186a592
MC		 1448EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
1449 unsigned int context, X509 *x,
f63a17d6 1450 size_t chainidx)
7da160b0
MC		 1451{
1452 const unsigned char *npa;
1453 unsigned int npalen;
1454 int ret;
555cbb32 1455 int npn_seen = s->s3.npn_seen;
7da160b0 1456
555cbb32 1457 s->s3.npn_seen = 0;
aff8c126 1458 if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
b186a592 1459 return EXT_RETURN_NOT_SENT;
7da160b0 1460
aff8c126
RS		 1461 ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
1462 s->ctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1463 if (ret == SSL_TLSEXT_ERR_OK) {
1464 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1465 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1467 return EXT_RETURN_FAIL;
7da160b0 1468 }
555cbb32 1469 s->s3.npn_seen = 1;
7da160b0
MC		 1470 }
1471
b186a592 1472 return EXT_RETURN_SENT;
7da160b0
MC		 1473}
1474#endif
1475
b186a592 1476EXT_RETURN tls_construct_stoc_alpn(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1477 X509 *x, size_t chainidx)
7da160b0 1478{
555cbb32 1479 if (s->s3.alpn_selected == NULL)
b186a592 1480 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1481
1482 if (!WPACKET_put_bytes_u16(pkt,
1483 TLSEXT_TYPE_application_layer_protocol_negotiation)
1484 || !WPACKET_start_sub_packet_u16(pkt)
1485 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1486 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1487 s->s3.alpn_selected_len)
7da160b0
MC		 1488 || !WPACKET_close(pkt)
1489 || !WPACKET_close(pkt)) {
c48ffbcc 1490 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1491 return EXT_RETURN_FAIL;
7da160b0
MC		 1492 }
1493
b186a592 1494 return EXT_RETURN_SENT;
7da160b0
MC		 1495}
1496
1497#ifndef OPENSSL_NO_SRTP
b186a592
MC		 1498EXT_RETURN tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt,
1499 unsigned int context, X509 *x,
f63a17d6 1500 size_t chainidx)
7da160b0
MC		 1501{
1502 if (s->srtp_profile == NULL)
b186a592 1503 return EXT_RETURN_NOT_SENT;
a1448c26 1504
7da160b0
MC		 1505 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1506 || !WPACKET_start_sub_packet_u16(pkt)
1507 || !WPACKET_put_bytes_u16(pkt, 2)
1508 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1509 || !WPACKET_put_bytes_u8(pkt, 0)
1510 || !WPACKET_close(pkt)) {
c48ffbcc 1511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1512 return EXT_RETURN_FAIL;
7da160b0
MC		 1513 }
1514
b186a592 1515 return EXT_RETURN_SENT;
7da160b0
MC		 1516}
1517#endif
1518
b186a592 1519EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1520 X509 *x, size_t chainidx)
7da160b0 1521{
28a31a0a 1522 if (!s->ext.use_etm)
b186a592 1523 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1524
1525 /*
1526 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1527 * for other cases too.
1528 */
555cbb32
TS		 1529 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1530 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1531 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1532 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1533 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1534 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1535 s->ext.use_etm = 0;
b186a592 1536 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1537 }
1538
1539 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1540 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1541 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1542 return EXT_RETURN_FAIL;
7da160b0
MC		 1543 }
1544
b186a592 1545 return EXT_RETURN_SENT;
7da160b0
MC		 1546}
1547
b186a592 1548EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1549 X509 *x, size_t chainidx)
7da160b0 1550{
555cbb32 1551 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1552 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1553
1554 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1555 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1557 return EXT_RETURN_FAIL;
7da160b0
MC		 1558 }
1559
b186a592 1560 return EXT_RETURN_SENT;
7da160b0
MC		 1561}
1562
88050dd1
MC		 1563EXT_RETURN tls_construct_stoc_supported_versions(SSL *s, WPACKET *pkt,
1564 unsigned int context, X509 *x,
1565 size_t chainidx)
1566{
27e462f1 1567 if (!ossl_assert(SSL_IS_TLS13(s))) {
c48ffbcc 1568 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1569 return EXT_RETURN_FAIL;
1570 }
88050dd1
MC		 1571
1572 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1573 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1574 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1575 || !WPACKET_close(pkt)) {
c48ffbcc 1576 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1577 return EXT_RETURN_FAIL;
1578 }
1579
1580 return EXT_RETURN_SENT;
1581}
1582
b186a592
MC		 1583EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
1584 unsigned int context, X509 *x,
f63a17d6 1585 size_t chainidx)
7da160b0 1586{
3cf96e88 1587#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1588 unsigned char *encodedPoint;
1589 size_t encoded_pt_len = 0;
555cbb32 1590 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1591 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1592
dd77962e
MC		 1593 if (s->hello_retry_request == SSL_HRR_PENDING) {
1594 if (ckey != NULL) {
1595 /* Original key_share was acceptable so don't ask for another one */
1596 return EXT_RETURN_NOT_SENT;
1597 }
1598 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1599 || !WPACKET_start_sub_packet_u16(pkt)
0a10825a
BE		 1600 || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
1601 s->s3.group_id))
dd77962e 1602 || !WPACKET_close(pkt)) {
c48ffbcc 1603 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1604 return EXT_RETURN_FAIL;
7d061fce
MC		 1605 }
1606
dd77962e
MC		 1607 return EXT_RETURN_SENT;
1608 }
1609
1610 if (ckey == NULL) {
1611 /* No key_share received from client - must be resuming */
0247086d 1612 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1613 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1614 return EXT_RETURN_FAIL;
0247086d 1615 }
b186a592 1616 return EXT_RETURN_NOT_SENT;
7da160b0 1617 }
e776858b
BK		 1618 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1619 /*
1620 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1621 * DHE option we always take it); don't send key share.
