]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_srvr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ssl: modify libssl so that it uses OSSL_TIME
[thirdparty/openssl.git] / ssl / statem / extensions_srvr.c
CommitLineData
25670f3e 1/*
fecb3aae 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
25670f3e 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
25670f3e
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/ocsp.h>
706457b7
DMSP		 11#include "../ssl_local.h"
12#include "statem_local.h"
43054d3d
MC		 13#include "internal/cryptlib.h"
14
e8a557dc 15#define COOKIE_STATE_FORMAT_VERSION 1
43054d3d
MC		 16
17/*
18 * 2 bytes for packet length, 2 bytes for format version, 2 bytes for
19 * protocol version, 2 bytes for group id, 2 bytes for cipher id, 1 byte for
e8a557dc 20 * key_share present flag, 8 bytes for timestamp, 2 bytes for the hashlen,
d0debc0a
MC		 21 * EVP_MAX_MD_SIZE for transcript hash, 1 byte for app cookie length, app cookie
22 * length bytes, SHA256_DIGEST_LENGTH bytes for the HMAC of the whole thing.
43054d3d 23 */
e8a557dc 24#define MAX_COOKIE_SIZE (2 + 2 + 2 + 2 + 2 + 1 + 8 + 2 + EVP_MAX_MD_SIZE + 1 \
43054d3d
MC		 25 + SSL_COOKIE_LENGTH + SHA256_DIGEST_LENGTH)
26
27/*
28 * Message header + 2 bytes for protocol version + number of random bytes +
97ea1e7f
MC		 29 * + 1 byte for legacy session id length + number of bytes in legacy session id
30 * + 2 bytes for ciphersuite + 1 byte for legacy compression
31 * + 2 bytes for extension block length + 6 bytes for key_share extension
32 * + 4 bytes for cookie extension header + the number of bytes in the cookie
43054d3d 33 */
97ea1e7f 34#define MAX_HRR_SIZE (SSL3_HM_HEADER_LENGTH + 2 + SSL3_RANDOM_SIZE + 1 \
43054d3d
MC		 35 + SSL_MAX_SSL_SESSION_ID_LENGTH + 2 + 1 + 2 + 6 + 4 \
36 + MAX_COOKIE_SIZE)
25670f3e
MC		 37
38/*
39 * Parse the client's renegotiation binding and abort if it's not right
40 */
38b051a1
TM		 41int tls_parse_ctos_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
42 unsigned int context,
f63a17d6 43 X509 *x, size_t chainidx)
25670f3e
MC		 44{
45 unsigned int ilen;
46 const unsigned char *data;
47
48 /* Parse the length byte */
49 if (!PACKET_get_1(pkt, &ilen)
50 || !PACKET_get_bytes(pkt, &data, ilen)) {
c48ffbcc 51 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
25670f3e
MC		 52 return 0;
53 }
54
55 /* Check that the extension matches */
555cbb32 56 if (ilen != s->s3.previous_client_finished_len) {
c48ffbcc 57 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 58 return 0;
59 }
60
555cbb32
TS		 61 if (memcmp(data, s->s3.previous_client_finished,
62 s->s3.previous_client_finished_len)) {
c48ffbcc 63 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_RENEGOTIATION_MISMATCH);
25670f3e
MC		 64 return 0;
65 }
66
555cbb32 67 s->s3.send_connection_binding = 1;
25670f3e
MC		 68
69 return 1;
70}
71
1266eefd
MC		 72/*-
73 * The servername extension is treated as follows:
74 *
75 * - Only the hostname type is supported with a maximum length of 255.
76 * - The servername is rejected if too long or if it contains zeros,
77 * in which case an fatal alert is generated.
78 * - The servername field is maintained together with the session cache.
79 * - When a session is resumed, the servername call back invoked in order
80 * to allow the application to position itself to the right context.
81 * - The servername is acknowledged if it is new for a session or when
82 * it is identical to a previously used for the same session.
83 * Applications can control the behaviour. They can at any time
84 * set a 'desirable' servername for a new SSL object. This can be the
85 * case for example with HTTPS when a Host: header field is received and
86 * a renegotiation is requested. In this case, a possible servername
87 * presented in the new client hello is only acknowledged if it matches
88 * the value of the Host: field.
89 * - Applications must use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
90 * if they provide for changing an explicit servername context for the
91 * session, i.e. when the session has been established with a servername
92 * extension.
93 * - On session reconnect, the servername extension may be absent.
94 */
38b051a1
TM		 95int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt,
96 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 97{
98 unsigned int servname_type;
99 PACKET sni, hostname;
100
25670f3e
MC		 101 if (!PACKET_as_length_prefixed_2(pkt, &sni)
102 /* ServerNameList must be at least 1 byte long. */
103 || PACKET_remaining(&sni) == 0) {
c48ffbcc 104 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 105 return 0;
106 }
107
108 /*
44e69951
F		 109 * Although the intent was for server_name to be extensible, RFC 4366
110 * was not clear about it; and so OpenSSL among other implementations,
111 * always and only allows a 'host_name' name types.
25670f3e
MC		 112 * RFC 6066 corrected the mistake but adding new name types
113 * is nevertheless no longer feasible, so act as if no other
114 * SNI types can exist, to simplify parsing.
115 *
116 * Also note that the RFC permits only one SNI value per type,
117 * i.e., we can only have a single hostname.
118 */
119 if (!PACKET_get_1(&sni, &servname_type)
120 || servname_type != TLSEXT_NAMETYPE_host_name
121 || !PACKET_as_length_prefixed_2(&sni, &hostname)) {
c48ffbcc 122 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 123 return 0;
124 }
125
7955c1f1
MC		 126 /*
127 * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3
128 * we always use the SNI value from the handshake.
129 */
38b051a1 130 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
25670f3e 131 if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) {
c48ffbcc 132 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 133 return 0;
134 }
135
136 if (PACKET_contains_zero_byte(&hostname)) {
c48ffbcc 137 SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION);
25670f3e
MC		 138 return 0;
139 }
140
1c4aa31d
BK		 141 /*
142 * Store the requested SNI in the SSL as temporary storage.
143 * If we accept it, it will get stored in the SSL_SESSION as well.
144 */
145 OPENSSL_free(s->ext.hostname);
146 s->ext.hostname = NULL;
147 if (!PACKET_strndup(&hostname, &s->ext.hostname)) {
c48ffbcc 148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 149 return 0;
150 }
151
152 s->servername_done = 1;
7955c1f1
MC		 153 } else {
154 /*
155 * In TLSv1.2 and below we should check if the SNI is consistent between
156 * the initial handshake and the resumption. In TLSv1.3 SNI is not
157 * associated with the session.
158 */
1c4aa31d 159 s->servername_done = (s->session->ext.hostname != NULL)
aff8c126
RS		 160 && PACKET_equal(&hostname, s->session->ext.hostname,
161 strlen(s->session->ext.hostname));
25670f3e
MC		 162 }
163
164 return 1;
165}
166
38b051a1
TM		 167int tls_parse_ctos_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
168 unsigned int context,
f63a17d6 169 X509 *x, size_t chainidx)
cf72c757
F		 170{
171 unsigned int value;
172
173 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 174 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 175 return 0;
176 }
177
178 /* Received |value| should be a valid max-fragment-length code. */
179 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 180 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 181 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 182 return 0;
183 }
184
185 /*
186 * RFC 6066: The negotiated length applies for the duration of the session
187 * including session resumptions.
188 * We should receive the same code as in resumed session !
189 */
190 if (s->hit && s->session->ext.max_fragment_len_mode != value) {
f63a17d6 191 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 192 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 193 return 0;
194 }
195
196 /*
197 * Store it in session, so it'll become binding for us
198 * and we'll include it in a next Server Hello.
