]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/statem/extensions_clnt.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use empty renegotiate extension instead of SCSV for TLS > 1.0
[thirdparty/openssl.git] / ssl / statem / extensions_clnt.c
CommitLineData
6dd083fd 1/*
3c95ef22 2 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
6dd083fd 3 *
2c18d164 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
6dd083fd
MC		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
ab83e314 10#include <openssl/ocsp.h>
706457b7 11#include "../ssl_local.h"
67dc995e 12#include "internal/cryptlib.h"
706457b7 13#include "statem_local.h"
6dd083fd 14
38b051a1 15EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 16 unsigned int context, X509 *x,
f63a17d6 17 size_t chainidx)
ab83e314 18{
972ee925
TP		 19 if (!s->renegotiate) {
20 /* If not renegotiating, send an empty RI extension to indicate support */
ab83e314 21
972ee925
TP		 22#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
23# error Internal DTLS version error
24#endif
25
26 if (!SSL_CONNECTION_IS_DTLS(s)
27 && (s->min_proto_version >= TLS1_3_VERSION
28 || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
29 && s->min_proto_version <= TLS1_VERSION))) {
30 /*
31 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this
32 * extension isn't used at all.
33 */
34 return EXT_RETURN_NOT_SENT;
35 }
36
37
38 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
39 || !WPACKET_start_sub_packet_u16(pkt)
40 || !WPACKET_put_bytes_u8(pkt, 0)
41 || !WPACKET_close(pkt)) {
42 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
43 return EXT_RETURN_FAIL;
44 }
45
46 return EXT_RETURN_SENT;
47 }
48
49 /* Add a complete RI extension if renegotiating */
ab83e314
MC		 50 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
51 || !WPACKET_start_sub_packet_u16(pkt)
555cbb32
TS		 52 || !WPACKET_sub_memcpy_u8(pkt, s->s3.previous_client_finished,
53 s->s3.previous_client_finished_len)
ab83e314 54 || !WPACKET_close(pkt)) {
c48ffbcc 55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 56 return EXT_RETURN_FAIL;
ab83e314
MC		 57 }
58
b186a592 59 return EXT_RETURN_SENT;
ab83e314
MC		 60}
61
38b051a1 62EXT_RETURN tls_construct_ctos_server_name(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 63 unsigned int context, X509 *x,
f63a17d6 64 size_t chainidx)
ab83e314 65{
aff8c126 66 if (s->ext.hostname == NULL)
b186a592 67 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 68
69 /* Add TLS extension servername to the Client Hello message */
70 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
71 /* Sub-packet for server_name extension */
72 || !WPACKET_start_sub_packet_u16(pkt)
73 /* Sub-packet for servername list (always 1 hostname)*/
74 || !WPACKET_start_sub_packet_u16(pkt)
75 || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
aff8c126
RS		 76 || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
77 strlen(s->ext.hostname))
ab83e314
MC		 78 || !WPACKET_close(pkt)
79 || !WPACKET_close(pkt)) {
c48ffbcc 80 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 81 return EXT_RETURN_FAIL;
ab83e314
MC		 82 }
83
b186a592 84 return EXT_RETURN_SENT;
ab83e314
MC		 85}
86
cf72c757 87/* Push a Max Fragment Len extension into ClientHello */
38b051a1 88EXT_RETURN tls_construct_ctos_maxfragmentlen(SSL_CONNECTION *s, WPACKET *pkt,
cf72c757 89 unsigned int context, X509 *x,
f63a17d6 90 size_t chainidx)
cf72c757
F		 91{
92 if (s->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_DISABLED)
93 return EXT_RETURN_NOT_SENT;
94
95 /* Add Max Fragment Length extension if client enabled it. */
96 /*-
97 * 4 bytes for this extension type and extension length
98 * 1 byte for the Max Fragment Length code value.
99 */
100 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_max_fragment_length)
101 /* Sub-packet for Max Fragment Length extension (1 byte) */
102 || !WPACKET_start_sub_packet_u16(pkt)
103 || !WPACKET_put_bytes_u8(pkt, s->ext.max_fragment_len_mode)
104 || !WPACKET_close(pkt)) {
c48ffbcc 105 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cf72c757
F		 106 return EXT_RETURN_FAIL;
107 }
108
109 return EXT_RETURN_SENT;
110}
111
ab83e314 112#ifndef OPENSSL_NO_SRP
38b051a1
TM		 113EXT_RETURN tls_construct_ctos_srp(SSL_CONNECTION *s, WPACKET *pkt,
114 unsigned int context,
f63a17d6 115 X509 *x, size_t chainidx)
ab83e314
MC		 116{
117 /* Add SRP username if there is one */
118 if (s->srp_ctx.login == NULL)
b186a592 119 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 120
121 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_srp)
122 /* Sub-packet for SRP extension */
123 || !WPACKET_start_sub_packet_u16(pkt)
124 || !WPACKET_start_sub_packet_u8(pkt)
125 /* login must not be zero...internal error if so */
126 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
127 || !WPACKET_memcpy(pkt, s->srp_ctx.login,
128 strlen(s->srp_ctx.login))
129 || !WPACKET_close(pkt)
130 || !WPACKET_close(pkt)) {
c48ffbcc 131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 132 return EXT_RETURN_FAIL;
ab83e314
MC		 133 }
134
b186a592 135 return EXT_RETURN_SENT;
ab83e314
MC		 136}
137#endif
138
38b051a1 139static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
ab83e314 140{
589b6227 141 int i, end, ret = 0;
ab83e314
MC		 142 unsigned long alg_k, alg_a;
143 STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
dbc6268f
MC		 144 const uint16_t *pgroups = NULL;
145 size_t num_groups, j;
38b051a1 146 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
ab83e314
MC		 147
148 /* See if we support any ECC ciphersuites */
149 if (s->version == SSL3_VERSION)
150 return 0;
151
38b051a1 152 cipher_stack = SSL_get1_supported_ciphers(ssl);
1266eefd
MC		 153 end = sk_SSL_CIPHER_num(cipher_stack);
154 for (i = 0; i < end; i++) {
ab83e314
MC		 155 const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
156
157 alg_k = c->algorithm_mkey;
158 alg_a = c->algorithm_auth;
159 if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
1266eefd 160 || (alg_a & SSL_aECDSA)
589b6227
MC		 161 || c->min_tls >= TLS1_3_VERSION) {
162 ret = 1;
163 break;
164 }
ab83e314 165 }
589b6227 166 sk_SSL_CIPHER_free(cipher_stack);
dbc6268f
MC		 167 if (!ret)
168 return 0;
169
170 /* Check we have at least one EC supported group */
171 tls1_get_supported_groups(s, &pgroups, &num_groups);
172 for (j = 0; j < num_groups; j++) {
173 uint16_t ctmp = pgroups[j];
174
8b1db5d3 175 if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
dbc6268f
MC		 176 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
177 return 1;
178 }
179
180 return 0;
ab83e314
MC		 181}
182
38b051a1 183EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 184 unsigned int context, X509 *x,
f63a17d6 185 size_t chainidx)
ab83e314
MC		 186{
187 const unsigned char *pformats;
188 size_t num_formats;
dbc6268f 189 int reason, min_version, max_version;
ab83e314 190
dbc6268f
MC		 191 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
192 if (reason != 0) {
c48ffbcc 193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
dbc6268f
MC		 194 return EXT_RETURN_FAIL;
195 }
9d2d857f 196 if (!use_ecc(s, min_version, max_version))
b186a592 197 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 198
199 /* Add TLS extension ECPointFormats to the ClientHello message */
ab83e314
MC		 200 tls1_get_formatlist(s, &pformats, &num_formats);
201
202 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
203 /* Sub-packet for formats extension */
204 || !WPACKET_start_sub_packet_u16(pkt)
205 || !WPACKET_sub_memcpy_u8(pkt, pformats, num_formats)
206 || !WPACKET_close(pkt)) {
c48ffbcc 207 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 208 return EXT_RETURN_FAIL;
ab83e314
MC		 209 }
210
b186a592 211 return EXT_RETURN_SENT;
ab83e314
MC		 212}
213
38b051a1 214EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 215 unsigned int context, X509 *x,
f63a17d6 216 size_t chainidx)
ab83e314 217{
f48d826e 218 const uint16_t *pgroups = NULL;
8b1db5d3 219 size_t num_groups = 0, i, tls13added = 0, added = 0;
9aaecbfc 220 int min_version, max_version, reason;
ab83e314 221
9aaecbfc 222 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
223 if (reason != 0) {
c48ffbcc 224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
9aaecbfc 225 return EXT_RETURN_FAIL;
226 }
227
8b1db5d3
MC		 228 /*
229 * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
230 * if we don't have EC support then we don't send this extension.