1622 */
1623 return EXT_RETURN_NOT_SENT;
1624 }
7da160b0
MC		 1625
1626 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1627 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1628 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1629 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1630 return EXT_RETURN_FAIL;
7da160b0
MC		 1631 }
1632
8b17fbaf 1633 if ((ginf = tls1_group_id_lookup(s->ctx, s->s3.group_id)) == NULL) {
c48ffbcc 1634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1635 return EXT_RETURN_FAIL;
7da160b0
MC		 1636 }
1637
8b17fbaf
NT		 1638 if (!ginf->is_kem) {
1639 /* Regular KEX */
1640 skey = ssl_generate_pkey(s, ckey);
1641 if (skey == NULL) {
c48ffbcc 1642 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
8b17fbaf
NT		 1643 return EXT_RETURN_FAIL;
1644 }
7da160b0 1645
8b17fbaf 1646 /* Generate encoding of server key */
5ac8fb58 1647 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1648 if (encoded_pt_len == 0) {
c48ffbcc 1649 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1650 EVP_PKEY_free(skey);
1651 return EXT_RETURN_FAIL;
1652 }
1653
1654 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1655 || !WPACKET_close(pkt)) {
c48ffbcc 1656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1657 EVP_PKEY_free(skey);
1658 OPENSSL_free(encodedPoint);
1659 return EXT_RETURN_FAIL;
1660 }
7da160b0 1661 OPENSSL_free(encodedPoint);
7da160b0 1662
8b17fbaf
NT		 1663 /*
1664 * This causes the crypto state to be updated based on the derived keys
1665 */
1666 s->s3.tmp.pkey = skey;
1667 if (ssl_derive(s, skey, ckey, 1) == 0) {
1668 /* SSLfatal() already called */
1669 return EXT_RETURN_FAIL;
1670 }
1671 } else {
1672 /* KEM mode */
1673 unsigned char *ct = NULL;
1674 size_t ctlen = 0;
1675
1676 /*
1677 * This does not update the crypto state.
1678 *
1679 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1680 * ssl_gensecret().
1681 */
1682 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1683 /* SSLfatal() already called */
1684 return EXT_RETURN_FAIL;
1685 }
1686
1687 if (ctlen == 0) {
c48ffbcc 1688 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1689 OPENSSL_free(ct);
1690 return EXT_RETURN_FAIL;
1691 }
1692
1693 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1694 || !WPACKET_close(pkt)) {
c48ffbcc 1695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1696 OPENSSL_free(ct);
1697 return EXT_RETURN_FAIL;
1698 }
1699 OPENSSL_free(ct);
1700
1701 /*
1702 * This causes the crypto state to be updated based on the generated pms
1703 */
1704 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1705 /* SSLfatal() already called */
1706 return EXT_RETURN_FAIL;
1707 }
7da160b0 1708 }
aa6bd216 1709 s->s3.did_kex = 1;
b186a592 1710 return EXT_RETURN_SENT;
1aac20f5
MC		 1711#else
1712 return EXT_RETURN_FAIL;
1713#endif
7da160b0
MC		 1714}
1715
43054d3d
MC		 1716EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
1717 X509 *x, size_t chainidx)
1718{
1aac20f5 1719#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1720 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1721 unsigned char *hmac, *hmac2;
3fa2812f 1722 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1723 EVP_MD_CTX *hctx;
1724 EVP_PKEY *pkey;
1725 int ret = EXT_RETURN_FAIL;
1726
555cbb32 1727 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1728 return EXT_RETURN_NOT_SENT;
1729
3fa2812f 1730 if (s->ctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1731 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1732 return EXT_RETURN_FAIL;
1733 }
1734
43054d3d
MC		 1735 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1736 || !WPACKET_start_sub_packet_u16(pkt)
1737 || !WPACKET_start_sub_packet_u16(pkt)
1738 || !WPACKET_get_total_written(pkt, &startlen)
1739 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1740 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1741 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32
TS		 1742 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
1743 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
43054d3d
MC		 1744 &ciphlen)
1745 /* Is there a key_share extension present in this HRR? */
555cbb32 1746 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
d0debc0a 1747 || !WPACKET_put_bytes_u32(pkt, (unsigned int)time(NULL))
43054d3d
MC		 1748 || !WPACKET_start_sub_packet_u16(pkt)
1749 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1750 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1751 return EXT_RETURN_FAIL;
1752 }
1753
1754 /*
1755 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1756 * on raw buffers, so we first reserve sufficient bytes (above) and then
1757 * subsequently allocate them (below)
1758 */
1759 if (!ssl3_digest_cached_records(s, 0)
1760 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1761 /* SSLfatal() already called */
1762 return EXT_RETURN_FAIL;
1763 }
1764
1765 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1766 || !ossl_assert(hashval1 == hashval2)
1767 || !WPACKET_close(pkt)
1768 || !WPACKET_start_sub_packet_u8(pkt)