199 */
200 s->session->ext.max_fragment_len_mode = value;
201 return 1;
202}
203
25670f3e 204#ifndef OPENSSL_NO_SRP
38b051a1
TM		 205int tls_parse_ctos_srp(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
206 X509 *x, size_t chainidx)
25670f3e
MC		 207{
208 PACKET srp_I;
209
210 if (!PACKET_as_length_prefixed_1(pkt, &srp_I)
211 || PACKET_contains_zero_byte(&srp_I)) {
c48ffbcc 212 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 213 return 0;
214 }
215
25670f3e 216 if (!PACKET_strndup(&srp_I, &s->srp_ctx.login)) {
c48ffbcc 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 218 return 0;
219 }
220
221 return 1;
222}
223#endif
224
38b051a1
TM		 225int tls_parse_ctos_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
226 unsigned int context,
f63a17d6 227 X509 *x, size_t chainidx)
25670f3e
MC		 228{
229 PACKET ec_point_format_list;
230
231 if (!PACKET_as_length_prefixed_1(pkt, &ec_point_format_list)
232 || PACKET_remaining(&ec_point_format_list) == 0) {
c48ffbcc 233 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 234 return 0;
235 }
236
237 if (!s->hit) {
238 if (!PACKET_memdup(&ec_point_format_list,
cd0fb43c
MC		 239 &s->ext.peer_ecpointformats,
240 &s->ext.peer_ecpointformats_len)) {
c48ffbcc 241 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 242 return 0;
243 }
244 }
245
246 return 1;
247}
25670f3e 248
38b051a1
TM		 249int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
250 unsigned int context,
f63a17d6 251 X509 *x, size_t chainidx)
25670f3e 252{
aff8c126 253 if (s->ext.session_ticket_cb &&
38b051a1
TM		 254 !s->ext.session_ticket_cb(SSL_CONNECTION_GET_SSL(s),
255 PACKET_data(pkt), PACKET_remaining(pkt),
256 s->ext.session_ticket_cb_arg)) {
c48ffbcc 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 258 return 0;
259 }
260
261 return 1;
262}
263
38b051a1 264int tls_parse_ctos_sig_algs_cert(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 265 ossl_unused unsigned int context,
266 ossl_unused X509 *x,
267 ossl_unused size_t chainidx)
c589c34e
BK		 268{
269 PACKET supported_sig_algs;
270
271 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
272 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 273 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 274 return 0;
275 }
276
277 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 1)) {
c48ffbcc 278 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
c589c34e
BK		 279 return 0;
280 }
281
282 return 1;
283}
284
38b051a1
TM		 285int tls_parse_ctos_sig_algs(SSL_CONNECTION *s, PACKET *pkt,
286 unsigned int context, X509 *x, size_t chainidx)
25670f3e
MC		 287{
288 PACKET supported_sig_algs;
289
290 if (!PACKET_as_length_prefixed_2(pkt, &supported_sig_algs)
25670f3e 291 || PACKET_remaining(&supported_sig_algs) == 0) {
c48ffbcc 292 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 293 return 0;
294 }
295
c589c34e 296 if (!s->hit && !tls1_save_sigalgs(s, &supported_sig_algs, 0)) {
c48ffbcc 297 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 298 return 0;
299 }
300
301 return 1;
302}
303
ab83e314 304#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 305int tls_parse_ctos_status_request(SSL_CONNECTION *s, PACKET *pkt,
306 unsigned int context,
f63a17d6 307 X509 *x, size_t chainidx)
25670f3e 308{
1266eefd
MC		 309 PACKET responder_id_list, exts;
310
ded4a83d
MC		 311 /* We ignore this in a resumption handshake */
312 if (s->hit)
313 return 1;
314
e96e0f8e
MC		 315 /* Not defined if we get one of these in a client Certificate */
316 if (x != NULL)
317 return 1;
318
aff8c126 319 if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
c48ffbcc 320 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 321 return 0;
322 }
ab83e314 323
aff8c126 324 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
25670f3e 325 /*
1266eefd 326 * We don't know what to do with any other type so ignore it.
25670f3e 327 */
aff8c126 328 s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
1266eefd
MC		 329 return 1;
330 }
25670f3e 331
1266eefd 332 if (!PACKET_get_length_prefixed_2 (pkt, &responder_id_list)) {
c48ffbcc 333 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 334 return 0;
335 }
25670f3e 336
1266eefd
MC		 337 /*
338 * We remove any OCSP_RESPIDs from a previous handshake
339 * to prevent unbounded memory growth - CVE-2016-6304
340 */
aff8c126 341 sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
1266eefd 342 if (PACKET_remaining(&responder_id_list) > 0) {
aff8c126
RS		 343 s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
344 if (s->ext.ocsp.ids == NULL) {
c48ffbcc 345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1266eefd
MC		 346 return 0;
347 }
348 } else {
aff8c126 349 s->ext.ocsp.ids = NULL;
1266eefd 350 }
25670f3e 351
1266eefd
MC		 352 while (PACKET_remaining(&responder_id_list) > 0) {
353 OCSP_RESPID *id;
354 PACKET responder_id;
355 const unsigned char *id_data;
25670f3e 356
1266eefd
MC		 357 if (!PACKET_get_length_prefixed_2(&responder_id_list, &responder_id)
358 || PACKET_remaining(&responder_id) == 0) {
c48ffbcc 359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 360 return 0;
361 }
25670f3e 362
1266eefd 363 id_data = PACKET_data(&responder_id);
1266eefd
MC		 364 id = d2i_OCSP_RESPID(NULL, &id_data,
365 (int)PACKET_remaining(&responder_id));
366 if (id == NULL) {
c48ffbcc 367 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 368 return 0;
25670f3e
MC		 369 }
370
1266eefd
MC		 371 if (id_data != PACKET_end(&responder_id)) {
372 OCSP_RESPID_free(id);
c48ffbcc 373 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
f63a17d6 374
25670f3e
MC		 375 return 0;
376 }
377
aff8c126 378 if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
1266eefd 379 OCSP_RESPID_free(id);
c48ffbcc 380 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f63a17d6 381
1266eefd
MC		 382 return 0;
383 }
384 }
385
386 /* Read in request_extensions */
387 if (!PACKET_as_length_prefixed_2(pkt, &exts)) {
c48ffbcc 388 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd
MC		 389 return 0;
390 }
391
392 if (PACKET_remaining(&exts) > 0) {
393 const unsigned char *ext_data = PACKET_data(&exts);
394
aff8c126 395 sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
1266eefd 396 X509_EXTENSION_free);
aff8c126 397 s->ext.ocsp.exts =
1266eefd 398 d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
aff8c126 399 if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
c48ffbcc 400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1266eefd 401 return 0;
25670f3e 402 }
25670f3e
MC		 403 }
404
405 return 1;
406}
ab83e314 407#endif
25670f3e
MC		 408
409#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 410int tls_parse_ctos_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
411 X509 *x, size_t chainidx)
25670f3e 412{
1266eefd
MC		 413 /*
414 * We shouldn't accept this extension on a
415 * renegotiation.
1266eefd 416 */
c7f47786 417 if (SSL_IS_FIRST_HANDSHAKE(s))
555cbb32 418 s->s3.npn_seen = 1;
25670f3e
MC		 419
420 return 1;
421}
422#endif
423
424/*
1266eefd 425 * Save the ALPN extension in a ClientHello.|pkt| holds the contents of the ALPN
29bfd5b7 426 * extension, not including type and length. Returns: 1 on success, 0 on error.
25670f3e 427 */
38b051a1
TM		 428int tls_parse_ctos_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
429 X509 *x, size_t chainidx)
25670f3e
MC		 430{
431 PACKET protocol_list, save_protocol_list, protocol;
432
c7f47786 433 if (!SSL_IS_FIRST_HANDSHAKE(s))
25670f3e
MC		 434 return 1;
435
436 if (!PACKET_as_length_prefixed_2(pkt, &protocol_list)
437 || PACKET_remaining(&protocol_list) < 2) {
c48ffbcc 438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 439 return 0;
440 }
441
442 save_protocol_list = protocol_list;
443 do {
444 /* Protocol names can't be empty. */
445 if (!PACKET_get_length_prefixed_1(&protocol_list, &protocol)
446 || PACKET_remaining(&protocol) == 0) {
c48ffbcc 447 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 448 return 0;
449 }
450 } while (PACKET_remaining(&protocol_list) != 0);
451
555cbb32
TS		 452 OPENSSL_free(s->s3.alpn_proposed);
453 s->s3.alpn_proposed = NULL;
454 s->s3.alpn_proposed_len = 0;
25670f3e 455 if (!PACKET_memdup(&save_protocol_list,
555cbb32 456 &s->s3.alpn_proposed, &s->s3.alpn_proposed_len)) {
c48ffbcc 457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 458 return 0;
459 }
460
461 return 1;
462}
463
464#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 465int tls_parse_ctos_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
466 unsigned int context, X509 *x, size_t chainidx)
25670f3e 467{
25670f3e
MC		 468 STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
469 unsigned int ct, mki_len, id;
470 int i, srtp_pref;
471 PACKET subpkt;
38b051a1 472 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
25670f3e
MC		 473
474 /* Ignore this if we have no SRTP profiles */
38b051a1 475 if (SSL_get_srtp_profiles(ssl) == NULL)
25670f3e
MC		 476 return 1;
477
478 /* Pull off the length of the cipher suite list and check it is even */
1266eefd
MC		 479 if (!PACKET_get_net_2(pkt, &ct) || (ct & 1) != 0
480 || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
c48ffbcc 481 SSLfatal(s, SSL_AD_DECODE_ERROR,
25670f3e 482 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 483 return 0;
484 }
485
38b051a1 486 srvr = SSL_get_srtp_profiles(ssl);
25670f3e
MC		 487 s->srtp_profile = NULL;
488 /* Search all profiles for a match initially */
489 srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
490
491 while (PACKET_remaining(&subpkt)) {
492 if (!PACKET_get_net_2(&subpkt, &id)) {
c48ffbcc 493 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 494 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 495 return 0;
496 }
497
498 /*
499 * Only look for match in profiles of higher preference than
500 * current match.
501 * If no profiles have been have been configured then this
502 * does nothing.