231 */
232 if (!use_ecc(s, min_version, max_version)
38b051a1 233 && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
dbc6268f 234 return EXT_RETURN_NOT_SENT;
dbc6268f 235
ab83e314
MC		 236 /*
237 * Add TLS extension supported_groups to the ClientHello message
238 */
f48d826e 239 tls1_get_supported_groups(s, &pgroups, &num_groups);
ab83e314
MC		 240
241 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_groups)
242 /* Sub-packet for supported_groups extension */
243 || !WPACKET_start_sub_packet_u16(pkt)
9aaecbfc 244 || !WPACKET_start_sub_packet_u16(pkt)
245 || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)) {
c48ffbcc 246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 247 return EXT_RETURN_FAIL;
ab83e314 248 }
9aaecbfc 249 /* Copy group ID if supported */
f48d826e
DSH		 250 for (i = 0; i < num_groups; i++) {
251 uint16_t ctmp = pgroups[i];
8b1db5d3 252 int okfortls13;
9e84a42d 253
8b1db5d3 254 if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
dbc6268f 255 && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
9e84a42d 256 if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
c48ffbcc 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9aaecbfc 258 return EXT_RETURN_FAIL;
259 }
8b1db5d3
MC		 260 if (okfortls13 && max_version == TLS1_3_VERSION)
261 tls13added++;
262 added++;
ab83e314
MC		 263 }
264 }
265 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
9afc6c54 266 if (added == 0)
8b1db5d3
MC		 267 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
268 "No groups enabled for max supported SSL/TLS version");
269 else
270 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 271 return EXT_RETURN_FAIL;
9afc6c54
MC		 272 }
273
274 if (tls13added == 0 && max_version == TLS1_3_VERSION) {
275 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
276 "No groups enabled for max supported SSL/TLS version");
277 return EXT_RETURN_FAIL;
ab83e314
MC		 278 }
279
b186a592 280 return EXT_RETURN_SENT;
ab83e314 281}
ab83e314 282
38b051a1 283EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 284 unsigned int context, X509 *x,
f63a17d6 285 size_t chainidx)
ab83e314
MC		 286{
287 size_t ticklen;
288
289 if (!tls_use_ticket(s))
b186a592 290 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 291
292 if (!s->new_session && s->session != NULL
08191294
MC		 293 && s->session->ext.tick != NULL
294 && s->session->ssl_version != TLS1_3_VERSION) {
aff8c126
RS		 295 ticklen = s->session->ext.ticklen;
296 } else if (s->session && s->ext.session_ticket != NULL
297 && s->ext.session_ticket->data != NULL) {
298 ticklen = s->ext.session_ticket->length;
299 s->session->ext.tick = OPENSSL_malloc(ticklen);
300 if (s->session->ext.tick == NULL) {
c48ffbcc 301 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 302 return EXT_RETURN_FAIL;
ab83e314 303 }
aff8c126
RS		 304 memcpy(s->session->ext.tick,
305 s->ext.session_ticket->data, ticklen);
306 s->session->ext.ticklen = ticklen;
ab83e314
MC		 307 } else {
308 ticklen = 0;
309 }
310
aff8c126
RS		 311 if (ticklen == 0 && s->ext.session_ticket != NULL &&
312 s->ext.session_ticket->data == NULL)
b186a592 313 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 314
315 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
aff8c126 316 || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
c48ffbcc 317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 318 return EXT_RETURN_FAIL;
ab83e314
MC		 319 }
320
b186a592 321 return EXT_RETURN_SENT;
ab83e314
MC		 322}
323
38b051a1 324EXT_RETURN tls_construct_ctos_sig_algs(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 325 unsigned int context, X509 *x,
f63a17d6 326 size_t chainidx)
ab83e314
MC		 327{
328 size_t salglen;
98c792d1 329 const uint16_t *salg;
ab83e314
MC		 330
331 if (!SSL_CLIENT_USE_SIGALGS(s))
b186a592 332 return EXT_RETURN_NOT_SENT;
ab83e314 333
a9669ddc 334 salglen = tls12_get_psigalgs(s, 1, &salg);
ab83e314
MC		 335 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signature_algorithms)
336 /* Sub-packet for sig-algs extension */
337 || !WPACKET_start_sub_packet_u16(pkt)
338 /* Sub-packet for the actual list */
339 || !WPACKET_start_sub_packet_u16(pkt)
340 || !tls12_copy_sigalgs(s, pkt, salg, salglen)
341 || !WPACKET_close(pkt)
342 || !WPACKET_close(pkt)) {
c48ffbcc 343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 344 return EXT_RETURN_FAIL;
ab83e314
MC		 345 }
346
b186a592 347 return EXT_RETURN_SENT;
ab83e314
MC		 348}
349
350#ifndef OPENSSL_NO_OCSP
38b051a1 351EXT_RETURN tls_construct_ctos_status_request(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 352 unsigned int context, X509 *x,
f63a17d6 353 size_t chainidx)
ab83e314
MC		 354{
355 int i;
356
e96e0f8e
MC		 357 /* This extension isn't defined for client Certificates */
358 if (x != NULL)
b186a592 359 return EXT_RETURN_NOT_SENT;
e96e0f8e 360
aff8c126 361 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
b186a592 362 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 363
364 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
365 /* Sub-packet for status request extension */
366 || !WPACKET_start_sub_packet_u16(pkt)
367 || !WPACKET_put_bytes_u8(pkt, TLSEXT_STATUSTYPE_ocsp)
368 /* Sub-packet for the ids */
369 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 371 return EXT_RETURN_FAIL;
ab83e314 372 }
aff8c126 373 for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
ab83e314 374 unsigned char *idbytes;
aff8c126 375 OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
1266eefd 376 int idlen = i2d_OCSP_RESPID(id, NULL);
ab83e314 377
ab83e314
MC		 378 if (idlen <= 0
379 /* Sub-packet for an individual id */
380 || !WPACKET_sub_allocate_bytes_u16(pkt, idlen, &idbytes)
381 || i2d_OCSP_RESPID(id, &idbytes) != idlen) {
c48ffbcc 382 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 383 return EXT_RETURN_FAIL;
ab83e314
MC		 384 }
385 }
386 if (!WPACKET_close(pkt)
387 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 388 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 389 return EXT_RETURN_FAIL;
ab83e314 390 }
aff8c126 391 if (s->ext.ocsp.exts) {
ab83e314 392 unsigned char *extbytes;
aff8c126 393 int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
ab83e314
MC		 394
395 if (extlen < 0) {
c48ffbcc 396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 397 return EXT_RETURN_FAIL;
ab83e314
MC		 398 }
399 if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
aff8c126 400 || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
ab83e314 401 != extlen) {
c48ffbcc 402 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 403 return EXT_RETURN_FAIL;
ab83e314
MC		 404 }
405 }
406 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 408 return EXT_RETURN_FAIL;
ab83e314
MC		 409 }
410
b186a592 411 return EXT_RETURN_SENT;
ab83e314
MC		 412}
413#endif
414
415#ifndef OPENSSL_NO_NEXTPROTONEG
38b051a1
TM		 416EXT_RETURN tls_construct_ctos_npn(SSL_CONNECTION *s, WPACKET *pkt,
417 unsigned int context,
f63a17d6 418 X509 *x, size_t chainidx)
ab83e314 419{
38b051a1
TM		 420 if (SSL_CONNECTION_GET_CTX(s)->ext.npn_select_cb == NULL
421 || !SSL_IS_FIRST_HANDSHAKE(s))
b186a592 422 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 423
424 /*
425 * The client advertises an empty extension to indicate its support
426 * for Next Protocol Negotiation
427 */
428 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
429 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 430 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 431 return EXT_RETURN_FAIL;
ab83e314
MC		 432 }
433
b186a592 434 return EXT_RETURN_SENT;
ab83e314
MC		 435}
436#endif
437
38b051a1
TM		 438EXT_RETURN tls_construct_ctos_alpn(SSL_CONNECTION *s, WPACKET *pkt,
439 unsigned int context,
f63a17d6 440 X509 *x, size_t chainidx)
ab83e314 441{
555cbb32 442 s->s3.alpn_sent = 0;
ab83e314 443
c7f47786 444 if (s->ext.alpn == NULL || !SSL_IS_FIRST_HANDSHAKE(s))
b186a592 445 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 446
447 if (!WPACKET_put_bytes_u16(pkt,
448 TLSEXT_TYPE_application_layer_protocol_negotiation)
449 /* Sub-packet ALPN extension */
450 || !WPACKET_start_sub_packet_u16(pkt)
aff8c126 451 || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
ab83e314 452 || !WPACKET_close(pkt)) {
c48ffbcc 453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 454 return EXT_RETURN_FAIL;
ab83e314 455 }
555cbb32 456 s->s3.alpn_sent = 1;
ab83e314 457
b186a592 458 return EXT_RETURN_SENT;
ab83e314
MC		 459}
460
461
462#ifndef OPENSSL_NO_SRTP
38b051a1 463EXT_RETURN tls_construct_ctos_use_srtp(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 464 unsigned int context, X509 *x,
f63a17d6 465 size_t chainidx)
ab83e314 466{
38b051a1
TM		 467 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
468 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = SSL_get_srtp_profiles(ssl);
1266eefd 469 int i, end;
ab83e314
MC		 470
471 if (clnt == NULL)
b186a592 472 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 473
474 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_use_srtp)
475 /* Sub-packet for SRTP extension */
476 || !WPACKET_start_sub_packet_u16(pkt)
477 /* Sub-packet for the protection profile list */
478 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 480 return EXT_RETURN_FAIL;
ab83e314 481 }
1266eefd
MC		 482
483 end = sk_SRTP_PROTECTION_PROFILE_num(clnt);
484 for (i = 0; i < end; i++) {
485 const SRTP_PROTECTION_PROFILE *prof =
486 sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
487
ab83e314 488 if (prof == NULL || !WPACKET_put_bytes_u16(pkt, prof->id)) {
c48ffbcc 489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 490 return EXT_RETURN_FAIL;
ab83e314
MC		 491 }
492 }
493 if (!WPACKET_close(pkt)
494 /* Add an empty use_mki value */
495 || !WPACKET_put_bytes_u8(pkt, 0)
496 || !WPACKET_close(pkt)) {
c48ffbcc 497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 498 return EXT_RETURN_FAIL;
ab83e314
MC		 499 }
500
b186a592 501 return EXT_RETURN_SENT;
ab83e314
MC		 502}
503#endif
504
38b051a1
TM		 505EXT_RETURN tls_construct_ctos_etm(SSL_CONNECTION *s, WPACKET *pkt,
506 unsigned int context,
f63a17d6 507 X509 *x, size_t chainidx)
ab83e314
MC		 508{
509 if (s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
b186a592 510 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 511
512 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_encrypt_then_mac)
513 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 514 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 515 return EXT_RETURN_FAIL;
ab83e314
MC		 516 }
517
b186a592 518 return EXT_RETURN_SENT;
ab83e314
MC		 519}
520
521#ifndef OPENSSL_NO_CT
38b051a1
TM		 522EXT_RETURN tls_construct_ctos_sct(SSL_CONNECTION *s, WPACKET *pkt,
523 unsigned int context,
f63a17d6 524 X509 *x, size_t chainidx)
ab83e314
MC		 525{
526 if (s->ct_validation_callback == NULL)
b186a592 527 return EXT_RETURN_NOT_SENT;
ab83e314 528
e96e0f8e
MC		 529 /* Not defined for client Certificates */
530 if (x != NULL)
b186a592 531 return EXT_RETURN_NOT_SENT;
e96e0f8e 532
ab83e314
MC		 533 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_signed_certificate_timestamp)
534 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 535 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 536 return EXT_RETURN_FAIL;
ab83e314
MC		 537 }
538
b186a592 539 return EXT_RETURN_SENT;
ab83e314
MC		 540}
541#endif
542
38b051a1
TM		 543EXT_RETURN tls_construct_ctos_ems(SSL_CONNECTION *s, WPACKET *pkt,
544 unsigned int context,
f63a17d6 545 X509 *x, size_t chainidx)
ab83e314 546{
088dfa13
TS		 547 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
548 return EXT_RETURN_NOT_SENT;
549
ab83e314
MC		 550 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret)
551 || !WPACKET_put_bytes_u16(pkt, 0)) {
c48ffbcc 552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 553 return EXT_RETURN_FAIL;
ab83e314
MC		 554 }
555
b186a592 556 return EXT_RETURN_SENT;
ab83e314
MC		 557}
558
38b051a1 559EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 560 unsigned int context, X509 *x,
f63a17d6 561 size_t chainidx)
ab83e314
MC		 562{
563 int currv, min_version, max_version, reason;
564
b5b993b2 565 reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
88050dd1 566 if (reason != 0) {
c48ffbcc 567 SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
88050dd1
MC		 568 return EXT_RETURN_FAIL;
569 }
570
571 /*
572 * Don't include this if we can't negotiate TLSv1.3. We can do a straight
573 * comparison here because we will never be called in DTLS.