1769 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1771 return EXT_RETURN_FAIL;
1772 }
1773
1774 /* Generate the application cookie */
3fa2812f 1775 if (s->ctx->gen_stateless_cookie_cb(s, appcookie1, &appcookielen) == 0) {
c48ffbcc 1776 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1777 return EXT_RETURN_FAIL;
1778 }
1779
1780 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1781 || !ossl_assert(appcookie1 == appcookie2)
1782 || !WPACKET_close(pkt)
1783 || !WPACKET_get_total_written(pkt, &totcookielen)
1784 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1786 return EXT_RETURN_FAIL;
1787 }
1788 hmaclen = SHA256_DIGEST_LENGTH;
1789
1790 totcookielen -= startlen;
1791 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1792 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1793 return EXT_RETURN_FAIL;
1794 }
1795
1796 /* HMAC the cookie */
1797 hctx = EVP_MD_CTX_create();
d8652be0
MC		 1798 pkey = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC",
1799 s->ctx->propq,
1800 s->session_ctx->ext.cookie_hmac_key,
1801 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1802 if (hctx == NULL || pkey == NULL) {
c48ffbcc 1803 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 1804 goto err;
1805 }
1806
d8652be0 1807 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", s->ctx->libctx,
d38b6ae9 1808 s->ctx->propq, pkey, NULL) <= 0
43054d3d
MC		 1809 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1810 totcookielen) <= 0) {
c48ffbcc 1811 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1812 goto err;
1813 }
1814
1815 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1816 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1817 goto err;
1818 }
1819
1820 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1821 || !ossl_assert(hmac == hmac2)
1822 || !ossl_assert(cookie == hmac - totcookielen)
1823 || !WPACKET_close(pkt)
1824 || !WPACKET_close(pkt)) {
c48ffbcc 1825 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1826 goto err;
1827 }
1828
1829 ret = EXT_RETURN_SENT;
1830
1831 err:
1832 EVP_MD_CTX_free(hctx);
1833 EVP_PKEY_free(pkey);
1834 return ret;
1aac20f5
MC		 1835#else
1836 return EXT_RETURN_FAIL;
1837#endif
43054d3d
MC		 1838}
1839
b186a592
MC		 1840EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL *s, WPACKET *pkt,
1841 unsigned int context, X509 *x,
f63a17d6 1842 size_t chainidx)
7da160b0
MC		 1843{
1844 const unsigned char cryptopro_ext[36] = {
1845 0xfd, 0xe8, /* 65000 */
1846 0x00, 0x20, /* 32 bytes length */
1847 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1848 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1849 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1850 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1851 };
1852
555cbb32
TS		 1853 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1854 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
7da160b0 1855 || (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1856 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1857
1858 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1859 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1860 return EXT_RETURN_FAIL;
7da160b0
MC		 1861 }
1862
b186a592 1863 return EXT_RETURN_SENT;
7da160b0 1864}
0247086d 1865
b186a592
MC		 1866EXT_RETURN tls_construct_stoc_early_data(SSL *s, WPACKET *pkt,
1867 unsigned int context, X509 *x,
f63a17d6 1868 size_t chainidx)
38df5a45 1869{
fe874d27 1870 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1871 if (s->max_early_data == 0)
b186a592 1872 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1873
1874 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1875 || !WPACKET_start_sub_packet_u16(pkt)
1876 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1877 || !WPACKET_close(pkt)) {
c48ffbcc 1878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1879 return EXT_RETURN_FAIL;
6594189f
MC		 1880 }
1881
b186a592 1882 return EXT_RETURN_SENT;
6594189f
MC		 1883 }
1884
38df5a45 1885 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1886 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1887
1888 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1889 || !WPACKET_start_sub_packet_u16(pkt)
1890 || !WPACKET_close(pkt)) {
c48ffbcc 1891 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1892 return EXT_RETURN_FAIL;
38df5a45
MC		 1893 }
1894
b186a592 1895 return EXT_RETURN_SENT;
38df5a45
MC		 1896}
1897
b186a592 1898EXT_RETURN tls_construct_stoc_psk(SSL *s, WPACKET *pkt, unsigned int context,
f63a17d6 1899 X509 *x, size_t chainidx)
0247086d
MC		 1900{
1901 if (!s->hit)
b186a592 1902 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1903
1904 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1905 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1906 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1907 || !WPACKET_close(pkt)) {
c48ffbcc 1908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1909 return EXT_RETURN_FAIL;
0247086d
MC		 1910 }
1911
b186a592 1912 return EXT_RETURN_SENT;
0247086d 1913}
A mirror of the official openssl repository