503 */
504 for (i = 0; i < srtp_pref; i++) {
d270de32 505 SRTP_PROTECTION_PROFILE *sprof =
1266eefd
MC		 506 sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
507
25670f3e
MC		 508 if (sprof->id == id) {
509 s->srtp_profile = sprof;
510 srtp_pref = i;
511 break;
512 }
513 }
514 }
515
1266eefd 516 /* Now extract the MKI value as a sanity check, but discard it for now */
25670f3e 517 if (!PACKET_get_1(pkt, &mki_len)) {
c48ffbcc 518 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 519 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
25670f3e
MC		 520 return 0;
521 }
522
523 if (!PACKET_forward(pkt, mki_len)
524 || PACKET_remaining(pkt)) {
c48ffbcc 525 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRTP_MKI_VALUE);
25670f3e
MC		 526 return 0;
527 }
528
529 return 1;
530}
531#endif
532
38b051a1
TM		 533int tls_parse_ctos_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
534 X509 *x, size_t chainidx)
25670f3e
MC		 535{
536 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
28a31a0a 537 s->ext.use_etm = 1;
25670f3e
MC		 538
539 return 1;
540}
541
b2f7e8c0
MC		 542/*
543 * Process a psk_kex_modes extension received in the ClientHello. |pkt| contains
544 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
b2f7e8c0 545 */
38b051a1
TM		 546int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt,
547 unsigned int context,
f63a17d6 548 X509 *x, size_t chainidx)
b2f7e8c0
MC		 549{
550#ifndef OPENSSL_NO_TLS1_3
551 PACKET psk_kex_modes;
552 unsigned int mode;
553
554 if (!PACKET_as_length_prefixed_1(pkt, &psk_kex_modes)
555 || PACKET_remaining(&psk_kex_modes) == 0) {
c48ffbcc 556 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
b2f7e8c0
MC		 557 return 0;
558 }
559
560 while (PACKET_get_1(&psk_kex_modes, &mode)) {
561 if (mode == TLSEXT_KEX_MODE_KE_DHE)
562 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE_DHE;
e3c0d76b
MC		 563 else if (mode == TLSEXT_KEX_MODE_KE
564 && (s->options & SSL_OP_ALLOW_NO_DHE_KEX) != 0)
b2f7e8c0
MC		 565 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
566 }
567#endif
568
569 return 1;
570}
571
25670f3e
MC		 572/*
573 * Process a key_share extension received in the ClientHello. |pkt| contains
574 * the raw PACKET data for the extension. Returns 1 on success or 0 on failure.
25670f3e 575 */
38b051a1
TM		 576int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
577 unsigned int context, X509 *x, size_t chainidx)
25670f3e 578{
3cf96e88 579#ifndef OPENSSL_NO_TLS1_3
25670f3e
MC		 580 unsigned int group_id;
581 PACKET key_share_list, encoded_pt;
f48d826e
DSH		 582 const uint16_t *clntgroups, *srvrgroups;
583 size_t clnt_num_groups, srvr_num_groups;
43b95d73 584 int found = 0;
25670f3e 585
f4bbb37c 586 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0)
25670f3e
MC		 587 return 1;
588
589 /* Sanity check */
555cbb32 590 if (s->s3.peer_tmp != NULL) {
c48ffbcc 591 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
25670f3e
MC		 592 return 0;
593 }
594
595 if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
c48ffbcc 596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 597 return 0;
598 }
599
f48d826e
DSH		 600 /* Get our list of supported groups */
601 tls1_get_supported_groups(s, &srvrgroups, &srvr_num_groups);
602 /* Get the clients list of supported groups. */
603 tls1_get_peer_groups(s, &clntgroups, &clnt_num_groups);
604 if (clnt_num_groups == 0) {
b6fdc12d
MC		 605 /*
606 * This can only happen if the supported_groups extension was not sent,
607 * because we verify that the length is non-zero when we process that
608 * extension.
609 */
c48ffbcc 610 SSLfatal(s, SSL_AD_MISSING_EXTENSION,
f63a17d6 611 SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
b6fdc12d
MC		 612 return 0;
613 }
25670f3e 614
555cbb32 615 if (s->s3.group_id != 0 && PACKET_remaining(&key_share_list) == 0) {
43054d3d
MC		 616 /*
617 * If we set a group_id already, then we must have sent an HRR
618 * requesting a new key_share. If we haven't got one then that is an
619 * error
620 */
c48ffbcc 621 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 622 return 0;
623 }
624
25670f3e
MC		 625 while (PACKET_remaining(&key_share_list) > 0) {
626 if (!PACKET_get_net_2(&key_share_list, &group_id)
627 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
628 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 629 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
25670f3e
MC		 630 return 0;
631 }
632
633 /*
634 * If we already found a suitable key_share we loop through the
635 * rest to verify the structure, but don't process them.
636 */
637 if (found)
638 continue;
639
43054d3d
MC		 640 /*
641 * If we sent an HRR then the key_share sent back MUST be for the group
642 * we requested, and must be the only key_share sent.
643 */
555cbb32 644 if (s->s3.group_id != 0
0a10825a 645 && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
43054d3d 646 || PACKET_remaining(&key_share_list) != 0)) {
c48ffbcc 647 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
43054d3d
MC		 648 return 0;
649 }
650
25670f3e 651 /* Check if this share is in supported_groups sent from client */
f48d826e 652 if (!check_in_list(s, group_id, clntgroups, clnt_num_groups, 0)) {
c48ffbcc 653 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
25670f3e
MC		 654 return 0;
655 }
656
657 /* Check if this share is for a group we can use */
f48d826e 658 if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
25670f3e
MC		 659 /* Share not suitable */
660 continue;
661 }
662
0a10825a
BE		 663 s->s3.group_id = group_id;
664 /* Cache the selected group ID in the SSL_SESSION */
665 s->session->kex_group = group_id;
666
667 group_id = ssl_group_id_tls13_to_internal(group_id);
668
ada66e78 669 if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
c48ffbcc 670 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
25670f3e
MC		 671 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
672 return 0;
673 }
674
d5530efa
TM		 675 if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
676 PACKET_data(&encoded_pt),
677 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 678 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
25670f3e
MC		 679 return 0;
680 }
681
682 found = 1;
683 }
3cf96e88 684#endif
25670f3e
MC		 685
686 return 1;
687}
688
38b051a1
TM		 689int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
690 X509 *x, size_t chainidx)
43054d3d 691{
1aac20f5 692#ifndef OPENSSL_NO_TLS1_3
dd77962e 693 unsigned int format, version, key_share, group_id;
43054d3d
MC		 694 EVP_MD_CTX *hctx;
695 EVP_PKEY *pkey;
696 PACKET cookie, raw, chhash, appcookie;
697 WPACKET hrrpkt;
698 const unsigned char *data, *mdin, *ciphdata;
699 unsigned char hmac[SHA256_DIGEST_LENGTH];
700 unsigned char hrr[MAX_HRR_SIZE];
701 size_t rawlen, hmaclen, hrrlen, ciphlen;
e8a557dc 702 uint64_t tm, now;
38b051a1
TM		 703 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
704 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
43054d3d
MC		 705
706 /* Ignore any cookie if we're not set up to verify it */
38b051a1 707 if (sctx->verify_stateless_cookie_cb == NULL
555cbb32 708 || (s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 709 return 1;
710
711 if (!PACKET_as_length_prefixed_2(pkt, &cookie)) {
c48ffbcc 712 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 713 return 0;
714 }
715
716 raw = cookie;
717 data = PACKET_data(&raw);
718 rawlen = PACKET_remaining(&raw);
719 if (rawlen < SHA256_DIGEST_LENGTH
720 || !PACKET_forward(&raw, rawlen - SHA256_DIGEST_LENGTH)) {
c48ffbcc 721 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 722 return 0;
723 }
724 mdin = PACKET_data(&raw);
725
726 /* Verify the HMAC of the cookie */
727 hctx = EVP_MD_CTX_create();
38b051a1
TM		 728 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
729 sctx->propq,
d8652be0
MC		 730 s->session_ctx->ext.cookie_hmac_key,
731 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d
MC		 732 if (hctx == NULL || pkey == NULL) {
733 EVP_MD_CTX_free(hctx);
734 EVP_PKEY_free(pkey);
c48ffbcc 735 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 736 return 0;
737 }
738
97ea1e7f 739 hmaclen = SHA256_DIGEST_LENGTH;
38b051a1
TM		 740 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
741 sctx->propq, pkey, NULL) <= 0
97ea1e7f
MC		 742 || EVP_DigestSign(hctx, hmac, &hmaclen, data,
743 rawlen - SHA256_DIGEST_LENGTH) <= 0
43054d3d
MC		 744 || hmaclen != SHA256_DIGEST_LENGTH) {
745 EVP_MD_CTX_free(hctx);
746 EVP_PKEY_free(pkey);
c48ffbcc 747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 748 return 0;
749 }
750
751 EVP_MD_CTX_free(hctx);
752 EVP_PKEY_free(pkey);
753
754 if (CRYPTO_memcmp(hmac, mdin, SHA256_DIGEST_LENGTH) != 0) {
c48ffbcc 755 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 756 return 0;
757 }
758
759 if (!PACKET_get_net_2(&cookie, &format)) {
c48ffbcc 760 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 761 return 0;
762 }
763 /* Check the cookie format is something we recognise. Ignore it if not */
764 if (format != COOKIE_STATE_FORMAT_VERSION)
765 return 1;
766
767 /*
768 * The rest of these checks really shouldn't fail since we have verified the
769 * HMAC above.
770 */
771
772 /* Check the version number is sane */
773 if (!PACKET_get_net_2(&cookie, &version)) {
c48ffbcc 774 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 775 return 0;
776 }
777 if (version != TLS1_3_VERSION) {
c48ffbcc 778 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
43054d3d
MC		 779 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
780 return 0;
781 }
782
dd77962e 783 if (!PACKET_get_net_2(&cookie, &group_id)) {
c48ffbcc 784 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 785 return 0;
786 }
dd77962e 787
43054d3d
MC		 788 ciphdata = PACKET_data(&cookie);
789 if (!PACKET_forward(&cookie, 2)) {
c48ffbcc 790 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 791 return 0;
792 }
555cbb32
TS		 793 if (group_id != s->s3.group_id
794 || s->s3.tmp.new_cipher
dd77962e
MC		 795 != ssl_get_cipher_by_char(s, ciphdata, 0)) {
796 /*
797 * We chose a different cipher or group id this time around to what is
798 * in the cookie. Something must have changed.