574 */
575 if (max_version < TLS1_3_VERSION)
576 return EXT_RETURN_NOT_SENT;
577
ab83e314
MC		 578 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions)
579 || !WPACKET_start_sub_packet_u16(pkt)
580 || !WPACKET_start_sub_packet_u8(pkt)) {
c48ffbcc 581 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 582 return EXT_RETURN_FAIL;
ab83e314
MC		 583 }
584
ab83e314 585 for (currv = max_version; currv >= min_version; currv--) {
35e742ec 586 if (!WPACKET_put_bytes_u16(pkt, currv)) {
c48ffbcc 587 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 588 return EXT_RETURN_FAIL;
ab83e314
MC		 589 }
590 }
591 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 593 return EXT_RETURN_FAIL;
ab83e314
MC		 594 }
595
b186a592 596 return EXT_RETURN_SENT;
ab83e314
MC		 597}
598
b2f7e8c0 599/*
e3c0d76b 600 * Construct a psk_kex_modes extension.
b2f7e8c0 601 */
38b051a1 602EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 603 unsigned int context, X509 *x,
f63a17d6 604 size_t chainidx)
b2f7e8c0
MC		 605{
606#ifndef OPENSSL_NO_TLS1_3
e3c0d76b
MC		 607 int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX;
608
b2f7e8c0
MC		 609 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes)
610 || !WPACKET_start_sub_packet_u16(pkt)
611 || !WPACKET_start_sub_packet_u8(pkt)
612 || !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE_DHE)
e3c0d76b 613 || (nodhe && !WPACKET_put_bytes_u8(pkt, TLSEXT_KEX_MODE_KE))
b2f7e8c0
MC		 614 || !WPACKET_close(pkt)
615 || !WPACKET_close(pkt)) {
c48ffbcc 616 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 617 return EXT_RETURN_FAIL;
b2f7e8c0 618 }
b3ad72ce 619
e3c0d76b
MC		 620 s->ext.psk_kex_mode = TLSEXT_KEX_MODE_FLAG_KE_DHE;
621 if (nodhe)
622 s->ext.psk_kex_mode |= TLSEXT_KEX_MODE_FLAG_KE;
b2f7e8c0
MC		 623#endif
624
b186a592 625 return EXT_RETURN_SENT;
b2f7e8c0
MC		 626}
627
3847d426 628#ifndef OPENSSL_NO_TLS1_3
38b051a1 629static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id)
3847d426 630{
7b1ec1cf
MC		 631 unsigned char *encoded_point = NULL;
632 EVP_PKEY *key_share_key = NULL;
3847d426
MC		 633 size_t encodedlen;
634
555cbb32 635 if (s->s3.tmp.pkey != NULL) {
fc7129dc 636 if (!ossl_assert(s->hello_retry_request == SSL_HRR_PENDING)) {
c48ffbcc 637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
d8028b20 638 return 0;
7b1ec1cf
MC		 639 }
640 /*
641 * Could happen if we got an HRR that wasn't requesting a new key_share
642 */
555cbb32 643 key_share_key = s->s3.tmp.pkey;
7b1ec1cf 644 } else {
f63a17d6 645 key_share_key = ssl_generate_pkey_group(s, curve_id);
7b1ec1cf 646 if (key_share_key == NULL) {
f63a17d6 647 /* SSLfatal() already called */
d8028b20 648 return 0;
7b1ec1cf 649 }
3847d426
MC		 650 }
651
652 /* Encode the public key. */
5ac8fb58
MC		 653 encodedlen = EVP_PKEY_get1_encoded_public_key(key_share_key,
654 &encoded_point);
3847d426 655 if (encodedlen == 0) {
c48ffbcc 656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
7b1ec1cf 657 goto err;
3847d426
MC		 658 }
659
660 /* Create KeyShareEntry */
16f0e91c 661 if (!WPACKET_put_bytes_u16(pkt, curve_id)
2248dbeb 662 || !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
c48ffbcc 663 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
7b1ec1cf 664 goto err;
3847d426
MC		 665 }
666
667 /*
407820c0 668 * When changing to send more than one key_share we're
3847d426
MC		 669 * going to need to be able to save more than one EVP_PKEY. For now
670 * we reuse the existing tmp.pkey
671 */
555cbb32
TS		 672 s->s3.tmp.pkey = key_share_key;
673 s->s3.group_id = curve_id;
2248dbeb 674 OPENSSL_free(encoded_point);
3847d426 675
d8028b20 676 return 1;
7b1ec1cf 677 err:
555cbb32 678 if (s->s3.tmp.pkey == NULL)
7b1ec1cf
MC		 679 EVP_PKEY_free(key_share_key);
680 OPENSSL_free(encoded_point);
d8028b20 681 return 0;
3847d426
MC		 682}
683#endif
684
38b051a1 685EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 686 unsigned int context, X509 *x,
f63a17d6 687 size_t chainidx)
ab83e314 688{
3cf96e88 689#ifndef OPENSSL_NO_TLS1_3
f48d826e
DSH		 690 size_t i, num_groups = 0;
691 const uint16_t *pgroups = NULL;
9e84a42d 692 uint16_t curve_id = 0;
ab83e314
MC		 693
694 /* key_share extension */
695 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
696 /* Extension data sub-packet */
697 || !WPACKET_start_sub_packet_u16(pkt)
698 /* KeyShare list sub-packet */
699 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 700 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 701 return EXT_RETURN_FAIL;
ab83e314
MC		 702 }
703
f48d826e 704 tls1_get_supported_groups(s, &pgroups, &num_groups);
ab83e314
MC		 705
706 /*
407820c0
P		 707 * Make the number of key_shares sent configurable. For
708 * now, we just send one
ab83e314 709 */
555cbb32
TS		 710 if (s->s3.group_id != 0) {
711 curve_id = s->s3.group_id;
3847d426 712 } else {
f48d826e 713 for (i = 0; i < num_groups; i++) {
dbc6268f 714 if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
3847d426 715 continue;
ab83e314 716
247b8e52
MC		 717 if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
718 0, NULL))
719 continue;
720
f48d826e 721 curve_id = pgroups[i];
3847d426 722 break;
ab83e314 723 }
3847d426 724 }
ab83e314 725
3847d426 726 if (curve_id == 0) {
c48ffbcc 727 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
b186a592 728 return EXT_RETURN_FAIL;
ab83e314
MC		 729 }
730
f63a17d6
MC		 731 if (!add_key_share(s, pkt, curve_id)) {
732 /* SSLfatal() already called */
b186a592 733 return EXT_RETURN_FAIL;
f63a17d6 734 }
3847d426 735
ab83e314 736 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
c48ffbcc 737 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 738 return EXT_RETURN_FAIL;
ab83e314 739 }
b186a592 740 return EXT_RETURN_SENT;
aa2ed504
TS		 741#else
742 return EXT_RETURN_NOT_SENT;
743#endif
ab83e314
MC		 744}
745
38b051a1
TM		 746EXT_RETURN tls_construct_ctos_cookie(SSL_CONNECTION *s, WPACKET *pkt,
747 unsigned int context,
f63a17d6 748 X509 *x, size_t chainidx)
cfef5027 749{
b186a592 750 EXT_RETURN ret = EXT_RETURN_FAIL;
cfef5027
MC		 751
752 /* Should only be set if we've had an HRR */
753 if (s->ext.tls13_cookie_len == 0)
b186a592 754 return EXT_RETURN_NOT_SENT;
cfef5027
MC		 755
756 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
757 /* Extension data sub-packet */
758 || !WPACKET_start_sub_packet_u16(pkt)
759 || !WPACKET_sub_memcpy_u16(pkt, s->ext.tls13_cookie,
760 s->ext.tls13_cookie_len)
761 || !WPACKET_close(pkt)) {
c48ffbcc 762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
cfef5027
MC		 763 goto end;
764 }
765
b186a592 766 ret = EXT_RETURN_SENT;
cfef5027
MC		 767 end:
768 OPENSSL_free(s->ext.tls13_cookie);
febb0afa 769 s->ext.tls13_cookie = NULL;
cfef5027
MC		 770 s->ext.tls13_cookie_len = 0;
771
772 return ret;
773}
774
38b051a1 775EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 776 unsigned int context, X509 *x,
f63a17d6 777 size_t chainidx)
38df5a45 778{
696de86f
PW		 779#ifndef OPENSSL_NO_PSK
780 char identity[PSK_MAX_IDENTITY_LEN + 1];
781#endif /* OPENSSL_NO_PSK */
ccb76685 782 const unsigned char *id = NULL;
fff202e5 783 size_t idlen = 0;
add8d0e9 784 SSL_SESSION *psksess = NULL;
ffc5bbaa 785 SSL_SESSION *edsess = NULL;
add8d0e9 786 const EVP_MD *handmd = NULL;
38b051a1 787 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
add8d0e9 788
fc7129dc 789 if (s->hello_retry_request == SSL_HRR_PENDING)
add8d0e9
MC		 790 handmd = ssl_handshake_md(s);
791
792 if (s->psk_use_session_cb != NULL
38b051a1 793 && (!s->psk_use_session_cb(ssl, handmd, &id, &idlen, &psksess)
ffc5bbaa
MC		 794 || (psksess != NULL
795 && psksess->ssl_version != TLS1_3_VERSION))) {
796 SSL_SESSION_free(psksess);
c48ffbcc 797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
add8d0e9
MC		 798 return EXT_RETURN_FAIL;
799 }
800
c2b290c3 801#ifndef OPENSSL_NO_PSK
f3d40db1
MC		 802 if (psksess == NULL && s->psk_client_callback != NULL) {
803 unsigned char psk[PSK_MAX_PSK_LEN];
804 size_t psklen = 0;
805
806 memset(identity, 0, sizeof(identity));
38b051a1
TM		 807 psklen = s->psk_client_callback(ssl, NULL,
808 identity, sizeof(identity) - 1,
f3d40db1
MC		 809 psk, sizeof(psk));
810
811 if (psklen > PSK_MAX_PSK_LEN) {
c48ffbcc 812 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 813 return EXT_RETURN_FAIL;
814 } else if (psklen > 0) {
815 const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
816 const SSL_CIPHER *cipher;
817
818 idlen = strlen(identity);
819 if (idlen > PSK_MAX_IDENTITY_LEN) {
c48ffbcc 820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 821 return EXT_RETURN_FAIL;
822 }
823 id = (unsigned char *)identity;
824
825 /*
826 * We found a PSK using an old style callback. We don't know
827 * the digest so we default to SHA256 as per the TLSv1.3 spec
828 */
38b051a1 829 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
f3d40db1 830 if (cipher == NULL) {
c48ffbcc 831 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 832 return EXT_RETURN_FAIL;
833 }
834
835 psksess = SSL_SESSION_new();
836 if (psksess == NULL
837 || !SSL_SESSION_set1_master_key(psksess, psk, psklen)
838 || !SSL_SESSION_set_cipher(psksess, cipher)
839 || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) {
c48ffbcc 840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
f3d40db1
MC		 841 OPENSSL_cleanse(psk, psklen);
842 return EXT_RETURN_FAIL;
843 }
844 OPENSSL_cleanse(psk, psklen);
845 }
846 }
c2b290c3 847#endif /* OPENSSL_NO_PSK */
f3d40db1 848
add8d0e9
MC		 849 SSL_SESSION_free(s->psksession);
850 s->psksession = psksess;
851 if (psksess != NULL) {
852 OPENSSL_free(s->psksession_id);
853 s->psksession_id = OPENSSL_memdup(id, idlen);
854 if (s->psksession_id == NULL) {
39a14059 855 s->psksession_id_len = 0;
c48ffbcc 856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
add8d0e9
MC		 857 return EXT_RETURN_FAIL;
858 }
859 s->psksession_id_len = idlen;
860 }
861
38df5a45 862 if (s->early_data_state != SSL_EARLY_DATA_CONNECTING
add8d0e9
MC		 863 || (s->session->ext.max_early_data == 0
864 && (psksess == NULL || psksess->ext.max_early_data == 0))) {
38df5a45 865 s->max_early_data = 0;
b186a592 866 return EXT_RETURN_NOT_SENT;
38df5a45 867 }
ffc5bbaa
MC		 868 edsess = s->session->ext.max_early_data != 0 ? s->session : psksess;
869 s->max_early_data = edsess->ext.max_early_data;
870
bfab12bb
MC		 871 if (edsess->ext.hostname != NULL) {
872 if (s->ext.hostname == NULL
873 || (s->ext.hostname != NULL
874 && strcmp(s->ext.hostname, edsess->ext.hostname) != 0)) {
f63a17d6 875 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
f63a17d6 876 SSL_R_INCONSISTENT_EARLY_DATA_SNI);
bfab12bb
MC		 877 return EXT_RETURN_FAIL;
878 }
ffc5bbaa
MC		 879 }
880
881 if ((s->ext.alpn == NULL && edsess->ext.alpn_selected != NULL)) {
c48ffbcc 882 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
ffc5bbaa
MC		 883 return EXT_RETURN_FAIL;
884 }
885
886 /*
887 * Verify that we are offering an ALPN protocol consistent with the early
888 * data.
889 */
890 if (edsess->ext.alpn_selected != NULL) {
891 PACKET prots, alpnpkt;
892 int found = 0;
893
894 if (!PACKET_buf_init(&prots, s->ext.alpn, s->ext.alpn_len)) {
c48ffbcc 895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
ffc5bbaa
MC		 896 return EXT_RETURN_FAIL;
897 }
898 while (PACKET_get_length_prefixed_1(&prots, &alpnpkt)) {
899 if (PACKET_equal(&alpnpkt, edsess->ext.alpn_selected,
900 edsess->ext.alpn_selected_len)) {
901 found = 1;
902 break;
903 }
904 }
905 if (!found) {
f63a17d6 906 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
f63a17d6 907 SSL_R_INCONSISTENT_EARLY_DATA_ALPN);
ffc5bbaa
MC		 908 return EXT_RETURN_FAIL;
909 }
910 }
38df5a45
MC		 911
912 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_early_data)
913 || !WPACKET_start_sub_packet_u16(pkt)
914 || !WPACKET_close(pkt)) {
c48ffbcc 915 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 916 return EXT_RETURN_FAIL;
38df5a45
MC		 917 }
918
919 /*
920 * We set this to rejected here. Later, if the server acknowledges the
921 * extension, we set it to accepted.
922 */
923 s->ext.early_data = SSL_EARLY_DATA_REJECTED;
4be3a7c7 924 s->ext.early_data_ok = 1;
38df5a45 925
b186a592 926 return EXT_RETURN_SENT;
38df5a45
MC		 927}
928
1266eefd
MC		 929#define F5_WORKAROUND_MIN_MSG_LEN 0xff
930#define F5_WORKAROUND_MAX_MSG_LEN 0x200
931
d702ad12
MC		 932/*
933 * PSK pre binder overhead =
934 * 2 bytes for TLSEXT_TYPE_psk
935 * 2 bytes for extension length
936 * 2 bytes for identities list length
937 * 2 bytes for identity length
938 * 4 bytes for obfuscated_ticket_age
939 * 2 bytes for binder list length
940 * 1 byte for binder length
941 * The above excludes the number of bytes for the identity itself and the
942 * subsequent binder bytes
943 */
944#define PSK_PRE_BINDER_OVERHEAD (2 + 2 + 2 + 2 + 4 + 2 + 1)
945
38b051a1 946EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt,
b186a592 947 unsigned int context, X509 *x,
f63a17d6 948 size_t chainidx)
ab83e314
MC		 949{
950 unsigned char *padbytes;
951 size_t hlen;
952
953 if ((s->options & SSL_OP_TLSEXT_PADDING) == 0)
b186a592 954 return EXT_RETURN_NOT_SENT;
ab83e314
MC		 955
956 /*
d702ad12
MC		 957 * Add padding to workaround bugs in F5 terminators. See RFC7685.
958 * This code calculates the length of all extensions added so far but
959 * excludes the PSK extension (because that MUST be written last). Therefore
960 * this extension MUST always appear second to last.
ab83e314
MC		 961 */
962 if (!WPACKET_get_total_written(pkt, &hlen)) {
c48ffbcc 963 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b186a592 964 return EXT_RETURN_FAIL;
ab83e314
MC		 965 }
966
d702ad12
MC		 967 /*
968 * If we're going to send a PSK then that will be written out after this
969 * extension, so we need to calculate how long it is going to be.
970 */
971 if (s->session->ssl_version == TLS1_3_VERSION
972 && s->session->ext.ticklen != 0
973 && s->session->cipher != NULL) {
38b051a1
TM		 974 const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s),
975 s->session->cipher->algorithm2);
d702ad12
MC		 976
977 if (md != NULL) {
978 /*
979 * Add the fixed PSK overhead, the identity length and the binder
980 * length.
981 */
982 hlen += PSK_PRE_BINDER_OVERHEAD + s->session->ext.ticklen
ed576acd 983 + EVP_MD_get_size(md);
d702ad12
MC		 984 }
985 }
986
1266eefd 987 if (hlen > F5_WORKAROUND_MIN_MSG_LEN && hlen < F5_WORKAROUND_MAX_MSG_LEN) {
1ee4b98e 988 /* Calculate the amount of padding we need to add */
1266eefd
MC		 989 hlen = F5_WORKAROUND_MAX_MSG_LEN - hlen;
990
991 /*
992 * Take off the size of extension header itself (2 bytes for type and
10ed1b72
TS		 993 * 2 bytes for length bytes), but ensure that the extension is at least
994 * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
995 * 8.x are intolerant of that condition)
1266eefd 996 */
3d85c7f4 997 if (hlen > 4)
ab83e314
MC		 998 hlen -= 4;
999 else
10ed1b72 1000 hlen = 1;
ab83e314
MC		 1001
1002 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_padding)
1003 || !WPACKET_sub_allocate_bytes_u16(pkt, hlen, &padbytes)) {
c48ffbcc 1004 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
eb5fd03b 1005 return EXT_RETURN_FAIL;
ab83e314
MC		 1006 }
1007 memset(padbytes, 0, hlen);
1008 }
1009
b186a592 1010 return EXT_RETURN_SENT;
ab83e314
MC		 1011}
1012
ec15acb6
MC		 1013/*
1014 * Construct the pre_shared_key extension
1015 */
38b051a1
TM		 1016EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
1017 unsigned int context,
f63a17d6 1018 X509 *x, size_t chainidx)
ec15acb6
MC		 1019{
1020#ifndef OPENSSL_NO_TLS1_3
e8a557dc 1021 uint32_t agesec, agems = 0;
add8d0e9 1022 size_t reshashsize = 0, pskhashsize = 0, binderoffset, msglen;
9368f865 1023 unsigned char *resbinder = NULL, *pskbinder = NULL, *msgstart = NULL;
15b1688a 1024 const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
9368f865 1025 int dores = 0;
38b051a1 1026 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
f0131dc0 1027 OSSL_TIME t;
ec15acb6 1028
c96ce52c 1029 s->ext.tick_identity = 0;
ec15acb6 1030
d702ad12
MC		 1031 /*
1032 * Note: At this stage of the code we only support adding a single
1033 * resumption PSK. If we add support for multiple PSKs then the length
1034 * calculations in the padding extension will need to be adjusted.
1035 */
1036
ec15acb6 1037 /*
08191294
MC		 1038 * If this is an incompatible or new session then we have nothing to resume
1039 * so don't add this extension.
ec15acb6 1040 */
08191294 1041 if (s->session->ssl_version != TLS1_3_VERSION
add8d0e9 1042 || (s->session->ext.ticklen == 0 && s->psksession == NULL))
b186a592 1043 return EXT_RETURN_NOT_SENT;
ec15acb6 1044
fc7129dc 1045 if (s->hello_retry_request == SSL_HRR_PENDING)
9368f865
MC		 1046 handmd = ssl_handshake_md(s);
1047
9368f865 1048 if (s->session->ext.ticklen != 0) {
72257204 1049 /* Get the digest associated with the ciphersuite in the session */
9368f865 1050 if (s->session->cipher == NULL) {
c48ffbcc 1051 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1052 return EXT_RETURN_FAIL;
9368f865 1053 }
38b051a1 1054 mdres = ssl_md(sctx, s->session->cipher->algorithm2);
9368f865 1055 if (mdres == NULL) {
72257204
MC		 1056 /*
1057 * Don't recognize this cipher so we can't use the session.
1058 * Ignore it
1059 */
9368f865
MC		 1060 goto dopsksess;
1061 }
1062
fc7129dc 1063 if (s->hello_retry_request == SSL_HRR_PENDING && mdres != handmd) {
9368f865 1064 /*
72257204
MC		 1065 * Selected ciphersuite hash does not match the hash for the session
1066 * so we can't use it.