799 */
c48ffbcc 800 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER);
43054d3d
MC		 801 return 0;
802 }
803
804 if (!PACKET_get_1(&cookie, &key_share)
e8a557dc 805 || !PACKET_get_net_8(&cookie, &tm)
43054d3d
MC		 806 || !PACKET_get_length_prefixed_2(&cookie, &chhash)
807 || !PACKET_get_length_prefixed_1(&cookie, &appcookie)
808 || PACKET_remaining(&cookie) != SHA256_DIGEST_LENGTH) {
c48ffbcc 809 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
43054d3d
MC		 810 return 0;
811 }
812
d0debc0a 813 /* We tolerate a cookie age of up to 10 minutes (= 60 * 10 seconds) */
e8a557dc 814 now = time(NULL);
d0debc0a
MC		 815 if (tm > now || (now - tm) > 600) {
816 /* Cookie is stale. Ignore it */
817 return 1;
818 }
819
43054d3d 820 /* Verify the app cookie */
38b051a1
TM		 821 if (sctx->verify_stateless_cookie_cb(ssl,
822 PACKET_data(&appcookie),
823 PACKET_remaining(&appcookie)) == 0) {
c48ffbcc 824 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COOKIE_MISMATCH);
43054d3d
MC		 825 return 0;
826 }
827
828 /*
829 * Reconstruct the HRR that we would have sent in response to the original
830 * ClientHello so we can add it to the transcript hash.
831 * Note: This won't work with custom HRR extensions
832 */
833 if (!WPACKET_init_static_len(&hrrpkt, hrr, sizeof(hrr), 0)) {
c48ffbcc 834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 835 return 0;
836 }
837 if (!WPACKET_put_bytes_u8(&hrrpkt, SSL3_MT_SERVER_HELLO)
838 || !WPACKET_start_sub_packet_u24(&hrrpkt)
839 || !WPACKET_put_bytes_u16(&hrrpkt, TLS1_2_VERSION)
840 || !WPACKET_memcpy(&hrrpkt, hrrrandom, SSL3_RANDOM_SIZE)
841 || !WPACKET_sub_memcpy_u8(&hrrpkt, s->tmp_session_id,
842 s->tmp_session_id_len)
38b051a1
TM		 843 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, &hrrpkt,
844 &ciphlen)
43054d3d
MC		 845 || !WPACKET_put_bytes_u8(&hrrpkt, 0)
846 || !WPACKET_start_sub_packet_u16(&hrrpkt)) {
847 WPACKET_cleanup(&hrrpkt);
c48ffbcc 848 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 849 return 0;
850 }
851 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_supported_versions)
852 || !WPACKET_start_sub_packet_u16(&hrrpkt)
35e742ec 853 || !WPACKET_put_bytes_u16(&hrrpkt, s->version)
43054d3d
MC		 854 || !WPACKET_close(&hrrpkt)) {
855 WPACKET_cleanup(&hrrpkt);
c48ffbcc 856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 857 return 0;
858 }
859 if (key_share) {
860 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_key_share)
861 || !WPACKET_start_sub_packet_u16(&hrrpkt)
555cbb32 862 || !WPACKET_put_bytes_u16(&hrrpkt, s->s3.group_id)
43054d3d
MC		 863 || !WPACKET_close(&hrrpkt)) {
864 WPACKET_cleanup(&hrrpkt);
c48ffbcc 865 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 866 return 0;
867 }
868 }
869 if (!WPACKET_put_bytes_u16(&hrrpkt, TLSEXT_TYPE_cookie)
870 || !WPACKET_start_sub_packet_u16(&hrrpkt)
871 || !WPACKET_sub_memcpy_u16(&hrrpkt, data, rawlen)
872 || !WPACKET_close(&hrrpkt) /* cookie extension */
873 || !WPACKET_close(&hrrpkt) /* extension block */
874 || !WPACKET_close(&hrrpkt) /* message */
875 || !WPACKET_get_total_written(&hrrpkt, &hrrlen)
876 || !WPACKET_finish(&hrrpkt)) {
877 WPACKET_cleanup(&hrrpkt);
c48ffbcc 878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 879 return 0;
880 }
881
882 /* Reconstruct the transcript hash */
883 if (!create_synthetic_message_hash(s, PACKET_data(&chhash),
884 PACKET_remaining(&chhash), hrr,
885 hrrlen)) {
886 /* SSLfatal() already called */
887 return 0;
888 }
889
890 /* Act as if this ClientHello came after a HelloRetryRequest */
891 s->hello_retry_request = 1;
892
c36001c3 893 s->ext.cookieok = 1;
1aac20f5 894#endif
c36001c3 895
43054d3d
MC		 896 return 1;
897}
898
38b051a1
TM		 899int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt,
900 unsigned int context,
f63a17d6 901 X509 *x, size_t chainidx)
25670f3e
MC		 902{
903 PACKET supported_groups_list;
904
905 /* Each group is 2 bytes and we must have at least 1. */
906 if (!PACKET_as_length_prefixed_2(pkt, &supported_groups_list)
907 || PACKET_remaining(&supported_groups_list) == 0
908 || (PACKET_remaining(&supported_groups_list) % 2) != 0) {
c48ffbcc 909 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 910 return 0;
911 }
912
38b051a1 913 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) {
45436e61
MC		 914 OPENSSL_free(s->ext.peer_supportedgroups);
915 s->ext.peer_supportedgroups = NULL;
916 s->ext.peer_supportedgroups_len = 0;
9e84a42d 917 if (!tls1_save_u16(&supported_groups_list,
45436e61
MC		 918 &s->ext.peer_supportedgroups,
919 &s->ext.peer_supportedgroups_len)) {
c48ffbcc 920 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
e3743355
BK		 921 return 0;
922 }
25670f3e
MC		 923 }
924
925 return 1;
926}
25670f3e 927
38b051a1
TM		 928int tls_parse_ctos_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
929 X509 *x, size_t chainidx)
25670f3e
MC		 930{
931 /* The extension must always be empty */
932 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 933 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
25670f3e
MC		 934 return 0;
935 }
936
088dfa13
TS		 937 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
938 return 1;
939
555cbb32 940 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
25670f3e
MC		 941
942 return 1;
943}
7da160b0 944
38df5a45 945
38b051a1 946int tls_parse_ctos_early_data(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
f63a17d6 947 X509 *x, size_t chainidx)
38df5a45
MC		 948{
949 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 950 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 951 return 0;
952 }
953
fc7129dc 954 if (s->hello_retry_request != SSL_HRR_NONE) {
c48ffbcc 955 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
d4504fe5
MC		 956 return 0;
957 }
958
38df5a45
MC		 959 return 1;
960}
961
38b051a1 962static SSL_TICKET_STATUS tls_get_stateful_ticket(SSL_CONNECTION *s, PACKET *tick,
6cc0b3c2
MC		 963 SSL_SESSION **sess)
964{
965 SSL_SESSION *tmpsess = NULL;
966
5f26ddff
MC		 967 s->ext.ticket_expected = 1;
968
6cc0b3c2
MC		 969 switch (PACKET_remaining(tick)) {
970 case 0:
971 return SSL_TICKET_EMPTY;
972
973 case SSL_MAX_SSL_SESSION_ID_LENGTH:
974 break;
975
976 default:
977 return SSL_TICKET_NO_DECRYPT;
978 }
979
980 tmpsess = lookup_sess_in_cache(s, PACKET_data(tick),
981 SSL_MAX_SSL_SESSION_ID_LENGTH);
982
983 if (tmpsess == NULL)
984 return SSL_TICKET_NO_DECRYPT;
985
6cc0b3c2
MC		 986 *sess = tmpsess;
987 return SSL_TICKET_SUCCESS;
988}
989
38b051a1
TM		 990int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
991 X509 *x, size_t chainidx)
1053a6e2
MC		 992{
993 PACKET identities, binders, binder;
994 size_t binderoffset, hashsize;
995 SSL_SESSION *sess = NULL;
3a7c56b2 996 unsigned int id, i, ext = 0;
1053a6e2 997 const EVP_MD *md = NULL;
38b051a1
TM		 998 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
999 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1053a6e2 1000
1a9f457c
MC		 1001 /*
1002 * If we have no PSK kex mode that we recognise then we can't resume so
1003 * ignore this extension
1004 */
1005 if ((s->ext.psk_kex_mode
1006 & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0)
1007 return 1;
1008
1053a6e2 1009 if (!PACKET_get_length_prefixed_2(pkt, &identities)) {
c48ffbcc 1010 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1011 return 0;
1012 }
1013
61fb5923 1014 s->ext.ticket_expected = 0;
1053a6e2
MC		 1015 for (id = 0; PACKET_remaining(&identities) != 0; id++) {
1016 PACKET identity;
2c604cb9 1017 unsigned long ticket_agel;
f3d40db1 1018 size_t idlen;
1053a6e2
MC		 1019
1020 if (!PACKET_get_length_prefixed_2(&identities, &identity)
2c604cb9 1021 || !PACKET_get_net_4(&identities, &ticket_agel)) {
c48ffbcc 1022 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1023 return 0;
1024 }
1025
f3d40db1 1026 idlen = PACKET_remaining(&identity);
3a7c56b2 1027 if (s->psk_find_session_cb != NULL
38b051a1 1028 && !s->psk_find_session_cb(ssl, PACKET_data(&identity), idlen,
011d768a 1029 &sess)) {
c48ffbcc 1030 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_EXTENSION);
011d768a
MC		 1031 return 0;
1032 }
1033
c2b290c3 1034#ifndef OPENSSL_NO_PSK
1287dabd 1035 if (sess == NULL
f3d40db1
MC		 1036 && s->psk_server_callback != NULL
1037 && idlen <= PSK_MAX_IDENTITY_LEN) {
1038 char *pskid = NULL;