9368f865
MC		 1067 */
1068 goto dopsksess;
1069 }
1f5b44e9 1070
cf3e221b 1071 /*
9368f865 1072 * Technically the C standard just says time() returns a time_t and says
72257204
MC		 1073 * nothing about the encoding of that type. In practice most
1074 * implementations follow POSIX which holds it as an integral type in
1075 * seconds since epoch. We've already made the assumption that we can do
1076 * this in multiple places in the code, so portability shouldn't be an
1077 * issue.
cf3e221b 1078 */
f0131dc0
P		 1079 t = ossl_time_subtract(ossl_time_now(), s->session->time);
1080 agesec = (uint32_t)ossl_time2seconds(t);
7e70213f
MC		 1081 /*
1082 * We calculate the age in seconds but the server may work in ms. Due to
1083 * rounding errors we could overestimate the age by up to 1s. It is
1084 * better to underestimate it. Otherwise, if the RTT is very short, when
1085 * the server calculates the age reported by the client it could be
1086 * bigger than the age calculated on the server - which should never
1087 * happen.
1088 */
1089 if (agesec > 0)
1090 agesec--;
cf3e221b 1091
9368f865
MC		 1092 if (s->session->ext.tick_lifetime_hint < agesec) {
1093 /* Ticket is too old. Ignore it. */
1094 goto dopsksess;
1095 }
ec15acb6 1096
9368f865
MC		 1097 /*
1098 * Calculate age in ms. We're just doing it to nearest second. Should be
1099 * good enough.
1100 */
1101 agems = agesec * (uint32_t)1000;
fc24f0bf 1102
9368f865
MC		 1103 if (agesec != 0 && agems / (uint32_t)1000 != agesec) {
1104 /*
72257204
MC		 1105 * Overflow. Shouldn't happen unless this is a *really* old session.
1106 * If so we just ignore it.
9368f865
MC		 1107 */
1108 goto dopsksess;
1109 }
ec15acb6 1110
ec15acb6 1111 /*
72257204
MC		 1112 * Obfuscate the age. Overflow here is fine, this addition is supposed
1113 * to be mod 2^32.
ec15acb6 1114 */
9368f865
MC		 1115 agems += s->session->ext.tick_age_add;
1116
ed576acd 1117 reshashsize = EVP_MD_get_size(mdres);
c96ce52c 1118 s->ext.tick_identity++;
9368f865 1119 dores = 1;
ec15acb6
MC		 1120 }
1121
9368f865 1122 dopsksess:
add8d0e9 1123 if (!dores && s->psksession == NULL)
9368f865 1124 return EXT_RETURN_NOT_SENT;
ec15acb6 1125
add8d0e9 1126 if (s->psksession != NULL) {
38b051a1 1127 mdpsk = ssl_md(sctx, s->psksession->cipher->algorithm2);
9368f865
MC		 1128 if (mdpsk == NULL) {
1129 /*
1130 * Don't recognize this cipher so we can't use the session.
1131 * If this happens it's an application bug.
1132 */
c48ffbcc 1133 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
635c8f77 1134 return EXT_RETURN_FAIL;
9368f865
MC		 1135 }
1136
fc7129dc 1137 if (s->hello_retry_request == SSL_HRR_PENDING && mdpsk != handmd) {
9368f865
MC		 1138 /*
1139 * Selected ciphersuite hash does not match the hash for the PSK
1140 * session. This is an application bug.
1141 */
c48ffbcc 1142 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
635c8f77 1143 return EXT_RETURN_FAIL;
9368f865
MC		 1144 }
1145
ed576acd 1146 pskhashsize = EVP_MD_get_size(mdpsk);
9368f865 1147 }
ec15acb6
MC		 1148
1149 /* Create the extension, but skip over the binder for now */
1150 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk)
1151 || !WPACKET_start_sub_packet_u16(pkt)
9368f865 1152 || !WPACKET_start_sub_packet_u16(pkt)) {
c48ffbcc 1153 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1154 return EXT_RETURN_FAIL;
9368f865
MC		 1155 }
1156
1157 if (dores) {
1158 if (!WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick,
1159 s->session->ext.ticklen)
1160 || !WPACKET_put_bytes_u32(pkt, agems)) {
c48ffbcc 1161 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1162 return EXT_RETURN_FAIL;
9368f865
MC		 1163 }
1164 }
1165
add8d0e9
MC		 1166 if (s->psksession != NULL) {
1167 if (!WPACKET_sub_memcpy_u16(pkt, s->psksession_id,
1168 s->psksession_id_len)
9368f865 1169 || !WPACKET_put_bytes_u32(pkt, 0)) {
c48ffbcc 1170 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1171 return EXT_RETURN_FAIL;
9368f865 1172 }
c96ce52c 1173 s->ext.tick_identity++;
9368f865
MC		 1174 }
1175
1176 if (!WPACKET_close(pkt)
ec15acb6
MC		 1177 || !WPACKET_get_total_written(pkt, &binderoffset)
1178 || !WPACKET_start_sub_packet_u16(pkt)
9368f865
MC		 1179 || (dores
1180 && !WPACKET_sub_allocate_bytes_u8(pkt, reshashsize, &resbinder))
add8d0e9 1181 || (s->psksession != NULL
9368f865 1182 && !WPACKET_sub_allocate_bytes_u8(pkt, pskhashsize, &pskbinder))
ec15acb6
MC		 1183 || !WPACKET_close(pkt)
1184 || !WPACKET_close(pkt)
1185 || !WPACKET_get_total_written(pkt, &msglen)
1186 /*
1187 * We need to fill in all the sub-packet lengths now so we can
1188 * calculate the HMAC of the message up to the binders
1189 */
1190 || !WPACKET_fill_lengths(pkt)) {
c48ffbcc 1191 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
635c8f77 1192 return EXT_RETURN_FAIL;
ec15acb6
MC		 1193 }
1194
1195 msgstart = WPACKET_get_curr(pkt) - msglen;
1196
72257204
MC		 1197 if (dores
1198 && tls_psk_do_binder(s, mdres, msgstart, binderoffset, NULL,
1199 resbinder, s->session, 1, 0) != 1) {
635c8f77
MC		 1200 /* SSLfatal() already called */
1201 return EXT_RETURN_FAIL;
ec15acb6
MC		 1202 }
1203
add8d0e9 1204 if (s->psksession != NULL
72257204 1205 && tls_psk_do_binder(s, mdpsk, msgstart, binderoffset, NULL,
add8d0e9 1206 pskbinder, s->psksession, 1, 1) != 1) {
635c8f77
MC		 1207 /* SSLfatal() already called */
1208 return EXT_RETURN_FAIL;
9368f865
MC		 1209 }
1210
635c8f77 1211 return EXT_RETURN_SENT;
ec15acb6 1212#else
89bc9cf6 1213 return EXT_RETURN_NOT_SENT;
ec15acb6
MC		 1214#endif
1215}
1216
38b051a1 1217EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pkt,
a7e6a3d8
P		 1218 ossl_unused unsigned int context,
1219 ossl_unused X509 *x,
1220 ossl_unused size_t chainidx)
9d75dce3
TS		 1221{
1222#ifndef OPENSSL_NO_TLS1_3
32097b33
MC		 1223 if (!s->pha_enabled)
1224 return EXT_RETURN_NOT_SENT;
9d75dce3
TS		 1225
1226 /* construct extension - 0 length, no contents */
1227 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth)
1228 || !WPACKET_start_sub_packet_u16(pkt)
1229 || !WPACKET_close(pkt)) {
c48ffbcc 1230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d75dce3
TS		 1231 return EXT_RETURN_FAIL;
1232 }
1233
1234 s->post_handshake_auth = SSL_PHA_EXT_SENT;
1235
1236 return EXT_RETURN_SENT;
1237#else
1238 return EXT_RETURN_NOT_SENT;
1239#endif
1240}
1241
1242
6dd083fd
MC		 1243/*
1244 * Parse the server's renegotiation binding and abort if it's not right
1245 */
38b051a1
TM		 1246int tls_parse_stoc_renegotiate(SSL_CONNECTION *s, PACKET *pkt,
1247 unsigned int context,
f63a17d6 1248 X509 *x, size_t chainidx)
6dd083fd 1249{
555cbb32
TS		 1250 size_t expected_len = s->s3.previous_client_finished_len
1251 + s->s3.previous_server_finished_len;
6dd083fd
MC		 1252 size_t ilen;
1253 const unsigned char *data;
1254
1255 /* Check for logic errors */
b77f3ed1 1256 if (!ossl_assert(expected_len == 0
555cbb32 1257 || s->s3.previous_client_finished_len != 0)
b77f3ed1 1258 || !ossl_assert(expected_len == 0
555cbb32 1259 || s->s3.previous_server_finished_len != 0)) {
c48ffbcc 1260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
b77f3ed1
MC		 1261 return 0;
1262 }
6dd083fd
MC		 1263
1264 /* Parse the length byte */
1265 if (!PACKET_get_1_len(pkt, &ilen)) {
c48ffbcc 1266 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
6dd083fd
MC		 1267 return 0;
1268 }
1269
1270 /* Consistency check */
1271 if (PACKET_remaining(pkt) != ilen) {
c48ffbcc 1272 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RENEGOTIATION_ENCODING_ERR);
6dd083fd
MC		 1273 return 0;
1274 }
1275
1276 /* Check that the extension matches */
1277 if (ilen != expected_len) {
c48ffbcc 1278 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1279 return 0;
1280 }
1281
555cbb32
TS		 1282 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_client_finished_len)
1283 || memcmp(data, s->s3.previous_client_finished,
1284 s->s3.previous_client_finished_len) != 0) {
c48ffbcc 1285 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1286 return 0;
1287 }
1288
555cbb32
TS		 1289 if (!PACKET_get_bytes(pkt, &data, s->s3.previous_server_finished_len)
1290 || memcmp(data, s->s3.previous_server_finished,
1291 s->s3.previous_server_finished_len) != 0) {
c48ffbcc 1292 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_RENEGOTIATION_MISMATCH);
6dd083fd
MC		 1293 return 0;
1294 }
555cbb32 1295 s->s3.send_connection_binding = 1;
6dd083fd
MC		 1296
1297 return 1;
1298}
1299
cf72c757 1300/* Parse the server's max fragment len extension packet */
38b051a1
TM		 1301int tls_parse_stoc_maxfragmentlen(SSL_CONNECTION *s, PACKET *pkt,
1302 unsigned int context,
f63a17d6 1303 X509 *x, size_t chainidx)
cf72c757
F		 1304{
1305 unsigned int value;
1306
1307 if (PACKET_remaining(pkt) != 1 || !PACKET_get_1(pkt, &value)) {
c48ffbcc 1308 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
cf72c757
F		 1309 return 0;
1310 }
1311
1312 /* |value| should contains a valid max-fragment-length code. */
1313 if (!IS_MAX_FRAGMENT_LENGTH_EXT_VALID(value)) {
f63a17d6 1314 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 1315 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 1316 return 0;
1317 }
1318
1319 /* Must be the same value as client-configured one who was sent to server */
1320 /*-
1321 * RFC 6066: if a client receives a maximum fragment length negotiation
1322 * response that differs from the length it requested, ...
1323 * It must abort with SSL_AD_ILLEGAL_PARAMETER alert
1324 */
1325 if (value != s->ext.max_fragment_len_mode) {
f63a17d6 1326 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
f63a17d6 1327 SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH);
cf72c757
F		 1328 return 0;
1329 }
1330
1331 /*
1332 * Maximum Fragment Length Negotiation succeeded.
1333 * The negotiated Maximum Fragment Length is binding now.
1334 */
1335 s->session->ext.max_fragment_len_mode = value;
1336
1337 return 1;
1338}
1339
38b051a1
TM		 1340int tls_parse_stoc_server_name(SSL_CONNECTION *s, PACKET *pkt,
1341 unsigned int context,
f63a17d6 1342 X509 *x, size_t chainidx)
6dd083fd 1343{
fb34a0f4 1344 if (s->ext.hostname == NULL) {
c48ffbcc 1345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
fb34a0f4
MC		 1346 return 0;
1347 }
1348
1349 if (PACKET_remaining(pkt) > 0) {
c48ffbcc 1350 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1351 return 0;
1352 }
1353
1354 if (!s->hit) {
aff8c126 1355 if (s->session->ext.hostname != NULL) {
c48ffbcc 1356 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1357 return 0;
1358 }
aff8c126
RS		 1359 s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
1360 if (s->session->ext.hostname == NULL) {
c48ffbcc 1361 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1362 return 0;
1363 }
1364 }
1365
1366 return 1;
1367}
1368
38b051a1
TM		 1369int tls_parse_stoc_ec_pt_formats(SSL_CONNECTION *s, PACKET *pkt,
1370 unsigned int context,
f63a17d6 1371 X509 *x, size_t chainidx)
6dd083fd 1372{
848a950b 1373 size_t ecpointformats_len;
6dd083fd
MC		 1374 PACKET ecptformatlist;
1375
1376 if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
c48ffbcc 1377 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1378 return 0;
1379 }
1380 if (!s->hit) {
aff8c126 1381 ecpointformats_len = PACKET_remaining(&ecptformatlist);
848a950b 1382 if (ecpointformats_len == 0) {
c48ffbcc 1383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
848a950b
MC		 1384 return 0;
1385 }
6dd083fd 1386
cd0fb43c
MC		 1387 s->ext.peer_ecpointformats_len = 0;
1388 OPENSSL_free(s->ext.peer_ecpointformats);
1389 s->ext.peer_ecpointformats = OPENSSL_malloc(ecpointformats_len);
1390 if (s->ext.peer_ecpointformats == NULL) {
39a14059 1391 s->ext.peer_ecpointformats_len = 0;
c48ffbcc 1392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1393 return 0;
1394 }
1395
cd0fb43c 1396 s->ext.peer_ecpointformats_len = ecpointformats_len;
6dd083fd
MC		 1397
1398 if (!PACKET_copy_bytes(&ecptformatlist,
cd0fb43c 1399 s->ext.peer_ecpointformats,
aff8c126 1400 ecpointformats_len)) {
c48ffbcc 1401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1402 return 0;
1403 }
1404 }
1405
1406 return 1;
1407}
6dd083fd 1408
38b051a1
TM		 1409int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt,
1410 unsigned int context,
f63a17d6 1411 X509 *x, size_t chainidx)
6dd083fd 1412{
38b051a1
TM		 1413 SSL *ssl = SSL_CONNECTION_GET_SSL(s);
1414
aff8c126 1415 if (s->ext.session_ticket_cb != NULL &&
38b051a1
TM		 1416 !s->ext.session_ticket_cb(ssl, PACKET_data(pkt),
1417 PACKET_remaining(pkt),
1418 s->ext.session_ticket_cb_arg)) {
c48ffbcc 1419 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1420 return 0;
1421 }
1266eefd 1422
fb34a0f4 1423 if (!tls_use_ticket(s)) {
c48ffbcc 1424 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1425 return 0;
1426 }
fb34a0f4 1427 if (PACKET_remaining(pkt) > 0) {
c48ffbcc 1428 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
fb34a0f4
MC		 1429 return 0;
1430 }
1266eefd 1431
aff8c126 1432 s->ext.ticket_expected = 1;
6dd083fd
MC		 1433
1434 return 1;
1435}
1436
ab83e314 1437#ifndef OPENSSL_NO_OCSP
38b051a1
TM		 1438int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt,
1439 unsigned int context,
f63a17d6 1440 X509 *x, size_t chainidx)
6dd083fd 1441{
5de683d2
MC		 1442 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1443 /* We ignore this if the server sends a CertificateRequest */
5de683d2
MC		 1444 return 1;
1445 }
1446
6dd083fd 1447 /*
f63e4288
MC		 1448 * MUST only be sent if we've requested a status
1449 * request message. In TLS <= 1.2 it must also be empty.
6dd083fd 1450 */
fb34a0f4 1451 if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
c48ffbcc 1452 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1453 return 0;
1454 }
38b051a1 1455 if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) {
c48ffbcc 1456 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
fb34a0f4
MC		 1457 return 0;
1458 }
f63e4288 1459
38b051a1 1460 if (SSL_CONNECTION_IS_TLS13(s)) {
f63e4288 1461 /* We only know how to handle this if it's for the first Certificate in
1ee4b98e 1462 * the chain. We ignore any other responses.
f63e4288 1463 */
8521ced6 1464 if (chainidx != 0)
f63e4288 1465 return 1;
f63a17d6
MC		 1466
1467 /* SSLfatal() already called */
1468 return tls_process_cert_status_body(s, pkt);
f63e4288
MC		 1469 }
1470
6dd083fd 1471 /* Set flag to expect CertificateStatus message */
aff8c126 1472 s->ext.status_expected = 1;
6dd083fd
MC		 1473
1474 return 1;
1475}
ab83e314 1476#endif
6dd083fd
MC		 1477
1478
1479#ifndef OPENSSL_NO_CT
38b051a1
TM		 1480int tls_parse_stoc_sct(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1481 X509 *x, size_t chainidx)
6dd083fd 1482{
5de683d2
MC		 1483 if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
1484 /* We ignore this if the server sends it in a CertificateRequest */
5de683d2
MC		 1485 return 1;
1486 }
1487
6dd083fd
MC		 1488 /*
1489 * Only take it if we asked for it - i.e if there is no CT validation
1490 * callback set, then a custom extension MAY be processing it, so we
1491 * need to let control continue to flow to that.
1492 */
1493 if (s->ct_validation_callback != NULL) {
1494 size_t size = PACKET_remaining(pkt);
1495
1496 /* Simply copy it off for later processing */
aff8c126
RS		 1497 OPENSSL_free(s->ext.scts);
1498 s->ext.scts = NULL;
1266eefd 1499
3a63c0ed 1500 s->ext.scts_len = (uint16_t)size;
6dd083fd 1501 if (size > 0) {
aff8c126 1502 s->ext.scts = OPENSSL_malloc(size);
39a14059
MC		 1503 if (s->ext.scts == NULL) {
1504 s->ext.scts_len = 0;
e077455e 1505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
39a14059
MC		 1506 return 0;
1507 }
1508 if (!PACKET_copy_bytes(pkt, s->ext.scts, size)) {
c48ffbcc 1509 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1510 return 0;
1511 }
1512 }
1513 } else {
b186a592
MC		 1514 ENDPOINT role = (context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
1515 ? ENDPOINT_CLIENT : ENDPOINT_BOTH;
1516
1517 /*
1518 * If we didn't ask for it then there must be a custom extension,
1519 * otherwise this is unsolicited.
1520 */
1521 if (custom_ext_find(&s->cert->custext, role,
1522 TLSEXT_TYPE_signed_certificate_timestamp,
1523 NULL) == NULL) {
c48ffbcc 1524 SSLfatal(s, TLS1_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
b186a592
MC		 1525 return 0;
1526 }
1527
f63a17d6 1528 if (!custom_ext_parse(s, context,
43ae5eed
MC		 1529 TLSEXT_TYPE_signed_certificate_timestamp,
1530 PACKET_data(pkt), PACKET_remaining(pkt),
f63a17d6
MC		 1531 x, chainidx)) {
1532 /* SSLfatal already called */
6dd083fd 1533 return 0;
f63a17d6 1534 }
6dd083fd
MC		 1535 }
1536
1537 return 1;
1538}
1539#endif
1540
1541
1542#ifndef OPENSSL_NO_NEXTPROTONEG
1543/*
1544 * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1545 * elements of zero length are allowed and the set of elements must exactly
1546 * fill the length of the block. Returns 1 on success or 0 on failure.