1039 unsigned char pskdata[PSK_MAX_PSK_LEN];
1040 unsigned int pskdatalen;
1041
1042 if (!PACKET_strndup(&identity, &pskid)) {
c48ffbcc 1043 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1044 return 0;
1045 }
38b051a1 1046 pskdatalen = s->psk_server_callback(ssl, pskid, pskdata,
f3d40db1
MC		 1047 sizeof(pskdata));
1048 OPENSSL_free(pskid);
1049 if (pskdatalen > PSK_MAX_PSK_LEN) {
c48ffbcc 1050 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1051 return 0;
1052 } else if (pskdatalen > 0) {
1053 const SSL_CIPHER *cipher;
1054 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
1055
1056 /*
1057 * We found a PSK using an old style callback. We don't know
1058 * the digest so we default to SHA256 as per the TLSv1.3 spec
1059 */
38b051a1 1060 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1
MC		 1061 if (cipher == NULL) {
1062 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1063 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1064 return 0;
1065 }
1066
1067 sess = SSL_SESSION_new();
1068 if (sess == NULL
1069 || !SSL_SESSION_set1_master_key(sess, pskdata,
1070 pskdatalen)
1071 || !SSL_SESSION_set_cipher(sess, cipher)
1072 || !SSL_SESSION_set_protocol_version(sess,
1073 TLS1_3_VERSION)) {
1074 OPENSSL_cleanse(pskdata, pskdatalen);
c48ffbcc 1075 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 1076 goto err;
1077 }
1078 OPENSSL_cleanse(pskdata, pskdatalen);
1079 }
1080 }
c2b290c3 1081#endif /* OPENSSL_NO_PSK */
f3d40db1 1082
011d768a
MC		 1083 if (sess != NULL) {
1084 /* We found a PSK */
3a7c56b2 1085 SSL_SESSION *sesstmp = ssl_session_dup(sess, 0);
1b8bacff 1086
3a7c56b2 1087 if (sesstmp == NULL) {
c48ffbcc 1088 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1089 return 0;
1090 }
1091 SSL_SESSION_free(sess);
1092 sess = sesstmp;
1093
1094 /*
1095 * We've just been told to use this session for this context so
1096 * make sure the sid_ctx matches up.
1097 */
1098 memcpy(sess->sid_ctx, s->sid_ctx, s->sid_ctx_length);
1099 sess->sid_ctx_length = s->sid_ctx_length;
1100 ext = 1;
630369d9
MC		 1101 if (id == 0)
1102 s->ext.early_data_ok = 1;
51256b34 1103 s->ext.ticket_expected = 1;
3a7c56b2 1104 } else {
f0131dc0 1105 OSSL_TIME t, age, expire;
61fb5923
MC		 1106 int ret;
1107
e880d4e5
MC		 1108 /*
1109 * If we are using anti-replay protection then we behave as if
1110 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there
1111 * is no point in using full stateless tickets.
1112 */
1113 if ((s->options & SSL_OP_NO_TICKET) != 0
5d263fb7
MC		 1114 || (s->max_early_data > 0
1115 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))
6cc0b3c2
MC		 1116 ret = tls_get_stateful_ticket(s, &identity, &sess);
1117 else
1118 ret = tls_decrypt_ticket(s, PACKET_data(&identity),
1119 PACKET_remaining(&identity), NULL, 0,
1120 &sess);
61fb5923
MC		 1121
1122 if (ret == SSL_TICKET_EMPTY) {
c48ffbcc 1123 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
61fb5923
MC		 1124 return 0;
1125 }
3a7c56b2 1126
df0fed9a
TS		 1127 if (ret == SSL_TICKET_FATAL_ERR_MALLOC
1128 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
c48ffbcc 1129 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3a7c56b2
MC		 1130 return 0;
1131 }
61fb5923 1132 if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
3a7c56b2
MC		 1133 continue;
1134
66d7de16
MC		 1135 /* Check for replay */
1136 if (s->max_early_data > 0
5d263fb7 1137 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0
66d7de16
MC		 1138 && !SSL_CTX_remove_session(s->session_ctx, sess)) {
1139 SSL_SESSION_free(sess);
1140 sess = NULL;
1141 continue;
1142 }
1143
f0131dc0
P		 1144 age = ossl_time_subtract(ossl_seconds2time(ticket_agel),
1145 ossl_seconds2time(sess->ext.tick_age_add));
1146 t = ossl_time_subtract(ossl_time_now(), sess->time);
3a7c56b2
MC		 1147
1148 /*
f0131dc0
P		 1149 * Beause we use second granuality, it could appear that
1150 * the client's ticket age is longer than ours (our ticket
1151 * age calculation should always be slightly longer than the
1152 * client's due to the network latency). Therefore we add
1153 * 1000ms to our age calculation to adjust for rounding errors.
3a7c56b2 1154 */
f0131dc0
P		 1155 expire = ossl_time_add(t, ossl_ms2time(1000));
1156
630369d9 1157 if (id == 0
f0131dc0
P		 1158 && ossl_time_compare(sess->timeout, t) >= 0
1159 && ossl_time_compare(age, expire) <= 0
1160 && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
1161 expire) >= 0) {
3a7c56b2
MC		 1162 /*
1163 * Ticket age is within tolerance and not expired. We allow it
1164 * for early data
1165 */
1166 s->ext.early_data_ok = 1;
1167 }
1053a6e2 1168 }
1053a6e2 1169
38b051a1 1170 md = ssl_md(sctx, sess->cipher->algorithm2);
b740012f 1171 if (md == NULL) {
1172 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1173 goto err;
1174 }
c8f6c28a 1175 if (!EVP_MD_is_a(md,
38b051a1 1176 EVP_MD_get0_name(ssl_md(sctx,
ed576acd 1177 s->s3.tmp.new_cipher->algorithm2)))) {
0de6d66d 1178 /* The ciphersuite is not compatible with this session. */
1053a6e2
MC		 1179 SSL_SESSION_free(sess);
1180 sess = NULL;
630369d9 1181 s->ext.early_data_ok = 0;
51256b34 1182 s->ext.ticket_expected = 0;
1053a6e2
MC		 1183 continue;
1184 }
1053a6e2
MC		 1185 break;
1186 }
1187
1188 if (sess == NULL)
1189 return 1;
1190
1191 binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data;
ed576acd 1192 hashsize = EVP_MD_get_size(md);
1053a6e2
MC		 1193
1194 if (!PACKET_get_length_prefixed_2(pkt, &binders)) {
c48ffbcc 1195 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1196 goto err;
1197 }
1198
1199 for (i = 0; i <= id; i++) {
1200 if (!PACKET_get_length_prefixed_1(&binders, &binder)) {
c48ffbcc 1201 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
1053a6e2
MC		 1202 goto err;
1203 }
1204 }
1205
2894e9cb 1206 if (PACKET_remaining(&binder) != hashsize) {
c48ffbcc 1207 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2894e9cb
MC		 1208 goto err;
1209 }
1210 if (tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data,
1211 binderoffset, PACKET_data(&binder), NULL, sess, 0,
1212 ext) != 1) {
635c8f77 1213 /* SSLfatal() already called */
1053a6e2
MC		 1214 goto err;
1215 }
1216
c96ce52c 1217 s->ext.tick_identity = id;
2c604cb9 1218
1053a6e2
MC		 1219 SSL_SESSION_free(s->session);
1220 s->session = sess;
1053a6e2
MC		 1221 return 1;
1222err:
312e9387 1223 SSL_SESSION_free(sess);
1053a6e2
MC		 1224 return 0;
1225}
1226
38b051a1 1227int tls_parse_ctos_post_handshake_auth(SSL_CONNECTION *s, PACKET *pkt,
a7e6a3d8
P		 1228 ossl_unused unsigned int context,
1229 ossl_unused X509 *x,
1230 ossl_unused size_t chainidx)
9d75dce3
TS		 1231{
1232 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1233 SSLfatal(s, SSL_AD_DECODE_ERROR,
9d75dce3
TS		 1234 SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR);
1235 return 0;
1236 }
1237
1238 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
1239
1240 return 1;
1241}
1242
1266eefd
MC		 1243/*
1244 * Add the server's renegotiation binding
1245 */
38b051a1 1246EXT_RETURN tls_construct_stoc_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1247 unsigned int context, X509 *x,
f63a17d6 1248 size_t chainidx)
7da160b0 1249{
555cbb32 1250 if (!s->s3.send_connection_binding)
b186a592 1251 return EXT_RETURN_NOT_SENT;
7da160b0 1252
db0f35dd 1253 /* Still add this even if SSL_OP_NO_RENEGOTIATION is set */
7da160b0
MC		 1254 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
1255 || !WPACKET_start_sub_packet_u16(pkt)
1256 || !WPACKET_start_sub_packet_u8(pkt)
555cbb32
TS		 1257 || !WPACKET_memcpy(pkt, s->s3.previous_client_finished,
1258 s->s3.previous_client_finished_len)
1259 || !WPACKET_memcpy(pkt, s->s3.previous_server_finished,
1260 s->s3.previous_server_finished_len)
7da160b0
MC		 1261 || !WPACKET_close(pkt)
1262 || !WPACKET_close(pkt)) {
c48ffbcc 1263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1264 return EXT_RETURN_FAIL;
7da160b0
MC		 1265 }
1266
b186a592 1267 return EXT_RETURN_SENT;
7da160b0
MC		 1268}
1269
38b051a1 1270EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1271 unsigned int context, X509 *x,
f63a17d6 1272 size_t chainidx)
7da160b0 1273{
7955c1f1
MC		 1274 if (s->servername_done != 1)
1275 return EXT_RETURN_NOT_SENT;
1276
1277 /*
1278 * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming.