1547 */
38b051a1 1548static int ssl_next_proto_validate(SSL_CONNECTION *s, PACKET *pkt)
6dd083fd
MC		 1549{
1550 PACKET tmp_protocol;
1551
1552 while (PACKET_remaining(pkt)) {
1553 if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
f63a17d6 1554 || PACKET_remaining(&tmp_protocol) == 0) {
c48ffbcc 1555 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd 1556 return 0;
f63a17d6 1557 }
6dd083fd
MC		 1558 }
1559
1560 return 1;
1561}
1562
38b051a1
TM		 1563int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1564 X509 *x, size_t chainidx)
6dd083fd
MC		 1565{
1566 unsigned char *selected;
1567 unsigned char selected_len;
1568 PACKET tmppkt;
38b051a1 1569 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
6dd083fd 1570
1266eefd 1571 /* Check if we are in a renegotiation. If so ignore this extension */
c7f47786 1572 if (!SSL_IS_FIRST_HANDSHAKE(s))
6dd083fd
MC		 1573 return 1;
1574
1575 /* We must have requested it. */
38b051a1 1576 if (sctx->ext.npn_select_cb == NULL) {
c48ffbcc 1577 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1578 return 0;
1579 }
1266eefd 1580
6dd083fd
MC		 1581 /* The data must be valid */
1582 tmppkt = *pkt;
f63a17d6
MC		 1583 if (!ssl_next_proto_validate(s, &tmppkt)) {
1584 /* SSLfatal() already called */
6dd083fd
MC		 1585 return 0;
1586 }
38b051a1
TM		 1587 if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
1588 &selected, &selected_len,
1589 PACKET_data(pkt), PACKET_remaining(pkt),
1590 sctx->ext.npn_select_cb_arg) !=
6dd083fd 1591 SSL_TLSEXT_ERR_OK) {
c48ffbcc 1592 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1593 return 0;
1594 }
1266eefd 1595
6dd083fd
MC		 1596 /*
1597 * Could be non-NULL if server has sent multiple NPN extensions in
1598 * a single Serverhello
1599 */
aff8c126
RS		 1600 OPENSSL_free(s->ext.npn);
1601 s->ext.npn = OPENSSL_malloc(selected_len);
1602 if (s->ext.npn == NULL) {
39a14059 1603 s->ext.npn_len = 0;
c48ffbcc 1604 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1605 return 0;
1606 }
1607
aff8c126
RS		 1608 memcpy(s->ext.npn, selected, selected_len);
1609 s->ext.npn_len = selected_len;
555cbb32 1610 s->s3.npn_seen = 1;
6dd083fd
MC		 1611
1612 return 1;
1613}
1614#endif
1615
38b051a1
TM		 1616int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1617 X509 *x, size_t chainidx)
6dd083fd
MC		 1618{
1619 size_t len;
1620
1621 /* We must have requested it. */
555cbb32 1622 if (!s->s3.alpn_sent) {
c48ffbcc 1623 SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1624 return 0;
1625 }
1626 /*-
1627 * The extension data consists of:
1628 * uint16 list_length
1629 * uint8 proto_length;
1630 * uint8 proto[proto_length];
1631 */
1632 if (!PACKET_get_net_2_len(pkt, &len)
1633 || PACKET_remaining(pkt) != len || !PACKET_get_1_len(pkt, &len)
1634 || PACKET_remaining(pkt) != len) {
c48ffbcc 1635 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1636 return 0;
1637 }
555cbb32
TS		 1638 OPENSSL_free(s->s3.alpn_selected);
1639 s->s3.alpn_selected = OPENSSL_malloc(len);
1640 if (s->s3.alpn_selected == NULL) {
39a14059 1641 s->s3.alpn_selected_len = 0;
c48ffbcc 1642 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1643 return 0;
1644 }
555cbb32 1645 if (!PACKET_copy_bytes(pkt, s->s3.alpn_selected, len)) {
c48ffbcc 1646 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
6dd083fd
MC		 1647 return 0;
1648 }
555cbb32 1649 s->s3.alpn_selected_len = len;
6dd083fd 1650
0ef28021
MC		 1651 if (s->session->ext.alpn_selected == NULL
1652 || s->session->ext.alpn_selected_len != len
555cbb32 1653 || memcmp(s->session->ext.alpn_selected, s->s3.alpn_selected, len)
0ef28021 1654 != 0) {
4be3a7c7
MC		 1655 /* ALPN not consistent with the old session so cannot use early_data */
1656 s->ext.early_data_ok = 0;
1657 }
1658 if (!s->hit) {
9d5db9c9
MC		 1659 /*
1660 * This is a new session and so alpn_selected should have been
1661 * initialised to NULL. We should update it with the selected ALPN.
1662 */
1663 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
c48ffbcc 1664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
9d5db9c9
MC		 1665 return 0;
1666 }
4be3a7c7 1667 s->session->ext.alpn_selected =
555cbb32 1668 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len);
4be3a7c7 1669 if (s->session->ext.alpn_selected == NULL) {
39a14059 1670 s->session->ext.alpn_selected_len = 0;
c48ffbcc 1671 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4be3a7c7
MC		 1672 return 0;
1673 }
555cbb32 1674 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len;
ae8d7d99
MC		 1675 }
1676
6dd083fd
MC		 1677 return 1;
1678}
1679
1680#ifndef OPENSSL_NO_SRTP
38b051a1
TM		 1681int tls_parse_stoc_use_srtp(SSL_CONNECTION *s, PACKET *pkt,
1682 unsigned int context, X509 *x, size_t chainidx)
6dd083fd
MC		 1683{
1684 unsigned int id, ct, mki;
1685 int i;
1686 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
1687 SRTP_PROTECTION_PROFILE *prof;
1688
1266eefd
MC		 1689 if (!PACKET_get_net_2(pkt, &ct) || ct != 2
1690 || !PACKET_get_net_2(pkt, &id)
1691 || !PACKET_get_1(pkt, &mki)
1692 || PACKET_remaining(pkt) != 0) {
c48ffbcc 1693 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 1694 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
6dd083fd
MC		 1695 return 0;
1696 }
1697
1698 if (mki != 0) {
1699 /* Must be no MKI, since we never offer one */
c48ffbcc 1700 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRTP_MKI_VALUE);
6dd083fd
MC		 1701 return 0;
1702 }
1703
6dd083fd 1704 /* Throw an error if the server gave us an unsolicited extension */
38b051a1 1705 clnt = SSL_get_srtp_profiles(SSL_CONNECTION_GET_SSL(s));
6dd083fd 1706 if (clnt == NULL) {
c48ffbcc 1707 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_SRTP_PROFILES);
6dd083fd
MC		 1708 return 0;
1709 }
1710
1711 /*
1712 * Check to see if the server gave us something we support (and
1713 * presumably offered)
1714 */
1715 for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) {
1716 prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
1717
1718 if (prof->id == id) {
1719 s->srtp_profile = prof;
6dd083fd
MC		 1720 return 1;
1721 }
1722 }
1723
c48ffbcc 1724 SSLfatal(s, SSL_AD_DECODE_ERROR,
f63a17d6 1725 SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
6dd083fd
MC		 1726 return 0;
1727}
1728#endif
1729
38b051a1
TM		 1730int tls_parse_stoc_etm(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1731 X509 *x, size_t chainidx)
6dd083fd
MC		 1732{
1733 /* Ignore if inappropriate ciphersuite */
1734 if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
555cbb32 1735 && s->s3.tmp.new_cipher->algorithm_mac != SSL_AEAD
d724da69
DB		 1736 && s->s3.tmp.new_cipher->algorithm_enc != SSL_RC4
1737 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT
1738 && s->s3.tmp.new_cipher->algorithm_enc != SSL_eGOST2814789CNT12
1739 && s->s3.tmp.new_cipher->algorithm_enc != SSL_MAGMA
1740 && s->s3.tmp.new_cipher->algorithm_enc != SSL_KUZNYECHIK)
28a31a0a 1741 s->ext.use_etm = 1;
6dd083fd
MC		 1742
1743 return 1;
1744}
1745
38b051a1
TM		 1746int tls_parse_stoc_ems(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1747 X509 *x, size_t chainidx)
6dd083fd 1748{
088dfa13
TS		 1749 if (s->options & SSL_OP_NO_EXTENDED_MASTER_SECRET)
1750 return 1;
555cbb32 1751 s->s3.flags |= TLS1_FLAGS_RECEIVED_EXTMS;
6dd083fd
MC		 1752 if (!s->hit)
1753 s->session->flags |= SSL_SESS_FLAG_EXTMS;
1754
1755 return 1;
1756}
1757
38b051a1
TM		 1758int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt,
1759 unsigned int context,
88050dd1
MC		 1760 X509 *x, size_t chainidx)
1761{
1762 unsigned int version;
1763
1764 if (!PACKET_get_net_2(pkt, &version)
1765 || PACKET_remaining(pkt) != 0) {
c48ffbcc 1766 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
88050dd1
MC		 1767 return 0;
1768 }
1769
27e462f1
MC		 1770 /*
1771 * The only protocol version we support which is valid in this extension in
1772 * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else.
1773 */
1774 if (version != TLS1_3_VERSION) {
1775 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
27e462f1
MC		 1776 SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
1777 return 0;
1778 }
1779
426dfc9f 1780 /* We ignore this extension for HRRs except to sanity check it */
27e462f1 1781 if (context == SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)
426dfc9f 1782 return 1;
426dfc9f 1783
88050dd1
MC		 1784 /* We just set it here. We validate it in ssl_choose_client_version */
1785 s->version = version;
1d367677
MC		 1786 if (!ssl_set_record_protocol_version(s, version)) {
1787 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1788 return 0;
1789 }
88050dd1
MC		 1790
1791 return 1;
1792}
1793
38b051a1
TM		 1794int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
1795 unsigned int context, X509 *x,
f63a17d6 1796 size_t chainidx)
6dd083fd 1797{
3cf96e88 1798#ifndef OPENSSL_NO_TLS1_3
6dd083fd
MC		 1799 unsigned int group_id;
1800 PACKET encoded_pt;
555cbb32 1801 EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL;
a011b586 1802 const TLS_GROUP_INFO *ginf = NULL;
6dd083fd
MC		 1803
1804 /* Sanity check */
555cbb32 1805 if (ckey == NULL || s->s3.peer_tmp != NULL) {
c48ffbcc 1806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
6dd083fd
MC		 1807 return 0;
1808 }
1809
1810 if (!PACKET_get_net_2(pkt, &group_id)) {
c48ffbcc 1811 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1812 return 0;
1813 }
1814
fe874d27 1815 if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
f48d826e
DSH		 1816 const uint16_t *pgroups = NULL;
1817 size_t i, num_groups;
3847d426
MC		 1818
1819 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1820 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
3847d426
MC		 1821 return 0;
1822 }
1823
1824 /*
1825 * It is an error if the HelloRetryRequest wants a key_share that we
1826 * already sent in the first ClientHello
1827 */
555cbb32 1828 if (group_id == s->s3.group_id) {
c48ffbcc 1829 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
3847d426
MC		 1830 return 0;
1831 }
1832
1833 /* Validate the selected group is one we support */
f48d826e
DSH		 1834 tls1_get_supported_groups(s, &pgroups, &num_groups);
1835 for (i = 0; i < num_groups; i++) {
1836 if (group_id == pgroups[i])
3847d426
MC		 1837 break;
1838 }
f48d826e 1839 if (i >= num_groups
247b8e52
MC		 1840 || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
1841 || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
1842 0, NULL)) {
c48ffbcc 1843 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
3847d426
MC		 1844 return 0;
1845 }
1846
555cbb32
TS		 1847 s->s3.group_id = group_id;
1848 EVP_PKEY_free(s->s3.tmp.pkey);
1849 s->s3.tmp.pkey = NULL;
3847d426
MC		 1850 return 1;
1851 }
1852
555cbb32 1853 if (group_id != s->s3.group_id) {
6dd083fd
MC		 1854 /*
1855 * This isn't for the group that we sent in the original
1856 * key_share!
1857 */
c48ffbcc 1858 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
6dd083fd
MC		 1859 return 0;
1860 }
aa6bd216
BK		 1861 /* Retain this group in the SSL_SESSION */
1862 if (!s->hit) {
1863 s->session->kex_group = group_id;
1864 } else if (group_id != s->session->kex_group) {
1865 /*
1866 * If this is a resumption but changed what group was used, we need
1867 * to record the new group in the session, but the session is not
1868 * a new session and could be in use by other threads. So, make
1869 * a copy of the session to record the new information so that it's
1870 * useful for any sessions resumed from tickets issued on this
1871 * connection.