1279 * We just use the servername from the initial handshake.
1280 */
38b051a1 1281 if (s->hit && !SSL_CONNECTION_IS_TLS13(s))
b186a592 1282 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1283
1284 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
1285 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1287 return EXT_RETURN_FAIL;
7da160b0
MC		 1288 }
1289
b186a592 1290 return EXT_RETURN_SENT;
7da160b0
MC		 1291}
1292
cf72c757 1293/* Add/include the server's max fragment len extension into ServerHello */
38b051a1 1294EXT_RETURN tls_construct_stoc_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 1295 unsigned int context, X509 *x,
f63a17d6 1296 size_t chainidx)
cf72c757
F		 1297{
1298 if (!USE_MAX_FRAGMENT_LENGTH_EXT(s->session))
1299 return EXT_RETURN_NOT_SENT;
1300
1301 /*-
1302 * 4 bytes for this extension type and extension length
1303 * 1 byte for the Max Fragment Length code value.
1304 */
1305 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
1306 || !WPACKET_start_sub_packet_u16(pkt)
1307 || !WPACKET_put_bytes_u8(pkt, s->session->ext.max_fragment_len_mode)
1308 || !WPACKET_close(pkt)) {
c48ffbcc 1309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 1310 return EXT_RETURN_FAIL;
1311 }
1312
1313 return EXT_RETURN_SENT;
1314}
1315
38b051a1 1316EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1317 unsigned int context, X509 *x,
f63a17d6 1318 size_t chainidx)
7da160b0 1319{
555cbb32
TS		 1320 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
1321 unsigned long alg_a = s->s3.tmp.new_cipher->algorithm_auth;
89247375 1322 int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
cd0fb43c 1323 && (s->ext.peer_ecpointformats != NULL);
7da160b0
MC		 1324 const unsigned char *plist;
1325 size_t plistlen;
1326
1327 if (!using_ecc)
b186a592 1328 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1329
1330 tls1_get_formatlist(s, &plist, &plistlen);
7da160b0
MC		 1331 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
1332 || !WPACKET_start_sub_packet_u16(pkt)
1333 || !WPACKET_sub_memcpy_u8(pkt, plist, plistlen)
1334 || !WPACKET_close(pkt)) {
c48ffbcc 1335 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1336 return EXT_RETURN_FAIL;
7da160b0
MC		 1337 }
1338
b186a592 1339 return EXT_RETURN_SENT;
7da160b0 1340}
7da160b0 1341
38b051a1 1342EXT_RETURN tls_construct_stoc_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1343 unsigned int context, X509 *x,
f63a17d6 1344 size_t chainidx)
6af87546 1345{
9e84a42d 1346 const uint16_t *groups;
6af87546 1347 size_t numgroups, i, first = 1;
9d2d857f 1348 int version;
6af87546 1349
555cbb32
TS		 1350 /* s->s3.group_id is non zero if we accepted a key_share */
1351 if (s->s3.group_id == 0)
b186a592 1352 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1353
1354 /* Get our list of supported groups */
ff6d20a6 1355 tls1_get_supported_groups(s, &groups, &numgroups);
34e5292c 1356 if (numgroups == 0) {
c48ffbcc 1357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1358 return EXT_RETURN_FAIL;
6af87546
MC		 1359 }
1360
1361 /* Copy group ID if supported */
38b051a1 1362 version = SSL_version(SSL_CONNECTION_GET_SSL(s));
9e84a42d
DSH		 1363 for (i = 0; i < numgroups; i++) {
1364 uint16_t group = groups[i];
1365
8b1db5d3 1366 if (tls_valid_group(s, group, version, version, 0, NULL)
dbc6268f 1367 && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
6af87546
MC		 1368 if (first) {
1369 /*
1370 * Check if the client is already using our preferred group. If
1371 * so we don't need to add this extension
1372 */
555cbb32 1373 if (s->s3.group_id == group)
b186a592 1374 return EXT_RETURN_NOT_SENT;
6af87546
MC		 1375
1376 /* Add extension header */
1377 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
1378 /* Sub-packet for supported_groups extension */
1379 || !WPACKET_start_sub_packet_u16(pkt)
1380 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1382 return EXT_RETURN_FAIL;
6af87546
MC		 1383 }
1384
1385 first = 0;
1386 }
9e84a42d 1387 if (!WPACKET_put_bytes_u16(pkt, group)) {
c48ffbcc 1388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1389 return EXT_RETURN_FAIL;
6af87546
MC		 1390 }
1391 }
1392 }
1393
1394 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 1395 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1396 return EXT_RETURN_FAIL;
6af87546
MC		 1397 }
1398
b186a592 1399 return EXT_RETURN_SENT;
6af87546
MC		 1400}
1401
38b051a1 1402EXT_RETURN tls_construct_stoc_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1403 unsigned int context, X509 *x,
f63a17d6 1404 size_t chainidx)
7da160b0 1405{
aff8c126
RS		 1406 if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
1407 s->ext.ticket_expected = 0;
b186a592 1408 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1409 }
1410
1411 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
1412 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1413 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1414 return EXT_RETURN_FAIL;
7da160b0
MC		 1415 }
1416
b186a592 1417 return EXT_RETURN_SENT;
7da160b0
MC		 1418}
1419
ab83e314 1420#ifndef OPENSSL_NO_OCSP
38b051a1 1421EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1422 unsigned int context, X509 *x,
f63a17d6 1423 size_t chainidx)
7da160b0 1424{
debb64a0
MC		 1425 /* We don't currently support this extension inside a CertificateRequest */
1426 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
1427 return EXT_RETURN_NOT_SENT;
1428
aff8c126 1429 if (!s->ext.status_expected)
b186a592 1430 return EXT_RETURN_NOT_SENT;
7da160b0 1431
38b051a1 1432 if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0)
b186a592 1433 return EXT_RETURN_NOT_SENT;
e96e0f8e 1434
7da160b0 1435 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
f63e4288 1436 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1437 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1438 return EXT_RETURN_FAIL;
f63e4288
MC		 1439 }
1440
1441 /*
1442 * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we
1443 * send back an empty extension, with the certificate status appearing as a
1444 * separate message
1445 */
38b051a1 1446 if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) {
3ec8d113 1447 /* SSLfatal() already called */
56d36288 1448 return EXT_RETURN_FAIL;
3ec8d113
MC		 1449 }
1450 if (!WPACKET_close(pkt)) {
c48ffbcc 1451 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1452 return EXT_RETURN_FAIL;
7da160b0
MC		 1453 }
1454
b186a592 1455 return EXT_RETURN_SENT;
7da160b0 1456}
ab83e314 1457#endif
7da160b0 1458
7da160b0 1459#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1 1460EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1461 unsigned int context, X509 *x,
f63a17d6 1462 size_t chainidx)
7da160b0
MC		 1463{
1464 const unsigned char *npa;
1465 unsigned int npalen;
1466 int ret;
555cbb32 1467 int npn_seen = s->s3.npn_seen;
38b051a1 1468 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
7da160b0 1469
555cbb32 1470 s->s3.npn_seen = 0;
38b051a1 1471 if (!npn_seen || sctx->ext.npn_advertised_cb == NULL)
b186a592 1472 return EXT_RETURN_NOT_SENT;
7da160b0 1473
38b051a1
TM		 1474 ret = sctx->ext.npn_advertised_cb(SSL_CONNECTION_GET_SSL(s), &npa, &npalen,
1475 sctx->ext.npn_advertised_cb_arg);
7da160b0
MC		 1476 if (ret == SSL_TLSEXT_ERR_OK) {
1477 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
1478 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
c48ffbcc 1479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1480 return EXT_RETURN_FAIL;
7da160b0 1481 }
555cbb32 1482 s->s3.npn_seen = 1;
7da160b0
MC		 1483 }
1484
b186a592 1485 return EXT_RETURN_SENT;
7da160b0
MC		 1486}
1487#endif
1488
38b051a1 1489EXT_RETURN tls_construct_stoc_alpn(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context,
f63a17d6 1490 X509 *x, size_t chainidx)
7da160b0 1491{
555cbb32 1492 if (s->s3.alpn_selected == NULL)
b186a592 1493 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1494
1495 if (!WPACKET_put_bytes_u16(pkt,
1496 TLSEXT_TYPE_application_layer_protocol_negotiation)
1497 || !WPACKET_start_sub_packet_u16(pkt)
1498 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 1499 || !WPACKET_sub_memcpy_u8(pkt, s->s3.alpn_selected,
1500 s->s3.alpn_selected_len)
7da160b0
MC		 1501 || !WPACKET_close(pkt)
1502 || !WPACKET_close(pkt)) {
c48ffbcc 1503 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1504 return EXT_RETURN_FAIL;
7da160b0
MC		 1505 }
1506
b186a592 1507 return EXT_RETURN_SENT;
7da160b0
MC		 1508}
1509
1510#ifndef OPENSSL_NO_SRTP
38b051a1 1511EXT_RETURN tls_construct_stoc_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1512 unsigned int context, X509 *x,
f63a17d6 1513 size_t chainidx)
7da160b0
MC		 1514{
1515 if (s->srtp_profile == NULL)
b186a592 1516 return EXT_RETURN_NOT_SENT;
a1448c26 1517
7da160b0
MC		 1518 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
1519 || !WPACKET_start_sub_packet_u16(pkt)
1520 || !WPACKET_put_bytes_u16(pkt, 2)
1521 || !WPACKET_put_bytes_u16(pkt, s->srtp_profile->id)
1522 || !WPACKET_put_bytes_u8(pkt, 0)
1523 || !WPACKET_close(pkt)) {
c48ffbcc 1524 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1525 return EXT_RETURN_FAIL;
7da160b0
MC		 1526 }
1527
b186a592 1528 return EXT_RETURN_SENT;
7da160b0
MC		 1529}
1530#endif
1531
38b051a1
TM		 1532EXT_RETURN tls_construct_stoc_etm(SSL_CONNECTION *s, WPACKET *pkt,
1533 unsigned int context,
f63a17d6 1534 X509 *x, size_t chainidx)
7da160b0 1535{
28a31a0a 1536 if (!s->ext.use_etm)
b186a592 1537 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1538
1539 /*
1540 * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
1541 * for other cases too.
1542 */
555cbb32
TS		 1543 if (s->s3.tmp.new_cipher->algorithm_mac == SSL_AEAD
1544 || s->s3.tmp.new_cipher->algorithm_enc == SSL_RC4
1545 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
5a5530a2
DB		 1546 || s->s3.tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12
1547 || s->s3.tmp.new_cipher->algorithm_enc == SSL_MAGMA
1548 || s->s3.tmp.new_cipher->algorithm_enc == SSL_KUZNYECHIK) {
28a31a0a 1549 s->ext.use_etm = 0;
b186a592 1550 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1551 }
1552
1553 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
1554 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1556 return EXT_RETURN_FAIL;
7da160b0
MC		 1557 }
1558
b186a592 1559 return EXT_RETURN_SENT;
7da160b0
MC		 1560}
1561
38b051a1
TM		 1562EXT_RETURN tls_construct_stoc_ems(SSL_CONNECTION *s, WPACKET *pkt,
1563 unsigned int context,
f63a17d6 1564 X509 *x, size_t chainidx)
7da160b0 1565{
555cbb32 1566 if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0)
b186a592 1567 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1568
1569 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
1570 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 1571 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1572 return EXT_RETURN_FAIL;
7da160b0
MC		 1573 }
1574
b186a592 1575 return EXT_RETURN_SENT;
7da160b0
MC		 1576}
1577
38b051a1 1578EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
88050dd1
MC		 1579 unsigned int context, X509 *x,
1580 size_t chainidx)
1581{
38b051a1 1582 if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) {
c48ffbcc 1583 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
27e462f1
MC		 1584 return EXT_RETURN_FAIL;
1585 }
88050dd1
MC		 1586
1587 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
1588 || !WPACKET_start_sub_packet_u16(pkt)
35e742ec 1589 || !WPACKET_put_bytes_u16(pkt, s->version)
88050dd1 1590 || !WPACKET_close(pkt)) {
c48ffbcc 1591 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
88050dd1
MC		 1592 return EXT_RETURN_FAIL;
1593 }
1594
1595 return EXT_RETURN_SENT;
1596}
1597
38b051a1 1598EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1599 unsigned int context, X509 *x,
f63a17d6 1600 size_t chainidx)
7da160b0 1601{
3cf96e88 1602#ifndef OPENSSL_NO_TLS1_3
7da160b0
MC		 1603 unsigned char *encodedPoint;
1604 size_t encoded_pt_len = 0;
555cbb32 1605 EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL;
8b17fbaf 1606 const TLS_GROUP_INFO *ginf = NULL;
7da160b0 1607
dd77962e
MC		 1608 if (s->hello_retry_request == SSL_HRR_PENDING) {
1609 if (ckey != NULL) {
1610 /* Original key_share was acceptable so don't ask for another one */
1611 return EXT_RETURN_NOT_SENT;
1612 }
1613 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1614 || !WPACKET_start_sub_packet_u16(pkt)
0a10825a
BE		 1615 || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
1616 s->s3.group_id))
dd77962e 1617 || !WPACKET_close(pkt)) {
c48ffbcc 1618 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
dd77962e 1619 return EXT_RETURN_FAIL;
7d061fce
MC		 1620 }
1621
dd77962e
MC		 1622 return EXT_RETURN_SENT;
1623 }
1624
1625 if (ckey == NULL) {
1626 /* No key_share received from client - must be resuming */
0247086d 1627 if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) {
c48ffbcc 1628 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1629 return EXT_RETURN_FAIL;
0247086d 1630 }
b186a592 1631 return EXT_RETURN_NOT_SENT;
7da160b0 1632 }
e776858b
BK		 1633 if (s->hit && (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE_DHE) == 0) {
1634 /*
1635 * PSK ('hit') and explicitly not doing DHE (if the client sent the
1636 * DHE option we always take it); don't send key share.
1637 */
1638 return EXT_RETURN_NOT_SENT;
1639 }
7da160b0
MC		 1640
1641 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
1642 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32 1643 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)) {
c48ffbcc 1644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1645 return EXT_RETURN_FAIL;
7da160b0
MC		 1646 }
1647
38b051a1
TM		 1648 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1649 s->s3.group_id)) == NULL) {
c48ffbcc 1650 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1651 return EXT_RETURN_FAIL;
7da160b0
MC		 1652 }
1653
8b17fbaf
NT		 1654 if (!ginf->is_kem) {
1655 /* Regular KEX */
1656 skey = ssl_generate_pkey(s, ckey);
1657 if (skey == NULL) {
c48ffbcc 1658 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
8b17fbaf
NT		 1659 return EXT_RETURN_FAIL;
1660 }
7da160b0 1661
8b17fbaf 1662 /* Generate encoding of server key */
5ac8fb58 1663 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(skey, &encodedPoint);
8b17fbaf 1664 if (encoded_pt_len == 0) {
c48ffbcc 1665 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
8b17fbaf
NT		 1666 EVP_PKEY_free(skey);
1667 return EXT_RETURN_FAIL;
1668 }
1669
1670 if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
1671 || !WPACKET_close(pkt)) {
c48ffbcc 1672 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1673 EVP_PKEY_free(skey);
1674 OPENSSL_free(encodedPoint);
1675 return EXT_RETURN_FAIL;
1676 }
7da160b0 1677 OPENSSL_free(encodedPoint);
7da160b0 1678
8b17fbaf
NT		 1679 /*
1680 * This causes the crypto state to be updated based on the derived keys
1681 */
1682 s->s3.tmp.pkey = skey;
1683 if (ssl_derive(s, skey, ckey, 1) == 0) {
1684 /* SSLfatal() already called */
1685 return EXT_RETURN_FAIL;
1686 }
1687 } else {
1688 /* KEM mode */
1689 unsigned char *ct = NULL;
1690 size_t ctlen = 0;
1691
1692 /*
1693 * This does not update the crypto state.
1694 *
1695 * The generated pms is stored in `s->s3.tmp.pms` to be later used via
1696 * ssl_gensecret().