1872 */
1873 SSL_SESSION *new_sess;
1874
1875 if ((new_sess = ssl_session_dup(s->session, 0)) == NULL) {
e077455e 1876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB);
aa6bd216
BK		 1877 return 0;
1878 }
1879 SSL_SESSION_free(s->session);
1880 s->session = new_sess;
1881 s->session->kex_group = group_id;
1882 }
6dd083fd 1883
38b051a1
TM		 1884 if ((ginf = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
1885 group_id)) == NULL) {
c48ffbcc 1886 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
a011b586
NT		 1887 return 0;
1888 }
1889
6dd083fd
MC		 1890 if (!PACKET_as_length_prefixed_2(pkt, &encoded_pt)
1891 || PACKET_remaining(&encoded_pt) == 0) {
c48ffbcc 1892 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
6dd083fd
MC		 1893 return 0;
1894 }
1895
a011b586
NT		 1896 if (!ginf->is_kem) {
1897 /* Regular KEX */
1898 skey = EVP_PKEY_new();
1899 if (skey == NULL || EVP_PKEY_copy_parameters(skey, ckey) <= 0) {
c48ffbcc 1900 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED);
b3c34401 1901 EVP_PKEY_free(skey);
a011b586
NT		 1902 return 0;
1903 }
afce590b 1904
d5530efa
TM		 1905 if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
1906 PACKET_remaining(&encoded_pt)) <= 0) {
c48ffbcc 1907 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
a011b586
NT		 1908 EVP_PKEY_free(skey);
1909 return 0;
1910 }
6dd083fd 1911
a011b586
NT		 1912 if (ssl_derive(s, ckey, skey, 1) == 0) {
1913 /* SSLfatal() already called */
1914 EVP_PKEY_free(skey);
1915 return 0;
1916 }
1917 s->s3.peer_tmp = skey;
1918 } else {
1919 /* KEM Mode */
1920 const unsigned char *ct = PACKET_data(&encoded_pt);
1921 size_t ctlen = PACKET_remaining(&encoded_pt);
1922
1923 if (ssl_decapsulate(s, ckey, ct, ctlen, 1) == 0) {
1924 /* SSLfatal() already called */
1925 return 0;
1926 }
6dd083fd 1927 }
aa6bd216 1928 s->s3.did_kex = 1;
3cf96e88 1929#endif
6dd083fd
MC		 1930
1931 return 1;
1932}
4ff65f77 1933
38b051a1
TM		 1934int tls_parse_stoc_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
1935 X509 *x, size_t chainidx)
cfef5027
MC		 1936{
1937 PACKET cookie;
1938
1939 if (!PACKET_as_length_prefixed_2(pkt, &cookie)
1940 || !PACKET_memdup(&cookie, &s->ext.tls13_cookie,
1941 &s->ext.tls13_cookie_len)) {
c48ffbcc 1942 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
cfef5027
MC		 1943 return 0;
1944 }
1945
1946 return 1;
1947}
1948
38b051a1
TM		 1949int tls_parse_stoc_early_data(SSL_CONNECTION *s, PACKET *pkt,
1950 unsigned int context,
f63a17d6 1951 X509 *x, size_t chainidx)
38df5a45 1952{
fe874d27 1953 if (context == SSL_EXT_TLS1_3_NEW_SESSION_TICKET) {
6594189f
MC		 1954 unsigned long max_early_data;
1955
1956 if (!PACKET_get_net_4(pkt, &max_early_data)
1957 || PACKET_remaining(pkt) != 0) {
c48ffbcc 1958 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_MAX_EARLY_DATA);
6594189f
MC		 1959 return 0;
1960 }
1961
1962 s->session->ext.max_early_data = max_early_data;
1963
04c7fb53
MC		 1964 if (SSL_IS_QUIC_HANDSHAKE(s) && max_early_data != 0xffffffff) {
1965 /*
1966 * QUIC allows missing max_early_data, or a max_early_data value
1967 * of 0xffffffff. Missing max_early_data is stored in the session
1968 * as 0. This is indistinguishable in OpenSSL from a present
1969 * max_early_data value that was 0. In order that later checks for
1970 * invalid max_early_data correctly treat as an error the case where
1971 * max_early_data is present and it is 0, we store any invalid
1972 * value in the same (non-zero) way. Otherwise we would have to
1973 * introduce a new flag just for this.
1974 */
1975 s->session->ext.max_early_data = 1;
1976 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_MAX_EARLY_DATA);
1977 return 0;
1978 }
1979
6594189f
MC		 1980 return 1;
1981 }
1982
38df5a45 1983 if (PACKET_remaining(pkt) != 0) {
c48ffbcc 1984 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
38df5a45
MC		 1985 return 0;
1986 }
1987
4be3a7c7 1988 if (!s->ext.early_data_ok
c96ce52c 1989 || !s->hit) {
38df5a45
MC		 1990 /*
1991 * If we get here then we didn't send early data, or we didn't resume
4be3a7c7
MC		 1992 * using the first identity, or the SNI/ALPN is not consistent so the
1993 * server should not be accepting it.
38df5a45 1994 */
c48ffbcc 1995 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
38df5a45
MC		 1996 return 0;
1997 }
1998
1999 s->ext.early_data = SSL_EARLY_DATA_ACCEPTED;
2000
2001 return 1;
2002}
2003
38b051a1
TM		 2004int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt,
2005 unsigned int context, X509 *x,
f63a17d6 2006 size_t chainidx)
4ff65f77
MC		 2007{
2008#ifndef OPENSSL_NO_TLS1_3
2009 unsigned int identity;
2010
2011 if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
c48ffbcc 2012 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
4ff65f77
MC		 2013 return 0;
2014 }
2015
c96ce52c 2016 if (identity >= (unsigned int)s->ext.tick_identity) {
c48ffbcc 2017 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PSK_IDENTITY);
c96ce52c
MC		 2018 return 0;
2019 }
2020
2021 /*
2022 * Session resumption tickets are always sent before PSK tickets. If the
2023 * ticket index is 0 then it must be for a session resumption ticket if we
2024 * sent two tickets, or if we didn't send a PSK ticket.
2025 */
2026 if (identity == 0 && (s->psksession == NULL || s->ext.tick_identity == 2)) {
9368f865
MC		 2027 s->hit = 1;
2028 SSL_SESSION_free(s->psksession);
2029 s->psksession = NULL;
2030 return 1;
2031 }
2032
c96ce52c
MC		 2033 if (s->psksession == NULL) {
2034 /* Should never happen */
c48ffbcc 2035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
4ff65f77
MC		 2036 return 0;
2037 }
2038
add8d0e9
MC		 2039 /*
2040 * If we used the external PSK for sending early_data then s->early_secret
2041 * is already set up, so don't overwrite it. Otherwise we copy the
2042 * early_secret across that we generated earlier.
2043 */
2044 if ((s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
2045 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
2046 || s->session->ext.max_early_data > 0
2047 || s->psksession->ext.max_early_data == 0)
2048 memcpy(s->early_secret, s->psksession->early_secret, EVP_MAX_MD_SIZE);
2049
9368f865
MC		 2050 SSL_SESSION_free(s->session);
2051 s->session = s->psksession;
2052 s->psksession = NULL;
4ff65f77 2053 s->hit = 1;
c96ce52c
MC		 2054 /* Early data is only allowed if we used the first ticket */
2055 if (identity != 0)
2056 s->ext.early_data_ok = 0;
4ff65f77
MC		 2057#endif
2058
2059 return 1;
2060}
3c95ef22
TS		 2061
2062EXT_RETURN tls_construct_ctos_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2063 unsigned int context,
2064 X509 *x, size_t chainidx)
2065{
2066 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2067 if (sc->client_cert_type == NULL)
2068 return EXT_RETURN_NOT_SENT;
2069
2070 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_client_cert_type)
2071 || !WPACKET_start_sub_packet_u16(pkt)
2072 || !WPACKET_sub_memcpy_u8(pkt, sc->client_cert_type, sc->client_cert_type_len)
2073 || !WPACKET_close(pkt)) {
2074 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2075 return EXT_RETURN_FAIL;
2076 }
2077 sc->ext.client_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2078 return EXT_RETURN_SENT;
2079}
2080
2081int tls_parse_stoc_client_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2082 unsigned int context,
2083 X509 *x, size_t chainidx)
2084{
2085 unsigned int type;
2086
2087 if (PACKET_remaining(pkt) != 1) {
2088 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2089 return 0;
2090 }
2091 if (!PACKET_get_1(pkt, &type)) {
2092 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2093 return 0;
2094 }
2095 /* We did not send/ask for this */
2096 if (!ossl_assert(sc->ext.client_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2097 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2098 return 0;
2099 }
2100 /* We don't have this enabled */
2101 if (sc->client_cert_type == NULL) {
2102 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2103 return 0;
2104 }
2105 /* Given back a value we didn't configure */
2106 if (memchr(sc->client_cert_type, type, sc->client_cert_type_len) == NULL) {
2107 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2108 return 0;
2109 }
2110 sc->ext.client_cert_type = type;
2111 return 1;
2112}
2113
2114EXT_RETURN tls_construct_ctos_server_cert_type(SSL_CONNECTION *sc, WPACKET *pkt,
2115 unsigned int context,
2116 X509 *x, size_t chainidx)
2117{
2118 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_NONE;
2119 if (sc->server_cert_type == NULL)
2120 return EXT_RETURN_NOT_SENT;
2121
2122 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_cert_type)
2123 || !WPACKET_start_sub_packet_u16(pkt)
2124 || !WPACKET_sub_memcpy_u8(pkt, sc->server_cert_type, sc->server_cert_type_len)
2125 || !WPACKET_close(pkt)) {
2126 SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2127 return EXT_RETURN_FAIL;
2128 }
2129 sc->ext.server_cert_type_ctos = OSSL_CERT_TYPE_CTOS_GOOD;
2130 return EXT_RETURN_SENT;
2131}
2132
2133int tls_parse_stoc_server_cert_type(SSL_CONNECTION *sc, PACKET *pkt,
2134 unsigned int context,
2135 X509 *x, size_t chainidx)
2136{
2137 unsigned int type;
2138
2139 if (PACKET_remaining(pkt) != 1) {
2140 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2141 return 0;
2142 }
2143 if (!PACKET_get_1(pkt, &type)) {
2144 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2145 return 0;
2146 }
2147 /* We did not send/ask for this */
2148 if (!ossl_assert(sc->ext.server_cert_type_ctos == OSSL_CERT_TYPE_CTOS_GOOD)) {
2149 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2150 return 0;
2151 }
2152 /* We don't have this enabled */
2153 if (sc->server_cert_type == NULL) {
2154 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
2155 return 0;
2156 }
2157 /* Given back a value we didn't configure */
2158 if (memchr(sc->server_cert_type, type, sc->server_cert_type_len) == NULL) {
2159 SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_VALUE);
2160 return 0;
2161 }
2162 sc->ext.server_cert_type = type;
2163 return 1;
2164}
A mirror of the official openssl repository