1697 */
1698 if (ssl_encapsulate(s, ckey, &ct, &ctlen, 0) == 0) {
1699 /* SSLfatal() already called */
1700 return EXT_RETURN_FAIL;
1701 }
1702
1703 if (ctlen == 0) {
c48ffbcc 1704 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1705 OPENSSL_free(ct);
1706 return EXT_RETURN_FAIL;
1707 }
1708
1709 if (!WPACKET_sub_memcpy_u16(pkt, ct, ctlen)
1710 || !WPACKET_close(pkt)) {
c48ffbcc 1711 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
8b17fbaf
NT		 1712 OPENSSL_free(ct);
1713 return EXT_RETURN_FAIL;
1714 }
1715 OPENSSL_free(ct);
1716
1717 /*
1718 * This causes the crypto state to be updated based on the generated pms
1719 */
1720 if (ssl_gensecret(s, s->s3.tmp.pms, s->s3.tmp.pmslen) == 0) {
1721 /* SSLfatal() already called */
1722 return EXT_RETURN_FAIL;
1723 }
7da160b0 1724 }
aa6bd216 1725 s->s3.did_kex = 1;
b186a592 1726 return EXT_RETURN_SENT;
1aac20f5
MC		 1727#else
1728 return EXT_RETURN_FAIL;
1729#endif
7da160b0
MC		 1730}
1731
38b051a1
TM		 1732EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt,
1733 unsigned int context,
43054d3d
MC		 1734 X509 *x, size_t chainidx)
1735{
1aac20f5 1736#ifndef OPENSSL_NO_TLS1_3
43054d3d
MC		 1737 unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie;
1738 unsigned char *hmac, *hmac2;
3fa2812f 1739 size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen;
43054d3d
MC		 1740 EVP_MD_CTX *hctx;
1741 EVP_PKEY *pkey;
1742 int ret = EXT_RETURN_FAIL;
38b051a1
TM		 1743 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
1744 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
43054d3d 1745
555cbb32 1746 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0)
43054d3d
MC		 1747 return EXT_RETURN_NOT_SENT;
1748
38b051a1 1749 if (sctx->gen_stateless_cookie_cb == NULL) {
c48ffbcc 1750 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_COOKIE_CALLBACK_SET);
e440f513
MC		 1751 return EXT_RETURN_FAIL;
1752 }
1753
43054d3d
MC		 1754 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
1755 || !WPACKET_start_sub_packet_u16(pkt)
1756 || !WPACKET_start_sub_packet_u16(pkt)
1757 || !WPACKET_get_total_written(pkt, &startlen)
1758 || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie)
1759 || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION)
1760 || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION)
555cbb32 1761 || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
38b051a1
TM		 1762 || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt,
1763 &ciphlen)
43054d3d 1764 /* Is there a key_share extension present in this HRR? */
555cbb32 1765 || !WPACKET_put_bytes_u8(pkt, s->s3.peer_tmp == NULL)
e8a557dc 1766 || !WPACKET_put_bytes_u64(pkt, time(NULL))
43054d3d
MC		 1767 || !WPACKET_start_sub_packet_u16(pkt)
1768 || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &hashval1)) {
c48ffbcc 1769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1770 return EXT_RETURN_FAIL;
1771 }
1772
1773 /*
1774 * Get the hash of the initial ClientHello. ssl_handshake_hash() operates
1775 * on raw buffers, so we first reserve sufficient bytes (above) and then
1776 * subsequently allocate them (below)
1777 */
1778 if (!ssl3_digest_cached_records(s, 0)
1779 || !ssl_handshake_hash(s, hashval1, EVP_MAX_MD_SIZE, &hashlen)) {
1780 /* SSLfatal() already called */
1781 return EXT_RETURN_FAIL;
1782 }
1783
1784 if (!WPACKET_allocate_bytes(pkt, hashlen, &hashval2)
1785 || !ossl_assert(hashval1 == hashval2)
1786 || !WPACKET_close(pkt)
1787 || !WPACKET_start_sub_packet_u8(pkt)
1788 || !WPACKET_reserve_bytes(pkt, SSL_COOKIE_LENGTH, &appcookie1)) {
c48ffbcc 1789 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1790 return EXT_RETURN_FAIL;
1791 }
1792
1793 /* Generate the application cookie */
38b051a1
TM		 1794 if (sctx->gen_stateless_cookie_cb(ssl, appcookie1,
1795 &appcookielen) == 0) {
c48ffbcc 1796 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
43054d3d
MC		 1797 return EXT_RETURN_FAIL;
1798 }
1799
1800 if (!WPACKET_allocate_bytes(pkt, appcookielen, &appcookie2)
1801 || !ossl_assert(appcookie1 == appcookie2)
1802 || !WPACKET_close(pkt)
1803 || !WPACKET_get_total_written(pkt, &totcookielen)
1804 || !WPACKET_reserve_bytes(pkt, SHA256_DIGEST_LENGTH, &hmac)) {
c48ffbcc 1805 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1806 return EXT_RETURN_FAIL;
1807 }
1808 hmaclen = SHA256_DIGEST_LENGTH;
1809
1810 totcookielen -= startlen;
1811 if (!ossl_assert(totcookielen <= MAX_COOKIE_SIZE - SHA256_DIGEST_LENGTH)) {
c48ffbcc 1812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1813 return EXT_RETURN_FAIL;
1814 }
1815
1816 /* HMAC the cookie */
1817 hctx = EVP_MD_CTX_create();
38b051a1
TM		 1818 pkey = EVP_PKEY_new_raw_private_key_ex(sctx->libctx, "HMAC",
1819 sctx->propq,
d8652be0
MC		 1820 s->session_ctx->ext.cookie_hmac_key,
1821 sizeof(s->session_ctx->ext.cookie_hmac_key));
43054d3d 1822 if (hctx == NULL || pkey == NULL) {
c48ffbcc 1823 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
43054d3d
MC		 1824 goto err;
1825 }
1826
38b051a1
TM		 1827 if (EVP_DigestSignInit_ex(hctx, NULL, "SHA2-256", sctx->libctx,
1828 sctx->propq, pkey, NULL) <= 0
43054d3d
MC		 1829 || EVP_DigestSign(hctx, hmac, &hmaclen, cookie,
1830 totcookielen) <= 0) {
c48ffbcc 1831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1832 goto err;
1833 }
1834
1835 if (!ossl_assert(totcookielen + hmaclen <= MAX_COOKIE_SIZE)) {
c48ffbcc 1836 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1837 goto err;
1838 }
1839
1840 if (!WPACKET_allocate_bytes(pkt, hmaclen, &hmac2)
1841 || !ossl_assert(hmac == hmac2)
1842 || !ossl_assert(cookie == hmac - totcookielen)
1843 || !WPACKET_close(pkt)
1844 || !WPACKET_close(pkt)) {
c48ffbcc 1845 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43054d3d
MC		 1846 goto err;
1847 }
1848
1849 ret = EXT_RETURN_SENT;
1850
1851 err:
1852 EVP_MD_CTX_free(hctx);
1853 EVP_PKEY_free(pkey);
1854 return ret;
1aac20f5
MC		 1855#else
1856 return EXT_RETURN_FAIL;
1857#endif
43054d3d
MC		 1858}
1859
38b051a1 1860EXT_RETURN tls_construct_stoc_cryptopro_bug(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1861 unsigned int context, X509 *x,
f63a17d6 1862 size_t chainidx)
7da160b0
MC		 1863{
1864 const unsigned char cryptopro_ext[36] = {
1865 0xfd, 0xe8, /* 65000 */
1866 0x00, 0x20, /* 32 bytes length */
1867 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1868 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1869 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1870 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1871 };
1872
555cbb32
TS		 1873 if (((s->s3.tmp.new_cipher->id & 0xFFFF) != 0x80
1874 && (s->s3.tmp.new_cipher->id & 0xFFFF) != 0x81)
38b051a1
TM		 1875 || (SSL_get_options(SSL_CONNECTION_GET_SSL(s))
1876 & SSL_OP_CRYPTOPRO_TLSEXT_BUG) == 0)
b186a592 1877 return EXT_RETURN_NOT_SENT;
7da160b0
MC		 1878
1879 if (!WPACKET_memcpy(pkt, cryptopro_ext, sizeof(cryptopro_ext))) {
c48ffbcc 1880 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1881 return EXT_RETURN_FAIL;
7da160b0
MC		 1882 }
1883
b186a592 1884 return EXT_RETURN_SENT;
7da160b0 1885}
0247086d 1886
38b051a1 1887EXT_RETURN tls_construct_stoc_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 1888 unsigned int context, X509 *x,
f63a17d6 1889 size_t chainidx)
38df5a45 1890{
fe874d27 1891 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f 1892 if (s->max_early_data == 0)
b186a592 1893 return EXT_RETURN_NOT_SENT;
6594189f
MC		 1894
1895 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1896 || !WPACKET_start_sub_packet_u16(pkt)
1897 || !WPACKET_put_bytes_u32(pkt, s->max_early_data)
1898 || !WPACKET_close(pkt)) {
c48ffbcc 1899 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1900 return EXT_RETURN_FAIL;
6594189f
MC		 1901 }
1902
b186a592 1903 return EXT_RETURN_SENT;
6594189f
MC		 1904 }
1905
38df5a45 1906 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED)
b186a592 1907 return EXT_RETURN_NOT_SENT;
38df5a45
MC		 1908
1909 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
1910 || !WPACKET_start_sub_packet_u16(pkt)
1911 || !WPACKET_close(pkt)) {
c48ffbcc 1912 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1913 return EXT_RETURN_FAIL;
38df5a45
MC		 1914 }
1915
b186a592 1916 return EXT_RETURN_SENT;
38df5a45
MC		 1917}
1918
38b051a1
TM		 1919EXT_RETURN tls_construct_stoc_psk(SSL_CONNECTION *s, WPACKET *pkt,
1920 unsigned int context,
f63a17d6 1921 X509 *x, size_t chainidx)
0247086d
MC		 1922{
1923 if (!s->hit)
b186a592 1924 return EXT_RETURN_NOT_SENT;
0247086d
MC		 1925
1926 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1927 || !WPACKET_start_sub_packet_u16(pkt)
c96ce52c 1928 || !WPACKET_put_bytes_u16(pkt, s->ext.tick_identity)
0247086d 1929 || !WPACKET_close(pkt)) {
c48ffbcc 1930 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 1931 return EXT_RETURN_FAIL;
0247086d
MC		 1932 }
1933
b186a592 1934 return EXT_RETURN_SENT;
0247086d 1935}
A mirror of the official openssl repository